Viewpoint: PSD2 will revolutionise the payments system

All respondents to an EAST Poll that ran from May to August 2018 felt that the new Payments Service Directive 2 (PSD2) will revolutionise the payments system.  58% felt that it would have an impact on a medium or shortt term basis and 42% felt that the impact would be on a long term basis.

PSD2

PSD2 came into force on 13 January 2018. Banks need to adapt to the required changes that open many technical challenges, but also many strategic opportunities, such as collaborating with fintech providers, for the future.  The PSD2 aims are to:

  • better protect consumers when they pay online
  • promote the development and use of innovative online and mobile payments such as through open banking
  • make cross-border European payment services safer.

PSD2 is an EU Directive, administered by the European Commission (Directorate General Internal Market) to regulate payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA).

Message from the Executive Director

Another year is drawing to a close.  On behalf of the EAST Board I would like to thank everyone who has contributed towards the success of EAST this year – as a non-profit organisation on a tight budget we very much depend on the contributions made by our members towards our outputs.

This month we published upgraded Terminal Fraud Definitions to illustrate what the criminal target outcome is for each fraud type.  This is a major step forward in standardising the classification of terminal fraud, which will hopefully help to continue to drive down related fraud losses – this will benefit the industry and law enforcement agencies globally when working to prevent payment terminal related crime, or in the follow up to specific cases.  This work would not have been possible without the creative input of Ben Birtwistle (NatWest Bank Plc) and Claire Shufflebotham (TMD Security).

We held National Member meetings in Frankfurt in February (our 44th Meeting hosted by EURO Kartensysteme GmbH), in The Hague in June (our 45th Meeting hosted by EC3 at Europol) and in London in October (our 46th Meeting hosted by the LINK Scheme).  The 46th Meeting was immediately followed by a Terminal Fraud Seminar and an ATM Physical Attacks Seminar.  These successful events were organised by our Financial Crime & Security (FCS) Events team and were co-located with RBR’s ATM & Cyber Security Conference 2018 (#ACS18).  These events are planned to be held again in October 2019 and for more information please check our new Events Website which went ‘live’ during the year.

The EAST Expert Group on All Terminal Fraud (EGAF), chaired by Otto de Jong, held two meetings in January and September, both hosted by ING in Amsterdam.  EGAF produced  the upgraded Terminal Fraud Definitions and also worked with Europol on an update to the published ‘Guidance and Recommendations to help counter Logical Attacks at ATM’s’.  The updated version will soon be published by Europol.  Law Enforcement participation is from Europol, INTERPOL, the US Secret Service, the BKA and the French Gendarmerie (IRCGN).

The EAST Expert Group on ATM and ATS Physical Attacks (EGAP), chaired by Graham Mott, held two meetings in March and September, both in The Hague, one hosted by Europol and the other by the LINK Scheme.  Law Enforcement participation in this group continues to increase with LEAs fro10 ifferent countries participating, in addition to Europol.

The EAST Payments Task Force (EPTF), chaired by Rui Carvalho, held two meetings in April and November, both hosted by the BPFI in Dublin.  This group has recently produced Payment Fraud Terminology and definitions, used when producing Payment Alerts and other documents. The aim is for this terminology to be adopted globally when describing or reporting payment and transaction fraud.  Law Enforcement participation is from Europol, INTERPOL and the US Secret Service.

In addition to the work of the above groups, we supported Law Enforcement during the year by presenting at: a seminar on Fraud in Electronic Payments organised by the Portuguese Judicial Police; Europol’s 5th Strategic Meeting on Payment Card Fraud held in Hanoi, Vietnam; the Europol Training on Payment Card Forensics; by attending Europol’s Cryptocurrency Conference; and most recently by joining Europol’s Advisory Group on Financial Services.

We also presented at the following public and private sector events: the Fourth Annual Latin American Forum on Security in Payment Systems, and the CyberSouth Regional Workshop on Business Email Compromise (CEO Fraud) and Electronic Payment Fraud.

EAST continues to keep abreast of the latest fraud trends and crime information, publishing our European Payment Terminal Crime Reports and European Fraud Updates.  Our thanks again go out to all the people and organisations that have shared information for the above, and for EAST Fraud Alerts (34 sent out this year to date), EAST Physical Attack Alerts (10 sent out this year to date) and most recently EAST Payment Alerts (6 sent out this year to date).  This year the total number of Fraud Alerts published passed 200!

EAST Associate Membership continues to grow.  We now have 202 Associate Member organisations from 52 countries and territories.  This membership category is open for worldwide application to all Banks, Law Enforcement (free membership available), and other approved ATM Stakeholder organisations.

Wherever you are reading this I would like to wish you a wonderful festive break and a very happy New Year!

Kind regards

Lachlan

 

 

Viewpoint: Poll shows majority of payment fraud losses are reimbursed in a week

In a website research poll that ran from September to December 2017, participants who had experienced losses due to payment fraud over the past two years were asked how long it took them to get reimbursed.  77% were reimbursed within a week, with a third getting their money back on the first day, and for 23% reimbursement took up to a month. The full poll results can be seen in the chart below.

payment fraud

Money can only be taken from your bank account if you have authorised the transaction or your bank can prove you were at fault. If you notice a payment out of your bank account that you did not authorise, best advice is to contact your bank immediately. If you are sure you did not authorise a particular payment you can claim a refund.

The current website research poll, which closes at the end of April, is also on Payment Fraud and asks how you felt if you have been contacted by your bank about suspicious transactions, and/or your account was blocked for the same reason.  To take it, and to see all past results, visit the Payment and Terminal Research page on this website.

Message from the Executive Director

The end of another busy year is almost upon us.  On behalf of the EAST Board I would like to thank everyone who has contributed towards the continued success of EAST this year – and it has been a very busy year.  In June we changed our name to become the European Association for Secure Transactions, the culmination of many discussions held by our Board and National Members, and positioning EAST to continue to be able to support the needs of our members in the fast changing payments landscape.  The announcement was made at our Third EAST FCS Forum in The Hague.  This well-attended event, the best yet, also featured two new interactive workshops run by EAST EGAF and EAST EGAP.

We held National Member meetings in Oslo in February (our 41st Meeting hosted by Bits AS), in The Hague in June (our 42nd Meeting hosted by Europol) and in Edinburgh in October (our 43rd Meeting hosted by the LINK Scheme).  In January Halo BCA joined EAST as a new National Member for Indonesia and in April Banorte IXE joined EAST as a new National Member for Mexico

The EAST Expert Group on All Terminal Fraud (EGAF), chaired by Otto de Jong, held three meetings in January, May and September, all hosted by ING in Amsterdam.  EGAF updated its guidelines on standardising terminology for locations of Card Data Compromise (CDC) devices at ATMs and also the definitions used to report and classify ATM fraud.  Law Enforcement participation is from Europol, the US Secret Service, the BKA and the French Gendarmerie (IRCGN).

The EAST Expert Group on ATM and ATS Physical Attacks (EGAP), chaired by Graham Mott, held two meetings in March and September, both in The Hague, one hosted by Europol and the other by the LINK Scheme.  Law Enforcement participation in this group is increasing with LEAs from 8 different countries participating, in addition to Europol.

The EAST Payments Task Force (EPTF), chaired by Rui Carvalho, held its first face-to-face meeting in April and its second meeting last month.  Both were hosted by the BPFI in Dublin.  This group will add value to the payments industry by using the unique and extensive EAST National Member platform and Associate Member network to provide information and outputs that are not currently available elsewhere.  Law Enforcement participation is from Europol and the US Secret Service.

In addition to the work of the above groups, we supported Law Enforcement during the year by presenting at:  the Europol Training on Payment Card Forensics; an INTERPOL event focussed on countering Cyber and Financial Crimes; Europol’s 4th Strategic Payment Card Fraud meeting in Asia; and Europol’s first combined Strategic Payment Card Fraud Meeting with representatives from Asia-Pacific, Europe and Latin America.

We took part in the 5th Europol-INTERPOL Cybercrime Conference and formalised a relationship with ASEANAPOL, another step forward in addressing the consequences of the spread of the activities of organised criminal groups across regions and globally.

We also presented at the following private sector events: the MasterCard Global Risk Leadership Conference – Europe, the NCR Fraud & Security Summit, the Third Latin America Security Forum, and the General Assembly of Vigie Billet.

EAST continues to keep abreast of the latest fraud trends and crime information, publishing our European Payment Terminal Crime Reports and European Fraud Updates.  Our thanks again go out to all the people and organisations that have shared information for the above, and for EAST Fraud Alerts (41 sent out this year to date), and EAST ATM Physical Attack Alerts (12 sent out this year to date).  Our first Payment Alert is expected to be published shortly.

EAST Associate Membership continues to grow.  We now have 192 Associate Member organisations from 52 countries and territories.  This membership category is open for worldwide application to all Banks, Law Enforcement (free membership available), and other approved ATM Stakeholder organisations.

Wherever you are reading this I would like to wish you a wonderful festive break and a very happy New Year!

Kind regards

Lachlan

 

Viewpoint: Poll indicates malware and black box attacks are biggest fraud risk to the ATM channel

In a website research poll that ran from May to August 2017 participants were asked how they saw fraud risk developing for ATMs. 67% of respondents felt that malware and black box attacks were the biggest risk, 20% went for card skimming, 7% chose social engineering, and cash trapping and card trapping were each chosen by 3%. The poll results can be seen in the chart below.

black box

This poll result is in line with EAST’s published European ATM fraud statistics, with reports that date back to 2004.  Over the past thirteen years we have seen fraud trends change, particularly since the EMV (Chip and PIN) roll out commenced.  Most recently we have seen an increase in black box attacks, as highlighted in an ATM Crime Report published by EAST in April 2017 and covering the full year 2016.

The current website research poll, which closes at the end of December, is on Payment Fraud and asks if you have experienced losses due to payment fraud over the past two years, how long did it take to get reimbursed?  To take it, and to see all past results, visit the Payment and Terminal Research page on this website.

Viewpoint: Has your payment card been compromised and , if so, where?

In a website research poll that ran from January to April 2017 cardholders who had had a payment card compromised were asked if they knew where the compromise took place. 33% of respondents answered ‘during an online transaction’, 14% ‘at an ATM’, 14% ‘at a petrol (gas) station’ ,10% ‘due to a data breach’. and 5% ‘at a merchant terminal’.  24% did not know where the compromise took place. The poll results can be seen in the chart below.

 

How safe you feel as a cardholder when making a card-based payment transaction is of paramount concern to the industry.  The EAST Payments Task Force (EPTF) is focusing on payment research.

The current website research poll, which closes at the end of August is on ATM fraud and asks what you feel is the biggest fraud risk to the ATM channel over the next few years?  To take it, and to see all past results, visit the ATM Research Page on this website.

Viewpoint: What is the highest risk for card-based payment transactions?

In a website research poll that ran from September to December 2016 cardholders were asked, in a card present scenario, which type of transaction they felt is least secure.  31% of respondents answered ‘using an ATM’, 29% ‘using a mobile phone’, 26% ‘using a retail payment terminal’ and 14% ‘using contactless technology’.  The poll results can be seen in the chart below.

Most people make card-based payment transactions on a regular basis.  When doing so trust in the security of the transaction is vital.  The industry consistently works to ensure that this trust is not-misplaced by monitoring transactions and by putting effective security measures in place.

That being said criminals continue to work at finding weak points in current security measures and in developing new ways to fraudulently obtain cash.  This results in ‘technology chase’ as both sides react to the actions of the other.

How safe you feel as a cardholder when making a card-based payment transaction is of paramount concern to the industry.  The EAST Payments Task Force (EPTF) is currently focusing on payment research.

The current website research poll, which closes at the end of April, is also on payment security and asks those who have had a payment card compromised for information on where the compromise took place.  To take it, and to see all past results, visit the ATM Research Page on this website.

Viewpoint: Are mobile phone payments safe?

The EAST Payments Task Force (EPTF) is currently focusing on payment research. In a website research poll on mobile phone payments that ran from May to August 2016 the question ‘Are you satisfied your payment details are safe when buying goods or services using your mobile phone?’ was asked.  58% of respondents were not satisfied, 28% were satisfied and 14% were completely satisfied.  The poll results can be seen in the chart below.

There are currently more than 7.8 billion mobile phones in use around the world. With the number of phones in operation now exceeding the number of people on the planet, banks and stores are using this facility to reach their customers and see the saturation of mobile phones as an opportunity to make the consumer payment experience a convenient and seamless one.

Consumers can now use NFC technology on their smart phone to make contactless payments in stores and to pay for goods and services using in-app payment tools or directly using the internet browser on the phone.

In making payments easier to manage and more accessible for consumers, there is an underlying risk that access to that information is also made easier for the criminal element, aiming to capture the payment data used by unsuspecting consumers.

While the industry continues to build solutions and barriers to this criminal activity the EPTF is examining consumer behaviour and this poll result is an indication of how consumers view the safety of their payment details when using mobile phones to pay for goods and services.

The current website research poll, which closes at the end of April, is also on payment security and asks those who have had a payment card compromised for information on where the compromise took place.  To take it, and to see all past results, visit the ATM Research Page on this website.

Message from the Executive Director

Another year is almost over.  On behalf of the Board I would like to thank all those who have worked so hard to provide information, time and resources to help us to meet our targets and objectives.  Some of the highlights are as follows:

EAST National Members - badgeWe held National Member meetings in Stockholm in February (our 38th Meeting co-hosted by Bankomat AB and the Pan-Nordic Card Association), in The Hague in June (our 39th Meeting hosted by Europol) and in Bucharest in October (our 40th Meeting hosted by the Romanian Banking Association – ARB).  In January The Polish Bank Association (ZBP) joined EAST as the new National Member for Poland, taking over from Bank Zachodni WBK.
The EAST Expert Group on ATM Fraud - Logo

The EAST Expert Group on ATM Fraud (EGAF), chaired by Otto de Jong, held three meetings in January, May and September, all hosted by ING in Amsterdam.  EGAF members assisted Europol to translate the co-produced document ‘Guidance & recommendations regarding logical attacks on ATMs’ into German, Italian and Spanish.

The EAST Expert Group on ATM Physical Attacks - LogoThe EAST Expert Group on ATM Physical Attacks (EGAP), chaired by Graham Mott, held two meetings in March and September, both hosted by the LINK Scheme in London.  In February EGAP published a document entitled ‘ATM Physical Security Guidelines’ and in October a document with lists of the Manufacturers of ATM Protective devices.

The EAST Payments Task Force (EPTF), chaired by Rui Carvalho, continues to come together.  EAST has expanded its remit beyond ATMs to include all terminal types and the EAST focus is increasingly moving to Card Not Present (CNP) fraud issues which continue to rise.  A series of teleconferences have been held and the first face-to-face meeting is planned for 2017.

In March EAST supported Europol and represented the private sector at the Second Strategic Meeting on Payment Card Fraud (PCF) in Kuala Lumpur, Malaysia.  I participated in this two day meeting which was co-organised with ASEANAPOL, with the cooperation of INTERPOL and the support of the Romanian National Police and the Royal Malaysian Police.

In May EAST joined forces with the Latin American Association of Operators Electronic Funds Transfer and Information Services (ATEFI) in order to further strengthen cross border cooperation in combating all types of payment crime including payment card fraud, hi-tech crime and ATM cyber and physical attacks.

In June Úna Dillon presented at the 2nd Europol Training Course on Payment Card Fraud Forensics and Investigations, which was held at the National Spanish Police Academy, Ávila, Spain, and at the 37th member meeting of the European Association of Payment Service Providers for Merchants (EPSM), which was held in Dublin, Ireland.

In August Rui Carvalho presented at the SAS Fraud & Security Intelligence Customer Connect event held in the USA at the SAS World Headquarters in Cary, North Carolina.    .

In December I presented on behalf of the private sector at the Third Strategic Meeting on Payment Card Fraud (PCF) organised by Europol in Bangkok, Thailand.  The event was co-organised with ASEANAPOL and INTERPOL with the support of the Romanian National Police and the Royal Thai Police, and was hosted by the Electronic Transactions Development Agency (ETDA), and the Ministry of Digital Economy and Society.

EAST continues to keep abreast of the latest fraud trends and crime information, publishing our European ATM Crime Reports and European Fraud Updates.  Our thanks go out to all the people and organisations that have shared information for the above, and for EAST ATM Fraud Alerts (49 sent out this year to date), and EAST ATM Physical Attack Alerts (3 sent out this year to date).

EAST Associate Members - badgeEAST Associate Membership continues to grow  both numerically and geographically.  We currently have 168 Associate Member organisations from 51 countries and territories. This membership category is open for worldwide application to all Banks, Law Enforcement (free membership available), and other approved ATM Stakeholder organisations

Lastly, registration is now open for our third Financial Crime and Security (FCS) Forum, EAST FCS 2017, which will be held on 8th/9th June 2017 in The Hague.  This event has an exciting new format which will include breakout sessions hosted by both EGAF and EGAP.  As I write early-bird registration discounts are still available.  It would be wonderful to meet you there.

On behalf of EAST, I would like to wish all readers a wonderful festive break and a very happy and fulfilling New Year.

Kind regards

Lachlan