EAST has published its third European Fraud Update for 2018. This is based on country crime updates given by representatives of 15 countries in the Single Euro Payments Area (SEPA), and 3 non-SEPA countries, at the 46th EAST meeting held in London on 9th October 2018.
Payment fraud issues were reported by fourteen countries. Seven countries reported card-not-present (CNP) as a key fraud driver. One country reported merchant manipulation of settlement files to force through authorisations on POS terminals – once the forced transaction is through on a card, the merchant cashes out using it. One country reported malware related to two APT attacks – some Chinese criminals are under observation in connection with them. Another country reported impersonation fraud relating to bill payments – possibly involving collusive postal workers. To date in 2018 the EAST Payments Task Force (EPTF) has published six Payment Alerts covering phishing, malware on mobile phones, fraudulent mobile apps, CNP fraud and technological fraud. The EPTF has recently published payment terminology and definitions.
ATM malware and logical security attacks were reported by seven countries. Four of the countries reported ATM-related malware and six countries reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash. To date in 2018 the EAST Expert Group on All Terminal Fraud (EGAF) has published eleven related Fraud Alerts.
Card skimming at ATMs was reported by fourteen countries. The overall trend is downward, as the recently published EAST European Payment Terminal Crime Report covering January to June 2018 highlights. The usage of M3 – Card Reader Internal Skimming devices was reported by four countries and one country reported the use of M2 – Throat Inlay Skimming Devices. Skimming attacks on other terminal types were reported by five countries, three of which reported such attacks on unattended payment terminals (UPTs) at petrol stations. One country reported that a series of shimming devices at POS terminals had been detected and taken down. To date in 2018 EAST EGAF has published twelve related Fraud Alerts.
Year-to-date international skimming-related losses were reported in 44 countries and territories outside SEPA and in 6 within SEPA. The top three locations where such losses were reported remain Indonesia, the USA and India.
Six countries reported incidents of Transaction Reversal Fraud (TRF), one of which reported a new attack variant where the criminals use a ‘chip-on-a-strip’. To date in 2018 EAST EGAF has published five related Fraud Alerts.
Ram raids and ATM burglary were reported by eight countries and eight countries reported explosive gas attacks, one of which reported that two people had been sent to hospital due to related smoke inhalation. Five countries reported solid explosive attacks. The spread of such attacks has long been of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings. One such attack resulted in the death of a person, the first time that this has been reported. To date in 2018 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published seven related Physical Attack Alerts.
The full Fraud Update is available to EAST Members (National and Associate).