The Terminal Fraud Definitions used by EAST when issuing Fraud Alerts, or when compiling the statistics and other information for European Payment Terminal Reports and Fraud Updates, are shown below. The definitions for Terminal Related Fraud Attacks have been prepared by the EAST Expert Group on All Terminal Fraud (EGAF) and also illustrate what the criminal target outcome is for each fraud type.
The aim is for these Terminal Fraud Definitions, as well as the related criminal benefits, to be adopted globally when describing or reporting payment terminal fraud.
EAST also publishes Terminology for Locations of Card Data Compromise (CDC) Devices at Terminals, Fraud Terminology, Fraud Definitions, Central/Host Fraud Definitions, Terminal Physical Attacks Definitions & Terminology and Countermeasures against ATM Malware and Black Box Attacks.
Data Relay Attacks
| Terminal-to-Terminal Data Relay | |
|---|---|
| Within these attacks the legitimate customer/user operates a Compromised Terminal with their card for either a contact or a contactless transaction. The following Terminal-to-Terminal relay variants have been observed: | |
| a) Contact to Contact relay | |
| b) Contactless to Contactless relay | |
| For both attack variants the Compromised Terminal operated by the customer can be an unattended payment terminal (UPT) as well as an ATM. At both types of terminals, the installation of an Active Shimming Device is required to take full control over the data exchange with the customer card. The transaction data may be utilized to perform a Cash-Out transaction at an ATM or for payment at a POS terminal. The customer may experience aborted or interrupted transactions but does not knowingly disclose any confidential data. The PIN can be retrieved via different methods based on the type of Compromised Terminal. This could be a camera, a keypad overlay or via Offline Plaintext PIN verification initiated by the shimming device, if this is supported by the Compromised Terminal. | |

| Card-to-Terminal Data Relay | |
|---|---|
| Within these attacks, the customer is the victim of a phishing campaign disclosing confidential account data including the PIN to enable transaction data relay from the customer card. Within such relay attacks the customer is not using a terminal and no Active Shimming Device is utilized. The following Card-to-Terminal relay variants have been observed: | |
| a) Synchronous relays: | The customer presents their card on their mobile phone with the intention of performing a transaction with a banking app. Instead of utilizing a legitimate app, the customer has previously and unknowingly installed a malicious app (e.g. NGate), which they received via a phishing attack. This malicious app triggers a transaction and relays data in real-time to a terminal operated by the criminal. |
| b) Asynchronous relays: | Through social engineering or phishing the customer enables the criminal to provision their card into a digital wallet controlled by the criminal (also known as ‘Ghost Tap’). Once the provisioning fraud has been completed, the criminal can use the wallet to perform transactions without any further customer interaction or connection to the customer card. The relay occurs from centrally controlled wallets towards runners using malicious apps that forward NFC traffic to purchase gift cards or to perform ATM cash-outs. The relay is utilized to scale the operation of many wallets. |
Terminal Related Fraud Attacks
Criminal Benefits
Each fraud type defined below has distinct criminal benefits and, to help understand these, EAST EGAF has come up with six ways that criminals achieve their target, as shown below. The applicable criminal benefits are shown next to each fraud definition.
Note: CNP = Card-Not-Present

Terminal Fraud Definitions






Note: TRF = Transaction Reversal Fraud












