2019 EAST FCS Seminars – Save The Date!

The 2019 EAST Financial Crime & Security (FCS) Seminars will be held on Wednesday 9th October 2019, at the Park Plaza, Victoria, London, UK.  Save the date!  Register now to get the Early Bird Registration Rate and save £100 on the Standard Registration Rate! (see current 2019 prices here)

Early Registration deadline – Monday 19th August 2019

Two concurrent seminars will be held:

To view last year’s EAST FCS programme and speakers or to check the venue details please visit our events website: www.east-events.org

These events will be co-located with RBR’s ATM & Cyber Security 2019 event, although separate registration is required.

47th EAST Meeting hosted by SIBS in Lisbon

The 47th Meeting of EAST National Members was hosted by SIBS at the SANA Metropolitan Hotel in Lisbon on 6th February 2019. National country crime updates were provided by 21 countries, and a global update by HSBC.  Topics covered included payment fraud and the evolution of payment technology, ATM malware and logical attacks, terminal related fraud attacks and ATM related physical attacks.

Presentations were also given by the EAST Payments Task Force (EPTF) and the EAST Expert Group on All Terminal Fraud (EGAF).  An update was given by the EAST Expert Group on ATM and ATS Physical Attacks (EGAP).

EAST Fraud Update 1-2019 will be produced later this month, based on the national country crime updates provided at the meeting.  EAST Fraud Updates are available on the EAST Website to EAST Members.

EAST presents at EUCPN / Europol Conference on Prevention of ATM Physical Attacks

EAST Executive Director Lachlan Gunn, representing the EAST Expert Group on ATM and ATS Physical Attacks (EAST EGAP), presented at a conference on the prevention of ATM physical attacks co-organised by the European Crime Prevention Network (EUCPN) and Europol.  The event, attended by experts from law enforcement and the private sector, was held in Brussels on 22/23 January 2019.

The focus of the conference was on the sharing of experiences, insights and best practices with a view to preventing these types of attack on ATMs.  Of particular concern were explosive gas and solid explosive attacks.  An overview of the current situation was built up and then in-depth workshops were held to consider ATM Physical Attack prevention before, during and after an attack.

As a result of the conference the EUCPN and Europol will prepare a paper on the most effective measures that can be used to prevent or deter ATM Physical attacks.

Europol launches new ATM Logical Attack Guidelines at 17th EAST EGAF Meeting

Europol has published new guidelines to help industry and law enforcement counter the ATM Logical Attack threat.  The document was officially launched at the 17th Meeting of the EAST Expert Group on All Terminal Fraud (EAST EGAF), which took place on Wednesday 16th January 2019 at ING Domestic Bank in Amsterdam.  Production of the document was coordinated by EAST EGAF.  It has three sections:

  1. Description of Modi Operandi
  2. Mitigating the risk of ATM Logical and Malware Attacks, Setting up Lines of Defence
  3. Identifying and responding to Logical and Malware Attacks

The original Guidelines were published in 2015 when law enforcement and the private sector came together to support the banking and payments industry. That report, the first of its kind, provided vendor-neutral guidance on countermeasures to such attacks, as well as a collection of indicators that could be used to detect when an incident may have occurred.  This new version provides clearer definitions and greater clarity of the criminal methods and techniques encountered in these attacks, and more detailed recommendations on how to mount a robust and effective response to them.

Steven Wilson, Head of Business at Europol’s European Cybercrime Centre (EC3), said “This updated and refocused edition of the report draws upon the expertise of an expanded panel of experts from both law enforcement and the private sector. In addition to the key role played by EAST, I would like to extend my thanks to Diebold Nixdorf, GMV, ING, INTERPOL, NCR, TMD Security and Trend Micro for their invaluable work and contributions, without which this report would not be possible.  I continue to look forward to Europol’s engagement and cooperation with all of our partners within private industry and law enforcement in such endeavours, and our continuing fight against threats affecting the payment industry.”

Circulation of the document is restricted to Law Enforcement and to the banking and payments industry, which includes EAST Members (National and Associate).

17th EAST EGAF Meeting

The 17th Meeting was chaired by Mr Otto de Jong and was attended by Europol and INTERPOL as well as by key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors and Forensic Analysts.

EAST EGAF is a regional expert group that focuses on regional and global payment terminal crime and fraud related issues, threats and counter-measures.  The Group, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Skimming, Card Trapping, Cash Trapping and Transaction Reversal Fraud.

In addition EAST EGAF generates EAST Fraud Alerts for all EAST Members (National and Associate). In total 204 EAST Fraud Alerts have been issued, 3 to date in 2019.

EAST EGAF meetings are restricted to working group members and, to provide a wider platform for sharing/discussion, the Group is holding a half-day open seminar in London on 9th October 2019.  Registration for this will soon be open and more information can be found on the EAST Events website.

Viewpoint: PSD2 will revolutionise the payments system

All respondents to an EAST Poll that ran from May to August 2018 felt that the new Payments Service Directive 2 (PSD2) will revolutionise the payments system.  58% felt that it would have an impact on a medium or short term basis and 42% felt that the impact would be on a long term basis.

PSD2 came into force on 13 January 2018. Banks need to adapt to the required changes that open many technical challenges, but also many strategic opportunities, such as collaborating with fintech providers, for the future.  The PSD2 aims are to:

  • better protect consumers when they pay online
  • promote the development and use of innovative online and mobile payments such as through open banking
  • make cross-border European payment services safer.

PSD2 is an EU Directive, administered by the European Commission (Directorate General Internal Market) to regulate payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA).

Message from the Executive Director

Another year is drawing to a close.  On behalf of the EAST Board I would like to thank everyone who has contributed towards the success of EAST this year – as a non-profit organisation on a tight budget we very much depend on the contributions made by our members towards our outputs.

This month we published upgraded Terminal Fraud Definitions to illustrate what the criminal target outcome is for each fraud type.  This is a major step forward in standardising the classification of terminal fraud, which will hopefully help to continue to drive down related fraud losses – this will benefit the industry and law enforcement agencies globally when working to prevent payment terminal related crime, or in the follow up to specific cases.  This work would not have been possible without the creative input of Ben Birtwistle (NatWest Bank Plc) and Claire Shufflebotham (TMD Security).

We held National Member meetings in Frankfurt in February (our 44th Meeting hosted by EURO Kartensysteme GmbH), in The Hague in June (our 45th Meeting hosted by EC3 at Europol) and in London in October (our 46th Meeting hosted by the LINK Scheme).  The 46th Meeting was immediately followed by a Terminal Fraud Seminar and an ATM Physical Attacks Seminar.  These successful events were organised by our Financial Crime & Security (FCS) Events team and were co-located with RBR’s ATM & Cyber Security Conference 2018 (#ACS18).  These events are planned to be held again in October 2019 and for more information please check our new Events Website which went ‘live’ during the year.

The EAST Expert Group on All Terminal Fraud (EGAF), chaired by Otto de Jong, held two meetings in January and September, both hosted by ING in Amsterdam.  EGAF produced the upgraded Terminal Fraud Definitions and also worked with Europol on an update to the published ‘Guidance and Recommendations to help counter Logical Attacks at ATM’s’.  The updated version will soon be published by Europol.  Law Enforcement participation is from Europol, INTERPOL, the US Secret Service, the BKA and the French Gendarmerie (IRCGN).

The EAST Expert Group on ATM and ATS Physical Attacks (EGAP), chaired by Graham Mott, held two meetings in March and September, both in The Hague, one hosted by Europol and the other by the LINK Scheme.  Law Enforcement participation in this group continues to increase with LEAs from 10 different countries participating, in addition to Europol.

The EAST Payments Task Force (EPTF), chaired by Rui Carvalho, held two meetings in April and November, both hosted by the BPFI in Dublin.  This group has recently produced Payment Fraud Terminology and definitions, used when producing Payment Alerts and other documents. The aim is for this terminology to be adopted globally when describing or reporting payment and transaction fraud.  Law Enforcement participation is from Europol, INTERPOL and the US Secret Service.

In addition to the work of the above groups, we supported Law Enforcement during the year by presenting at: a seminar on Fraud in Electronic Payments organised by the Portuguese Judicial Police; Europol’s 5th Strategic Meeting on Payment Card Fraud held in Hanoi, Vietnam; the Europol Training on Payment Card Forensics; by attending Europol’s Cryptocurrency Conference; and most recently by joining Europol’s Advisory Group on Financial Services.

We also presented at the following public and private sector events: the Fourth Annual Latin American Forum on Security in Payment Systems, and the CyberSouth Regional Workshop on Business Email Compromise (CEO Fraud) and Electronic Payment Fraud.

EAST continues to keep abreast of the latest fraud trends and crime information, publishing our European Payment Terminal Crime Reports and European Fraud Updates.  Our thanks again go out to all the people and organisations that have shared information for the above, and for EAST Fraud Alerts (34 sent out this year to date), EAST Physical Attack Alerts (10 sent out this year to date) and most recently EAST Payment Alerts (6 sent out this year to date).  This year the total number of Fraud Alerts published passed 200!

EAST Associate Membership continues to grow.  We now have 202 Associate Member organisations from 52 countries and territories.  This membership category is open for worldwide application to all Banks, Law Enforcement (free membership available), and other approved ATM Stakeholder organisations.

Wherever you are reading this I would like to wish you a wonderful festive break and a very happy New Year!

Kind regards

Lachlan

EAST Upgrades Terminal Fraud Definitions

EAST has upgraded its Terminal Fraud Definitions to illustrate what the criminal target outcome is for each fraud type.  This information is now available on the EAST website.

The EAST Expert Group on All Terminal Fraud (EGAF) has identified six ways by which criminals achieve their targets from the different terminal fraud types as shown below:

In the upgraded Terminal Fraud Definitions each applicable criminal benefit is highlighted next to each terminal fraud type.  The defined Terminal Fraud Types are: Card Skimming; Card Shimming; Eavesdropping; Card Trapping; Cash Trapping; Transaction Reversal Fraud (TRF); Malware; and Black Box.

Below is the definition for Card Skimming which highlights that skimming enables criminals to: Create counterfeit cards; make card-not-present (CNP) purchases; use fake cards in-store; and sell compromised data.

[Image: fraud definitions - card skimming]

EAST Executive Director Lachlan Gunn said “This is a major step forward in standardising the classification of terminal fraud, which will hopefully help to continue to drive down related fraud losses. The EGAF Chair, Otto de Jong, and his team have produced something fresh and simple which we hope will be adopted globally by the Industry and Law enforcement when describing or reporting terminal fraud. In particular we would like to thank Ben Birtwistle of NatWest Bank plc, along with Claire Shufflebotham and Niek Westendorp of TMD Security, whose creative ideas and design made this latest upgrade possible.”

A summary of the upgraded fraud definitions and terminology is available on the EAST website along with a more detailed document for download.  These have been classified ‘WHITE’ under the terms of the EAST Information Security Policy and may be shared freely, subject to standard copyright rules.

200 Fraud Alerts Issued by EAST

EAST has published its 200th Fraud Alert.  These Alerts are issued by EAST National Members, often with the support of Law Enforcement and other EAST Associate Members.  To date 28 countries have issued Fraud Alerts covering ATMs, Unattended Payment Terminals (UPTs) and Point of Sale (POS) Terminals.

EAST first started issuing Fraud Alerts in September 2013.  These Alerts provide valuable and timely intelligence to law enforcement agencies and the industry, allowing the spread of emerging threats and criminal methodologies to be tracked across the world.  While most of the Alerts have been issued by countries within the Single Euro Payments Area (SEPA), there have been some from Belarus, Mexico, Russia, Serbia, Turkey, Ukraine and the United States.

To date EAST Fraud Alerts issued have covered:  Black Box attacks (cash out / jackpotting); Card Shimming (S1 devices); Card Skimming (highlighting the spread of different devices such as M1, M2, M3, D2 and D3); Card Trapping; Cash Trapping; Deposit Fraud; Eavesdropping (highlighting the use of different MOs such as E2 and E3); EMV Shock Cards; Malware (cash out / jackpotting); Transaction Reversal Fraud; and Vandalism.  The table below shows a summary of the Alerts issued:

[Image: Fraud Alerts]

Definitions of the different fraud types and related terminology are available on this website.

The EAST Expert Group on All Terminal Fraud (EGAF) initiated the Fraud Alerts and conducts in-depth analysis of some of the emerging threats and devices.  Each Alert covers: the type of fraud; the country where discovered; the terminal type(s) affected; an indication as to whether or not the fraud was successful; a description of the device and the criminal MO; indication as to the device location; information on PIN compromise (if card skimming or card trapping); and any available images.

EAST also issues Payment Alerts and Physical Attack Alerts.

EAST Alerts contain sensitive information and are restricted to EAST Members (National and Associate).  They are classified as AMBER using the variant of the Traffic Light Protocol (TLP) adopted by EAST.

EPTF holds Fourth Meeting

The Fourth Meeting of the EAST Payments Task Force (EPTF) took place on Thursday 22nd November 2018 at the Banking & Payments Federation Ireland (BPFI) in Dublin.

The EPTF is a specialist task force that discusses security issues affecting the payments industry and that gathers, collates and disseminates related information, trends and general statistics.  The EPTF has recently published Payment Fraud Terminology and Payment Fraud Definitions.  The aim is for the payment fraud terminology, and related payment fraud definitions, to be adopted globally when describing or reporting payment and transaction fraud.

The meeting was chaired by Mr Rui Carvalho, EAST Development Director, and was attended by key representatives from Card Issuers, Law Enforcement, Payment Processors, Payment Providers and Solution Providers.

Presentations or updates were given by BANCOMAT S.p.A, BPFI, Diebold Nixdorf, EURO Kartensysteme GmbH, Europol, INTERPOL, PayLife, PayPal, Trend Micro and Visa Europe.

The Group, which meets twice a year, adds value to the payments industry by using the unique and extensive EAST National Member platform and Associate Member network to provide information and outputs that are not currently available elsewhere.  EAST National Members represent 35 countries and outputs from the group are presented to National Member Meetings.  There are 202 EAST Associate Member Organisations from 52 countries and territories.

EAST Presents at CyberSouth Event

EAST Executive Director Lachlan Gunn presented at a CyberSouth Regional Workshop on Business Email Compromise (CEO Fraud) and Electronic Payment Fraud on 13 November 2018. The event, which ran from 12-14 November 2018, was held at the Directorate for Investigating Organised Crime and Terrorism (DIICOT) in Bucharest, Romania and was implemented by the Council of Europe.  The CyberSouth project focuses on cooperation on cybercrime in the Southern Neighbourhood and aims at reinforcing the capacities of specialised units with responsibilities relating to tackling cybercrime and dealing with electronic evidence.

The workshop focused on increasing the knowledge of the participants on the different trends and typologies of online fraud and of electronic payment fraud in order to assist with strengthening the capacity of the criminal justice authorities in the CyberSouth countries to search for, seize, and confiscate the illicit proceeds of cyber-criminals in the target areas.  Cybercrime investigators and prosecutors from the following Southern Neighbourhood priority area countries attended the event: Algeria; Jordan; Lebanon; Morocco; Tunisia.

National representatives were also present from Germany, Israel, Romania and the USA.  Europol and Eurojust were present and the private sector was represented by American Express, BIT Defender and EAST.

The EAST presentation covered the structure and methodology used by EAST to help improve public/private sector cross-border cooperation in the fight against organised cross-border crime, and then shared information on the latest statistics and trends relating to logical (black box) attacks against ATMs, and also on malware used to enable jackpotting (cash out) at ATM locations.  The latest fraud definitions produced by EAST were also shared and it was advised that an updated version of these will soon be available.  These definitions are aimed at helping law enforcement agencies, private sector fraud investigators and other stakeholders to standardise reporting terminology when following up on incidents.

The Cybercrime Programme Office of the Council of Europe (C-PROC), based in Bucharest, is responsible for assisting countries worldwide in the strengthening of their criminal justice capacity to respond to the challenges posed by cybercrime and electronic evidence on the basis of the standards of the Budapest Convention of Cybercrime.  This is the only binding international instrument on this issue and serves as a guideline for any country developing comprehensive national legislation against Cybercrime and as a framework for international cooperation between State Parties to The Convention on Cybercrime of the Council of Europe (CETS No.185).