EPTF holds Third Meeting

The Third Meeting of the EAST Payments Task Force (EPTF) took place on Wednesday 18th April 2018 at the Banking & Payments Federation Ireland (BPFI) in Dublin.

The EPTF is a specialist task force that discusses security issues affecting the payments industry and that gathers, collates and disseminates related information, trends and general statistics.

The meeting was chaired by Mr Rui Carvalho, EAST Development Director, and was attended by key representatives from Card Issuers, Law Enforcement, Payment Processors, Payment Providers and Solution Providers.

Presentations were given by BPFI, Dutch Payments Association, EURO Kartensysteme GmbH, Europol, Groupement Des Cartes Bancaires, PayLife and Swordfish Security.

The Group, which meets twice a year, adds value to the payments industry by using the unique and extensive EAST National Member platform and Associate Member network to provide information and outputs that are not currently available elsewhere.  EAST National Members represent 35 countries and outputs from the group are presented to National Member Meetings.  There are 198 EAST Associate Member Organisations from 52 countries and territories.

European Commission facilitates access to electronic evidence

The European Commission (EC) is proposing new rules to make it easier and faster for police and judicial authorities to obtain the electronic evidence, such as e-mails or documents located on the cloud, they need to investigate, prosecute and convict criminals and terrorists.  The new rules will allow law enforcement in EU Member States to better track down leads online and across borders, while providing sufficient safeguards for the rights and freedoms of all concerned.

Criminals and terrorists all use text messages, emails and apps to communicate. More than half of all criminal investigations today include a cross-border request to obtain electronic evidence held by service providers based in another Member State or outside the EU. To obtain such data, judicial cooperation and mutual legal assistance are needed; however, the process is much too slow and cumbersome at present. Today, almost two thirds of crimes where electronic evidence is held in another country cannot be properly investigated or prosecuted, mainly due to the time it takes to gather such evidence or due to fragmentation of the legal framework. By making the process of obtaining electronic evidence quicker and more efficient, the proposals will help close this loophole.

Vera Jourová, EU Commissioner for Justice, Consumers and Gender Equality said “While law enforcement authorities still work with cumbersome methods, criminals use fast and cutting-edge technology to operate. We need to equip law enforcement authorities with 21st century methods to tackle crime, just as criminals use 21st century methods to commit crime.”


The proposals will:

  • create a European Production Order: This will allow a judicial authority in one Member State to request electronic evidence (such as emails, text or messages in apps) directly from a service provider offering services in the Union and established or represented in another Member State, regardless of the location of the data; the provider will be obliged to respond within 10 days, and within 6 hours in cases of emergency (as compared to 120 days for the existing European Investigation Order or 10 months for a Mutual Legal Assistance procedure);
  • prevent data from being deleted with a European Preservation Order: This will allow a judicial authority in one Member State to oblige a service provider offering services in the Union and established or represented in another Member State to preserve specific data to enable the authority to request this information later via mutual legal assistance, a European Investigation Order or a European Production Order;
  • include strong safeguards and remedies: Both orders can only be issued in the framework of criminal proceedings and all criminal law procedural safeguards apply. The new rules guarantee strong protection of fundamental rights, such as the involvement of judicial authorities and additional requirements for obtaining certain data categories. They also include safeguards for the right to personal data protection. The service providers and persons whose data is being sought will benefit from various safeguards, such as the possibility for the service provider to request a review if, for instance, the Order manifestly violates the Charter of Fundamental Rights of the European Union;
  • oblige service providers to designate a legal representative in the Union: to ensure that all service providers that offer services in the European Union are subject to the same obligations, even if their headquarters are in a third country, they are required to appoint a legal representative in the Union for the receipt of, compliance with and enforcement of decisions and orders issued by competent authorities of the Member States for the purposes of gathering evidence in criminal proceedings;
  • provide legal certainty for businesses and service providers: whereas today law enforcement authorities often depend on the good will of service providers to hand them the evidence they need, in the future, applying the same rules for ordering the provision of electronic evidence will improve legal certainty for authorities and for service providers.

For more information visit the website of the European Commission.

ATM Malware attacks hit Europe

EAST has just published a European Payment Terminal Crime Report covering 2017, which reports that ATM malware attacks have started in Western and Central Europe. A total of 192 ATM malware and logical attacks were reported, up from 58 in 2016, a 231% increase.  189 of the attacks were logical attacks in which equipment typically referred to as a ‘black box’ is used to send dispense commands directly to the ATM cash dispenser in order to cash-out the ATM.

The use of malware for cash-out was seen for the first time in Western and Central Europe with 3 such attacks reported by two countries.  Related losses were up 230%, from €0.46 million to €1.52 million.  EAST Executive Director Lachlan Gunn said, “The use of malware, such as Cutlet Maker, to cash-out ATMs has been around for some time but has not been reported in Western or Central Europe until 2017.  Early indications are that such attacks are continuing this year, although the recent related arrests announced by Europol are encouraging.  Our Expert Group on All Terminal Fraud (EGAF) is actively monitoring all malware threats to payment terminals, while our Payments Task Force (EPTF) is focusing on malware threats against the wider banking infrastructure.”

Overall payment terminal related fraud attacks fell 11% when compared with 2016 (down from 23,588 to 20,971 incidents).  This fall was mainly driven by a 23% decrease in card skimming incidents (down from 3,315 to 2,556 incidents).  This is the seventh successive year that the number of skimming incidents has fallen and the number of incidents reported in 2017 is the lowest since EAST first began gathering data in 2004.

Losses due to payment terminal related fraud attacks were up 6% when compared with 2016 (up from €332 million to €353 million).  Within these totals international skimming losses rose by 5% (up from €267 million to €280 million) and domestic skimming losses were up 21% (from €53 million to €64 million).

ATM related physical attacks rose 21% when compared with 2016 (up from 2,974 to 3,584 incidents).  Within this total ATM explosive attacks (including explosive gas and solid explosive attacks) were up 9% (up from 988 to 1,081 incidents).  Losses due to ATM related physical attacks were €31 million, a 37% drop from the €49 million reported during 2016.  Part of this decrease is due to the fact that one major ATM deploying country that used to report this data is currently unable to do so.

The average cash loss for a robbery is estimated at €16,899 per incident, the average cash loss for a ram raid or burglary attack is €12,804 and the average cash loss per explosive or gas attack is €12,591.  These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

A summary of the report statistics under the main headings is in the table below.

The full Crime Report is available to EAST Members (National and Associate).

Mastermind Behind €1 Billion Cyber Bank Robbery Arrested

The leader of the cybercrime syndicate behind the Carbanak and Cobalt malware attacks, which infiltrated over 100 financial institutions in 40 countries, has been arrested in Alicante, Spain.  The arrest followed a complex investigation conducted by the Spanish National Police, with the support of Europol, the US FBI, the Romanian, Belarusian and Taiwanese authorities and private cyber security companies.

Since 2013 the cybercrime gang has attempted to attack banks, e-payment systems and financial institutions using pieces of malware they designed, known as Carbanak and Cobalt. The criminal operation has struck banks in more than 40 countries and has resulted in cumulative losses of over €1 billion for the financial industry. The magnitude of the losses is significant: the Cobalt malware alone allowed criminals to steal up to €10 million per heist.

Cashing out

The money was then cashed out by one of the following means:

  • ATMs were instructed remotely to dispense cash at a pre-determined time, with the money being collected by organised crime groups supporting the main crime syndicate: when the payment was due, one of the gang members was waiting beside the machine to collect the money being ‘voluntarily’ spat out by the ATM;
  • The e-payment network was used to transfer money out of the organisation and into criminal accounts;
  • Databases with account information were modified so that bank account balances would be inflated, with money mules then being used to collect the money.

The criminal profits were also laundered via cryptocurrencies, by means of prepaid cards linked to the cryptocurrency wallets which were used to buy goods such as luxury cars and houses.

International police cooperation

International police cooperation coordinated by Europol and the Joint Cybercrime Action Taskforce was central in bringing the perpetrators to justice, with the mastermind, coders, mule networks, money launderers and victims all located in different geographical locations around the world.

Europol’s European Cybercrime Centre (EC3) facilitated the exchange of information, hosted operational meetings, provided digital forensic and malware analysis support and deployed experts on-the-spot in Spain during the action day.

The close private-public partnership with the European Banking Federation (EBF), the banking industry as a whole and the private security companies was also paramount in the success of this complex investigation.

The full Infographic can be seen on the Europol Website.

EAST Publishes European Fraud Update 1-2018

EAST has just published its first European Fraud Update for 2018.  This is based on country crime updates given by representatives of 18 countries in the Single Euro Payments Area (SEPA), and 4 non-SEPA countries, at the 44th EAST meeting held in Frankfurt on 7th February 2018.

Payment fraud issues were reported by fifteen countries.  Seven countries reported increases in card-not-present (CNP) fraud related to ecommerce merchants in China.  Phishing activity was reported by four countries and one of them reported phishing attacks through advertisements placed on social media sites.  The EAST Payments Task Force (EPTF) issued a first Payment Alert in January 2018.  This covered a phishing email sent to employees of banking and financial institutions, which contained malware intended to exploit the local network and gain access to Swift services.

ATM malware and logical security attacks were reported by ten countries.  Five of the countries reported ATM related malware and one country reported the first successful Cutlet Maker cash-out attack in Western Europe.  To date in 2018 the EAST Expert Group on All Terminal Fraud (EGAF) has published two related Fraud Alerts.  Seven countries reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  To help counter these threats Europol, supported by EAST EGAF, has published a document entitled ‘Guidance and Recommendations regarding Logical attacks on ATMs’.  It covers mitigating the risk, setting up lines of defence and identifying and responding to logical attacks.  This is available in four languages: English, German, Italian and Spanish.

Card skimming at ATMs was reported by sixteen countries.  The usage of M3 – Card Reader Internal Skimming devices is most prevalent.  This type of device is placed at various locations inside the motorised card reader behind the shutter.  Five countries reported such attacks.  Skimming attacks on other terminal types were reported by five countries, all of which reported such attacks on unattended payment terminals (UPTs) at petrol stations.  One country also reported the use of card shimming devices at POS terminals.  To date in 2018 EAST EGAF has published three related Fraud Alerts.

Year to date, international skimming related losses were reported in 40 countries and territories outside SEPA and in 7 within SEPA.  The top three locations where such losses were reported remain the USA, Indonesia and India.

Five countries reported incidents of Transaction Reversal Fraud (TRF).  Two countries reported a continued increase in such attacks and two countries reported new modus-operandi.  To date in 2018 EAST EGAF has published two related Fraud Alerts.

Ram raids and ATM burglary were reported by ten countries and, to date in 2018, the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published one related ATM Physical Attack Alert.  Eight countries reported explosive gas attacks and six countries reported solid explosive attacks.  The spread of such attacks is of increasing concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.

The full Fraud Update is available to EAST Members (National and Associate).

EAST EGAP holds 9th Meeting at Europol

The ninth meeting of the EAST Expert Group on ATM and ATS Physical Attacks (EGAP) took place on Tuesday 6th March 2018 at Europol in The Hague.

EAST EGAP is a European specialist expert forum for discussion of ATM and ATS related physical attack trends, attack methodologies and counter-measures, threat protection, and for the provision of regularly updated lists of manufacturers of ATM protective devices. The latest lists can be downloaded from the ‘Stained Banknotes’ page on this website (bottom of page).

The meeting was chaired by Mr Graham Mott and was attended by key representatives from Terminal Deployers, ATM Networks, Security Equipment Vendors and Law Enforcement.  National threat assessments were shared by representatives from thirteen countries.

EAST EGAP, which meets twice each year, enables in-depth and technical discussion to take place. The areas covered include:

  • The latest incidents and criminal MOs
  • The collection and distribution of best practice guidelines
  • The evolution of threats and counter-measures
  • Lessons from and on law enforcement

EAST EGAP meetings are restricted to working group members and, to provide a wider platform for sharing/discussion, the Group is holding a half-day open seminar in London on 10th October 2018.  Registration for this will soon be open and more information can be found on the EAST Events page.

44th EAST Meeting hosted by EKS

The 44th Meeting of EAST National Members was hosted by EURO Kartensysteme GmbH (EKS) in Frankfurt on 7th February 2018.  National country crime updates were provided by 21 countries. Topics covered included payment fraud and the evolution of payment technology, ATM malware and logical attacks, terminal related fraud attacks and ATM related physical attacks.

Presentations were given by staff from the German Federal Criminal Police Office – BKA (Bundeskriminalamt) and also by the EAST Payments Task Force (EPTF) and the EAST Expert Group on All Terminal Fraud (EGAF).  An update was given by the EAST Expert Group on ATM and ATS Physical Attacks (EGAP).

EAST Fraud Update 1-2018 will be produced later this month based on the updates provided at the meeting.  EAST Fraud Updates are available on the EAST Website to EAST Members.

EAST and RBR to co-locate key security events

EAST and RBR will be co-locating key security events at the Park Plaza Victoria hotel in London, on 9th and 10th October 2018.

EAST’s Financial Crime & Security (FCS) Seminars, organised by the EAST Expert Group on All Terminal Fraud (EGAF) and the EAST Expert Group on ATM & ATS Physical Attacks (EGAP), first took place at the third EAST FCS Forum in June 2017.

RBR’s ATM & Cyber Security 2018 conference has established itself over the past decade as the world’s leading conference focused on physical and logical ATM security.  The 2017 event attracted 400 delegates representing 150 organisations from over 40 countries.

Co-locating these important events provides a unique opportunity for ATM and financial security professionals, including retail banks, law enforcement agencies, hardware and software providers and a range of industry bodies, to meet to discuss how best to address the latest security threats.

RBR’s ATM & Cyber Security 2018 will run for 1.5 days, immediately followed by the EAST FCS Seminars.  While the RBR and EAST events will continue to be run independently, hosting them in the same venue will concentrate an unprecedented level of expertise, with the ultimate objective of reducing the levels and impact of crime at ATMs and other payment terminals.

EAST’s Executive Director, Lachlan Gunn said, “ATM & Cyber Security is an important global security conference with a proven track record, and we believe that co-locating it with EAST’s user-driven FCS Seminars provides a compelling proposition for our members and for all industry stakeholders”.

RBR’s Managing Director Dominic Hirsch added, “EAST has a unique relationship with its members and RBR has for many years been impressed with the professional way it leads fraud intelligence and information sharing across Europe and beyond. There has always been a mutual respect between our organisations and we are delighted to have the opportunity to work together”.

Registration for the EAST FCS Seminars is not yet open and further information will be provided on the Events Page on this website in due course.

EAST publishes first Payment Alert

EAST has just published its first Payment Alert, which covers an attack on a payment network through its member associations throughout Europe.  This Alert relates to a recent phishing email sent to employees of related banking and financial institutions.  Phishing is a social engineering attack that has become very popular and has caused severe damage and losses to companies and individuals.

This new Alert is an initiative of the EAST Payments Task Force (EPTF), a specialist task force for discussion of security issues affecting the payments industry and for the gathering, collation and dissemination of related information and statistics.

Rui Carvalho EAST Development Director and EPTF Chair said: “In June last year EAST changed its name to become the European Association for Secure Transactions to expand its remit beyond ATMs to include all terminal types and to also focus on payment transactions.  As card skimming incidents continue to decline in Europe our focus is increasingly moving to Payment related cyber-attacks and Card Not Present (CNP) fraud issues which continue to rise.  The EPTF Payment Alerts will help to bring focus on new and developing threats in these criminal areas.”

Through its Expert Group on All Terminal Fraud (EGAF) EAST has been issuing Fraud Alerts since 2013 (170 Alerts issued to date) and Physical Attack Alerts have been issued by its Expert Group on ATM & ATS Physical Attacks (EGAP) since 2015 (18 Alerts issued to date).

EAST Alerts contain sensitive information and are restricted to EAST Members (National and Associate).  They are classified as AMBER using the variant of the Traffic Light Protocol (TLP) adopted by EAST and an overview of the TLP classifications used by EAST is below:

Viewpoint: Poll shows majority of payment fraud losses are reimbursed in a week

In a website research poll that ran from September to December 2017, participants who had experienced losses due to payment fraud over the past two years were asked how long it took them to get reimbursed.  77% were reimbursed within a week, with a third getting their money back on the first day, and for 23% reimbursement took up to a month. The full poll results can be seen in the chart below.


Money can only be taken from your bank account if you have authorised the transaction or your bank can prove you were at fault. If you notice a payment out of your bank account that you did not authorise, the best advice is to contact your bank immediately. If you are sure you did not authorise a particular payment you can claim a refund.

The current website research poll, which closes at the end of April, is also on Payment Fraud and asks how you felt if you were contacted by your bank about suspicious transactions and/or your account was blocked for the same reason.  To take it, and to see all past results, visit the Payment and Terminal Research page on this website.