EAST supports Europol Strategic Payment Card Fraud Meeting

On 20-21 November 2017, Europol’s European Cybercrime Centre (EC3), with the support of EAST, hosted an international meeting with a specific focus on combating payment card fraud across Europe and beyond.

In its sixth occurrence since it was first organised in Singapore in 2015, this meeting was held for the first time at Europol’s headquarters in The Hague, bringing together representatives from 3 regions of the world: 8 EU Member States (Portugal, Greece, France, Denmark, Spain, Romania, Bulgaria and Italy), Latin America (Argentina, Dominican Republic, Chile, Colombia and AMERIPOL) and Asia (Malaysia, Philippines, Thailand and ASEANAPOL).

The EAST presentation focused on combating payment card fraud from the perspective of the private sector – EAST Executive Director Lachlan Gunn gave an overview of EAST and presented the latest threats, criminal methodologies and crime and fraud statistics.  EAST Development Director Rui Carvalho, who chairs the EAST Payments Task Force (EPTF), covered the latest payment crime trends as reported at the 43rd EAST Meeting.

The latest European Central Bank Report estimates €1.44 billion losses in Payment card fraud in 2013 The overall losses were up 8%. Card Not Present (CNP) fraud has experienced significant increases in Europe in the last years and although Card Present Fraud (CP) within the EU decreased during the last years still remain significant as the EMV (chip and pin) protection has not yet been fully implemented. In fact, organised crime groups set up permanent bases in overseas locations where Chip is not implemented cashing out compromised European cards.

EAST has supported all the Europol Strategic Meetings on Payment Card Fraud held in the ASEAN and LATAM regions.


EAST Publishes European Fraud Update 3-2017

Fraud UpdateEAST has published its third European Fraud Update for 2017.  This is based on country crime updates given by representatives of 15 countries in the Single Euro Payments Area (SEPA), and 5 non-SEPA countries, at the 43rd EAST meeting held in Edinburgh on 4th October 2017.

Payment fraud issues were reported by eleven countries.  One country reported that a fake P2P website was used to get funds illegally, which are then transferred to genuine cards for cash withdrawal.  Card-Not-Present (CNP) fraud shows a significant increase in fake websites, such as ticketing sites.  Data acquired through social engineering is used immediately by criminals to make fund transfers to money mule accounts.  The EAST Payments Task Force (EPTF) is looking at security issues affecting payments with a view to the gathering, collation and dissemination of related information, trends and general statistics.

ATM malware and logical security attacks were reported by seven countries.  To date in 2017 EAST has published fourteen related Fraud Alerts.  Two of the countries reported ATM related malware and all seven reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  To help counter these threats Europol, supported by the EAST Expert Group on All Terminal Fraud (EGAF), has published a document entitled ‘Guidance and Recommendations regarding Logical attacks on ATMs’.  It covers mitigating the risk, setting up lines of defence and identifying and responding to logical attacks.  This is available in four languages: English, German, Italian and Spanish.

Card skimming at ATMs was reported by thirteen countries.  The usage of M3 – Card Reader Internal Skimming devices is most prevalent.  This type of device is placed at various locations inside the motorised card reader behind the shutter.  Four countries reported such attacks and, to date in 2017, EAST has published ten related Fraud Alerts.

Year to date International skimming related losses were reported in 53 countries and territories outside of the Single Euro Payments Area (SEPA) and in 10 within SEPA.  The top three locations where such losses were reported are the USA, Indonesia and India.

Skimming attacks on other terminal types were reported by eight countries and four countries reported such attacks on unattended payment terminals (UPTs) at petrol stations.

Six countries reported incidents of Transaction Reversal Fraud (TRF).  One country reported a continued increase in such attacks and two countries reported a new modus-operandi.

Ram raids and ATM burglary were reported by ten countries and eight countries reported explosive gas attacks.  To date in 2017 EAST has published eleven related ATM physical attack alerts.  The use of solid explosives continues to spread and six countries reported such attacks.  This is of increasing concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.

The full Fraud Update is available to EAST Members (National and Associate).

EAST Presents at Third Latin American Security Forum

Latin American SecurityRui Carvalho, EAST Development Director, presented at the third Annual Latin American Forum on Security in Payment Systems, held on 18th / 19th October 2017 in Lima, Peru.

The event was co-organised by ATEFI and Liquid Nexxus in order to raise awareness of payment-related crime in Latin America.

ATEFI is the Latin American Association of Operators Electronic Funds Transfer and Information Services and represents 20 ATM networks in 14 countries throughout Latin America.

Rui Carvalho (pictured on the left with Fernanda Romero and Oscar Castellano of ATEFI) presented an overview of Terminal Related Fraud and Transaction Fraud  in Europe from the perspective of the Electronic Payments Industry, as represented by EAST.

In May 2016 EAST and ATEFI joined forces in order to further strengthen cross border cooperation in combating all types of payment crime including payment card fraud, hi-tech crime and ATM cyber and physical attacks.



EAST presents at NCR Fraud & Security Summit

Fraud & Security SummitEAST Executive Director Lachlan Gunn presented at the 5th Annual NCR Fraud & Security Summit, held in London on 9th October 2017.  The event allowed security experts from around the world to share experiences and information on a wide array of security topics such as emerging threats, trends, solutions and innovations.

Lachlan Gunn (pictured on the right with NCR’s Charlie Harrow) gave an overview of EAST and its new structure, before delivering an update on the payment fraud and crime situation in Europe.  He referred to statistics from EAST’s recently published European Payment Terminal Crime Report which highlighted a significant increase in logical (black box) attacks.

The Agenda included presentations that covered NCR’s Security Startegy, expanding logical protection to the Network, contactless and new technologies, protecting ATMs from physical attacks, ATM attack trends and an update on the new NCR 80 Series ATMs.

EAST and ASEANAPOL formalise collaboration

EAST and ASEANAPOL have formalised collaboration.  This was agreed by the 37th ASEANAPOL Conference held in Singapore on 11-15 September 2017 and by the 43rd EAST Meeting held in Edinburgh on 4th October 2017. This collaboration is another step forward in addressing the consequences of the spread of the activities of organised criminal groups across regions and globally.

ASEANAPOL is the National Police organisation for the Association of Southeast Asian Nations (ASEAN).

Working with Europol’s European Cybercrime Centre (EC3) EAST has attended four Strategic Meetings on Payment Card Fraud that were held in the ASEAN region.  At the most recent meeting in July 2017, the increasing threat posed by fraudulent payment card activities by organised crime groups led to the creation of the Investigative Network of Law Enforcement specialists from the European Union and ASEAN countries (EURASEAN). This initiative, led by Europol, is supported by both ASEANAPOL and INTERPOL, with the assistance of EAST representing the private sector.

In June of this year ASEANAPOL gave a presentation at the 3rd EAST FCS Forum in the Hague.  Mr Ferdinand Bartolome, Director for Police Services, ASEANAPOL Secretariat, gave a presentation which covered ASEANAPOL and its initiatives in the pursuit of payment card fraud, initiatives undertaken with EUROPOL and trends and counter-measures in ATM fraud.  Mr Bartolome is pictured left, with EAST Executive Director Lachlan Gunn, at the event.

In a European Payment Terminal Crime Report, published today, EAST shows that out of total reported losses of €118 million, suffered by European card issuers due to payment card skimming, and reported for the period January to June 2017, €96 million were international skimming losses.  Such losses are committed outside national borders by criminals using stolen card details.  The majority of these losses were seen in the USA and the Asia-Pacific region. The above-mentioned EURASEAN initiative, and the EAST-ASEANAPOL collaboration, are significant steps forward in the efforts to counter the spread of such losses.

ATM Black Box Attacks continue to rise

ATM black box attacksEAST has just published a European Payment Terminal Crime Report covering the first six months of 2017 which reports that ATM black box attacks took place in eleven countries.

A total of 114 such attacks were reported, up from 28 during the same period in 2016, a 307% increase.  ‘Black Box’ is the connection of an unauthorised device which sends dispense commands directly to the ATM cash dispenser in order to ‘cash-out’ the ATM.  Related losses were up 268%, from €0.41 million to €1.51 million.  EAST Executive Director Lachlan Gunn said, “This sees the continuation of a trend that we first reported in April of this year when we published full year statistics for 2016.  Our Expert Group on All Terminal Fraud (EGAF) is actively monitoring all logical threats against payment terminals and against the wider banking infrastructure.”

Overall payment terminal related fraud attacks rose 10% when compared with H1 2016 (up from 10,820 to 11,934 incidents).  This rise was mainly driven by an 88% increase in transaction reversal fraud (up from 4,840 to 9,081 incidents).  The downward trend for card skimming continues with 1,221 card skimming incidents reported, down 22% from 1,573 in H1 2016.  This is the lowest number of skimming incidents reported since EAST first began gathering data in 2004.

Losses due to payment terminal related fraud attacks were down 29% when compared with the same period in 2016 (down from €174 million to €124 million).  Within these totals international skimming losses fell 32% (down from €142 million to €96 million) and Domestic skimming losses fell 15% (down from €26 million to €22 million).

ATM related physical attacks rose 6% when compared with H1 2016 (up from 1,604 to 1,696 incidents).  Within this total ATM explosive attacks (including explosive gas and solid explosive attacks) were down 2% (down from 492 to 481 incidents).  Losses due to ATM related physical attacks were €12.2 million, a 55% drop from the €27 million reported during the same period in 2016.  Part of this decrease is due to the fact that one major ATM deploying country that used to report this data is currently unable to do so.

The average cash loss per explosive or gas attack is estimated at €14,575, the average cash loss for a robbery is €10,357 per incident and the average cash loss for a ram raid or burglary attack is €9,761.  These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

A summary of the report statistics under the main headings is in the table below.

ATM Black Box Attacks

The full Crime Report is available to EAST Members (National and Associate)

43rd EAST Meeting hosted by LINK Scheme

43rd EAST MeetingThe 43rd Meeting of EAST National Members was hosted by the LINK Scheme in Edinburgh on 4th October 2017.  National country crime updates were provided by 20 countries, and a global update by HSBC. Topics covered included payment fraud and the evolution of payment technology, ATM malware and logical attacks, terminal related fraud attacks and ATM related physical attacks.

A presentation on Card Not Present (CNP) Fraud was given by Police Scotland and updates were provided by the EAST Payments Task Force (EPTF), the EAST Expert Group on All Terminal Fraud (EGAF) and the EAST Expert Group on ATM and ATS Physical Attacks (EGAP).

EAST Fraud Update 3-2017 will be produced later this month, based on the updates provided at the meeting.  EAST Fraud Updates are available on the EAST Website to EAST Members.

The 43rd EAST Meeting was the first meeting of EAST National Members as the ‘European Association for Secure Transactions’.  At the EAST FCS Forum on 8th June 2017 EAST, formerly known as the European ATM Security Team, changed its name.

EAST presents at Mastercard Global Risk Leadership Conference

Otto de Jong from ING Netherlands and chair of the EAST Expert Group on All Terminal Fraud (EGAF) attended and presented at the ‘MasterCard Global Risk Leadership Conference – Europe’ in Albufeira, Portugal.  The focus of the event was the sharing of knowledge and best practices on key payment security issues, vulnerabilities, and innovative techniques to mitigate fraud.

On 26 September Otto de Jong (second from right in picture), together with representatives from MasterCard and MacAfee, gave a presentation on Cybersecurity Research Leadership and Cyber Attack Methods.  In his talk he gave an overview of EAST and covered rising card fraud threats from the perspective of the industry (ATM and POS terminal).

The Conference, which ran from 25 to 28 September 2017, was attended by stakeholders from the card payments industry in Europe (Issuers , Acquirers and Vendors).

5th Europol-INTERPOL Cybercrime Conference

The Europol-INTERPOL Cybercrime Conference is a joint initiative launched in 2013. Held annually, it is hosted alternatively by Europol and INTERPOL.  This year, more than 420 participants gathered at Europol’s headquarters in The Hague to attend the 5th annual Europol-INTERPOL Cybercrime Conference.

The central theme of this three day conference, from 27-29 September 2017, was “Actively united for a safer cyber space” and has underlined the importance of law enforcement, private sector, academia, government and NGOs jointly engaging in the fight against cybercriminals.

Expanding on the theme of last year’s conference hosted by INTERPOL in Singapore  – ‘Solutions for Attribution’ – this year’s conference saw 205 participants from different sectors representing more than 185 organisations and 167 law enforcement representatives from 68 countries engaging in fruitful and solution-oriented discussions on a number of cybercrime-related topics.  EAST Executive Director Lachlan Gunn attended the event on behalf of EAST.

More than 50 speakers actively elaborated on the current and new threats and trends in cybercrime , the financial aspects of cybercrime, Internet of Things security and resilience, strategies to combat ransomware, the criminal abuse of encryption and anonymisation, Darknet market sites, access to data and electronic evidence, and DNS abuse.

In the part of the Agenda that focused on the financial aspects of cybercrime cases were presented by both law enforcement agencies and the private sector.  Key topics in this section were new types of logical attack on ATMs and a history of the different types of financial malware.  Threats and trends were also covered which included a threat assessment and current view of the European fraud landscape.



Viewpoint: Poll indicates malware and black box attacks are biggest fraud risk to the ATM channel

In a website research poll that ran from May to August 2017 participants were asked how they saw fraud risk developing for ATMs. 67% of respondents felt that malware and black box attacks were the biggest risk, 20% went for card skimming, 7% chose social engineering, and cash trapping and card trapping were each chosen by 3%. The poll results can be seen in the chart below.

black box

This poll result is in line with EAST’s published European ATM fraud statistics, with reports that date back to 2004.  Over the past thirteen years we have seen fraud trends change, particularly since the EMV (Chip and PIN) roll out commenced.  Most recently we have seen an increase in black box attacks, as highlighted in an ATM Crime Report published by EAST in April 2017 and covering the full year 2016.

The current website research poll, which closes at the end of December, is on Payment Fraud and asks if you have experienced losses due to payment fraud over the past two years, how long did it take to get reimbursed?  To take it, and to see all past results, visit the Payment and Terminal Research page on this website.