ATM Black Box Attacks spread across Europe

EAST ATM Crime Report 2016 - ATM black box attacks increaseIn a European ATM Crime Report covering 2016 EAST has reported that ATM black box attacks were up 287% when compared to 2015.

A total of 58 such attacks were reported by ten countries, up from 15 attacks during 2015.  ‘Black Box’ is the connection of an unauthorised device which sends dispense commands directly to the ATM cash dispenser in order to ‘cash-out’ the ATM.  Related losses were down 39%, from €0.74 million to €0.45 million.

EAST Executive Director Lachlan Gunn said, “While the rise in ATM black box attacks is a concern, we are pleased to note that many of these attacks were not successful.  In 2015, to help the industry counter such attacks, our EAST Expert Group on ATM Fraud (EGAF) worked with Europol to produce a document entitled ‘Guidance & recommendations regarding logical attacks on ATMs’.  At our third global Financial Crime & Security (FCS) Forum, which will be held in The Hague on 8th/9th June 2017, EAST EGAF will lead a proactive breakout session during which black box attacks will be discussed.”

ATM related fraud attacks increased by 26%, up from 18,738 in 2015 to 23,588 in 2016.  This rise was mainly driven by a 147% increase in Transaction Reversal Fraud (up from 5,104 to 12,581 incidents).  The downward trend for card skimming continues with 3,315 card skimming incidents reported, down 20% from 4,131 in 2015.  This is the lowest number of skimming incidents reported since 2005.

Losses due to ATM related fraud attacks were up 2% when compared with 2015 (up from €327 million to €332 million).  The Asia-Pacific region and the USA are where the majority of such losses were reported.  Domestic skimming losses rose 24% over the same period (up from €44 million to €53 million).

ATM related physical attacks rose 12% when compared with 2015 (up from 2,657 to 2,974 incidents).  Within this total ATM explosive attacks (including explosive gas and solid explosive attacks) were up 47% from the previous year (up from 673 to 988 incidents).  Losses due to ATM related physical attacks were €49 million, unchanged from the previous year.

The average cash loss for a ram raid or burglary attack is estimated at €14,890, the average cash loss per explosive attack is €17,403 and the average cash loss for a robbery is €20,293.  These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

A summary of the report statistics under the main headings is in the table below:

European ATM Crime Statistics Summary

The full Crime Report is available to EAST Members (National and Associate).

ATM Explosive Attacks surge in Europe

european-atm-crime-report-h1-2016In a European ATM Crime Report covering the first six months of 2016 EAST has reported that ATM explosive attacks were up 80% when compared to the same period in 2015.

A total of 492 explosive attacks were reported, up from 273 during the same period in 2015.  While the majority were explosive gas attacks, 110 were solid explosive attacks.  EAST Executive Director Lachlan Gunn said, “This rise in explosive attacks is of great concern to the industry in Europe as such attacks create a significant amount of collateral damage to equipment and buildings as well as a risk to life.  The EAST Expert Group on Physical Attacks (EGAP) is working to analyse the attacks and to share intelligence best practice information across the industry and law enforcement that can help to mitigate the threat.”

Overall ATM related physical attacks rose 30% when compared with H1 2015 (up from 1,232 to 1,604 incidents).  Losses due to ATM related physical attacks rose 3% to €27 million (up from €26.3 million in 2015).  The average cash loss for a ram raid or burglary attack is estimated at €17,327, the average cash loss per explosive attack is €16,631 and the average cash loss for a robbery is €20,017.  These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

EAST also reported a 28% increase in ATM related fraud attacks, up from 8,421 in H1 2015 to 10,820 in H1 2016.  This rise was mainly driven by a 281% increase in Transaction Reversal Fraud (up from 1,270 to 4,840 incidents).  The downward trend for card skimming continues with 1,573 card skimming incidents reported, down 21% from 1,986 in H1 2015.

Losses due to ATM related fraud attacks were up 12% when compared with H1 2015 (up from €156 million to €174 million).  This rise was largely driven by an 8% rise in international skimming losses (up from €131 million to €142 million).  The Asia-Pacific region (particularly Indonesia) and the USA are where the majority of such losses were reported.  Domestic skimming losses rose 24% over the same period.

The number of ATM logical attacks reported continues to rise.  28 incidents were reported (all ‘cash out’ or ‘jackpotting’ attacks), up from just 5 during the same period in 2015.  Related losses were €0.4 million.

A summary of the report statistics under the main headings is in the table below:

h1-2016-crime-report-summary-stats

The full Crime Report is available to EAST Members (National and Associate).

EAST presents at 37th meeting of the EPSM

EPSM - Fexco Nicolas Adolph Denis McCarthy
From left to right Nicolas Adolph, Chairman EPSM, Úna Dillon, EAST Development Director, Denis McCarthy, CEO Fexco

Úna Dillon, EAST Development Director, presented at the 37th member meeting of the European Association of Payment Service Providers for Merchants (EPSM) which was held in Dublin, Ireland on Tuesday 21st June 2016.

EPSM Chairman, Nicolas Adolph, invited EAST to participate in the meeting which consisted of more than 40 representatives from global payment service providers.

The session focused on current payments matters such has EU Regulation and the impact on PSPs and merchants. Lars Tebrügge, ESPM, gave a comprehensive overview on the requirements around MIF, PSD2, NIS and GDPR. In particular he outlined the potential fines that can be imposed for non-compliance with data protection legislation, e.g. up to 4% of a company’s global profits.

Clemens Hisch, Corestar, followed with an interesting discussion on one of the 6 pillars of the FinTech industry, namely Payments.

Georg Schardt from Sofort provided an overview on his company and on the challenges they have faced, in particular relating to the over-regulation of the payments industry. He discussed the impact of PSD2 on service providers like Sofort and on the tendency for banking institutions to suffer from a lack of innovation due to a focus on new policies.

Omnipay / FirstData was represented by John Faherty who gave an interesting perspective on the transformation of the payments landscape with Alternative Payments.

Rodney Farmer, the EPSM representative to the PCI Advisory Board, gave the group an overview of the current PCI guidelines including the PCI BoA and PCI DSS 3.2.

The EAST presentation covered latest statistics as published recently in the EAST ATM Crime Report 2015 and details on new scams affecting both ATMs and Point of Sale terminals.

The overall event was hosted by Denis McCarthy and his team from Fexco, the world leader in Fintech and business solutions.

More details on the EPSM can be found here.

Card skimming losses continue to rise outside Europe

EAST 2015 Crime ReportIn a European ATM Crime Report covering the full year 2015 EAST has reported that skimming losses relating to the usage of stolen European card data outside Europe have risen to the highest level seen since 2008.

There was a 19% increase in ATM related fraud attacks, up from 15,702 to 18,738 in 2015.  This increase was mainly driven by a significant rise in Transaction Reversal Fraud (TRF) attacks (up from 160 to 5,104) and a smaller rise in card trapping attacks (up from 5,298 to 6,352).  4,131 card skimming incidents were reported, down 27% from 5,631 in 2014.

Losses due to ATM related fraud attacks were up 17% when compared with 2014 (up from €280 million to €327million).  This rise was largely driven by a 15% rise in international skimming losses (up from €238 million to €274 million).  The USA and the Asia-Pacific region are where the majority of such losses were reported.  Domestic skimming losses rose 19% over the same period (up from €37 million to €44 million).

EAST Executive Director Lachlan Gunn said, “While regional card blocking, often known as geo-blocking, is effective at minimising international skimming losses when implemented, the continued rise of such losses is of concern to Europe.  EAST is now working closely with Europol to increase awareness among experts in Asia-Pacific and the Americas about all types of non-cash means of payment, including card skimming, ATM malware, internet fraud and eCommerce fraud.  Most recently we supported the Second Strategic Meeting on Payment Card Fraud.  This event, which was organised by Europol’s European Cybercrime Centre (EC3) in Kuala Lumpur on 22-23 March 2016, provided the regional law enforcement community with a comprehensive overview of the ATM fraud and its migration to Asia, and the focus is now to establish a cross-regional network to assist international investigations.”

ATM related physical attacks rose by 34% when compared with 2014 (up from 1,980 to 2,657 incidents).  This is partly explained by a 9% increase in reported solid explosive and explosive gas attacks.  673 such attacks were reported, up from 619 in 2014.  Nine countries reported such attacks, four of them countries with more than 40,000 ATMs installed.  The number of reported robberies also increased, up from 60 in 2014 to 838 in 2015.  This rise is partly due to the fact that more countries are now apply to provide such data.

Losses due to ATM related physical attacks rose 81% to €49 million (up from €27 million in 2014).  The average cash loss for ram raids/ATM burglary was €17,830 per incident, and the average cash loss for an explosive or gas attack is €15,602 per incident.  While around 40% of such attacks do not result in cash loss, collateral damage to equipment and buildings can be significant.

In 2014 EAST began to collect statistics for ATM Malware after the first incidents were reported in Western Europe.  15 incidents were reported in 2015, down from 51 in 2014.  These were all ‘cash out’ or ‘jackpotting’ attacks.  Related losses of €743,000 were reported, down from €1.23 million in 2014.

To counter the malware threat, the EAST Expert Group on ATM Fraud (EGAF) worked with the European Cybercrime Centre (EC3) at Europol to create ‘Guidance & recommendations regarding logical attacks on ATMs’, a document published by Europol in June 2015.

 A summary of the report statistics under the main headings is in the table below.

EAST 2015 Crime Report Summary Stats

The full Crime Report is available to EAST Members (National and Associate).

European ATM Fraud Incidents up 15%, driven by low tech crime

EAST ATM Crime Report H1 2015In a European ATM Crime Report covering the first six months of 2015 EAST has reported that ATM fraud incidents were up 15% when compared to the same period in 2014.

ATM related fraud attacks were up from 7,345 in H1 2014 to 8,421 in H1 2015. This rise was mainly driven by an 18% increase in card trapping attacks (up from 2,579 to 3,043 incidents) and a 985% increase in Transaction Reversal Fraud (TRF) attacks (up from 117 to 1,270 incidents). Trapped cards can be used in the EMV environment (if the PIN has also been compromised). 1,986 card skimming incidents were reported, down 18% from 2,425 in H1 2014.

Losses due to ATM related fraud attacks were up 18% when compared with H1 2014 (up from €132 million to €156 million). This rise was largely driven by an 18% rise in international skimming losses (up from €111 million to €131 million). The Asia-Pacific region (particularly Indonesia) and the USA are where the majority of such losses were reported. Domestic skimming losses rose 11% over the same period.

EAST Executive Director Lachlan Gunn said, “International skimming losses have risen for the past four reporting periods and EAST is working closely with Europol to raise awareness of this issue in Asia-Pacific and the Americas.”

ATM related physical attacks rose by 19% when compared with H1 2014 (up from 1,032 to 1,232 incidents).  This is explained by a 1,013% increase in reported robberies, due to the fact that one country has been able to report on this for the first time.  423 such attacks were reported, up from 38 in 2014.

Losses due to ATM related physical attacks rose 100% to €26 million (up from €13 million in 2014), again mainly due to the fact that one country has reported losses due to robbery for the first time. Losses due to robbery rose from €0.4 million to €10.5 million. The average cash loss for robberies was €24,799 per incident, for ram raids/ATM burglary €22,604 per incident, and for explosive attacks €19,737.

In H1 2015 5 ATM malware incidents were reported (‘cash out’ or ‘jackpotting’ attacks), with related losses of €0.14 million. To counter the malware threat, the EAST Expert Group on ATM Fraud (EGAF) worked with Europol to create ‘Guidance & recommendations regarding logical attacks on ATMs’, a document published by Europol in June 2015.

A summary of the report statistics under the main headings is in the table below.

EAST H1 2015 Crime Report Summary Stats

The full Crime Report is available to EAST Members (National and Associate) and Subscribers.

European ATM Related Fraud Incidents fall 26%, although Skimming Losses rise

EAST ATM Crime Report 2014In a European ATM Crime Report covering the full year 2014 EAST has reported that ATM related fraud incidents fell 26% when compared to 2013, although related losses were up 13%.

EAST reported a 26% decrease in ATM related fraud attacks, down from 21,346 in 2013 to 15,702 in 2014. This fall was mainly driven by a 95% reduction in Transaction Reversal Fraud (TRF) attacks and a 31% reduction in cash trapping attacks. 5,631 card skimming incidents were reported, down 3% from 5,822 in 2013. Card trapping incidents fell 2% over the same period (down from 5,394 to 5,298). Trapped cards can be used in the EMV environment (if the PIN has also been compromised).

Losses due to ATM related fraud attacks were up 13% when compared with 2013 (up from €248 million to €280 million). This rise was largely driven by an 18% rise in international skimming losses (up from €201 million to €238 million). The USA and the Asia-Pacific region are where the majority of such losses were reported. Domestic skimming losses fell 9% over the same period.

EAST Executive Director Lachlan Gunn said, “The rise in international skimming losses is not being seen in European countries where regional card blocking, often known as geo-blocking, has been widely implemented. Keeping an active magnetic stripe on a European EMV card continues to make that card vulnerable to card skimming and geo-blocking significantly reduces the risk of successful compromise.”

ATM related physical attacks fell 6% when compared with 2013 (down from 2,102 to 1,980 incidents). This is partly explained by an 11% decrease in reported solid explosive and explosive gas attacks. 619 such attacks were reported, down from 696 in 2013. Nine countries reported such attacks, five of them countries with more than 40,000 ATMs installed.

Losses due to ATM related physical attacks rose 17% to €27 million (up from €23 million in 2013). The average cash loss for ram raids/ATM burglary was €25,640 per incident, up from €11,393 in 2013. While around 40% of such attacks do not result in cash loss, collateral damage to equipment and buildings can be significant.

In 2014 EAST began to collect statistics for ATM Malware after the first incidents were reported in Western Europe. These were ‘cash out’ or ‘jackpotting’ attacks. In 2014 51 such incidents were reported, with related losses of €1.23 million.

A summary of the report statistics under the main headings is in the table below.

2014 Summary Results Table

The full Crime Report is available to EAST Members (National and Associate) and Subscribers.