ATM Physical Attacks in Europe on the increase

Posted on 09/04/2019

EAST has just published a European Payment Terminal Crime Report covering 2018 which reports that ATM physical attacks have risen for the fourth consecutive year.

ATM related physical attacks rose 27% when compared with 2017 (up from 3,584 to 4,549 incidents). Within this total ATM explosive attacks (including explosive gas and solid explosive attacks) were down 3% (down from 1,081 to 1,052 incidents). Explosive attacks remain a cause for concern as the number of countries reporting them has risen from ten in 2017 to eleven in 2018. Such attacks result in extensive collateral damage and can pose a risk to life.

Losses due to ATM related physical attacks were €36 million, a 16% increase from the €31 million reported during 2017. The average cash loss per explosive or gas attack is estimated at €17,103, the average cash loss for a robbery is estimated at €13,682 per incident and the average cash loss for a ram raid or burglary attack is estimated at €13,198. These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

EAST Executive Director Lachlan Gunn said, “The success rate for solid explosive attacks is of particular concern – we estimate that the average cash loss per solid explosive attack is €27,065. Such attacks continue to spread geographically with two countries reporting them for the first time in early 2019. Our Expert Group on ATM and ATS Physical Attacks (EGAP) is actively monitoring the situation and provides a cross-border platform for the industry and law enforcement to share related intelligence and measures that can be taken to mitigate the risks.”

Payment terminal related fraud attacks fell 36% when compared with 2017 (down from 20,971 to 13,511 incidents). This fall was mainly driven by a 26% decrease in card skimming incidents (down from 2,556 to 1,883 incidents) and by a 66% fall in transaction reversal fraud incidents (down from 14,098 to 4,843 incidents).

Losses due to payment terminal related fraud attacks fell 30% when compared with 2017 (down from €353 million to €247 million). Within these totals international skimming losses fell by 27% (down from €280 million to €205 million) and domestic skimming losses were down 44% (from €64 million to €36 million).

A total of 157 ATM malware and logical attacks were reported, down from 192 in 2017, an 18% decrease. 156 of the attacks were logical attacks where equipment typically referred to as a ‘black box’ is used to send dispense commands directly to the ATM cash dispenser in order to cash-out the ATM. Related losses were down 70%, from €1.52 million to €0.45 million.

A summary of the report statistics under the main headings is in the table below.

The full Crime Report is available to EAST Members (National and Associate)

Europol publishes French language version of new ATM Logical Attack Guidelines

Posted on 20/03/2019

Europol has just published a French language version of the new guidelines to help industry and law enforcement counter the ATM Logical Attack threat. The English version of the document was officially launched in January 2019 at the 17th Meeting of the EAST Expert Group on All Terminal Fraud (EAST EGAF)

The production of this document was coordinated by EAST EGAF. It has three sections:

Description of Modi Operandi (Description des Modes Opératoires)
Mitigating the risk of ATM Logical and Malware Attacks, Setting up Lines of Defence (Réduction du risque d’Attaques Logiques et de Programmes Malveillants visant les DAB, Mise en place de Lignes de Défense)
Identifying and responding to Logical and Malware Attacks (Identification et réponse aux Attaques Logiques et de Logiciels Malveillants)

This new version provides clearer definitions and greater clarity of the criminal methods and techniques encountered in these attacks, and more detailed recommendations on how to mount a robust and effective response to them.

Circulation of the document is restricted to Law Enforcement and to the banking and payments industry, which includes EAST Members (National and Associate).

2019 EAST FCS Seminars – Save The Date!

Posted on 12/02/2019

The 2019 EAST Financial Crime & Security (FCS) Seminars will be held on Wednesday 9th October 2019, at the Park Plaza, Victoria, London, UK. Save the date! Register now to get the Early Bird Registration Rate and save £100 on the Standard Registration Rate! (see current 2019 prices here)

Early Registration deadline – Monday 19th August 2019

Two concurrent seminars will be held:

EAST FCS Terminal Fraud Seminar (organised by the EAST Expert Group on All Terminal Fraud (EGAF)
EAST FCS ATM Physical Attacks Seminar (organised by the EAST Expert Group on ATM & ATS Physical Attacks (EGAP)

To view last year’s EAST FCS programme and speakers or to check the venue details please visit our events website: www.east-events.org

These events will be co-located with RBR’s ATM & Cyber Security 2019 event, although separate registration is required.

47th EAST Meeting hosted by SIBS in Lisbon

Posted on 12/02/2019

The 47th Meeting of EAST National Members was hosted by SIBS at the SANA Metropolitan Hotel in Lisbon on 6th February 2019. National country crime updates were provided by 21 countries, and a global update by HSBC. Topics covered included payment fraud and the evolution of payment technology, ATM malware and logical attacks, terminal related fraud attacks and ATM related physical attacks.

Presentations were also given by the EAST Payments Task Force (EPTF) and the EAST Expert Group on All Terminal Fraud (EGAF). An update was given by the EAST Expert Group on ATM and ATS Physical Attacks (EGAP).

EAST Fraud Update 1-2019 will be produced in early March, based on the national country crime updates provided at the meeting. EAST Fraud Updates are available on the EAST Website to EAST Members.

Europol launches new ATM Logical Attack Guidelines at 17th EAST EGAF Meeting

Posted on 17/01/2019

Europol has published new guidelines to help industry and law enforcement counter the ATM Logical Attack threat. The document was officially launched at the 17th Meeting of the EAST Expert Group on All Terminal Fraud (EAST EGAF), which took place on Wednesday 16th January 2019 at ING Domestic Bank in Amsterdam. Production of the document was coordinated by EAST EGAF. It has three sections:

Description of Modi Operandi
Mitigating the risk of ATM Logical and Malware Attacks, Setting up Lines of Defence
Identifying and responding to Logical and Malware Attacks

The original Guidelines were published in 2015 when law enforcement and the private sector came together to support the banking and payments industry. That report, the first of its kind, provided vendor-neutral guidance on countermeasures to such attacks, as well as a collection of indicators that could be used to detect when an incident may have occurred. This new version provides clearer definitions and greater clarity of the criminal methods and techniques encountered in these attacks, and more detailed recommendations on how to mount a robust and effective response to them.

Steven Wilson, Head of Business at Europol’s European Cybercrime Centre (EC3), said “This updated and refocused edition of the report draws upon the expertise of an expanded panel of experts from both law enforcement and the private sector. In addition to the key role played by EAST, I would like to extend my thanks to Diebold Nixdorf, GMV, ING, INTERPOL, NCR, TMD Security and Trend Micro for their invaluable work and contributions, without which this report would not be possible. I continue to look forward to Europol’s engagement and cooperation with all of our partners within private industry and law enforcement in such endeavours, and our continuing fight against threats affecting the payment industry.”

Circulation of the document is restricted to Law Enforcement and to the banking and payments industry, which includes EAST Members (National and Associate).

17TH EAST EGAF Meeting

The 17th Meeting was chaired by Mr Otto de Jong and was attended by Europol and INTERPOL as well as by key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors and Forensic Analysts.

EAST EGAF is a regional expert group that focuses on regional and global payment terminal crime and fraud related issues, threats and counter-measures. The Group, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Skimming, Card Trapping, Cash Trapping and Transaction Reversal Fraud.

In addition EAST EGAF generates EAST Fraud Alerts for all EAST Members (National and Associate). In total 204 EAST Fraud Alerts have been issued, 3 to date in 2019.

EAST EGAF meetings are restricted to working group members and, to provide a wider platform for sharing/discussion, the Group is holding a half-day open seminar in London on 9th October 2019. Registration for this is now open and more information can be found on the EAST Events website.

EAST FCS Terminal Fraud Seminar 2018

Posted on 29/10/2018

An EAST FCS Terminal Fraud Seminar was held on 10th October 2018 in London, co-located with RBRs ATM & Cyber Security 2018 Conference. The interactive and successful event focused on two key outputs of the EAST Expert Group on All Terminal Fraud (EGAF):

Guidelines regarding logical attacks on ATMs
Standardised fraud definitions

An introduction to EGAF by the Chair, Otto de Jong, was followed by a presentation by EAST’s Executive Director Lachlan Gunn, covering the latest EAST fraud statistics from the H1 2018 European Payment Terminal Crime Report. This highlighted that losses due to card fraud at payment terminals have fallen to the lowest level since 2005. Total losses of €107 million were reported and the decrease is primarily due to a fall in losses due to card skimming (down from €118 million to €104 million). Overall payment terminal related fraud incidents were down 43% (from 11,934 to 6,790). Within this total card skimming incidents were down 19% (from 1,221 to 985) and well below the peak of 5,743 incidents reported during the same period in 2010.

Juan Jesus Leon Cobos of GMV then covered the evolution of ‘Cash-out’/jackpotting attacks, sharing the latest trends from Latin America. This was followed by a presentation from Tobias-Christian Wieloch of the European Cybercrime Centre (EC3) at Europol which focused on Europol’s published ‘Guidance & Recommendations regarding Logical & Malware Attacks on ATMs’, and an update to it that will soon be available.

Nick Webber, an independent forensic expert, then shared insights into card shimming and ‘wedge’ attacks, with a particular focus on the UK experience.

The final presentation came from Ben Birtwistle of the Royal Bank of Scotland and Claire Shufflebotham of TMD Security, who jointly covered the existing fraud definitions published by EAST, and steps being taken to update and simplify the definitions using graphics, as well as the addition of criminal benefits for each fraud type. Otto de Jong then summarised the event and what would be taken forward for future discusson.

Attendance to the regular EAST EGAF work group meetings is limited and this event enabled active participation and input from a much wider pool of expertise. Due to the positive response received from delegates, this Terminal Fraud Seminar is expected to be repeated in 2019.

More information on the event, which was sponsored by NCR, can be found on the EAST Events Website

2018 EAST FCS Terminal Fraud Seminar Sponsor

46th EAST Meeting hosted by LINK in London

Posted on 10/10/2018

The 46th Meeting of EAST National Members was hosted by the LINK scheme in London on 9th October 2018. National country crime updates were provided by 18 countries, and a global update by HSBC. Topics covered included payment fraud and the evolution of payment technology, ATM malware and logical attacks, terminal related fraud attacks and ATM related physical attacks.

Europol gave a presentation which included information on the latest Internet Organised Crime Threat Assessment (IOCTA) 2018.

Presentations were also given by the EAST Expert Group on All Terminal Fraud (EGAF) and the EAST Expert Group on ATM and ATS Physical Attacks (EGAP). An update was given by the EAST Payments Task Force (EPTF).

EAST Fraud Update 3-2018 will be produced later this month, based on the national country crime updates provided at the meeting. EAST Fraud Updates are available on the EAST Website to EAST Members.

Card fraud losses fall to 13 year low

Posted on 10/10/2018

EAST has just published a European Payment Terminal Crime Report covering the first six months of 2018 which reports that losses due to card fraud at payment terminals have fallen to the lowest level since 2005.

Total losses of €107 million were reported and the decrease is primarily due to a fall in losses due to card skimming (down from €118 million to €104 million). Overall payment terminal related fraud incidents were down 43% (from 11,934 to 6,790). Within this total card skimming incidents were down 19% (from 1,221 to 985) and well below the peak of 5,743 incidents reported during the same period in 2010.

EAST Executive Director Lachlan Gunn said, “The significant drop in card skimming incidents and losses reflects the continued effectiveness of EMV, as well as the work that has been put in by payment terminal deployers and card issuers with regard to counter-measures such as geo-blocking, fraud monitoring capabilities and fraud detection. Europe led the way with EMV, which is now a global standard, and all stakeholders in the payment card industry are benefitting from the increased security.”

Logical attacks against ATMs were down 46% (from 114 to 61) and all the reported ‘jackpotting’ attacks were ‘black box’ attacks. Related losses were down 83% (from €1.51 million to €0.25 million) reflecting the fact that many of these attacks are unsuccessful.

ATM related physical attacks were up 21% (from 1,696 to 2,046 incidents). Attacks due to ram raids and ATM burglary were up 26% (from 470 to 590 incidents) and ATM explosive attacks (including explosive gas and solid explosive attacks) were up 2% (from 481 to 490 incidents). Losses due to ATM related physical attacks were €15.1 million, a 24% increase from the €12.2 million reported during the same period in 2017.

The average cash loss per explosive or gas attack is estimated at €14,748, the average cash loss for a robbery is €14,613 per incident and the average cash loss for a ram raid or burglary attack is €12,275. These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

A summary of the report statistics under the main headings is in the table below.

The full Crime Report is available to EAST Members (National and Associate)

Terminal Fraud

Posted on 12/09/2018

While most payment transactions take place seamlessly and without issue, financial criminals remain active and terminal fraud is a problem for payment terminal deployers, ATM deployers, card issuers, equipment manufacturers and vendors, software providers, law enforcement agencies and other payment industry stakeholders. On 10th October 2018 the EAST Expert Group on All Terminal Fraud (EAST EGAF) will hold an open Financial Crime & Security (FCS) Seminar in London to focus on the issue. EAST EGAF is chaired by Otto de Jong of ING Bank.

EAST Executive Director Lachlan Gunn said ‘EAST EGAF was formed as a working group in 2013 and will hold its 16th Meeting on Wednesday 19th September 2018 in Amsterdam. Attendance at EAST EGAF meetings is restricted in accordance with the group’s Terms of Reference, which makes the coming FCS Seminar in October a great opportunity for all those affected by, or concerned about, terminal fraud to engage with EAST’.

This interactive event focuses on two key outputs of EAST EGAF – Guidelines regarding logical attacks on ATMs and standardised fraud definitions. An introduction to the Group will be followed by a presentation of the latest EAST Fraud Statistics (H1 2018). A session by Juan Jesús León Cobos of GMV will then focus on the evolution of cash-out/jackpotting attacks in Latin America, followed by a session by Europol’s Tobias Wieloch highlighting Guidelines on how to counter them. A perspective on card shimming in the UK will then be given by forensic experts Brian Underhill and Nick Weber, followed by a session on the importance of standardising fraud definitions by Ben Birtwistle of RBS and Claire Shufflebotham of TMD Security. The event is co-located with RBR’s ATM & Cyber Security 2018 Conference. See the full programme here.

Attendance at EAST EGAF meetings is limited, as it is a working group, and this EAST FCS Seminar enables wider participation and the opportunity for all attendees to engage with the Group and its organisers.

The Seminar is sponsored by:

India’s Cosmos bank suffers global ATM cash-out attack

Posted on 14/08/2018

India’s Cosmos cooperative bank has suffered a major global ATM cash-out attack losing Rs 94.42 crore (Euro 12 million approx) in 14,849 transactions between 11 August and 13 August 2018. The illicit ATM withdrawals took place in at least 28 countries.

On 11 August hackers are believed to have stolen information of the bank’s Visa and Rupay card customers through a malware attack on its ATM (switch) server which led to an initial loss of Rs 80 crore. According to local police 12,000 transactions were made using Visa cards, which saw Rs 78 crore illegally withdrawn from ATMs in 28 countries, while a further Rs 2 crore were transferred through 2,489 Rupay card transactions in India.

In a second attack on 13 August the hackers initiated SWIFT transactions and transferred Rs 13.92 crore to an account in a Hong Kong-based bank, from where the money was quickly withdrawn.

Cosmos Bank Chairman Milind A. Kale said “We suspect the malware attack to be done from Canada. The money was withdrawn from ATM machines from 28 countries through around 12,000 international transactions and around 2,849 domestic transactions. The transactions were carried out using fake debit cards. The deposit of account holders is safe and intact. However, as a precautionary measure, we have stopped the online system for two days.”

This attacks comes just days after the US Federal Bureau of Investigation (FBI) issued a confidential alert, warning that cyber criminals were planning an unlimited global ATM cash-out operation. More details of this can be found on the website Krebs On Security

EAST has worked with Europol to produce guidance and recommendations to counter logical attacks on ATMs, which are now available in four languages. These guidelines are under review and an updated version is expected to be released later this year.