Terminal Fraud

terminal fraudWhile most payment transactions take place seamlessly and without issue, financial criminals remain active and terminal fraud is a problem for payment terminal deployers, ATM deployers, card issuers, equipment manufacturers and vendors, software providers, law enforcement agencies and other payment industry stakeholders.  On 10th October 2018 the EAST Expert Group on All Terminal Fraud (EAST EGAF) will hold an open Financial Crime & Security (FCS) Seminar in London to focus on the issue.  EAST EGAF is chaired by Otto de Jong of ING Bank.

EAST Executive Director Lachlan Gunn said ‘EAST EGAF was formed as a working group in 2013 and will hold its 16th Meeting on Wednesday 19th September 2018 in Amsterdam. Attendance at EAST EGAF meetings is restricted in accordance with the group’s Terms of Reference, which makes the coming FCS Seminar in October a great opportunity for all those affected by, or concerned about, terminal fraud to engage with EAST’.

This interactive event focuses on two key outputs of EAST EGAF – Guidelines regarding logical attacks on ATMs and standardised fraud definitions.  An introduction to the Group will be followed by a presentation of the latest EAST Fraud Statistics (H1 2018).  A session by Juan Jesús León Cobos of GMV will then focus on the evolution of cash-out/jackpotting attacks in Latin America, followed by a session by Europol’s Tobias Wieloch highlighting Guidelines on how to counter them.  A perspective on card shimming in the UK will then be given by forensic experts Brian Underhill and Nick Weber, followed by a session on the importance of standardising fraud definitions by Ben Birtwistle of RBS and Claire Shufflebotham of TMD Security. The event is co-located with RBR’s ATM & Cyber Security 2018 Conference.  See the full programme here.

Attendance at EAST EGAF meetings is limited, as it is a working group, and this EAST FCS Seminar enables wider participation and the opportunity for all attendees to engage with the Group and its organisers.


The Seminar is sponsored by:

 

 

 

 

India’s Cosmos bank suffers global ATM cash-out attack

India’s Cosmos cooperative bank has suffered a major global ATM cash-out attack losing Rs 94.42 crore (Euro 12 million approx) in 14,849 transactions between 11 August and 13 August 2018.  The illicit ATM withdrawals took place in at least 28 countries.

On 11 August hackers are believed to have stolen information of the bank’s Visa and Rupay card customers through a malware attack on its ATM (switch) server which led to an initial loss of Rs 80 crore.  According to local police 12,000 transactions were made using Visa cards, which saw Rs 78 crore illegally withdrawn from ATMs in 28 countries, while a further Rs 2 crore were transferred through 2,489 Rupay card transactions in India.

In a second attack on 13 August the hackers initiated SWIFT transactions and transferred Rs 13.92 crore to an account in a Hong Kong-based bank, from where the money was quickly withdrawn.

Cosmos Bank Chairman Milind A. Kale said  “We suspect the malware attack to be done from Canada. The money was withdrawn from ATM machines from 28 countries through around 12,000 international transactions and around 2,849 domestic transactions. The transactions were carried out using fake debit cards. The deposit of account holders is safe and intact. However, as a precautionary measure, we have stopped the online system for two days.”

This attacks comes just days after the US Federal Bureau of Investigation (FBI) issued a confidential alert, warning that cyber criminals were planning an unlimited global ATM cash-out operation.  More details of this can be found on the website Krebs On Security

EAST has worked with Europol to produce guidance and recommendations to counter logical attacks on ATMs, which are now available in four languages. These guidelines are under review and an updated version is expected to be released later this year.

EAST presents at Europol Training on Payment Card Fraud Forensics

card fraud forensics trainingOn 26 June 2018 EAST Development Director Rui Carvalho presented at the fourth edition of the Europol Training Course on Payment Card Fraud Forensics and Investigations at the Spanish National Police Academy in Ávila, Spain. His talk gave an overview of EAST and covered terminal and payment fraud in Europe from the perspective of the private sector.

The Europol training, which ran from 25 to 29 June 2018, covered a wide range of topics including cryptocurrencies, ATM malware, forensic tools for the examination of skimming equipment, Near Field Communication (NFC) technology, EU regulation in non-cash payment, and data breaches or cyber attacks.

The training course was attended by 74 Investigators, forensic experts, and future police officers from 27 countries in the European Union, as well as from Iceland, Gibraltar, Montenegro, Moldova, Canada, Ukraine and South Korea.  Presentations were given by 33 speakers from different law enforcement agencies, the European Commission, Europol and bodies from the private sector (including EAST) and academia.  Since the first training in 2015 over 200 international students have benefited from the training programme, which has been supported by EAST.

45th EAST Meeting hosted by EC3 at Europol

EC3The 45th Meeting of EAST National Members was hosted by the European Cybercrime Centre (EC3) at Europol on 6th June 2018. National country crime updates were provided by 21 countries, and a global update by HSBC.  Topics covered included payment fraud and the evolution of payment technology, ATM malware and logical attacks, terminal related fraud attacks and ATM related physical attacks.

EC3 presented on the latest initiatives and events relating to e-commerce fraud prevention, global airport actions (GAAD) to combat online fraud involving stolen or fake credit card data to purchase plane tickets, actions relating to virtual currencies, the Europol-ASEAN Strategic Payment Card Fraud Meeting, and provided updates on Advisory Group activities relating to Internet Security, Communication Providers and Financial Services.

Presentations were also given by the EAST Payments Task Force (EPTF) and the EAST Expert Group on ATM and ATS Physical Attacks (EGAP).  An update was given by the EAST Expert Group on All Terminal Fraud (EGAF).

EAST Fraud Update 2-2018 will be produced later this month, based on the national country crime updates provided at the meeting.  EAST Fraud Updates are available on the EAST Website to EAST Members.

The 46th EAST Meeting will be held in London on 9th October 2018 and will be followed by EAST FCS Seminars on 10th October 2018 at the same venue.

ATM Malware attacks hit Europe

EAST has just published a European Payment Terminal Crime Report covering 2017 which reports that ATM malware attacks have started in Western and Central Europe. A total of 192 ATM malware and logical attacks were reported, up from 58 in 2016, a 231% increase.  189 of the attacks were logical attacks where equipment typically referred to as a ‘black box’ is used to send dispense commands directly to the ATM cash dispenser in order to cash-out the ATM.

The use of malware for cash-out was seen for the first time in Western and Central Europe with 3 such attacks reported by two countries.  Related losses were up 230%, from €0.46 million to €1.52 million.  EAST Executive Director Lachlan Gunn said, “The use of malware, such as Cutlet Maker, to cash-out ATMs has been around for some time but has not been reported in Western or Central Europe until 2017.  Early indications are that such attacks are continuing this year, although the recent related arrests announced by Europol are encouraging.  Our Expert Group on All Terminal Fraud (EGAF) is actively monitoring all malware threats to payment terminals, while our Payments Task Force (EPTF) is focusing on malware threats against the wider banking infrastructure.”

Overall payment terminal related fraud attacks fell 11% when compared with 2016 (down from 23,588 to 20,971 incidents).  This fall was mainly driven by a 23% decrease in card skimming incidents (down from 3,315 to 2,556 incidents).  This is the seventh successive year that the number of skimming incidents has fallen and the number of incidents reported in 2017 is the lowest since EAST first began gathering data in 2004.

Losses due to payment terminal related fraud attacks were up 6% when compared with 2016 (up from €332 million to €353 million).  Within these totals international skimming losses rose by 5% (up from €267 million to €280 million) and domestic skimming losses were up 21% (from €53 million to €64 million).

ATM related physical attacks rose 21% when compared with 2016 (up from 2,974 to 3,584 incidents).  Within this total ATM explosive attacks (including explosive gas and solid explosive attacks) were up 9% (up from 988 to 1,081 incidents).  Losses due to ATM related physical attacks were €31 million, a 37% drop from the €49 million reported during 2016.  Part of this decrease is due to the fact that one major ATM deploying country that used to report this data is currently unable to do so.

The average cash loss for a robbery is estimated at €16,899 per incident, the average cash loss for a ram raid or burglary attack is €12,804 and the average cash loss per explosive or gas attack is €12,591.  These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

A summary of the report statistics under the main headings is in the table below.

The full Crime Report is available to EAST Members (National and Associate)

44th EAST Meeting hosted by EKS

The 44th Meeting of EAST National Members was hosted by EURO Kartensysteme GmbH (EKS) in Frankfurt on 7th February 2018.  National country crime updates were provided by 21 countries. Topics covered included payment fraud and the evolution of payment technology, ATM malware and logical attacks, terminal related fraud attacks and ATM related physical attacks.

Presentations were given by staff from the German Federal Criminal Police Office – BKA (Bundeskriminalamt) and also by the EAST Payments Task Force (EPTF) and the EAST Expert Group on All Terminal Fraud (EGAF).  An update was given by the EAST Expert Group on ATM and ATS Physical Attacks (EGAP).

EAST Fraud Update 1-2018 will be produced later this month based on the updates provided at the meeting.  EAST Fraud Updates are available on the EAST Website to EAST Members.

EAST Publishes European Fraud Update 3-2017

Fraud UpdateEAST has published its third European Fraud Update for 2017.  This is based on country crime updates given by representatives of 15 countries in the Single Euro Payments Area (SEPA), and 5 non-SEPA countries, at the 43rd EAST meeting held in Edinburgh on 4th October 2017.

Payment fraud issues were reported by eleven countries.  One country reported that a fake P2P website was used to get funds illegally, which are then transferred to genuine cards for cash withdrawal.  Card-Not-Present (CNP) fraud shows a significant increase in fake websites, such as ticketing sites.  Data acquired through social engineering is used immediately by criminals to make fund transfers to money mule accounts.  The EAST Payments Task Force (EPTF) is looking at security issues affecting payments with a view to the gathering, collation and dissemination of related information, trends and general statistics.

ATM malware and logical security attacks were reported by seven countries.  To date in 2017 EAST has published fourteen related Fraud Alerts.  Two of the countries reported ATM related malware and all seven reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  To help counter these threats Europol, supported by the EAST Expert Group on All Terminal Fraud (EGAF), has published a document entitled ‘Guidance and Recommendations regarding Logical attacks on ATMs’.  It covers mitigating the risk, setting up lines of defence and identifying and responding to logical attacks.  This is available in four languages: English, German, Italian and Spanish.

Card skimming at ATMs was reported by thirteen countries.  The usage of M3 – Card Reader Internal Skimming devices is most prevalent.  This type of device is placed at various locations inside the motorised card reader behind the shutter.  Four countries reported such attacks and, to date in 2017, EAST has published ten related Fraud Alerts.

Year to date International skimming related losses were reported in 53 countries and territories outside of the Single Euro Payments Area (SEPA) and in 10 within SEPA.  The top three locations where such losses were reported are the USA, Indonesia and India.

Skimming attacks on other terminal types were reported by eight countries and four countries reported such attacks on unattended payment terminals (UPTs) at petrol stations.

Six countries reported incidents of Transaction Reversal Fraud (TRF).  One country reported a continued increase in such attacks and two countries reported a new modus-operandi.

Ram raids and ATM burglary were reported by ten countries and eight countries reported explosive gas attacks.  To date in 2017 EAST has published eleven related ATM physical attack alerts.  The use of solid explosives continues to spread and six countries reported such attacks.  This is of increasing concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.

The full Fraud Update is available to EAST Members (National and Associate).

43rd EAST Meeting hosted by LINK Scheme

43rd EAST MeetingThe 43rd Meeting of EAST National Members was hosted by the LINK Scheme in Edinburgh on 4th October 2017.  National country crime updates were provided by 20 countries, and a global update by HSBC. Topics covered included payment fraud and the evolution of payment technology, ATM malware and logical attacks, terminal related fraud attacks and ATM related physical attacks.

A presentation on Card Not Present (CNP) Fraud was given by Police Scotland and updates were provided by the EAST Payments Task Force (EPTF), the EAST Expert Group on All Terminal Fraud (EGAF) and the EAST Expert Group on ATM and ATS Physical Attacks (EGAP).

EAST Fraud Update 3-2017 will be produced later this month, based on the updates provided at the meeting.  EAST Fraud Updates are available on the EAST Website to EAST Members.

The 43rd EAST Meeting was the first meeting of EAST National Members as the ‘European Association for Secure Transactions’.  At the EAST FCS Forum on 8th June 2017 EAST, formerly known as the European ATM Security Team, changed its name.

Viewpoint: Poll indicates malware and black box attacks are biggest fraud risk to the ATM channel

In a website research poll that ran from May to August 2017 participants were asked how they saw fraud risk developing for ATMs. 67% of respondents felt that malware and black box attacks were the biggest risk, 20% went for card skimming, 7% chose social engineering, and cash trapping and card trapping were each chosen by 3%. The poll results can be seen in the chart below.

black box

This poll result is in line with EAST’s published European ATM fraud statistics, with reports that date back to 2004.  Over the past thirteen years we have seen fraud trends change, particularly since the EMV (Chip and PIN) roll out commenced.  Most recently we have seen an increase in black box attacks, as highlighted in an ATM Crime Report published by EAST in April 2017 and covering the full year 2016.

The current website research poll, which closes at the end of December, is on Payment Fraud and asks if you have experienced losses due to payment fraud over the past two years, how long did it take to get reimbursed?  To take it, and to see all past results, visit the Payment and Terminal Research page on this website.

EAST Publishes European Fraud Update 2-2017

EAST has published its second European Fraud Update for 2017.  This is based on country crime updates given by representatives of 21 countries in the Single Euro Payments Area (SEPA), and 5 non-SEPA countries, at the 42nd EAST meeting held at Europol on 7th June 2017.

Payment fraud issues were reported by ten countries.  One country reported a new fraud type where the card Primary Account Number (PAN) is compromised in China, leading to fraud in China.  In these cases the CPP is sometimes detected, but most of the time it is not.  Another country reported data compromise due ‘vishing’ attacks (voice phishing), ‘phishing’ websites and ‘SMiShing’ (SMS phishing).  The EAST Payments Task Force (EPTF) is looking at security issues affecting payments with a view to the gathering, collation and dissemination of related information, trends and general statistics.

ATM malware and logical security attacks were reported by fifteen countries.  To date in 2017 EAST has published ten related Fraud Alerts.  Two of the countries reported ATM malware and fourteen reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  Five countries reported ‘black box’ attacks for the first time, further indication that this attack type is continuing to spread.  To help counter these threats Europol, supported by the EAST Expert Group on All Terminal Fraud (EGAF), has published a document entitled ‘Guidance and Recommendations regarding Logical attacks on ATMs’.  It covers mitigating the risk, setting up lines of defence and identifying and responding to logical attacks.  This is available in four languages: English, German, Italian and Spanish.

Card skimming at ATMs was reported by nineteen countries.  The usage of M3 – Card Reader Internal Skimming devices continues to spread.  This type of device is placed at various locations inside the motorised card reader behind the shutter.  Nine countries reported such attacks and, to date in 2017, EAST has published six related Fraud Alerts.

International skimming related losses were reported in 49 countries and territories outside of the Single Euro Payments Area (SEPA) and in 9 within SEPA.  The top three locations where such losses were reported are the USA, Indonesia and the Philippines.

Skimming attacks on other terminal types were reported by ten countries and five countries reported such attacks on unattended payment terminals (UPTs) at petrol stations.  Two countries reported the usage of card reader internal shimming devices at POS terminals.

Eight countries reported incidents of Transaction Reversal Fraud (TRF).  One country reported a significant increase in such attacks and two countries reported such attacks for the first time.

Ram raids and ATM burglary were reported by nine countries and nine countries reported explosive gas attacks.  To date in 2017 EAST has published nine related ATM physical attack alerts.  The use of solid explosives continues to spread and six countries reported such attacks.  This is of increasing concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.

The full Fraud Update is available to EAST Members (National and Associate).