EAST Publishes European Fraud Update 1-2020

EAST has just published its first European Fraud Update for 2020. This is based on country crime updates given by representatives of 18 countries in the Single Euro Payments Area (SEPA), and 2 non-SEPA countries, at the 50th EAST meeting held in Vienna on 12th February 2020.

Payment fraud issues were reported by eighteen countries. Seven countries reported CNP fraud occurring worldwide. One reported that the card data is either bought in bulk or obtained via card testing/BIN attacks. The attackers use scripts/bots (not real people) to conduct the fraud. Four countries reported BIN attacks. One reported that they are originating from the Middle East for the first time and another reported them in relation to both CP and CNP fraud, with losses reported in the USA, the UK and Brazil. Two countries reported Account Takeover Fraud, one of them in connection with SIM swapping.

Six countries reported phishing. One reported the use of fake emails by criminals to impersonate bank customers, claiming that their bank account details have changed. Another reported that online banking was targeted, and a third country reported phishing using social networks, with related fraud occurring in China. Three countries reported SMS phishing (Smishing). One of them reported this related to token validation transactions – the IP addresses are in Morocco and the fraud occurs in an EU country with losses via Western Union.

To date in 2020 the EAST Payments Task Force (EPTF) has published one related Payment Alert.

ATM malware and logical attacks were reported by twelve countries – one reported successful ATM malware attacks where ‘Cutlet Maker’ was used, and ten reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash. To date in 2020 the EAST Expert Group on All Terminal Fraud (EGAF) has published one related Fraud Alert.

Card skimming at ATMs was reported by ten countries, and the downward trend continues. Six countries reported the usage of ‘M3 – Card Reader Internal Skimming devices’, and the usage of ‘M1 – Overlay Skimming Devices’ and ‘M2 – Throat Inlay Skimming Devices’ was also reported. Skimming attacks on other terminal types were reported by eight countries. Four reported attacks on unattended payment terminals (UPTs) at petrol stations, and three reported attacks at railway ticket machines. To date in 2020 EAST EGAF has published four related Fraud Alerts.

Year to date International skimming related losses were reported in 14 countries and territories outside SEPA and in 4 within SEPA. The top three locations where such losses were reported remain Indonesia, India and the USA.

Five countries reported card trapping attacks, one of them reporting a new method that allows several cards to be captured in one attack. Three countries reported transaction reversal fraud (TRF) incidents. To date in 2020 EAST EGAF has published two related Fraud Alerts.

Ram raids and ATM burglary were reported by eleven countries and eleven countries reported explosive gas attacks, one of which resulted in a fatality. Eight countries reported solid explosive attacks. The usage of Triacetone Triperoxide (TATP) for solid explosive attacks continues to increase across Europe. Mixing TAPT is a complicated procedure that requires good knowledge of the chemicals, as there is a danger of setting off an unexpected explosion. The spread of such attacks is of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.
To date in 2020 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published two related Physical Attack Alerts.

The full European Fraud Update is available to EAST Members (National, Global and Associate).

EAST EGAF holds 20th Meeting in Amsterdam

The 20th Meeting of the EAST Expert Group on All Terminal Fraud (EAST EGAF) took place on Wednesday 15th January 2020 at ING Domestic Bank in Amsterdam.

EAST EGAF is a regional expert group that focuses on regional and global payment terminal crime and fraud related issues, threats and counter-measures.

The meeting was chaired by Mr Otto de Jong from ING Bank and was attended by key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts.

This was a milestone meeting and, in recognition of his work in founding and supporting EGAF, as well as his 16 years of active support for EAST, Otto was presented with an award by Ms Veronica Borgogna of BANCOMAT S.p.A, the current Chair of EAST.

Presentations were made by Europol (AP Cyborg), Geldmaat, Damage Control and Fiducia & GAD IT AG.

The EGAF Group, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Skimming, Card Trapping, Cash Trapping and Transaction Reversal Fraud.

In addition EAST EGAF generates EAST Fraud Alerts for all EAST Members (National, Global and Associate). In total 227 EAST Fraud Alerts have been issued, 2 to date in 2020.

EAST Publishes European Fraud Update 3-2019

European FraudEAST has just published its third European Fraud Update for 2019. This is based on country crime updates given by representatives of 16 countries in the Single Euro Payments Area (SEPA), and 4 non-SEPA countries, at the 49th EAST Meeting held in London on 8th October 2019.

Payment fraud issues were reported by seventeen countries. Social engineering is a key concern. Seven countries reported phishing attacks. One of them stated that fraudsters are using phishing to get targets for fake web campaigns where consumers can win money, and another reported fake web surveys aimed at getting consumer data. In one country the quality of vishing calls is improving, where the people making the spoof calls are very believable and often have local accents from the customer’s home area. Impersonation fraud was reported by four countries – in one of them police officers are impersonated, and another reported spoof calls being received by customers from bank call centres.

Card Not Present (CNP) fraud was reported by six countries. One of them reported CNP fraud at digital media players. Contactless fraud was reported by two countries – in one of them it is related to lost and stolen cards, and in the other card present (CP) transactions are being made at small merchants up to the allowed limit. To date in 2019 the EAST Payments Task Force (EPTF)  has issued five related Payment Alerts.

ATM malware and logical attacks were reported by five countries – one reported a new way of getting malware onto an ATM, that did not succeed, and four reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash. To date in 2019 the EAST Expert Group on All Terminal Fraud (EGAF) has published seven related Fraud Alerts.

Card skimming at ATMs was reported by thirteen countries. Overall skimming incidents in Europe continue to decline. Three countries reported the usage of ‘M3 – Card Reader Internal Skimming devices’, and the most recent variants continue to be made of transparent plastic. To date in 2019 EAST EGAF has published thirteen related Fraud Alerts. Year to date International skimming related losses were reported in 41 countries and territories outside SEPA and in 4 within SEPA. The top three locations where such losses were reported remain Indonesia, India and the USA.

Four countries reported card trapping attacks, one of them reporting such attacks at fake terminals, designed to resemble lobby door opening devices at bank branches.

Ram raids and ATM burglary were reported by nine countries and twelve countries reported explosive gas attacks. After one such attack collateral damage of over €200,000 was reported. Six countries reported solid explosive attacks. The usage of Triacetone Triperoxide (TATP) for solid explosive attacks is increasing across Europe. This explosive is also known as the ‘Mother of Satan’. Mixing TAPT is a complicated procedure that requires good knowledge of the chemicals, as there is a danger of setting off an unexpected explosion.

The spread of such attacks is of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings. To date in 2019 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published nine related Physical Attack Alerts.

The full European Fraud Update is available to EAST Members (National and Associate).

EAST FCS Terminal Fraud Seminar 2019

terminal fraud

An EAST FCS Terminal Fraud Seminar was held on 9th October 2019 in London, co-located with RBRs ATM & Cyber Security 2019 Conference. The interactive event followed the basic structure of work group meetings held by the EAST Expert Group on All Terminal Fraud (EGAF). This group, which meets three times a year, provides a platform for law enforcement and private sector experts to come together and share fraud information, trends and statistics in a structured manner.

terminal fraudAn introduction to EGAF by the Chair, Otto de Jong, was followed by a presentation by EAST Development Director Rui Carvalho, covering the latest EAST terminal fraud statistics from the H1 2019 European Payment Terminal Crime Report.  Tobias Wieloch of Europol then gave a high level view of the terminal fraud attack situation across Europe which was followed by threat assessments from around Europe:

  • NORTH – Nordics – Arnt Olav Rottereng – Evry
  • SOUTH – Italy – Veronica Borgogna – Bancomat SpA
  • EAST – Russia – Nikolai Dosh – Mastercard Members Association (MCMA)
  • WEST – UK – Ben Birtwistle – NatWest Bank Plc

terminal fraudThese were followed by an overview and demonstration of the Checkcard Software by Tobias Heckmann from the University of Applied Sciences in Bingen, Germany. This has been developed as an investigation tool to validate whether or not a smart card is genuine. The check is done off-line, either using software on a desktop or on an android phone.

terminal fraudThe event concluded with an update on logical security – Otto de Jong covered black box attacks and Terence Devereux of Diebold Nixdorf spoke about ATM malware attacks.

Attendance at the regular EAST EGAF work group meetings is limited and this event enabled active participation and input from a much wider pool of expertise.

More information on the event can be found on the EAST Events Website

ATM malware and logical attacks fall in Europe

EAST has just published a European Payment Terminal Crime Report covering the first six months of 2019 which reports that ATM malware and logical attacks continue to trend downwards.

ATM malware and logical attacks against ATMs were down 43% (from 61 to 35) and all bar one of the reported ‘jackpotting’ attacks are believed to have been unsuccessful. Malware was used for 3 of the attack attempts and the remainder were ‘black box’ attacks. Related losses were down 100% (from €0.25 million to €0.00 million), although a small loss (less than €1,000) was reported in one case.

EAST Executive Director Lachlan Gunn said, “This fall in logical and malware attacks is very good news and reflects the work that has been put into preventing such attacks by the industry and law enforcement. In January 2019, supported by our Expert Group on All Terminal Fraud (EGAF), Europol updated their ‘Guidance & recommendations regarding logical attacks on ATMs’, which was first published in 2015. These Guidelines, which have been widely shared with ATM deployers and law enforcement agencies, reinforce the recommendations made by the ATM vendors.”

Terminal related fraud attacks were up 59% (from 6,760 to 10,723 incidents). This increase was primarily due to an increase in transaction reversal fraud attacks (up from 2,292 to 5,649 incidents), while card skimming incidents fell to an all time low (down from 985 to 731 incidents). This downward trend reflects the success of EMV and that measures to counter skimming at terminals, along with geo-blocking, are working well in Europe.

Total losses of €124 million were reported, up 16% from the €107 million reported during the same period in 2018. This increase is primarily due to a rise in international losses due to card skimming (up from €87 million to €100 million), which indicates that EMV implementation is not yet complete globally with resultant risks for European cardholders. Losses due to transaction reversal fraud were up 135% (from €1.36 million to €3.2 million).

ATM related physical attacks were up 16% (from 2,046 to 2,376 incidents). Attacks due to ram raids and ATM burglary were up 3% (from 590 to 610 incidents) and ATM explosive attacks (including explosive gas and solid explosive attacks) were up 3% (from 490 to 503 incidents). Losses due to ATM related physical attacks were €11.4 million, a 25% decrease from the €15.1 million reported during the same period in 2018.

The average cash loss for a robbery is estimated at €15,140 per incident, the average cash loss per explosive or gas attack is €10,161 and the average cash loss for a ram raid or burglary attack is €9,632. These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

A summary of the report statistics under the main headings is in the table below.

The full Crime Report is available to EAST Members (National and Associate)

EAST EGAF holds 19th Meeting in Amsterdam

EAST EGAFThe Nineteenth Meeting of the EAST Expert Group on All Terminal Fraud (EAST EGAF) took place on Wednesday 18th September 2019 at ING Domestic Bank in Amsterdam.

EAST EGAF is a regional expert group that focuses on regional and global payment terminal crime and fraud related issues, threats and counter-measures.

The meeting was chaired by Mr Otto de Jong and was attended by key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts.

The Group, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Skimming, Card Trapping, Cash Trapping and Transaction Reversal Fraud.

In addition EAST EGAF generates EAST Fraud Alerts for all EAST Members (National and Associate). In total 219 EAST Fraud Alerts have been issued, 18 to date in 2019.

EAST EGAF meetings are restricted to working group members and, to provide a wider platform for sharing/discussion, the Group is holding a half-day open seminar in London on 9th October 2019.  Registration for this is still open and more information can be found on the EAST Events website.

EAST Publishes European Fraud Update 2-2019

FraudEAST has published its second European Fraud Update for 2019. This is based on country crime updates given by representatives of 16 countries in the Single Euro Payments Area (SEPA), and 4 non-SEPA countries, at the 48th EAST meeting held at Europol in The Hague on 5th June 2019.

Payment fraud issues were reported by 18 countries. To date in 2019 the EAST Payments Task Force (EPTF) has issued 4 related Payment Alerts.

Two countries reported mobile wallet fraud in relation to Apple Pay. One reported that mobile wallets are fast becoming the new money mules – fraudsters are enrolling cards that are not yet associated to a specific wallet. Another country reported that fraudsters are obtaining security codes through phishing, with which they can then install a mobile banking app on their own smartphone, using the victim’s data. One country reported that fraudsters are increasingly using mobile call centres to call customers from numbers that appear to be genuine, and then are pretending to be bank security staff. This enables them to obtain key personal information and data.

Five countries reported fake websites, mainly in China and other Asian countries – customers place orders for goods, which are never fulfilled, or for services which are never provided. One country reported that the quality of fake websites and fake emails is constantly improving, with fewer language errors and better design and formatting.

ATM malware and logical attacks were reported by 6 countries. They all reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash. In most cases the attacks were unsuccessful. To date in 2019 the EAST Expert Group on All Terminal Fraud (EGAF) has published 5 related Fraud Alerts.

Card skimming at ATMs was reported by eighteen countries. Five countries reported the continued usage of M3 – Card Reader Internal Skimming devices. The most recent variants are made of transparent plastic. Skimming attacks on other terminal types were reported by six countries, three of which reported such attacks on railway ticket machines. To date in 2019 EAST EGAF has published 8 related Fraud Alerts.

Year to date International skimming related losses were reported in 37 countries and territories outside SEPA and in 4 within SEPA. The top three locations where such losses were reported remain Indonesia, India and the USA.

Eight countries reported cash trapping attacks, two of them reporting decreases in such attacks. Five countries reported card trapping attacks, two of them reporting that such attacks are increasing.

Ram raids and ATM burglary were reported by 10 countries and 9 countries reported explosive gas attacks, 4 of which reported that such attacks are increasing. Seven countries reported solid explosive attacks, two of which are seeing increases in such attacks, and one reported an attack carried out by criminals armed with assault rifles. The spread of such attacks is of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings. To date in 2019 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published 7 related Physical Attack Alerts.

The full Fraud Update is available to EAST Members (National and Associate).

ATM Physical Attacks in Europe on the increase

ATM physical attacksEAST has just published a European Payment Terminal Crime Report covering 2018 which reports that ATM physical attacks have risen for the fourth consecutive year.

ATM related physical attacks rose 27% when compared with 2017 (up from 3,584 to 4,549 incidents).  Within this total ATM explosive attacks (including explosive gas and solid explosive attacks) were down 3% (down from 1,081 to 1,052 incidents).  Explosive attacks remain a cause for concern as the number of countries reporting them has risen from ten in 2017 to eleven in 2018.  Such attacks result in extensive collateral damage and can pose a risk to life.

Losses due to ATM related physical attacks were €36 million, a 16% increase from the €31 million reported during 2017.  The average cash loss per explosive or gas attack is estimated at €17,103, the average cash loss for a robbery is estimated at €13,682 per incident and the average cash loss for a ram raid or burglary attack is estimated at €13,198.  These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

EAST Executive Director Lachlan Gunn said, “The success rate for solid explosive attacks is of particular concern – we estimate that the average cash loss per solid explosive attack is €27,065.  Such attacks continue to spread geographically with two countries reporting them for the first time in early 2019.  Our Expert Group on ATM and ATS Physical Attacks (EGAP) is actively monitoring the situation and provides a cross-border platform for the industry and law enforcement to share related intelligence and measures that can be taken to mitigate the risks.”

Payment terminal related fraud attacks fell 36% when compared with 2017 (down from 20,971 to 13,511 incidents).  This fall was mainly driven by a 26% decrease in card skimming incidents (down from 2,556 to 1,883 incidents) and by a 66% fall in transaction reversal fraud incidents (down from 14,098 to 4,843 incidents).

Losses due to payment terminal related fraud attacks fell 30% when compared with 2017 (down from €353 million to €247 million).  Within these totals international skimming losses fell by 27% (down from €280 million to €205 million) and domestic skimming losses were down 44% (from €64 million to €36 million).

A total of 157 ATM malware and logical attacks were reported, down from 192 in 2017, an 18% decrease.  156 of the attacks were logical attacks where equipment typically referred to as a ‘black box’ is used to send dispense commands directly to the ATM cash dispenser in order to cash-out the ATM.  Related losses were down 70%, from €1.52 million to €0.45 million.

A summary of the report statistics under the main headings is in the table below.

The full Crime Report is available to EAST Members (National and Associate)

EAST Publishes European Fraud Update 1-2019

European Fraud Update 1-2019EAST has published its first European Fraud Update for 2019.  This is based on country crime updates given by representatives of 17 countries in the Single Euro Payments Area (SEPA), and 4 non-SEPA countries, at the 47th EAST meeting held in Lisbon on 6th February 2019.

Payment fraud issues were reported by 20 countries.  Three countries reported phishing attacks. One of them reported that the fraudsters are managing to obtain online banking credentials and one time passwords (OTPs) for cash withdrawals at ATMs, as well as managing to make minor purchases through digital payment apps.  Another country reported criminals taking remote control of people’s computers and then gaining access to their bank account(s).  This has led to a consumer awareness campaign highlighting that, in addition to never asking for a customer’s PIN, banks will also never ask for remote PC access to be allowed.  One country reported that, since mobile operators started to implement new services, there has been a growing trend of SIM card duplication.  The SIM cards of phones used for financial transaction authorisation are duplicated, ensuring that the original phone does not work.  This means that the OTPs are sent to the duplicate phone, not the genuine one.

ATM malware and logical attacks were reported by 8 countries.  Three of the countries reported ATM related malware and one of them advised that a new malware variant ‘HelloWorld’ was found.  Eight countries reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  To date in 2019 the EAST Expert Group on All Terminal Fraud (EGAF) has published two related Fraud Alerts.

Card skimming at ATMs was reported by fourteen countries.  One country reported the first use of a mini M2 – Throat Inlay Skimming Device.  Two countries reported skimming related arrests.  Skimming attacks on other terminal types were reported by 5 countries, three of which reported such attacks on unattended payment terminals (UPTs) at petrol stations and two reported attacks using POS terminals.  To date in 2019 EAST EGAF has published three related Fraud Alerts.

Six countries reported cash trapping attacks, one of them reporting that criminals continue to switch their focus from transaction reversal fraud (TRF) attacks to cash trapping.

Ram raids and ATM burglary were reported by 8 countries and 9 countries reported explosive gas attacks.  Nine countries also reported solid explosive attacks, and this type of attack continues to spread with 4 countries reporting such attacks for the first time.  The spread of such attacks is of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.  To date in 2019 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published five related Physical Attack Alerts.  EAST EGAP has also just published new Terminal Physical Attack Definitions and Terminology to help industry and law enforcement when reporting attacks against ATMs and other terminals.  These can be downloaded from the EAST website.

The full Fraud Update is available to EAST Members (National and Associate).

47th EAST Meeting hosted by SIBS in Lisbon

The 47th Meeting of EAST National Members was hosted by SIBS at the SANA Metropolitan Hotel in Lisbon on 6th February 2019. National country crime updates were provided by 21 countries, and a global update by HSBC.  Topics covered included payment fraud and the evolution of payment technology, ATM malware and logical attacks, terminal related fraud attacks and ATM related physical attacks.

Presentations were also given by the EAST Payments Task Force (EPTF) and the EAST Expert Group on All Terminal Fraud (EGAF).  An update was given by the EAST Expert Group on ATM and ATS Physical Attacks (EGAP).

EAST Fraud Update 1-2019 will be produced in early March, based on the national country crime updates provided at the meeting.  EAST Fraud Updates are available on the EAST Website to EAST Members.