ATM Malware attacks hit Europe

EAST has just published a European Payment Terminal Crime Report covering 2017 which reports that ATM malware attacks have started in Western and Central Europe. A total of 192 ATM malware and logical attacks were reported, up from 58 in 2016, a 231% increase.  189 of the attacks were logical attacks where equipment typically referred to as a ‘black box’ is used to send dispense commands directly to the ATM cash dispenser in order to cash-out the ATM.

The use of malware for cash-out was seen for the first time in Western and Central Europe with 3 such attacks reported by two countries.  Related losses were up 230%, from €0.46 million to €1.52 million.  EAST Executive Director Lachlan Gunn said, “The use of malware, such as Cutlet Maker, to cash-out ATMs has been around for some time but has not been reported in Western or Central Europe until 2017.  Early indications are that such attacks are continuing this year, although the recent related arrests announced by Europol are encouraging.  Our Expert Group on All Terminal Fraud (EGAF) is actively monitoring all malware threats to payment terminals, while our Payments Task Force (EPTF) is focusing on malware threats against the wider banking infrastructure.”

Overall payment terminal related fraud attacks fell 11% when compared with 2016 (down from 23,588 to 20,971 incidents).  This fall was mainly driven by a 23% decrease in card skimming incidents (down from 3,315 to 2,556 incidents).  This is the seventh successive year that the number of skimming incidents has fallen and the number of incidents reported in 2017 is the lowest since EAST first began gathering data in 2004.

Losses due to payment terminal related fraud attacks were up 6% when compared with 2016 (up from €332 million to €353 million).  Within these totals international skimming losses rose by 5% (up from €267 million to €280 million) and domestic skimming losses were up 21% (from €53 million to €64 million).

ATM related physical attacks rose 21% when compared with 2016 (up from 2,974 to 3,584 incidents).  Within this total ATM explosive attacks (including explosive gas and solid explosive attacks) were up 9% (up from 988 to 1,081 incidents).  Losses due to ATM related physical attacks were €31 million, a 37% drop from the €49 million reported during 2016.  Part of this decrease is due to the fact that one major ATM deploying country that used to report this data is currently unable to do so.

The average cash loss for a robbery is estimated at €16,899 per incident, the average cash loss for a ram raid or burglary attack is €12,804 and the average cash loss per explosive or gas attack is €12,591.  These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

A summary of the report statistics under the main headings is in the table below.

The full Crime Report is available to EAST Members (National and Associate)

44th EAST Meeting hosted by EKS

The 44th Meeting of EAST National Members was hosted by EURO Kartensysteme GmbH (EKS) in Frankfurt on 7th February 2018.  National country crime updates were provided by 21 countries. Topics covered included payment fraud and the evolution of payment technology, ATM malware and logical attacks, terminal related fraud attacks and ATM related physical attacks.

Presentations were given by staff from the German Federal Criminal Police Office – BKA (Bundeskriminalamt) and also by the EAST Payments Task Force (EPTF) and the EAST Expert Group on All Terminal Fraud (EGAF).  An update was given by the EAST Expert Group on ATM and ATS Physical Attacks (EGAP).

EAST Fraud Update 1-2018 will be produced later this month based on the updates provided at the meeting.  EAST Fraud Updates are available on the EAST Website to EAST Members.

EAST Publishes European Fraud Update 3-2017

Fraud UpdateEAST has published its third European Fraud Update for 2017.  This is based on country crime updates given by representatives of 15 countries in the Single Euro Payments Area (SEPA), and 5 non-SEPA countries, at the 43rd EAST meeting held in Edinburgh on 4th October 2017.

Payment fraud issues were reported by eleven countries.  One country reported that a fake P2P website was used to get funds illegally, which are then transferred to genuine cards for cash withdrawal.  Card-Not-Present (CNP) fraud shows a significant increase in fake websites, such as ticketing sites.  Data acquired through social engineering is used immediately by criminals to make fund transfers to money mule accounts.  The EAST Payments Task Force (EPTF) is looking at security issues affecting payments with a view to the gathering, collation and dissemination of related information, trends and general statistics.

ATM malware and logical security attacks were reported by seven countries.  To date in 2017 EAST has published fourteen related Fraud Alerts.  Two of the countries reported ATM related malware and all seven reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  To help counter these threats Europol, supported by the EAST Expert Group on All Terminal Fraud (EGAF), has published a document entitled ‘Guidance and Recommendations regarding Logical attacks on ATMs’.  It covers mitigating the risk, setting up lines of defence and identifying and responding to logical attacks.  This is available in four languages: English, German, Italian and Spanish.

Card skimming at ATMs was reported by thirteen countries.  The usage of M3 – Card Reader Internal Skimming devices is most prevalent.  This type of device is placed at various locations inside the motorised card reader behind the shutter.  Four countries reported such attacks and, to date in 2017, EAST has published ten related Fraud Alerts.

Year to date International skimming related losses were reported in 53 countries and territories outside of the Single Euro Payments Area (SEPA) and in 10 within SEPA.  The top three locations where such losses were reported are the USA, Indonesia and India.

Skimming attacks on other terminal types were reported by eight countries and four countries reported such attacks on unattended payment terminals (UPTs) at petrol stations.

Six countries reported incidents of Transaction Reversal Fraud (TRF).  One country reported a continued increase in such attacks and two countries reported a new modus-operandi.

Ram raids and ATM burglary were reported by ten countries and eight countries reported explosive gas attacks.  To date in 2017 EAST has published eleven related ATM physical attack alerts.  The use of solid explosives continues to spread and six countries reported such attacks.  This is of increasing concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.

The full Fraud Update is available to EAST Members (National and Associate).

43rd EAST Meeting hosted by LINK Scheme

43rd EAST MeetingThe 43rd Meeting of EAST National Members was hosted by the LINK Scheme in Edinburgh on 4th October 2017.  National country crime updates were provided by 20 countries, and a global update by HSBC. Topics covered included payment fraud and the evolution of payment technology, ATM malware and logical attacks, terminal related fraud attacks and ATM related physical attacks.

A presentation on Card Not Present (CNP) Fraud was given by Police Scotland and updates were provided by the EAST Payments Task Force (EPTF), the EAST Expert Group on All Terminal Fraud (EGAF) and the EAST Expert Group on ATM and ATS Physical Attacks (EGAP).

EAST Fraud Update 3-2017 will be produced later this month, based on the updates provided at the meeting.  EAST Fraud Updates are available on the EAST Website to EAST Members.

The 43rd EAST Meeting was the first meeting of EAST National Members as the ‘European Association for Secure Transactions’.  At the EAST FCS Forum on 8th June 2017 EAST, formerly known as the European ATM Security Team, changed its name.

Viewpoint: Poll indicates malware and black box attacks are biggest fraud risk to the ATM channel

In a website research poll that ran from May to August 2017 participants were asked how they saw fraud risk developing for ATMs. 67% of respondents felt that malware and black box attacks were the biggest risk, 20% went for card skimming, 7% chose social engineering, and cash trapping and card trapping were each chosen by 3%. The poll results can be seen in the chart below.

black box

This poll result is in line with EAST’s published European ATM fraud statistics, with reports that date back to 2004.  Over the past thirteen years we have seen fraud trends change, particularly since the EMV (Chip and PIN) roll out commenced.  Most recently we have seen an increase in black box attacks, as highlighted in an ATM Crime Report published by EAST in April 2017 and covering the full year 2016.

The current website research poll, which closes at the end of December, is on Payment Fraud and asks if you have experienced losses due to payment fraud over the past two years, how long did it take to get reimbursed?  To take it, and to see all past results, visit the Payment and Terminal Research page on this website.

EAST Publishes European Fraud Update 2-2017

EAST has published its second European Fraud Update for 2017.  This is based on country crime updates given by representatives of 21 countries in the Single Euro Payments Area (SEPA), and 5 non-SEPA countries, at the 42nd EAST meeting held at Europol on 7th June 2017.

Payment fraud issues were reported by ten countries.  One country reported a new fraud type where the card Primary Account Number (PAN) is compromised in China, leading to fraud in China.  In these cases the CPP is sometimes detected, but most of the time it is not.  Another country reported data compromise due ‘vishing’ attacks (voice phishing), ‘phishing’ websites and ‘SMiShing’ (SMS phishing).  The EAST Payments Task Force (EPTF) is looking at security issues affecting payments with a view to the gathering, collation and dissemination of related information, trends and general statistics.

ATM malware and logical security attacks were reported by fifteen countries.  To date in 2017 EAST has published ten related Fraud Alerts.  Two of the countries reported ATM malware and fourteen reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  Five countries reported ‘black box’ attacks for the first time, further indication that this attack type is continuing to spread.  To help counter these threats Europol, supported by the EAST Expert Group on All Terminal Fraud (EGAF), has published a document entitled ‘Guidance and Recommendations regarding Logical attacks on ATMs’.  It covers mitigating the risk, setting up lines of defence and identifying and responding to logical attacks.  This is available in four languages: English, German, Italian and Spanish.

Card skimming at ATMs was reported by nineteen countries.  The usage of M3 – Card Reader Internal Skimming devices continues to spread.  This type of device is placed at various locations inside the motorised card reader behind the shutter.  Nine countries reported such attacks and, to date in 2017, EAST has published six related Fraud Alerts.

International skimming related losses were reported in 49 countries and territories outside of the Single Euro Payments Area (SEPA) and in 9 within SEPA.  The top three locations where such losses were reported are the USA, Indonesia and the Philippines.

Skimming attacks on other terminal types were reported by ten countries and five countries reported such attacks on unattended payment terminals (UPTs) at petrol stations.  Two countries reported the usage of card reader internal shimming devices at POS terminals.

Eight countries reported incidents of Transaction Reversal Fraud (TRF).  One country reported a significant increase in such attacks and two countries reported such attacks for the first time.

Ram raids and ATM burglary were reported by nine countries and nine countries reported explosive gas attacks.  To date in 2017 EAST has published nine related ATM physical attack alerts.  The use of solid explosives continues to spread and six countries reported such attacks.  This is of increasing concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.

The full Fraud Update is available to EAST Members (National and Associate).

EAST Publishes European Fraud Update 1-2017

European Fraud Update 1-2017EAST has just published its first European Fraud Update for 2017.  This is based on country crime updates given by representatives of 19 countries in the Single Euro Payments Area (SEPA), and 5 non-SEPA countries, at the 41st EAST meeting held in Oslo, Norway on 8th February 2017.

Card skimming at ATMs was reported by eighteen countries.  The usage of M3 – Card Reader Internal Skimming devices continues.  This type of device is placed at various locations inside the motorised card reader behind the shutter.  Five countries reported such attacks and EAST has recently published four related ATM Fraud Alerts.

International skimming related losses were reported in 45 countries and territories outside of the SEPA and in 9 within SEPA.  The top three locations where such losses were reported remain the USA, Indonesia and India.

Skimming attacks on other terminal types were reported by eight countries and four countries reported such attacks on unattended payment terminals (UPTs) at petrol stations.  One country reported the use of an M3 – Card Reader Internal Skimming Device at a public transport ticket machine, the first time this has been seen.

One country reported a new form of crime, ‘Cash-in’ or ‘Cash Deposit’ fraud.  The criminals deposit fake banknotes into ATMs (where the cash deposit function is available) and then credit their cards or other accounts.

ATM malware and logical security attacks were reported by eight countries all involving the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  EAST has recently published seven related ATM Fraud Alerts.  To help counter such attacks Europol has published a document entitled ‘Guidance and Recommendations regarding Logical attacks on ATMs’.  This is available in four languages: English, German, Italian and Spanish.

Ram raids and ATM burglary were reported by nine countries and nine countries reported explosive gas attacks.  The use of solid explosives continues to spread and seven countries reported such attacks.

Payment fraud issues were reported by five countries.  One country reported an increase in both vishing and phishing attacks and another reported criminal abuse of the chargeback system.

The full Fraud Update is available to EAST Members (National and Associate).

ATM Malware Criminals Apprehended

Five members of an international organised criminal group (OCG) have been arrested and three of them convicted so far as a result of a complex operation led by law enforcement agencies from Europe and Asia, with the active support of Europol’s European Cybercrime Centre (EC3).  One arrest was made by the Romanian National Police, three arrests by the Taiwanese Criminal Investigation Bureau and one arrest by the Belarusian Central Office of the Investigative Committee.  EC3 assisted the investigation by providing analytical support, organising operational meetings in Europe and Asia as well as analysing the seized data/ equipment.

This OCG is responsible for carrying out highly-sophisticated ATM malware attacks against bank ATMs, which were made to dispense all the money they contained (known as cash-out or jackpotting).  The modus operandi employed was highly sophisticated and involved:

  • spear-phishing emails with attachments containing malicious programmes,
  • penetration of the banks’ internal networks,
  • compromising and controlling the network of ATMs,
  • special computer programmes which deleted most of the traces of the criminal activity, etc.

Related losses suffered by the affected banks are estimated at around EUR 3 million. In some cases, after the cashing-out, the stolen money was partially recovered from the criminals.

EC3A key factor for the successful dismantling of this international cybercrime syndicate was close police cooperation on the global level and deep involvement of the Europol Liaison Office at the INTERPOL Global Complex for Innovation (IGCI).

Steven Wilson, Head of EC3, said: “The majority of cybercrimes have an international dimension, taking into account the origins of suspects and places where crimes are committed. Only through a coordinated approach at the global level between law enforcement agencies can we successfully track down the criminal networks behind such large-scale frauds and bring them to justice.”  Mr Wilson will give the keynote address at the EAST Financial Crime and Security Forum which will be held in The Hague on 8th/9th June 2017.

To further strengthen international police cooperation the Third Strategic Meeting on Payment Card Fraud (PCF) was held last month at the Electronic Transactions Development Agency (ETDA) in Bangkok, Thailand.

Europol, working with the EAST Expert Group on ATM Fraud (EGAF), has published guidelines to help industry and law enforcement counter the threat presented by ATM logical and malware attacks.

EAST EGAF holds 12th Meeting

The EAST Expert Group on ATM FraudThe Twelfth Meeting of the EAST Expert Group on ATM Fraud (EAST EGAF) took place on Wednesday 18th January 2017 at ING Domestic Bank in Amsterdam.

EAST EGAF is a regional expert group that focuses on regional and global ATM crime and fraud related issues, threats and counter-measures.

The meeting was chaired by Mr Otto de Jong and was attended by key representatives from ATM Deployers, ATM Networks, ATM Vendors, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts.

The Group, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on ATM Skimming, ATM Card Trapping, ATM Cash Trapping, ATM Reversal Fraud and ATM Logical Fraud.

The focus of the Group is on topics and issues raised by EAST National Members, which represent 34 countries with a total deployment of 1,332,228 ATMs. Outputs from the group are presented to all meetings of EAST National Members.

In addition EAST EGAF generates EAST ATM Fraud Alerts for all EAST Members (National and Associate). In total 127 EAST ATM Fraud Alerts have been issued, 3 to date in 2017.

EAST Publishes European Fraud Update 3-2016

east-european-fraud-update-3-2016EAST has just published its third European Fraud Update for 2016. This is based on country crime updates given by representatives of 18 countries in the Single Euro Payments Area (SEPA), and 6 non-SEPA countries, at the 40th EAST meeting held in Bucharest, Romania on 12th October 2016.

Card skimming at ATMs was reported by nineteen countries. The usage of M3 – Card Reader Internal Skimming devices continues. This type of device is placed at various locations inside the motorised card reader behind the shutter.  Seven countries reported such attacks.

International skimming related losses were reported in 57 countries and territories outside of the Single Euro Payments Area (SEPA) and in 10 within SEPA. The top three locations where such losses were reported are the USA, Indonesia and India.

Skimming attacks on other terminal types were reported by eight countries and six countries reported such attacks on unattended payment terminals (UPTs) at petrol stations.

ATM malware and logical security attacks were reported by eight countries all involving the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash. To help counter such attacks the Europol document ‘Guidance and Recommendations regarding Logical attacks on ATMs’ is now available in four languages: English, German, Italian and Spanish.

Ram raids and ATM burglary were reported by nine countries and eleven countries reported explosive gas attacks, four of them seeing big increases in such attacks.  The use of solid explosives continues to spread and six countries reported such attacks.

Payment fraud issues were reported by eight countries. Two of them reported data breaches and one updated on contactless card fraud. One country reported fraud relating to a popular games console and another fraud related to advertising on social media.

The full Fraud Update is available to EAST Members (National and Associate).