EAST EGAF holds 19th Meeting in Amsterdam

EAST EGAFThe Nineteenth Meeting of the EAST Expert Group on All Terminal Fraud (EAST EGAF) took place on Wednesday 18th September 2019 at ING Domestic Bank in Amsterdam.

EAST EGAF is a regional expert group that focuses on regional and global payment terminal crime and fraud related issues, threats and counter-measures.

The meeting was chaired by Mr Otto de Jong and was attended by key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts.

The Group, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Skimming, Card Trapping, Cash Trapping and Transaction Reversal Fraud.

In addition EAST EGAF generates EAST Fraud Alerts for all EAST Members (National and Associate). In total 219 EAST Fraud Alerts have been issued, 18 to date in 2019.

EAST EGAF meetings are restricted to working group members and, to provide a wider platform for sharing/discussion, the Group is holding a half-day open seminar in London on 9th October 2019.  Registration for this is still open and more information can be found on the EAST Events website.

Terminal Fraud Update – EAST FCS Seminars 2019

Terminal Fraud

Act now to save your place for the Terminal Fraud Seminar that will be held by the EAST Expert Group on All Terminal Fraud (EGAF) on 9th October 2019.

SESSION FOCUS – LOGICAL SECURITY UPDATE

This session will focus on logical attacks against ATMs. These can be split into two types – black box attacks and malware attacks.

Terminal FraudEAST EGAF Chair, Otto de Jong of ING Bank, will first present on black box attacks. These are a type of jackpotting attack. The criminals connect an unauthorised device (or black box) which sends dispense commands directly to the ATM cash dispenser in order to ‘Cash-Out’ the ATM. He will cover the latest developments for this type of attack methodology.

Terminal FraudThen Terence Devereux of Diebold Nixdorf will present an update on malware attacks. For these attacks the criminals use unauthorised software, or authorised software run in an unauthorised manner, on the ATM’s PC. These attacks are focussed on either jackpotting (most common), or card skimming, as follows:

  • Jackpotting: Targets control of the cash dispense function in order to ‘cash-out’ the ATM
  • Man-In-The-Middle (MitM): Targets communication between the ATM’s PC and the acquirer host system in order to falsify host responses and dispense cash without debiting the criminal’s account
  • SW-Skimming: Targets card and PIN data in order to create counterfeit cards for subsequent fraudulent transactions

This interactive event follows the basic structure of EAST EGAF Member meetings. Attendance at EAST EGAF meetings is limited, as it is a working group, and this event enables a wider participation and the opportunity for all attendees to engage with the Group and its organizers.

Terminal Fraud

The EAST FCS Seminars will be co-located with RBR’s ATM & Cyber Security 2019 event, although separate registration is required.


2019 EAST FCS ATM Physical Attack Seminar Sponsors

 

 

 

 

Additional sponsorship opportunities are still available

EAST Publishes European Fraud Update 2-2019

FraudEAST has published its second European Fraud Update for 2019. This is based on country crime updates given by representatives of 16 countries in the Single Euro Payments Area (SEPA), and 4 non-SEPA countries, at the 48th EAST meeting held at Europol in The Hague on 5th June 2019.

Payment fraud issues were reported by 18 countries. To date in 2019 the EAST Payments Task Force (EPTF) has issued 4 related Payment Alerts.

Two countries reported mobile wallet fraud in relation to Apple Pay. One reported that mobile wallets are fast becoming the new money mules – fraudsters are enrolling cards that are not yet associated to a specific wallet. Another country reported that fraudsters are obtaining security codes through phishing, with which they can then install a mobile banking app on their own smartphone, using the victim’s data. One country reported that fraudsters are increasingly using mobile call centres to call customers from numbers that appear to be genuine, and then are pretending to be bank security staff. This enables them to obtain key personal information and data.

Five countries reported fake websites, mainly in China and other Asian countries – customers place orders for goods, which are never fulfilled, or for services which are never provided. One country reported that the quality of fake websites and fake emails is constantly improving, with fewer language errors and better design and formatting.

ATM malware and logical attacks were reported by 6 countries. They all reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash. In most cases the attacks were unsuccessful. To date in 2019 the EAST Expert Group on All Terminal Fraud (EGAF) has published 5 related Fraud Alerts.

Card skimming at ATMs was reported by eighteen countries. Five countries reported the continued usage of M3 – Card Reader Internal Skimming devices. The most recent variants are made of transparent plastic. Skimming attacks on other terminal types were reported by six countries, three of which reported such attacks on railway ticket machines. To date in 2019 EAST EGAF has published 8 related Fraud Alerts.

Year to date International skimming related losses were reported in 37 countries and territories outside SEPA and in 4 within SEPA. The top three locations where such losses were reported remain Indonesia, India and the USA.

Eight countries reported cash trapping attacks, two of them reporting decreases in such attacks. Five countries reported card trapping attacks, two of them reporting that such attacks are increasing.

Ram raids and ATM burglary were reported by 10 countries and 9 countries reported explosive gas attacks, 4 of which reported that such attacks are increasing. Seven countries reported solid explosive attacks, two of which are seeing increases in such attacks, and one reported an attack carried out by criminals armed with assault rifles. The spread of such attacks is of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings. To date in 2019 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published 7 related Physical Attack Alerts.

The full Fraud Update is available to EAST Members (National and Associate).

EAST EGAF holds 18th Meeting in Amsterdam

EGAFThe Eighteenth Meeting of the EAST Expert Group on All Terminal Fraud (EAST EGAF) took place on Wednesday 8th May 2019 at ING Domestic Bank in Amsterdam.

EAST EGAF is a regional expert group that focuses on regional and global payment terminal crime and fraud related issues, threats and counter-measures.

The meeting was chaired by Mr Otto de Jong and was attended by key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts.

The Group, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Skimming, Card Trapping, Cash Trapping and Transaction Reversal Fraud.

In addition EAST EGAF generates EAST Fraud Alerts for all EAST Members (National and Associate). In total 210 EAST Fraud Alerts have been issued, 9 to date in 2019.

EAST EGAF meetings are restricted to working group members and, to provide a wider platform for sharing/discussion, the Group is holding a half-day open seminar in London on 9th October 2019.  Registration for this is now open and more information can be found on the EAST Events website.

ATM Physical Attacks in Europe on the increase

ATM physical attacksEAST has just published a European Payment Terminal Crime Report covering 2018 which reports that ATM physical attacks have risen for the fourth consecutive year.

ATM related physical attacks rose 27% when compared with 2017 (up from 3,584 to 4,549 incidents).  Within this total ATM explosive attacks (including explosive gas and solid explosive attacks) were down 3% (down from 1,081 to 1,052 incidents).  Explosive attacks remain a cause for concern as the number of countries reporting them has risen from ten in 2017 to eleven in 2018.  Such attacks result in extensive collateral damage and can pose a risk to life.

Losses due to ATM related physical attacks were €36 million, a 16% increase from the €31 million reported during 2017.  The average cash loss per explosive or gas attack is estimated at €17,103, the average cash loss for a robbery is estimated at €13,682 per incident and the average cash loss for a ram raid or burglary attack is estimated at €13,198.  These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

EAST Executive Director Lachlan Gunn said, “The success rate for solid explosive attacks is of particular concern – we estimate that the average cash loss per solid explosive attack is €27,065.  Such attacks continue to spread geographically with two countries reporting them for the first time in early 2019.  Our Expert Group on ATM and ATS Physical Attacks (EGAP) is actively monitoring the situation and provides a cross-border platform for the industry and law enforcement to share related intelligence and measures that can be taken to mitigate the risks.”

Payment terminal related fraud attacks fell 36% when compared with 2017 (down from 20,971 to 13,511 incidents).  This fall was mainly driven by a 26% decrease in card skimming incidents (down from 2,556 to 1,883 incidents) and by a 66% fall in transaction reversal fraud incidents (down from 14,098 to 4,843 incidents).

Losses due to payment terminal related fraud attacks fell 30% when compared with 2017 (down from €353 million to €247 million).  Within these totals international skimming losses fell by 27% (down from €280 million to €205 million) and domestic skimming losses were down 44% (from €64 million to €36 million).

A total of 157 ATM malware and logical attacks were reported, down from 192 in 2017, an 18% decrease.  156 of the attacks were logical attacks where equipment typically referred to as a ‘black box’ is used to send dispense commands directly to the ATM cash dispenser in order to cash-out the ATM.  Related losses were down 70%, from €1.52 million to €0.45 million.

A summary of the report statistics under the main headings is in the table below.

The full Crime Report is available to EAST Members (National and Associate)

EAST Publishes European Fraud Update 1-2019

European Fraud Update 1-2019EAST has published its first European Fraud Update for 2019.  This is based on country crime updates given by representatives of 17 countries in the Single Euro Payments Area (SEPA), and 4 non-SEPA countries, at the 47th EAST meeting held in Lisbon on 6th February 2019.

Payment fraud issues were reported by 20 countries.  Three countries reported phishing attacks. One of them reported that the fraudsters are managing to obtain online banking credentials and one time passwords (OTPs) for cash withdrawals at ATMs, as well as managing to make minor purchases through digital payment apps.  Another country reported criminals taking remote control of people’s computers and then gaining access to their bank account(s).  This has led to a consumer awareness campaign highlighting that, in addition to never asking for a customer’s PIN, banks will also never ask for remote PC access to be allowed.  One country reported that, since mobile operators started to implement new services, there has been a growing trend of SIM card duplication.  The SIM cards of phones used for financial transaction authorisation are duplicated, ensuring that the original phone does not work.  This means that the OTPs are sent to the duplicate phone, not the genuine one.

ATM malware and logical attacks were reported by 8 countries.  Three of the countries reported ATM related malware and one of them advised that a new malware variant ‘HelloWorld’ was found.  Eight countries reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  To date in 2019 the EAST Expert Group on All Terminal Fraud (EGAF) has published two related Fraud Alerts.

Card skimming at ATMs was reported by fourteen countries.  One country reported the first use of a mini M2 – Throat Inlay Skimming Device.  Two countries reported skimming related arrests.  Skimming attacks on other terminal types were reported by 5 countries, three of which reported such attacks on unattended payment terminals (UPTs) at petrol stations and two reported attacks using POS terminals.  To date in 2019 EAST EGAF has published three related Fraud Alerts.

Six countries reported cash trapping attacks, one of them reporting that criminals continue to switch their focus from transaction reversal fraud (TRF) attacks to cash trapping.

Ram raids and ATM burglary were reported by 8 countries and 9 countries reported explosive gas attacks.  Nine countries also reported solid explosive attacks, and this type of attack continues to spread with 4 countries reporting such attacks for the first time.  The spread of such attacks is of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.  To date in 2019 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published five related Physical Attack Alerts.  EAST EGAP has also just published new Terminal Physical Attack Definitions and Terminology to help industry and law enforcement when reporting attacks against ATMs and other terminals.  These can be downloaded from the EAST website.

The full Fraud Update is available to EAST Members (National and Associate).

Card fraud losses fall to 13 year low

EAST has just published a European Payment Terminal Crime Report covering the first six months of 2018 which reports that losses due to card fraud at payment terminals have fallen to the lowest level since 2005.

Total losses of €107 million were reported and the decrease is primarily due to a fall in losses due to card skimming (down from €118 million to €104 million). Overall payment terminal related fraud incidents were down 43% (from 11,934 to 6,790). Within this total card skimming incidents were down 19% (from 1,221 to 985) and well below the peak of 5,743 incidents reported during the same period in 2010.

EAST Executive Director Lachlan Gunn said, “The significant drop in card skimming incidents and losses reflects the continued effectiveness of EMV, as well as the work that has been put in by payment terminal deployers and card issuers with regard to counter-measures such as geo-blocking, fraud monitoring capabilities and fraud detection. Europe led the way with EMV, which is now a global standard, and all stakeholders in the payment card industry are benefitting from the increased security.”

Logical attacks against ATMs were down 46% (from 114 to 61) and all the reported ‘jackpotting’ attacks were ‘black box’ attacks.  Related losses were down 83% (from €1.51 million to €0.25 million) reflecting the fact that many of these attacks are unsuccessful.

ATM related physical attacks were up 21% (from 1,696 to 2,046 incidents).  Attacks due to ram raids and ATM burglary were up 26% (from 470 to 590 incidents) and ATM explosive attacks (including explosive gas and solid explosive attacks) were up 2% (from 481 to 490 incidents).  Losses due to ATM related physical attacks were €15.1 million, a 24% increase from the €12.2 million reported during the same period in 2017.

The average cash loss per explosive or gas attack is estimated at €14,748, the average cash loss for a robbery is €14,613 per incident and the average cash loss for a ram raid or burglary attack is €12,275.  These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

A summary of the report statistics under the main headings is in the table below.

card fraud

The full Crime Report is available to EAST Members (National and Associate)

EAST EGAF holds 16th Meeting in Amsterdam

EGAFThe Sixteenth Meeting of the EAST Expert Group on All Terminal Fraud (EAST EGAF) took place on Wednesday 19th September 2018 at ING Domestic Bank in Amsterdam.

EAST EGAF is a regional expert group that focuses on regional and global payment terminal crime and fraud related issues, threats and counter-measures.

The meeting was chaired by Mr Otto de Jong and was attended by key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts.

The Group, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Skimming, Card Trapping, Cash Trapping and Transaction Reversal Fraud.

In addition EAST EGAF generates EAST Fraud Alerts for all EAST Members (National and Associate). In total 195 EAST Fraud Alerts have been issued, 28 to date in 2018.

EAST EGAF meetings are restricted to working group members and, to provide a wider platform for sharing/discussion, the Group is holding a half-day open seminar in London on 10th October 2018.  Registration for this is now open and more information can be found on the EAST Events website.

Terminal Fraud

terminal fraudWhile most payment transactions take place seamlessly and without issue, financial criminals remain active and terminal fraud is a problem for payment terminal deployers, ATM deployers, card issuers, equipment manufacturers and vendors, software providers, law enforcement agencies and other payment industry stakeholders.  On 10th October 2018 the EAST Expert Group on All Terminal Fraud (EAST EGAF) will hold an open Financial Crime & Security (FCS) Seminar in London to focus on the issue.  EAST EGAF is chaired by Otto de Jong of ING Bank.

EAST Executive Director Lachlan Gunn said ‘EAST EGAF was formed as a working group in 2013 and will hold its 16th Meeting on Wednesday 19th September 2018 in Amsterdam. Attendance at EAST EGAF meetings is restricted in accordance with the group’s Terms of Reference, which makes the coming FCS Seminar in October a great opportunity for all those affected by, or concerned about, terminal fraud to engage with EAST’.

This interactive event focuses on two key outputs of EAST EGAF – Guidelines regarding logical attacks on ATMs and standardised fraud definitions.  An introduction to the Group will be followed by a presentation of the latest EAST Fraud Statistics (H1 2018).  A session by Juan Jesús León Cobos of GMV will then focus on the evolution of cash-out/jackpotting attacks in Latin America, followed by a session by Europol’s Tobias Wieloch highlighting Guidelines on how to counter them.  A perspective on card shimming in the UK will then be given by forensic experts Brian Underhill and Nick Weber, followed by a session on the importance of standardising fraud definitions by Ben Birtwistle of RBS and Claire Shufflebotham of TMD Security. The event is co-located with RBR’s ATM & Cyber Security 2018 Conference.  See the full programme here.

Attendance at EAST EGAF meetings is limited, as it is a working group, and this EAST FCS Seminar enables wider participation and the opportunity for all attendees to engage with the Group and its organisers.


The Seminar is sponsored by:

 

 

 

 

ATM Malware attacks hit Europe

EAST has just published a European Payment Terminal Crime Report covering 2017 which reports that ATM malware attacks have started in Western and Central Europe. A total of 192 ATM malware and logical attacks were reported, up from 58 in 2016, a 231% increase.  189 of the attacks were logical attacks where equipment typically referred to as a ‘black box’ is used to send dispense commands directly to the ATM cash dispenser in order to cash-out the ATM.

The use of malware for cash-out was seen for the first time in Western and Central Europe with 3 such attacks reported by two countries.  Related losses were up 230%, from €0.46 million to €1.52 million.  EAST Executive Director Lachlan Gunn said, “The use of malware, such as Cutlet Maker, to cash-out ATMs has been around for some time but has not been reported in Western or Central Europe until 2017.  Early indications are that such attacks are continuing this year, although the recent related arrests announced by Europol are encouraging.  Our Expert Group on All Terminal Fraud (EGAF) is actively monitoring all malware threats to payment terminals, while our Payments Task Force (EPTF) is focusing on malware threats against the wider banking infrastructure.”

Overall payment terminal related fraud attacks fell 11% when compared with 2016 (down from 23,588 to 20,971 incidents).  This fall was mainly driven by a 23% decrease in card skimming incidents (down from 3,315 to 2,556 incidents).  This is the seventh successive year that the number of skimming incidents has fallen and the number of incidents reported in 2017 is the lowest since EAST first began gathering data in 2004.

Losses due to payment terminal related fraud attacks were up 6% when compared with 2016 (up from €332 million to €353 million).  Within these totals international skimming losses rose by 5% (up from €267 million to €280 million) and domestic skimming losses were up 21% (from €53 million to €64 million).

ATM related physical attacks rose 21% when compared with 2016 (up from 2,974 to 3,584 incidents).  Within this total ATM explosive attacks (including explosive gas and solid explosive attacks) were up 9% (up from 988 to 1,081 incidents).  Losses due to ATM related physical attacks were €31 million, a 37% drop from the €49 million reported during 2016.  Part of this decrease is due to the fact that one major ATM deploying country that used to report this data is currently unable to do so.

The average cash loss for a robbery is estimated at €16,899 per incident, the average cash loss for a ram raid or burglary attack is €12,804 and the average cash loss per explosive or gas attack is €12,591.  These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

A summary of the report statistics under the main headings is in the table below.

The full Crime Report is available to EAST Members (National and Associate)