Terminal fraud attacks in Europe drop during the Covid-19 pandemic

Terminal fraud attacks in Europe drop during the Covid-19 pandemicEAST has published a European Payment Terminal Crime Report covering 2020 which shows that terminal related fraud attacks have dropped significantly during the Covid-19 pandemic.

Terminal related fraud attacks were down 64% (from 18,217 to 6,523 incidents). Card skimming fell to another all-time low (down from 1,496 to 656 incidents) and transaction reversal fraud (TRF) at ATMs decreased by 97% (down from 9,054 to just 250 incidents). Total losses of €218 million were reported, down 14% from the €249 million reported during 2019. Most losses remain international issuer losses due to card skimming, which were €183 million.

EAST Executive Director Lachlan Gunn said, “2020 was a highly unusual year due to the Covid-19 pandemic, and crime and fraud patterns changed accordingly.  While it is good news to see such a significant fall in terminal fraud attacks, there is concern that explosive attacks at ATMs have only fallen by 6%, and that related losses are up by 39%.  The average cash loss for a solid explosive attack is estimated at €28,218, and collateral damage to equipment and buildings can be significant.  There are also major safety issues.  Despite national lockdowns and border closures, mobile organised crime groups continued to operate across Europe.

ATM related physical attacks were down 19% (from 4,571 to 3,722 incidents).  Attacks due to ram raids and ATM burglary were down 33% (from 1,122 to 749 incidents).  ATM explosive attacks (including explosive gas and solid explosive attacks) were down 6% (from 977 to 923 incidents).  Losses due to ATM related physical attacks were €22.4 million, a 1% increase from the €22.1 million reported during 2019.  47% of these losses were due to explosive attacks, which were up 39% from €10.49 to €14.59 million.

ATM malware and logical attacks against ATMs were up 44% (from 35 to 129) and all the reported attacks were Black Box attacks.  A Black Box attack is the connection of an unauthorised device which sends dispense commands directly to the ATM cash dispenser, in order to ‘cash-out’ or ‘jackpot’ the ATM.  Related losses were up 14% from €1.09 to €1.24 million.  Most such attacks remain unsuccessful.

A summary of the report statistics under the main headings is in the table below.

The full Crime Report is available to EAST Members (National, Global and Associate)

EAST presents on ATM Attacks at EUFCC

EUFCC

On 3rd November 2020, Europol and the FS-ISAC hosted the 3rd EU Financial Cybercrime Coalition (EUFCC) meeting. The virtual event brought together EU law enforcement and the financial sector to discuss financially motivated cybercrime in three dedicated workshops. Subject matter experts from both the private sector and law enforcement discussed the latest threats and trends in relation to ransomware, ATM attacks, and cyber-enabled fraud and business email compromise.

In the ATM Attacks session, Europol gave the law enforcement perspective and EAST Executive Director Lachlan Gunn gave a presentation from the viewpoint of the industry. The main issue covered was black box attacks which, as highlighted by the latest crime statistics published by EAST, are a rising threat in Europe.

The EAST presentation highlighted how its public/private sector platforms operate, and the latest ATM Attack trends.  The key topics covered by EAST were:

EAST also touched on e-skimming, and EAST Development Director Rui Carvalho, who also chairs the EAST Payments Task Force (EPTF), commented that, while skimming attacks on terminals are at the lowest level ever reported by EAST, e-skimming is a rising threat.  This is on the Agenda for discussion at the 8th EPTF Meeting, which will be held on 11th November 2020.

Black Box attacks increase across Europe

Black BoxEAST has just published a European Payment Terminal Crime Report covering the first six months of 2020 which reports a sharp increase in Black Box attacks on European ATMs.

ATM malware and logical attacks against ATMs were up 269% (from 35 to 129) and all the reported attacks were Black Box attacks. A Black Box attack is the connection of an unauthorised device which sends dispense commands directly to the ATM cash dispenser, in order to ‘cash-out’ or ‘jackpot’ the ATM. Related losses were up from less than €1,000, to just over €1 million.

EAST Executive Director Lachlan Gunn said, “Overall crime at terminals has decreased during the lockdown phase of the pandemic. While this rise in Black Box attacks is of concern, most such attacks remain unsuccessful. Our Expert Group on All Terminal Fraud (EGAF) is focussed on addressing this issue, with close cooperation between industry partners and law enforcement. In January 2019 EGAF worked with Europol to update a document, published by Europol, entitled ‘Guidance & recommendations regarding logical attacks on ATMs’. This is currently available in English, French, German, Russian, Spanish and Turkish”.

Terminal related fraud attacks were down 66% (from 10,723 to 3,631 incidents). Card skimming fell to another all-time low (down from 731 to 321 incidents) and transaction reversal fraud (TRF) at ATMs decreased by 97% (down from 3,405 to just 108 incidents). Total losses of €109 million were reported, down 12% from the €124 million reported during the same period in 2019.

ATM related physical attacks were down 23% (from 2,376 to 1,829 incidents). Attacks due to ram raids and ATM burglary were down 34% (from 610 to 405 incidents) and ATM explosive attacks (including explosive gas and solid explosive attacks) were up 0.4% (from 503 to 505 incidents). Losses due to ATM related physical attacks were €12.6 million, an 11% increase from the €11.4 million reported during the same period in 2019. This increase was driven by a rise in losses due to explosive and gas attacks, which were up 49% from €5.1 million to €7.6 million.

A summary of the report statistics under the main headings is in the table below.

The full Crime Report is available to EAST Members (National, Global and Associate)

 

2nd Interim EAST Meeting – National and Global Members

A second Interim Meeting of EAST National and Global Members took place on Wednesday 7th October 2020. Due to the Covid-19 situation, it was conducted as a virtual meeting. The meeting was chaired by Rui Carvalho, EAST Development Director.  The 1st EAST Global Congress is now scheduled to be held in February 2021, dependant on the prevailing status of the pandemic.

Law enforcement overviews were provided by EuropolINTERPOL and the Gulf Cooperation Council Police (GCCPOL).  Two presentations were made by Europol: one from the European Cybercrime Centre (EC3) covered the recent publication of their Internet Organised Crime Threat Assessment (IOCTA 2020), focussed on criminal trends relating to Covid-19, and prevention and awareness; the other covered Physical ATM attacks across Europe.  The INTERPOL presentation covered the impact of Covid-19 on Financial crimes from the global perspective and the GCCPOL presentation covered payment and fraud issues seen by their 6 member countries.

Updates were received from 28 countries, either directly or via a global update by HSBC. As with the previous meeting, the key focus remained on the impact of the coronavirus crisis and each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT).

EAST Fraud Update 3-2020 will be produced during October, based on the country updates provided at the Interim EAST Meeting. EAST Fraud, Payment and Physical Attack Updates are available on the EAST Intranet to EAST Members.

France Breaks Up ATM Jackpotting Network

According to French prosecutors an international network engaged in ATM jackpotting has been broken up by police (Source: AFP/SecurityWeek).

In a statement on Friday 15 May Paris prosecutor Remy Heitz said that two suspects (aged 26 and 31) and already known to the authorities, have been charged and placed in detention.  He said that, between May 10-12, several individuals from the “Russian-speaking community” suspected of belonging to an “international jackpotting organisation” were detained in Colombes outside Paris, Laval in western France and the southern city of Nice, while trying to damage an ATM.  The criminal group worked across Europe to insert malware into ATMs, attacking the machines at night. “A hacker, operating from abroad, would take control of the cash dispensing software,” the statement said.

Nineteen incidents across France have already come to light, with the financial damage estimated at €280,000.

“We have a new wave of ‘jackpotting’ in France,” Francois-Xavier Masson, head of France’s agency for combating crimes in information and communication technologies (OCLCTIC), told AFP, adding that more than 60 incidents have been identified since the end of 2019.  “There was a previous wave in 2018 and then it came to a halt, before resuming at the end of 2019. The way the groups act is changing, the teams are more international. But we are also changing how we act”, he added.

ATM jackpotting has become a recognised problem across the world in recent years.  This is done by either using malware, or by using an unauthorised device (known as a black box), to ‘jackpot’ or  ‘cash-out’ an ATM. Typically all the cash in the machine is illegally ejected in such attacks, and collected by the criminals at the scene.  The EAST Expert Group on All Terminal Fraud (EGAF) focuses on the prevention of malware and black box attacks and, since 2016, has produced 48 malware and black box related Fraud Alerts from 24 countries, which are available to EAST Members.

EAST EGAF has also produced standard definitions for both methods, which can be seen in the below images (for a full list of all Terminal Fraud Definitions and related criminal benefits see the Terminal Fraud Definitions page on this website). 

 

 

EAST FCS Terminal Fraud Seminar 2019

terminal fraud

An EAST FCS Terminal Fraud Seminar was held on 9th October 2019 in London, co-located with RBRs ATM & Cyber Security 2019 Conference. The interactive event followed the basic structure of work group meetings held by the EAST Expert Group on All Terminal Fraud (EGAF). This group, which meets three times a year, provides a platform for law enforcement and private sector experts to come together and share fraud information, trends and statistics in a structured manner.

terminal fraudAn introduction to EGAF by the Chair, Otto de Jong, was followed by a presentation by EAST Development Director Rui Carvalho, covering the latest EAST terminal fraud statistics from the H1 2019 European Payment Terminal Crime Report.  Tobias Wieloch of Europol then gave a high level view of the terminal fraud attack situation across Europe which was followed by threat assessments from around Europe:

  • NORTH – Nordics – Arnt Olav Rottereng – Evry
  • SOUTH – Italy – Veronica Borgogna – Bancomat SpA
  • EAST – Russia – Nikolai Dosh – Mastercard Members Association (MCMA)
  • WEST – UK – Ben Birtwistle – NatWest Bank Plc

terminal fraudThese were followed by an overview and demonstration of the Checkcard Software by Tobias Heckmann from the University of Applied Sciences in Bingen, Germany. This has been developed as an investigation tool to validate whether or not a smart card is genuine. The check is done off-line, either using software on a desktop or on an android phone.

terminal fraudThe event concluded with an update on logical security – Otto de Jong covered black box attacks and Terence Devereux of Diebold Nixdorf spoke about ATM malware attacks.

Attendance at the regular EAST EGAF work group meetings is limited and this event enabled active participation and input from a much wider pool of expertise.

More information on the event can be found on the EAST Events Website

ATM malware and logical attacks fall in Europe

EAST has just published a European Payment Terminal Crime Report covering the first six months of 2019 which reports that ATM malware and logical attacks continue to trend downwards.

ATM malware and logical attacks against ATMs were down 43% (from 61 to 35) and all bar one of the reported ‘jackpotting’ attacks are believed to have been unsuccessful. Malware was used for 3 of the attack attempts and the remainder were ‘black box’ attacks. Related losses were down 100% (from €0.25 million to €0.00 million), although a small loss (less than €1,000) was reported in one case.

EAST Executive Director Lachlan Gunn said, “This fall in logical and malware attacks is very good news and reflects the work that has been put into preventing such attacks by the industry and law enforcement. In January 2019, supported by our Expert Group on All Terminal Fraud (EGAF), Europol updated their ‘Guidance & recommendations regarding logical attacks on ATMs’, which was first published in 2015. These Guidelines, which have been widely shared with ATM deployers and law enforcement agencies, reinforce the recommendations made by the ATM vendors.”

Terminal related fraud attacks were up 59% (from 6,760 to 10,723 incidents). This increase was primarily due to an increase in transaction reversal fraud attacks (up from 2,292 to 5,649 incidents), while card skimming incidents fell to an all time low (down from 985 to 731 incidents). This downward trend reflects the success of EMV and that measures to counter skimming at terminals, along with geo-blocking, are working well in Europe.

Total losses of €124 million were reported, up 16% from the €107 million reported during the same period in 2018. This increase is primarily due to a rise in international losses due to card skimming (up from €87 million to €100 million), which indicates that EMV implementation is not yet complete globally with resultant risks for European cardholders. Losses due to transaction reversal fraud were up 135% (from €1.36 million to €3.2 million).

ATM related physical attacks were up 16% (from 2,046 to 2,376 incidents). Attacks due to ram raids and ATM burglary were up 3% (from 590 to 610 incidents) and ATM explosive attacks (including explosive gas and solid explosive attacks) were up 3% (from 490 to 503 incidents). Losses due to ATM related physical attacks were €11.4 million, a 25% decrease from the €15.1 million reported during the same period in 2018.

The average cash loss for a robbery is estimated at €15,140 per incident, the average cash loss per explosive or gas attack is €10,161 and the average cash loss for a ram raid or burglary attack is €9,632. These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

A summary of the report statistics under the main headings is in the table below.

The full Crime Report is available to EAST Members (National and Associate)

New EAST Fraud Definitions now available in Russian

EAST Terminal Fraud Definitions are now available in the Russian language.  At the end of 2018 EAST upgraded its Terminal Fraud Definitions to illustrate what the criminal target outcome is for each fraud type.  In the upgraded definitions each applicable criminal benefit is highlighted next to each terminal fraud type.

The translation was carried out by two EAST National Member organisations – the Ukrainian Interbank Payment Systems Member Association “EMA”  and the MasterCard Members Association (MCMA).

These fraud definitions are used by EAST when issuing Fraud Alerts, or when compiling the statistics and other information for European Payment Terminal Reports and Fraud Updates.  The aim is for these Terminal Fraud Definitions, as well as the related criminal benefits, to be adopted globally when describing or reporting payment terminal fraud.  This translation into Russian is another step forward towards achieving this.

Below is the  definition for Card Skimming in the Russian language.

The definitions have been classified ‘WHITE’ under the terms of the EAST Information Security Policy and may be shared freely, subject to standard copyright rules.

EAST Upgrades Terminal Fraud Definitions

EAST has upgraded its Terminal Fraud Definitions to illustrate what the criminal target outcome is for each fraud type.  This information is now available on the EAST website.

The EAST Expert Group on All Terminal Fraud (EGAF) has identified six ways by which criminals achieve their targets from the different terminal fraud types as shown below:

In the upgraded Terminal Fraud Definitions each applicable criminal benefit is highlighted next to each terminal fraud type.  The defined Terminal Fraud Types are: Card Skimming; Card Shimming; Eavesdropping; Card Trapping; Cash Trapping; Transaction Reversal Fraud (TRF); Malware; and Black Box.

Below is the definition for Card Skimming which highlights that skimming enables criminals to: Create counterfeit cards; make card-not-present (CNP) purchases; use fake cards in-store; and sell compromised data.

fraud definitions - card skimming

EAST Executive Director Lachlan Gunn said “This is a major step forward in standardising the classification of terminal fraud, which will hopefully help to continue to drive down related fraud losses. The EGAF Chair, Otto de Jong, and his team have produced something fresh and simple which we hope will be adopted globally by the Industry and Law enforcement when describing or reporting terminal fraud. In particular we would like to thank Ben Birtwistle of NatWest Bank plc, along with Claire Shufflebotham and Niek Westendorp of TMD Security, whose creative ideas and design made this latest upgrade possible.”

A summary of the upgraded fraud definitions and terminology is available on the EAST website along with a more detailed document for download.  These have been classified ‘WHITE’ under the terms of the EAST Information Security Policy and may be shared freely, subject to standard copyright rules.

EAST Presents at CyberSouth Event

CyberSouthEAST Executive Director Lachlan Gunn presented at a CyberSouth Regional Workshop on Business Email Compromise (CEO Fraud) and Electronic Payment Fraud on 13 November 2018 . The event, which ran from 12-14 November 2018, was held at the Directorate for Investigating Organised Crime and Terrorism (DIICOT) in Bucharest, Romania and was implemented by the Council of Europe.  The CyberSouth project focuses on cooperation on cybercrime in the Southern Neighbourhood and aims at reinforcing the capacities of specialised units with responsibilities relating to tackling cybercrime and dealing with electronic evidence.

The workshop focused on increasing the knowledge of the participants on the different trends and typologies of online fraud and of electronic payment fraud in order to assist with strengthening the capacity of the criminal justice authorities in the CyberSouth countries to search for, seize, and confiscate the illicit proceeds of cyber-criminals in the target areas.  Cybercrime investigators and prosecutors from the following Southern Neighbourhood priority area countries attended the event: Algeria; Jordan; Lebanon; Morocco; Tunisia.

National representatives were also present from Germany, Israel, Romania and the USA.  Europol and Eurojust were present and the private sector was represented by American Express, BIT Defender and EAST.

The EAST presentation covered the structure and methodology used by EAST to help improve public/private sector cross-border cooperation in the fight against organised cross-border crime, and then shared information on the latest statistics and trends relating to logical (black box) attacks against ATMs, and also on malware used to enable jackpotting (cash out) at ATM locations.  The latest fraud definitions produced by EAST were also shared and it was advised that an updated version of these will soon be available.  These definitions are aimed at helping law enforcement agencies, private sector fraud investigators and other stakeholders to standardise reporting terminology when following up on incidents.

The Cybercrime Programme Office of the Council of Europe (C-PROC), based in Bucharest, is responsible for assisting countries worldwide in the strengthening of their criminal justice capacity to respond to to the challenges posed by cybercrime and electronic evidence on the basis of the standards of the Budapest Convention of Cybercrime.  This is the only binding international instrument on this issue and serves as a guideline for any country developing comprehensive national legislation against Cybercrime and as a framework for international cooperation between State Parties to The Convention on Cybercrime of the Council of Europe (CETS No.185).