New EAST Fraud Definitions now available in Russian

EAST Terminal Fraud Definitions are now available in the Russian language.  At the end of 2018 EAST upgraded its Terminal Fraud Definitions to illustrate what the criminal target outcome is for each fraud type.  In the upgraded definitions each applicable criminal benefit is highlighted next to each terminal fraud type.

The translation was carried out by two EAST National Member organisations – the Ukrainian Interbank Payment Systems Member Association “EMA”  and the MasterCard Members Association (MCMA).

These fraud definitions are used by EAST when issuing Fraud Alerts, or when compiling the statistics and other information for European Payment Terminal Reports and Fraud Updates.  The aim is for these Terminal Fraud Definitions, as well as the related criminal benefits, to be adopted globally when describing or reporting payment terminal fraud.  This translation into Russian is another step forward towards achieving this.

Below is the  definition for Card Skimming in the Russian language.

The definitions have been classified ‘WHITE’ under the terms of the EAST Information Security Policy and may be shared freely, subject to standard copyright rules.

EAST EGAF holds 18th Meeting in Amsterdam

EGAFThe Eighteenth Meeting of the EAST Expert Group on All Terminal Fraud (EAST EGAF) took place on Wednesday 8th May 2019 at ING Domestic Bank in Amsterdam.

EAST EGAF is a regional expert group that focuses on regional and global payment terminal crime and fraud related issues, threats and counter-measures.

The meeting was chaired by Mr Otto de Jong and was attended by key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts.

The Group, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Skimming, Card Trapping, Cash Trapping and Transaction Reversal Fraud.

In addition EAST EGAF generates EAST Fraud Alerts for all EAST Members (National and Associate). In total 210 EAST Fraud Alerts have been issued, 9 to date in 2019.

EAST EGAF meetings are restricted to working group members and, to provide a wider platform for sharing/discussion, the Group is holding a half-day open seminar in London on 9th October 2019.  Registration for this is now open and more information can be found on the EAST Events website.

EAST Publishes European Fraud Update 1-2019

European Fraud Update 1-2019EAST has published its first European Fraud Update for 2019.  This is based on country crime updates given by representatives of 17 countries in the Single Euro Payments Area (SEPA), and 4 non-SEPA countries, at the 47th EAST meeting held in Lisbon on 6th February 2019.

Payment fraud issues were reported by 20 countries.  Three countries reported phishing attacks. One of them reported that the fraudsters are managing to obtain online banking credentials and one time passwords (OTPs) for cash withdrawals at ATMs, as well as managing to make minor purchases through digital payment apps.  Another country reported criminals taking remote control of people’s computers and then gaining access to their bank account(s).  This has led to a consumer awareness campaign highlighting that, in addition to never asking for a customer’s PIN, banks will also never ask for remote PC access to be allowed.  One country reported that, since mobile operators started to implement new services, there has been a growing trend of SIM card duplication.  The SIM cards of phones used for financial transaction authorisation are duplicated, ensuring that the original phone does not work.  This means that the OTPs are sent to the duplicate phone, not the genuine one.

ATM malware and logical attacks were reported by 8 countries.  Three of the countries reported ATM related malware and one of them advised that a new malware variant ‘HelloWorld’ was found.  Eight countries reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  To date in 2019 the EAST Expert Group on All Terminal Fraud (EGAF) has published two related Fraud Alerts.

Card skimming at ATMs was reported by fourteen countries.  One country reported the first use of a mini M2 – Throat Inlay Skimming Device.  Two countries reported skimming related arrests.  Skimming attacks on other terminal types were reported by 5 countries, three of which reported such attacks on unattended payment terminals (UPTs) at petrol stations and two reported attacks using POS terminals.  To date in 2019 EAST EGAF has published three related Fraud Alerts.

Six countries reported cash trapping attacks, one of them reporting that criminals continue to switch their focus from transaction reversal fraud (TRF) attacks to cash trapping.

Ram raids and ATM burglary were reported by 8 countries and 9 countries reported explosive gas attacks.  Nine countries also reported solid explosive attacks, and this type of attack continues to spread with 4 countries reporting such attacks for the first time.  The spread of such attacks is of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.  To date in 2019 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published five related Physical Attack Alerts.  EAST EGAP has also just published new Terminal Physical Attack Definitions and Terminology to help industry and law enforcement when reporting attacks against ATMs and other terminals.  These can be downloaded from the EAST website.

The full Fraud Update is available to EAST Members (National and Associate).

EAST Upgrades Terminal Fraud Definitions

EAST has upgraded its Terminal Fraud Definitions to illustrate what the criminal target outcome is for each fraud type.  This information is now available on the EAST website.

The EAST Expert Group on All Terminal Fraud (EGAF) has identified six ways by which criminals achieve their targets from the different terminal fraud types as shown below:

In the upgraded Terminal Fraud Definitions each applicable criminal benefit is highlighted next to each terminal fraud type.  The defined Terminal Fraud Types are: Card Skimming; Card Shimming; Eavesdropping; Card Trapping; Cash Trapping; Transaction Reversal Fraud (TRF); Malware; and Black Box.

Below is the definition for Card Skimming which highlights that skimming enables criminals to: Create counterfeit cards; make card-not-present (CNP) purchases; use fake cards in-store; and sell compromised data.

fraud definitions - card skimming

EAST Executive Director Lachlan Gunn said “This is a major step forward in standardising the classification of terminal fraud, which will hopefully help to continue to drive down related fraud losses. The EGAF Chair, Otto de Jong, and his team have produced something fresh and simple which we hope will be adopted globally by the Industry and Law enforcement when describing or reporting terminal fraud. In particular we would like to thank Ben Birtwistle of NatWest Bank plc, along with Claire Shufflebotham and Niek Westendorp of TMD Security, whose creative ideas and design made this latest upgrade possible.”

A summary of the upgraded fraud definitions and terminology is available on the EAST website along with a more detailed document for download.  These have been classified ‘WHITE’ under the terms of the EAST Information Security Policy and may be shared freely, subject to standard copyright rules.

200 Fraud Alerts Issued by EAST

EAST has published its 200th Fraud Alert.  These Alerts are issued by EAST National Members, often with the support of Law Enforcement and other EAST Associate Members.  To date 28 countries have issued Fraud Alerts covering ATMs, Unattended Payment Terminals (UPTs) and Point of Sale (POS) Terminals.

EAST first started issuing Fraud Alerts in September 2013.  These Alerts provide valuable and timely intelligence to law enforcement agencies and the industry, allowing the spread of emerging threats and criminal methodologies to be tracked across the world.  While most of the Alerts have been issued by countries within the Single Euro Payments Area (SEPA), there have been some from Belarus, Mexico, Russia, Serbia, Turkey, Ukraine and the United States.

To date EAST Fraud Alerts issued have covered:  Black Box attacks (cash out / jackpotting); Card Shimming (S1 devices); Card Skimming (highlighting the spread of different devices such as M1, M2, M3, D2 and D3); Card Trapping; Cash Trapping; Deposit Fraud; Eavesdropping (highlighting the use of different MOs such as E2 and E3); EMV Shock Cards; Malware (cash out / jackpotting); Transaction Reversal Fraud; and Vandalism.  The table below shows a summary the Alerts issued:

Fraud Alerts

Definitions of the different fraud types and related terminology are available on this website.

The EAST Expert Group on All Terminal Fraud (EGAF) initiated the Fraud Alerts and conducts in-depth analysis of some of the emerging threats and devices.  Each Alert covers: the type of fraud; the country where discovered; the terminal type(s) affected; an indication as to whether or not the fraud was successful; a description of the device and the criminal MO; indication as to the device location; information on PIN compromise (if card skimming or card trapping); and any available images.

EAST also issues Payment Alerts and Physical Attack Alerts.

EAST Alerts contain sensitive information and are restricted to EAST Members (National and Associate).  They are classified as AMBER using the variant of the Traffic Light Protocol (TLP) adopted by EAST.

Card fraud losses fall to 13 year low

EAST has just published a European Payment Terminal Crime Report covering the first six months of 2018 which reports that losses due to card fraud at payment terminals have fallen to the lowest level since 2005.

Total losses of €107 million were reported and the decrease is primarily due to a fall in losses due to card skimming (down from €118 million to €104 million). Overall payment terminal related fraud incidents were down 43% (from 11,934 to 6,790). Within this total card skimming incidents were down 19% (from 1,221 to 985) and well below the peak of 5,743 incidents reported during the same period in 2010.

EAST Executive Director Lachlan Gunn said, “The significant drop in card skimming incidents and losses reflects the continued effectiveness of EMV, as well as the work that has been put in by payment terminal deployers and card issuers with regard to counter-measures such as geo-blocking, fraud monitoring capabilities and fraud detection. Europe led the way with EMV, which is now a global standard, and all stakeholders in the payment card industry are benefitting from the increased security.”

Logical attacks against ATMs were down 46% (from 114 to 61) and all the reported ‘jackpotting’ attacks were ‘black box’ attacks.  Related losses were down 83% (from €1.51 million to €0.25 million) reflecting the fact that many of these attacks are unsuccessful.

ATM related physical attacks were up 21% (from 1,696 to 2,046 incidents).  Attacks due to ram raids and ATM burglary were up 26% (from 470 to 590 incidents) and ATM explosive attacks (including explosive gas and solid explosive attacks) were up 2% (from 481 to 490 incidents).  Losses due to ATM related physical attacks were €15.1 million, a 24% increase from the €12.2 million reported during the same period in 2017.

The average cash loss per explosive or gas attack is estimated at €14,748, the average cash loss for a robbery is €14,613 per incident and the average cash loss for a ram raid or burglary attack is €12,275.  These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

A summary of the report statistics under the main headings is in the table below.

card fraud

The full Crime Report is available to EAST Members (National and Associate)

EAST EGAF holds 16th Meeting in Amsterdam

EGAFThe Sixteenth Meeting of the EAST Expert Group on All Terminal Fraud (EAST EGAF) took place on Wednesday 19th September 2018 at ING Domestic Bank in Amsterdam.

EAST EGAF is a regional expert group that focuses on regional and global payment terminal crime and fraud related issues, threats and counter-measures.

The meeting was chaired by Mr Otto de Jong and was attended by key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts.

The Group, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Skimming, Card Trapping, Cash Trapping and Transaction Reversal Fraud.

In addition EAST EGAF generates EAST Fraud Alerts for all EAST Members (National and Associate). In total 195 EAST Fraud Alerts have been issued, 28 to date in 2018.

EAST EGAF meetings are restricted to working group members and, to provide a wider platform for sharing/discussion, the Group is holding a half-day open seminar in London on 10th October 2018.  Registration for this is now open and more information can be found on the EAST Events website.

Terminal Fraud

terminal fraudWhile most payment transactions take place seamlessly and without issue, financial criminals remain active and terminal fraud is a problem for payment terminal deployers, ATM deployers, card issuers, equipment manufacturers and vendors, software providers, law enforcement agencies and other payment industry stakeholders.  On 10th October 2018 the EAST Expert Group on All Terminal Fraud (EAST EGAF) will hold an open Financial Crime & Security (FCS) Seminar in London to focus on the issue.  EAST EGAF is chaired by Otto de Jong of ING Bank.

EAST Executive Director Lachlan Gunn said ‘EAST EGAF was formed as a working group in 2013 and will hold its 16th Meeting on Wednesday 19th September 2018 in Amsterdam. Attendance at EAST EGAF meetings is restricted in accordance with the group’s Terms of Reference, which makes the coming FCS Seminar in October a great opportunity for all those affected by, or concerned about, terminal fraud to engage with EAST’.

This interactive event focuses on two key outputs of EAST EGAF – Guidelines regarding logical attacks on ATMs and standardised fraud definitions.  An introduction to the Group will be followed by a presentation of the latest EAST Fraud Statistics (H1 2018).  A session by Juan Jesús León Cobos of GMV will then focus on the evolution of cash-out/jackpotting attacks in Latin America, followed by a session by Europol’s Tobias Wieloch highlighting Guidelines on how to counter them.  A perspective on card shimming in the UK will then be given by forensic experts Brian Underhill and Nick Weber, followed by a session on the importance of standardising fraud definitions by Ben Birtwistle of RBS and Claire Shufflebotham of TMD Security. The event is co-located with RBR’s ATM & Cyber Security 2018 Conference.  See the full programme here.

Attendance at EAST EGAF meetings is limited, as it is a working group, and this EAST FCS Seminar enables wider participation and the opportunity for all attendees to engage with the Group and its organisers.


The Seminar is sponsored by:

 

 

 

 

EAST Publishes European Fraud Update 2-2018

FraudEAST has published its second European Fraud Update for 2018.  This is based on country crime updates given by representatives of 18 countries in the Single Euro Payments Area (SEPA), and 3 non-SEPA countries, at the 45th EAST meeting held in The Hague on 6th June 2018.

Payment fraud issues were reported by fifteen countries.  Seven countries reported card-not-present (CNP) as a key fraud driver.  Two countries reported attempted ‘Forced Post’ fraud, possible when some point of sale (POS) terminals allow the ‘force sale’ functionality.  One country reported a new form of malware on android mobile phones, distributed with a fake application uploaded from third-party android stores.  Another country reported cases of SIM swap fraud, where fraudsters authorise a bank transfer by switching the customer’s mobile phone number over to a new SIM and intercept the authorisation message.  To date in 2018 the EAST Payments Task Force (EPTF) has published five Payment Alerts covering phishing, malware on mobile phones, fraudulent mobile Apps and CNP fraud.

ATM malware and logical security attacks were reported by nine countries.  Five of the countries reported ATM related malware.  In addition to Cutlet Maker (used for ATM cash-out) a new variant called WinPot has been reported – this is used to check how many banknotes are in an ATM.  Six countries reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  To date in 2018 the EAST Expert Group on All Terminal Fraud (EGAF) has published seven related Fraud Alerts. To help counter these threats Europol, supported by EAST EGAF, has published a document entitled ‘Guidance and Recommendations regarding Logical attacks on ATMs’.  It covers mitigating the risk, setting up lines of defence and identifying and responding to logical attacks.  This is available in four languages: English, German, Italian and Spanish.

Card skimming at ATMs was reported by fourteen countries.  For the first time one country reported the arrest of a Chinese national in connection with such attacks.  The usage of M3 – Card Reader Internal Skimming devices remains most prevalent.  This type of device is placed at various locations inside the motorised card reader behind the shutter.  Six countries reported such attacks.  One country reported the use of M2 – Throat Inlay Skimming Devices.  Skimming attacks on other terminal types were reported by five countries, four of which reported such attacks on unattended payment terminals (UPTs) at petrol stations.  To date in 2018 EAST EGAF has published ten related Fraud Alerts.

Year to date International skimming related losses were reported in 31 countries and territories outside SEPA and in 3 within SEPA.  The top three locations where such losses were reported remain Indonesia, the USA and India.

Three countries reported incidents of Transaction Reversal Fraud (TRF), two of which reported new attack variants.  To date in 2018 EAST EGAF has published four related Fraud Alerts.

Ram raids and ATM burglary were reported by eight countries.  Six countries reported explosive gas attacks, one of which reported such attacks against ATS machines for the first time.  Another reported that explosive gas attacks against ATMs have started for the first time.  Five countries reported solid explosive attacks.  The spread of such attacks is of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.  To date in 2018 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published five related Physical Attack Alerts.

The full Fraud Update is available to EAST Members (National and Associate).

ATM Malware attacks hit Europe

EAST has just published a European Payment Terminal Crime Report covering 2017 which reports that ATM malware attacks have started in Western and Central Europe. A total of 192 ATM malware and logical attacks were reported, up from 58 in 2016, a 231% increase.  189 of the attacks were logical attacks where equipment typically referred to as a ‘black box’ is used to send dispense commands directly to the ATM cash dispenser in order to cash-out the ATM.

The use of malware for cash-out was seen for the first time in Western and Central Europe with 3 such attacks reported by two countries.  Related losses were up 230%, from €0.46 million to €1.52 million.  EAST Executive Director Lachlan Gunn said, “The use of malware, such as Cutlet Maker, to cash-out ATMs has been around for some time but has not been reported in Western or Central Europe until 2017.  Early indications are that such attacks are continuing this year, although the recent related arrests announced by Europol are encouraging.  Our Expert Group on All Terminal Fraud (EGAF) is actively monitoring all malware threats to payment terminals, while our Payments Task Force (EPTF) is focusing on malware threats against the wider banking infrastructure.”

Overall payment terminal related fraud attacks fell 11% when compared with 2016 (down from 23,588 to 20,971 incidents).  This fall was mainly driven by a 23% decrease in card skimming incidents (down from 3,315 to 2,556 incidents).  This is the seventh successive year that the number of skimming incidents has fallen and the number of incidents reported in 2017 is the lowest since EAST first began gathering data in 2004.

Losses due to payment terminal related fraud attacks were up 6% when compared with 2016 (up from €332 million to €353 million).  Within these totals international skimming losses rose by 5% (up from €267 million to €280 million) and domestic skimming losses were up 21% (from €53 million to €64 million).

ATM related physical attacks rose 21% when compared with 2016 (up from 2,974 to 3,584 incidents).  Within this total ATM explosive attacks (including explosive gas and solid explosive attacks) were up 9% (up from 988 to 1,081 incidents).  Losses due to ATM related physical attacks were €31 million, a 37% drop from the €49 million reported during 2016.  Part of this decrease is due to the fact that one major ATM deploying country that used to report this data is currently unable to do so.

The average cash loss for a robbery is estimated at €16,899 per incident, the average cash loss for a ram raid or burglary attack is €12,804 and the average cash loss per explosive or gas attack is €12,591.  These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

A summary of the report statistics under the main headings is in the table below.

The full Crime Report is available to EAST Members (National and Associate)