EAST has published its first European Fraud Update for 2019. This is based on country crime updates given by representatives of 17 countries in the Single Euro Payments Area (SEPA), and 4 non-SEPA countries, at the 47th EAST meeting held in Lisbon on 6th February 2019.
Payment fraud issues were reported by 20 countries. Three countries reported phishing attacks. One of them reported that the fraudsters are managing to obtain online banking credentials and one time passwords (OTPs) for cash withdrawals at ATMs, as well as managing to make minor purchases through digital payment apps. Another country reported criminals taking remote control of people’s computers and then gaining access to their bank account(s). This has led to a consumer awareness campaign highlighting that, in addition to never asking for a customer’s PIN, banks will also never ask for remote PC access to be allowed. One country reported that, since mobile operators started to implement new services, there has been a growing trend of SIM card duplication. The SIM cards of phones used for financial transaction authorisation are duplicated, ensuring that the original phone does not work. This means that the OTPs are sent to the duplicate phone, not the genuine one.
ATM malware and logical attacks were reported by 8 countries. Three of the countries reported ATM related malware and one of them advised that a new malware variant ‘HelloWorld’ was found. Eight countries reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash. To date in 2019 the EAST Expert Group on All Terminal Fraud (EGAF) has published two related Fraud Alerts.
Card skimming at ATMs was reported by fourteen countries. One country reported the first use of a mini M2 – Throat Inlay Skimming Device. Two countries reported skimming related arrests. Skimming attacks on other terminal types were reported by 5 countries, three of which reported such attacks on unattended payment terminals (UPTs) at petrol stations and two reported attacks using POS terminals. To date in 2019 EAST EGAF has published three related Fraud Alerts.
Six countries reported cash trapping attacks, one of them reporting that criminals continue to switch their focus from transaction reversal fraud (TRF) attacks to cash trapping.
Ram raids and ATM burglary were reported by 8 countries and 9 countries reported explosive gas attacks. Nine countries also reported solid explosive attacks, and this type of attack continues to spread with 4 countries reporting such attacks for the first time. The spread of such attacks is of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings. To date in 2019 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published five related Physical Attack Alerts. EAST EGAP has also just published new Terminal Physical Attack Definitions and Terminology to help industry and law enforcement when reporting attacks against ATMs and other terminals. These can be downloaded from the EAST website.
The full Fraud Update is available to EAST Members (National and Associate).