47th EAST Meeting hosted by SIBS in Lisbon

The 47th Meeting of EAST National Members was hosted by SIBS at the SANA Metropolitan Hotel in Lisbon on 6th February 2019. National country crime updates were provided by 21 countries, and a global update by HSBC.  Topics covered included payment fraud and the evolution of payment technology, ATM malware and logical attacks, terminal related fraud attacks and ATM related physical attacks.

Presentations were also given by the EAST Payments Task Force (EPTF) and the EAST Expert Group on All Terminal Fraud (EGAF).  An update was given by the EAST Expert Group on ATM and ATS Physical Attacks (EGAP).

EAST Fraud Update 1-2019 will be produced in early March, based on the national country crime updates provided at the meeting.  EAST Fraud Updates are available on the EAST Website to EAST Members.

EAST Publishes European Fraud Update 3-2018

EAST has published its third European Fraud Update for 2018. This is based on country crime updates given by representatives of 15 countries in the Single Euro Payments Area (SEPA), and 3 non-SEPA countries, at the 46th EAST meeting held in London on 9th October 2018.

Payment fraud issues were reported by fourteen countries. Seven countries reported card-not-present (CNP) as a key fraud driver. One country reported merchant manipulation of settlement files to force through authorisations on POS terminals – once the forced transaction is through on a card the merchant cashes out using it. One country reported malware related to two APT attacks – some Chinese criminals are under observation in connection with them. Another country reported impersonation fraud relating to bill payments – possibly involving collusive postal workers. To date in 2018 the EAST Payments Task Force (EPTF) has published six Payment Alerts covering phishing, malware on mobile phones, fraudulent mobile Apps, CNP fraud and Technological fraud. The EPTF has recently published payment terminology and definitions.

ATM malware and logical security attacks were reported by seven countries.  Four of the countries reported ATM related malware and six countries reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  To date in 2018 the EAST Expert Group on All Terminal Fraud (EGAF) has published eleven related Fraud Alerts.

Card skimming at ATMs was reported by fourteen countries.  The overall trend is downward, as the recently published EAST European Payment Terminal Crime Report covering January to June 2018 highlights.  The usage of M3 – Card Reader Internal Skimming devices was reported by four countries and one country reported the use of M2 – Throat Inlay Skimming Devices.  Skimming attacks on other terminal types were reported by five countries, three of which reported such attacks on unattended payment terminals (UPTs) at petrol stations.  One country reported that a series of shimming devices at POS terminals had been detected and taken down.  To date in 2018 EAST EGAF has published twelve related Fraud Alerts.

Year to date International skimming related losses were reported in 44 countries and territories outside SEPA and in 6 within SEPA.  The top three locations where such losses were reported remain Indonesia, the USA and India.

Six countries reported incidents of Transaction Reversal Fraud (TRF), one of which reported a new attack variant where the criminals use a ‘chip-on-a-strip’.  To date in 2018 EAST EGAF has published five related Fraud Alerts.

Ram raids and ATM burglary were reported by eight countries and eight countries reported explosive gas attacks, one of which reported that two people had been sent to hospital due to related smoke inhalation.  Five countries reported solid explosive attacks.  The spread of such attacks has long been of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.  One such attack resulted in the death of a person, the first time that this has been reported.  To date in 2018 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published seven related Physical Attack Alerts.

The full Fraud Update is available to EAST Members (National and Associate).

46th EAST Meeting hosted by LINK in London

The 46th Meeting of EAST National Members was hosted by the LINK scheme in London on 9th October 2018. National country crime updates were provided by 18 countries, and a global update by HSBC.  Topics covered included payment fraud and the evolution of payment technology, ATM malware and logical attacks, terminal related fraud attacks and ATM related physical attacks.

Europol gave a presentation which included information on the latest Internet Organised Crime Threat Assessment (IOCTA) 2018.

Presentations were also given by the EAST Expert Group on All Terminal Fraud (EGAF) and the EAST Expert Group on ATM and ATS Physical Attacks (EGAP).  An update was given by the EAST Payments Task Force (EPTF).

EAST Fraud Update 3-2018 will be produced later this month, based on the national country crime updates provided at the meeting.  EAST Fraud Updates are available on the EAST Website to EAST Members.

EAST Publishes European Fraud Update 2-2018

EAST has published its second European Fraud Update for 2018.  This is based on country crime updates given by representatives of 18 countries in the Single Euro Payments Area (SEPA), and 3 non-SEPA countries, at the 45th EAST meeting held in The Hague on 6th June 2018.

Payment fraud issues were reported by fifteen countries.  Seven countries reported card-not-present (CNP) as a key fraud driver.  Two countries reported attempted ‘Forced Post’ fraud, possible when some point of sale (POS) terminals allow the ‘force sale’ functionality.  One country reported a new form of malware on Android mobile phones, distributed with a fake application uploaded from third-party Android stores.  Another country reported cases of SIM swap fraud, where fraudsters authorise a bank transfer by switching the customer’s mobile phone number over to a new SIM and intercepting the authorisation message.  To date in 2018 the EAST Payments Task Force (EPTF) has published five Payment Alerts covering phishing, malware on mobile phones, fraudulent mobile Apps and CNP fraud.

ATM malware and logical security attacks were reported by nine countries.  Five of the countries reported ATM related malware.  In addition to Cutlet Maker (used for ATM cash-out) a new variant called WinPot has been reported – this is used to check how many banknotes are in an ATM.  Six countries reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  To date in 2018 the EAST Expert Group on All Terminal Fraud (EGAF) has published seven related Fraud Alerts. To help counter these threats Europol, supported by EAST EGAF, has published a document entitled ‘Guidance and Recommendations regarding Logical attacks on ATMs’.  It covers mitigating the risk, setting up lines of defence and identifying and responding to logical attacks.  This is available in four languages: English, German, Italian and Spanish.

Card skimming at ATMs was reported by fourteen countries.  For the first time one country reported the arrest of a Chinese national in connection with such attacks.  The usage of M3 – Card Reader Internal Skimming devices remains most prevalent.  This type of device is placed at various locations inside the motorised card reader behind the shutter.  Six countries reported such attacks.  One country reported the use of M2 – Throat Inlay Skimming Devices.  Skimming attacks on other terminal types were reported by five countries, four of which reported such attacks on unattended payment terminals (UPTs) at petrol stations.  To date in 2018 EAST EGAF has published ten related Fraud Alerts.

Year to date International skimming related losses were reported in 31 countries and territories outside SEPA and in 3 within SEPA.  The top three locations where such losses were reported remain Indonesia, the USA and India.

Three countries reported incidents of Transaction Reversal Fraud (TRF), two of which reported new attack variants.  To date in 2018 EAST EGAF has published four related Fraud Alerts.

Ram raids and ATM burglary were reported by eight countries.  Six countries reported explosive gas attacks, one of which reported such attacks against ATS machines for the first time.  Another reported that explosive gas attacks against ATMs have started for the first time.  Five countries reported solid explosive attacks.  The spread of such attacks is of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.  To date in 2018 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published five related Physical Attack Alerts.

The full Fraud Update is available to EAST Members (National and Associate).

Cross-border e-Commerce Police action leads to 95 arrests

Police forces across Europe have arrested 95 professional fraudsters and members of internet-based criminal networks in a successful cross-border e-Commerce Action (eComm 2018).

The joint law enforcement operation, coordinated by the European Cybercrime Centre (EC3) from Europol’s headquarters in The Hague, was supported by 28 countries and ran from 4 to 15 June 2018. It received direct assistance from merchants, logistics companies, banks and payment card schemes. Europol also supported national authorities on-the-spot by providing analytical services in their investigations.

The main goal was to target online fraud through a coordinated law enforcement action within the European Union (EU) and beyond, followed by an awareness-raising campaign. This action also marks the start of several investigations with more arrests expected in the next few months. The activity was inspired by a similar UK pilot conducted in collaboration with Visa.

The suspects arrested during the operation were responsible for more than 20 000 fraudulent transactions with compromised credit cards, with an estimated value exceeding EUR 8 million.

The e-commerce action focused on combating card-not-present (CNP) fraud, to help create a safer online environment for customers worldwide by sharing information and developing best practices between law enforcement and the private sector. It promotes the hashtag #BuySafePaySafe, with tips to avoid becoming a fraud victim.

For more information visit Europol’s website.

Rui Carvalho, Chair of the EAST Payments Task Force (EPTF), represents EAST at Europol’s e-Commerce actions.

 

EAST Publishes European Fraud Update 1-2018

EAST has just published its first European Fraud Update for 2018.  This is based on country crime updates given by representatives of 18 countries in the Single Euro Payments Area (SEPA), and 4 non-SEPA countries, at the 44th EAST meeting held in Frankfurt on 7th February 2018.

Payment fraud issues were reported by fifteen countries.  Seven countries reported increases in card-not-present (CNP) fraud related to ecommerce merchants in China.  Phishing activity was reported by four countries and one of them reported phishing attacks through advertisements placed on social media sites.  The EAST Payments Task Force (EPTF) issued a first Payment Alert in January 2018.  This covered a phishing email sent to employees of banking and financial institutions, which contained malware intended to exploit the local network and gain access to Swift services.

ATM malware and logical security attacks were reported by ten countries.  Five of the countries reported ATM related malware and one country reported the first successful Cutlet Maker cash-out attack in Western Europe.  To date in 2018 the EAST Expert Group on All Terminal Fraud (EGAF) has published two related Fraud Alerts.  Seven countries reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  To help counter these threats Europol, supported by EAST EGAF, has published a document entitled ‘Guidance and Recommendations regarding Logical attacks on ATMs’.  It covers mitigating the risk, setting up lines of defence and identifying and responding to logical attacks.  This is available in four languages: English, German, Italian and Spanish.

Card skimming at ATMs was reported by sixteen countries.  The usage of M3 – Card Reader Internal Skimming devices is most prevalent.  This type of device is placed at various locations inside the motorised card reader behind the shutter.  Five countries reported such attacks.  Skimming attacks on other terminal types were reported by five countries, all of which reported such attacks on unattended payment terminals (UPTs) at petrol stations.  One country also reported the use of card shimming devices at POS terminals.  To date in 2018 EAST EGAF has published three related Fraud Alerts.

Year to date International skimming related losses were reported in 40 countries and territories outside SEPA and in 7 within SEPA.  The top three locations where such losses were reported remain the USA, Indonesia and India.

Five countries reported incidents of Transaction Reversal Fraud (TRF).  Two countries reported a continued increase in such attacks and two countries reported new modus-operandi.  To date in 2018 EAST EGAF has published two related Fraud Alerts.

Ram raids and ATM burglary were reported by ten countries and, to date in 2018, the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published one related ATM Physical Attack Alert.  Eight countries reported explosive gas attacks and six countries reported solid explosive attacks.  The spread of such attacks is of increasing concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.

The full Fraud Update is available to EAST Members (National and Associate).

EAST supports Europol Strategic Payment Card Fraud Meeting

On 20-21 November 2017, Europol’s European Cybercrime Centre (EC3), with the support of EAST, hosted an international meeting with a specific focus on combating payment card fraud across Europe and beyond.

In its sixth occurrence since it was first organised in Singapore in 2015, this meeting was held for the first time at Europol’s headquarters in The Hague, bringing together representatives from 3 regions of the world: 8 EU Member States (Portugal, Greece, France, Denmark, Spain, Romania, Bulgaria and Italy), Latin America (Argentina, Dominican Republic, Chile, Colombia and AMERIPOL) and Asia (Malaysia, Philippines, Thailand and ASEANAPOL).

The EAST presentation focused on combating payment card fraud from the perspective of the private sector – EAST Executive Director Lachlan Gunn gave an overview of EAST and presented the latest threats, criminal methodologies and crime and fraud statistics.  EAST Development Director Rui Carvalho, who chairs the EAST Payments Task Force (EPTF), covered the latest payment crime trends as reported at the 43rd EAST Meeting.

The latest European Central Bank report estimates €1.44 billion in losses from payment card fraud in 2013; overall losses were up 8%. Card Not Present (CNP) fraud has increased significantly in Europe in recent years and, although Card Present (CP) fraud within the EU has decreased in recent years, it remains significant as EMV (chip and PIN) protection has not yet been fully implemented. In fact, organised crime groups set up permanent bases in overseas locations where chip is not implemented, cashing out compromised European cards.

EAST has supported all the Europol Strategic Meetings on Payment Card Fraud held in the ASEAN and LATAM regions.

 

EAST Publishes European Fraud Update 3-2017

EAST has published its third European Fraud Update for 2017.  This is based on country crime updates given by representatives of 15 countries in the Single Euro Payments Area (SEPA), and 5 non-SEPA countries, at the 43rd EAST meeting held in Edinburgh on 4th October 2017.

Payment fraud issues were reported by eleven countries.  One country reported that a fake P2P website was used to get funds illegally, which are then transferred to genuine cards for cash withdrawal.  Card-Not-Present (CNP) fraud shows a significant increase in fake websites, such as ticketing sites.  Data acquired through social engineering is used immediately by criminals to make fund transfers to money mule accounts.  The EAST Payments Task Force (EPTF) is looking at security issues affecting payments with a view to the gathering, collation and dissemination of related information, trends and general statistics.

ATM malware and logical security attacks were reported by seven countries.  To date in 2017 EAST has published fourteen related Fraud Alerts.  Two of the countries reported ATM related malware and all seven reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  To help counter these threats Europol, supported by the EAST Expert Group on All Terminal Fraud (EGAF), has published a document entitled ‘Guidance and Recommendations regarding Logical attacks on ATMs’.  It covers mitigating the risk, setting up lines of defence and identifying and responding to logical attacks.  This is available in four languages: English, German, Italian and Spanish.

Card skimming at ATMs was reported by thirteen countries.  The usage of M3 – Card Reader Internal Skimming devices is most prevalent.  This type of device is placed at various locations inside the motorised card reader behind the shutter.  Four countries reported such attacks and, to date in 2017, EAST has published ten related Fraud Alerts.

Year to date International skimming related losses were reported in 53 countries and territories outside of the Single Euro Payments Area (SEPA) and in 10 within SEPA.  The top three locations where such losses were reported are the USA, Indonesia and India.

Skimming attacks on other terminal types were reported by eight countries and four countries reported such attacks on unattended payment terminals (UPTs) at petrol stations.

Six countries reported incidents of Transaction Reversal Fraud (TRF).  One country reported a continued increase in such attacks and two countries reported a new modus-operandi.

Ram raids and ATM burglary were reported by ten countries and eight countries reported explosive gas attacks.  To date in 2017 EAST has published eleven related ATM physical attack alerts.  The use of solid explosives continues to spread and six countries reported such attacks.  This is of increasing concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.

The full Fraud Update is available to EAST Members (National and Associate).

43rd EAST Meeting hosted by LINK Scheme

The 43rd Meeting of EAST National Members was hosted by the LINK Scheme in Edinburgh on 4th October 2017.  National country crime updates were provided by 20 countries, and a global update by HSBC. Topics covered included payment fraud and the evolution of payment technology, ATM malware and logical attacks, terminal related fraud attacks and ATM related physical attacks.

A presentation on Card Not Present (CNP) Fraud was given by Police Scotland and updates were provided by the EAST Payments Task Force (EPTF), the EAST Expert Group on All Terminal Fraud (EGAF) and the EAST Expert Group on ATM and ATS Physical Attacks (EGAP).

EAST Fraud Update 3-2017 will be produced later this month, based on the updates provided at the meeting.  EAST Fraud Updates are available on the EAST Website to EAST Members.

The 43rd EAST Meeting was the first meeting of EAST National Members as the ‘European Association for Secure Transactions’.  At the EAST FCS Forum on 8th June 2017 EAST, formerly known as the European ATM Security Team, changed its name.

ECB reports an overall increase in Card Fraud, although fraud at ATMs is down

The European Central Bank (ECB) has just published its 4th Report on Card Fraud, covering 2013.  The report analyses developments in fraud related to card payment schemes (CPSs) in the Single Euro Payments Area (SEPA) and covers almost the entire card market.

The total value of fraudulent transactions conducted using cards issued within SEPA and acquired worldwide amounted to €1.44 billion in 2013, which represented an increase of 8% from 2012. In relative terms (i.e. as a share of the total value of transactions) fraud rose by 0.001 percentage point to 0.039% in 2013, up from 0.038% in 2012.  66% of the value of fraud resulted from card-not-present (CNP) payments (i.e. payments via the internet, post or telephone), 20% from transactions at POS terminals and 14% from transactions at ATMs.

The increase was due to CNP fraud, which saw €958 million in fraud losses in 2013. ATM and POS fraud fell –  card fraud committed at ATMs was down 13.7% when compared to 2012, the first time in four years that ATM fraud fell, while fraud committed at POS terminals was down by 7.9%.

The lower level of ATM fraud was due mainly to a substantial decrease in card-not-received and counterfeit fraud for this category. Counterfeit fraud accounted for 45% of the value of fraud at ATMs and POS terminals, while fraud using lost or stolen cards made up 43%. As observed in previous years, counterfeit fraud was predominant for transactions acquired in countries outside SEPA.

The full report can be downloaded from the ECB website.