EAST Publishes European Fraud Update 3-2017

EAST has published its third European Fraud Update for 2017.  This is based on country crime updates given by representatives of 15 countries in the Single Euro Payments Area (SEPA), and 5 non-SEPA countries, at the 43rd EAST meeting held in Edinburgh on 4th October 2017.

Payment fraud issues were reported by eleven countries.  One country reported that a fake P2P website was used to obtain funds illegally, which were then transferred to genuine cards for cash withdrawal.  Card-Not-Present (CNP) fraud shows a significant increase in fake websites, such as ticketing sites.  Data acquired through social engineering is used immediately by criminals to make fund transfers to money mule accounts.  The EAST Payments Task Force (EPTF) is looking at security issues affecting payments with a view to the gathering, collation and dissemination of related information, trends and general statistics.

ATM malware and logical security attacks were reported by seven countries.  To date in 2017 EAST has published fourteen related Fraud Alerts.  Two of the countries reported ATM related malware and all seven reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  To help counter these threats Europol, supported by the EAST Expert Group on All Terminal Fraud (EGAF), has published a document entitled ‘Guidance and Recommendations regarding Logical attacks on ATMs’.  It covers mitigating the risk, setting up lines of defence and identifying and responding to logical attacks.  This is available in four languages: English, German, Italian and Spanish.

Card skimming at ATMs was reported by thirteen countries.  The usage of M3 – Card Reader Internal Skimming devices is most prevalent.  This type of device is placed at various locations inside the motorised card reader behind the shutter.  Four countries reported such attacks and, to date in 2017, EAST has published ten related Fraud Alerts.

Year to date International skimming related losses were reported in 53 countries and territories outside of the Single Euro Payments Area (SEPA) and in 10 within SEPA.  The top three locations where such losses were reported are the USA, Indonesia and India.

Skimming attacks on other terminal types were reported by eight countries and four countries reported such attacks on unattended payment terminals (UPTs) at petrol stations.

Six countries reported incidents of Transaction Reversal Fraud (TRF).  One country reported a continued increase in such attacks and two countries reported a new modus-operandi.

Ram raids and ATM burglary were reported by ten countries and eight countries reported explosive gas attacks.  To date in 2017 EAST has published eleven related ATM physical attack alerts.  The use of solid explosives continues to spread and six countries reported such attacks.  This is of increasing concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.

The full Fraud Update is available to EAST Members (National and Associate).

43rd EAST Meeting hosted by LINK Scheme

The 43rd Meeting of EAST National Members was hosted by the LINK Scheme in Edinburgh on 4th October 2017.  National country crime updates were provided by 20 countries, and a global update by HSBC. Topics covered included payment fraud and the evolution of payment technology, ATM malware and logical attacks, terminal related fraud attacks and ATM related physical attacks.

A presentation on Card Not Present (CNP) Fraud was given by Police Scotland and updates were provided by the EAST Payments Task Force (EPTF), the EAST Expert Group on All Terminal Fraud (EGAF) and the EAST Expert Group on ATM and ATS Physical Attacks (EGAP).

EAST Fraud Update 3-2017 will be produced later this month, based on the updates provided at the meeting.  EAST Fraud Updates are available on the EAST Website to EAST Members.

The 43rd EAST Meeting was the first meeting of EAST National Members as the ‘European Association for Secure Transactions’.  At the EAST FCS Forum on 8th June 2017 EAST, formerly known as the European ATM Security Team, changed its name.

ECB reports an overall increase in Card Fraud, although fraud at ATMs is down

The European Central Bank (ECB) has just published its 4th Report on Card Fraud, covering 2013.  The report analyses developments in fraud related to card payment schemes (CPSs) in the Single Euro Payments Area (SEPA) and covers almost the entire card market.

The total value of fraudulent transactions conducted using cards issued within SEPA and acquired worldwide amounted to €1.44 billion in 2013, which represented an increase of 8% from 2012. In relative terms (i.e. as a share of the total value of transactions) fraud rose by 0.001 percentage point to 0.039% in 2013, up from 0.038% in 2012.  66% of the value of fraud resulted from card-not-present (CNP) payments (i.e. payments via the internet, post or telephone), 20% from transactions at POS terminals and 14% from transactions at ATMs.

The increase was due to CNP fraud, which saw €958 million in fraud losses in 2013. ATM and POS fraud fell –  card fraud committed at ATMs was down 13.7% when compared to 2012, the first time in four years that ATM fraud fell, while fraud committed at POS terminals was down by 7.9%.

The lower level of ATM fraud was due mainly to a substantial decrease in card-not-received and counterfeit fraud for this category. Counterfeit fraud accounted for 45% of the value of fraud at ATMs and POS terminals, while fraud using lost or stolen cards made up 43%. As observed in previous years, counterfeit fraud was predominant for transactions acquired in countries outside SEPA.

The full report can be downloaded from the ECB website.

Europol supports EU Project to fight Payment Card Fraud

Europol’s European Cybercrime Centre (EC3) has supported an 18-month EU-funded project against payment card fraud, initiated by UK authorities, which has resulted in the arrest of 59 individuals, 32 prosecutions and 17 convictions as well as the disruption of five organised crime groups misusing electronic payments.

During the final meeting for Project Sandpiper on 30th January 2014, it was stressed that a total of 52,812 compromised card numbers were recovered during the operations, with estimated savings to the banking industry of over GBP 23 million. The EU-based criminals were misusing financial credentials in mainly remote overseas destinations.

Head of the European Cybercrime Centre, Troels Oerting, said: “The criminal networks involved in this sophisticated electronic payment crime have been taken down as a result of many months of hard work by police officers and prosecutors in the European Union…… We continue our fight against this crime. The criminals continue to develop new methods for stealing our identities, money and ideas online, and we have to continue and further develop operations like Sandpiper and Skynet.”

The phenomenon of card-not-present (CNP) fraud is on the rise, accounting for 60% of all fraud losses on cards issued in the European Union, according to card fraud statistics published by the European Central Bank (ECB) in February 2014. A new EU-funded project, code-named Skynet, has been launched to focus on international cooperation to combat online CNP fraud. Six EU Member States are involved in the project.

EC3 at Europol provided analytical support and organised regular coordination meetings on the Sandpiper project at its headquarters. In addition, Europol’s information and analysis systems were used to exchange and cross-check the intelligence received from Member States. Operations and projects such as Sandpiper and Skynet demonstrate the crucial role of the exchange of information and intelligence through Europol’s channels and the importance of international coordination of such operations.

With many people becoming a victim of payment card fraud every year, Europol recognises the need to inform the public about basic fraud prevention methods when using a payment card, whether it is a debit, credit, prepaid or any other value card.  An information leaflet has been provided for cardholder use.

Visit the Europol website for more information.