Corporate Network Attacks

Corporate Network AttacksIn August 2020 EAST published Central/Host Fraud definitions which cover corporate attacks against central infrastructure like banking host systems in order to perform different Modus Operandi not directly connected to a Terminal.  These definitions were produced by the EAST Expert Group on All Terminal Fraud (EGAF).

The compromise of a corporate network is the first step with these types of incidents.  This can be done by external attackers as well as by internal employees of the institution.  Attackers typically try to get access to this critical infrastructure, enabling the three different Corporate Networks Attacks shown below.

  • Card Processing
  • Fund Transfer
  • Remote Malware Distribution and Control

The third one relates to control of a financial institution’s network leading to illegitimate file distribution in order to install and execute ATM specific malware.  The different malware Modus Operandi actually used within the corporate network attack can be Jackpotting (also known as ATM Cash-out), Man-in-the-Middle (MITM) and SW-Skimming.  These are described in EAST’s Terminal Fraud Definitions.

In October 2020 The PCI Security Standards Council (PCI SSC) released a bulletin ‘The Threat Of ATM Cash-Outs Payment Security’.

EAST Executive Director Lachlan Gunn speaks to Jeremy King, the PCI SSC Regional Head for Europe and Otto de Jong, Chair of EAST EGAF and DBNL Anti-Fraud Officer for ING.

Lachlan Gunn:  Thank you both for agreeing to speak today on this key issue.

Why did EAST produce Central/Host Fraud Definitions?

Otto de Jong:  It is vital that the way that corporate network attacks are described is consistent to allow law enforcement and industry responders to accurately report what they are seeing in a way that allows for standardisation of reporting.  This optimises the ability of organisations to mitigate and defend against the evolving threats and helps law enforcement when conducting follow up investigations to such crimes.  The aim is for these fraud definitions to be adopted globally by the Industry and Law enforcement when describing or reporting payment terminal fraud.  The INTERPOL Financial Crimes Unit is recommending the usage of EAST definitions for Payment Card Fraud, and we hope that other law enforcement agencies will do the same.

Why did the PCI Security Standards Council issue an industry threat bulletin on ATM Cash-outs?

Jeremy King: We have heard from many of our stakeholders in the European payment community that ATM “cash-outs” are a growing concern across the globe. We felt, as a leader in payment security, now was the time to issue a bulletin with our friends and colleagues from the ATMIA who’s industry is well aware of these daily threats.

Otto de Jong:  This is indeed timely.  The most recent EAST Payment Terminal Crime Report shows that ‘cash-out’ through black box attacks is a growing threat.  ATM malware and logical attacks against ATMs were up 269% (from 35 to 129) and all the reported attacks were Black Box attacks.

What businesses are at risk of this devious attack?

Jeremy King: Financial institutions, and payment processors are most at financial risk and likely to be the target of these large-scale, coordinated attacks. These institutions stand to potentially lose millions of dollars in a very short time period and can have exposure in multiple countries throughout Europe and around the world as the result of this highly organised, well-orchestrated criminal attack.

Otto de Jong: In addition to financial institutions and payment processors, recent corporate network attacks have demonstrated that this is also a threat to key infrastructure companies like utility companies, universities, hospitals and so on.   This year the corporate network attack threat is evolving from targeting the payment system (cash out or swift transactions) to ransomware attacks (bitcoins).

What are some detection best practices to detect these threats before they can cause damage?

Jeremy King: Since ATM ‘cash-out’ attacks can happen quickly and drain millions of dollars in a short period of time, the ability to detect these threats before they can cause damage is critical. Some ways to detect this type of attack are:

  • Velocity monitoring of underlying accounts and volume
  • 24/7 monitoring capabilities including File Integrity Monitoring Systems (FIMs)
  • Reporting system that sounds the alarm immediately when suspicious activity is identified
  • Development and practice of an incident response management system
  • Check for unexpected traffic sources (e.g. IP addresses)
  • Look for unauthorized execution of network tools

Otto de Jong: Monitoring systems can also be compromised.  Checking of related monitoring mechanisms, such as globally operated by card schemes, can be helpful to identify this kind of attack.

What are some prevention best practices to stop this attack from happening in the first place?

Jeremy King: The best protection to mitigate against ATM ‘cash-outs’ is to adopt a layered defence that includes people, processes, and technology. Some recommendations to prevent ATM ‘cash-outs’ include:

  • Strong access controls to your systems and identification of third-party risks
  • Employee monitoring systems to guard against an “inside job”
  • Continuous phishing training for employees
  • Multi-factor authentication
  • Strong password management
  • Require layers of authentication/approval for remote changes to account balances and transaction limits
  • Implementation of required security patches in a timely manner (ASAP)
  • Regular penetration testing
  • Frequent reviews of access control mechanisms and access privileges
  • Strict separation of roles that have privileged access to ensure no one user ID can perform sensitive functions
  • Installation of file integrity monitoring software that can also serve as a detection mechanism
  • Strict adherence to the entire PCI DSS

Otto de Jong: In addition, every institution with an IT infrastructure should perform a threat risk assessment to spot weakness in their system.  This should be evaluated on an annual basis.  Performing penetration tests annually by independent assessors must be part of such an assessment.

Lachlan Gunn:  That concludes the Q&A session.  Many thanks again to you both.  Hopefully this will help to further raise awareness of the risks posed by corporate network attacks, what can be done to detect them, how to protect against them and also how to classify attacks to allow for accurate reporting and follow up by law enforcement and the industry.

The Future of ATMs

EAST Executive Director Lachlan Gunn presented at a webinar on the ‘Future of ATMs’ organised by The South African Banking Risk Information Centre (SABRIC) on Friday 26th June 2020.  SABRIC is the EAST National Member for South Africa.  The webinar was chaired by Mr Ronnie Zonke of SABRIC and was attended by representatives of the banking and financial sector in South Africa.

The EAST presentation, entitled ‘ATMs in Europe’ covered:

  • European ATM Deployment
  • European ATM Crime Overview (Pre COVID-19)
  • Latest ATM Crime Trends
  • The future for ATMs

This was followed by a presentation by Mike Lee, CEO of ATMIA, covering what is a Next Gen ATM and why it is so important to the future of financial services, and one by Patrick Johnson, Deputy Head Currency for Currency Management at the South African Reserve Bank, entitled ‘The Future of ATM’s in a time of crisis’ and covering:

  • What are the current banknote growth trends and the impact this will have on ATM’s?
  • How important have ATM’s been during COVID-19 and what happened during lockdown?
  • What will the future of ATM’s hold in an uncertain future?

Terminal Fraud Update – EAST FCS Seminars 2019

Terminal Fraud

Act now to save your place for the Terminal Fraud Seminar that will be held by the EAST Expert Group on All Terminal Fraud (EGAF) on 9th October 2019.

Terminal Fraud TERMINAL FRAUD SEMINAR- PROGRAMME UPDATE

  • EAST Executive Director Lachlan Gunn will share the latest Terminal Fraud Statistics published by EAST, covering the period January to June 2019;
  • Veronica Borgogna of BANCOMAT S.p.A will provide a national threat assessment for Italy
  • and Ben Birtwistle of RBS will provide a national threat assessment for the UK

The national threat assessments will cover card compromise and logical/malware attacks

This interactive event follows the basic structure of EAST EGAF Member meetings.  Attendance at EAST EGAF meetings is limited, as it is a working group, and this event enables a wider participation and the opportunity for all attendees to engage with the Group and its organizers.

ATM Physical Attacks

The EAST FCS Seminars will be co-located with RBR’s ATM & Cyber Security 2019 event, although separate registration is required.


2019 EAST FCS ATM Physical Attack Seminar Sponsor

Additional sponsorship opportunities are still available

EAST assists Europol-ASEAN Strategic Payment Card Fraud Meeting

Payment Card Fraud - 5th Strategic MeetingEAST presented at the 5th Strategic Meeting on Payment Card Fraud held in Hanoi, Vietnam on 29-30 May 2018.  EAST Executive Director Lachlan Gunn gave an overview on Terminal Fraud and Payment Fraud as seen by the industry in Europe and highlighted the issue of related fraud migration to China and the ASEAN region.

The growing presence of chip cards in the European Union (EU) has seen an increase in fraudulent payments with European cards at ATMs in Asian countries. Organised crime groups from Europe set up cells in Asia, creating an illegal network, which resulted not only in a higher number of fraud cases, but also in an increase of violence and serious incidents where members of criminal organisations were killed.

The Payment Card Fraud Meeting was aimed at consolidating and strengthening cooperation under the EURASEAN Investigative Network on Payment Card Fraud to provide an adequate and effective answer to this criminal phenomenon. This network, led by Europol, is supported by both ASEANAPOL and INTERPOL, law enforcement officers from EU Member States and 10 ASEAN countries (Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam) with the assistance of EAST representing the private sector.

The EURASEAN network, established last year, has been increasingly efficient and boosted several investigations that led to arrests between Bulgaria and Vietnam, France and Thailand and Romania and Indonesia. International cooperation, based on the exchange of information, technical support and strategies, whereby organised criminal groups active in Asia and Europe were disrupted, fugitives detected, false ID documents seized and criminal assets recovered.

In the fight against fraudulent payments and cybercrime, law enforcement agencies are not the only ones involved: a fundamental role is also played by the private sector. Stopping cyber fraud in the financial sector requires dealing directly with the private sector.  EAST has been closely working with Europol since 2004 and has had working relationships with ASEANAPOL and INTERPOL since 2015.

The trusted relationships established between Europol, ASEANAPOL and INTERPOL are a crucial factor in strengthening security and, ultimately, protecting EU citizens.

The meeting was financed by EMPACT (European multidisciplinary platform against criminal threats) and led by Romania. Bulgarian authorities led the action on cooperation with Asian countries.

EAST has supported all five of the Strategic Meetings on Payment Card Fraud held to date in the ASEAN region, as well as related meetings held in Europe and Latin America.

EAST supports Europol Strategic Payment Card Fraud Meeting

On 20-21 November 2017, Europol’s European Cybercrime Centre (EC3), with the support of EAST, hosted an international meeting with a specific focus on combating payment card fraud across Europe and beyond.

In its sixth occurrence since it was first organised in Singapore in 2015, this meeting was held for the first time at Europol’s headquarters in The Hague, bringing together representatives from 3 regions of the world: 8 EU Member States (Portugal, Greece, France, Denmark, Spain, Romania, Bulgaria and Italy), Latin America (Argentina, Dominican Republic, Chile, Colombia and AMERIPOL) and Asia (Malaysia, Philippines, Thailand and ASEANAPOL).

The EAST presentation focused on combating payment card fraud from the perspective of the private sector – EAST Executive Director Lachlan Gunn gave an overview of EAST and presented the latest threats, criminal methodologies and crime and fraud statistics.  EAST Development Director Rui Carvalho, who chairs the EAST Payments Task Force (EPTF), covered the latest payment crime trends as reported at the 43rd EAST Meeting.

The latest European Central Bank Report estimates €1.44 billion losses in Payment card fraud in 2013 The overall losses were up 8%. Card Not Present (CNP) fraud has experienced significant increases in Europe in the last years and although Card Present Fraud (CP) within the EU decreased during the last years still remain significant as the EMV (chip and pin) protection has not yet been fully implemented. In fact, organised crime groups set up permanent bases in overseas locations where Chip is not implemented cashing out compromised European cards.

EAST has supported all the Europol Strategic Meetings on Payment Card Fraud held in the ASEAN and LATAM regions.

 

EAST presents at NCR Fraud & Security Summit

Fraud & Security SummitEAST Executive Director Lachlan Gunn presented at the 5th Annual NCR Fraud & Security Summit, held in London on 9th October 2017.  The event allowed security experts from around the world to share experiences and information on a wide array of security topics such as emerging threats, trends, solutions and innovations.

Lachlan Gunn (pictured on the right with NCR’s Charlie Harrow) gave an overview of EAST and its new structure, before delivering an update on the payment fraud and crime situation in Europe.  He referred to statistics from EAST’s recently published European Payment Terminal Crime Report which highlighted a significant increase in logical (black box) attacks.

The Agenda included presentations that covered NCR’s Security Startegy, expanding logical protection to the Network, contactless and new technologies, protecting ATMs from physical attacks, ATM attack trends and an update on the new NCR 80 Series ATMs.

3rd EAST FCS Forum – the most successful yet!

EAST FCS ForumThe sun has set on another successful EAST Financial Crime & Security (FCS) Forum which was held for the second time at the Grand Hotel Amrâth Kurhaus, in Scheveningen, The Hague. Feedback from delegates has been hugely positive.  This year marked a new format which included plenary sessions covering expert information from global regions: Asia-Pacific (ASEAN), Latin America, USA, Russia and Europe. 19 expert speakers travelled from 14 countries around the world to share their knowledge of ATM crime prevention.

In addition an afternoon of breakout sessions was held covering topics related to ATM and payment terminal fraud, and to ATM physical attacks.

Networking opportunities were abundant – a welcome cocktail the evening before the event, ensured all delegates were comfortable to kick off the Forum having met with their peers in a relaxed environment. Exhibitors enjoyed increased traffic through the exhibition hall, giving demos to attendees during coffee breaks, lunch and demonstration sessions.

 

Day One of the EAST FCS Forum opened with keynote speaker Steven Wilson, Head of the Europol Cyber Crime Centre (EC3) who spoke about the multi-faceted approach to countering cybercrime and the success of public private partnerships, especially the cooperation between EC3, non-EU States and EAST members.

Lachlan Gunn, Executive Director EAST, provided relevant statistics from the EAST European ATM Crime Report. He also announced a name change for EAST which is now the European Association for Secure Transactions. A milestone for EAST which has mainly focused on issues facing the ATM industry thus far, but which will now look at all threats against payment terminals (ATM, SST and POS), as well the security of payments and transactions.

Lachlan was followed by presenters from ASEANAPOL, the US Secret Service, the Russian Mastercard Members Association, and from the Latin American Association of Operators Electronic Funds Transfer and Information Services (ATEFI), who all gave the audience the most current information on activity in their regions.

In the afternoon breakout sessions Otto de Jong, EAST EGAF Chair, led discussions which covered R&D by fraudsters on EMV and old school ATM Fraud, and Graham Mott, EAST EGAP Chair, facilitated discussions on banknote degradation, physical attack types and countermeasures and traditional attacks.

The day closed out nicely with a BBQ by the beach!

Day Two kicked off with Group-IB providing an overview on the evolution of logical attacks on financial institutions. This was followed by a case study on Black Box attacks from NCR Czech Republic and an update from ING Netherlands on the evolution of gas and solid explosive attacks. There was a case study on countering such explosive attacks from the UK’s West Midlands Regional Organised Crime Unit, and the final talk of the day came from Rui Carvalho, Development Director EAST, who is building the EAST Payments Task Force and provided an overview on current and future activities for EAST.

In her closing address, conference Chairman Úna Dillon, Development Director of EAST, summarised the two-day conference by noting the importance of cross-border public-private sector cooperation in the fight against financial crime – stressing the need for private sector industry stakeholders to collaborate with law-enforcement agencies. She added that whilst EAST delivered the conference, the people charged with building the event are also deeply involved in the collaborative work already going on. Their ‘on-the-ground’ involvement means the EAST FCS Forum agenda will always be relevant and current.

This 3rd EAST FCS Forum has proven to be a successful platform in bringing together the perfect mix of banking representatives, security experts, law enforcement, payments associations, government agencies and many other stakeholders in the ATM and payment crime prevention sector  –  the dialogue and learning from  across Europe, the USA, Latin America, Russia and Asia-Pacific will no doubt help all participants to better detect and prevent current and future financial crime threats.

The event could not have taken place without the support of sponsors, exhibitors, speakers and delegates. EAST hugely appreciates the participation of all who took part and thanks everyone for their contribution to making the event a success.

Overall sponsor of the EAST FCS Forum 2017 was 3SI Security Systems.

Other sponsors and exhibitors included, the ATM Security Association, ACG, BVK, GMV, MIB, Startech Ltd. and TMD Security.

EAST changes name

EAST

 

 

EAST is changing its name to the European Association for Secure Transactions (EAST).  The announcement was made by EAST Executive Director Lachlan Gunn at the EAST Financial Crime and Security (FCS) Forum in The Hague.  The name change is in line with a new strategic direction for EAST.

EASTEAST was formed in 2004 to focus on ATM security when card skimming was a rising issue in Europe.  Since then there have been significant changes in the payment landscape, which continues to evolve at great speed.  EAST will continue to report on ATM crime issues as part of a wider reporting structure, which will be broadly split into Terminal Security and Payment Security.  The core strength of EAST is the National Member platform, backed up by interaction with Associate Members, and this change will enable EAST to keep serving all its members as their needs change.

The EAST Expert Group on All Terminal Fraud (EGAF) will continue to focus on fraud at all terminal types, and the EAST Payments Task Force (EPTF) is focussed on the security of payments and transactions.  The EAST Expert Group on ATM and ATS Physical Attacks (EGAP) will continue to be mainly ATM focussed, to help counter the growing threat of solid explosive and explosive gas attacks.

EAST has national representation from the following 26 European countries:  Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Liechtenstein, Luxembourg, Netherlands, Norway, Malta, Poland, Portugal, Romania, Slovakia, Spain, Sweden, Switzerland, United Kingdom.  EAST is still seeking national representative members from:  Estonia, Iceland, Latvia, Lithuania and Slovenia.

Brazil, Canada, Indonesia, Mexico, Russia, Serbia, South Africa, Turkey, Ukraine and the United States are represented at EAST as non-SEPA members and EAST is seeking to establish links with parties in any country, able to share national incident and loss statistics for terminal related fraud and physical attacks.  For more information contact us.

Third Strategic Meeting on Payment Card Fraud

3rd Strategic Meeting on Payment Card Fraud

EAST presented at the Third Strategic Meeting on Payment Card Fraud (PCF) at the Electronic Transactions Development Agency (ETDA) in Bangkok, Thailand.

This event, which was organised by Europol’s European Cybercrime Centre (EC3) on 13-14 December 2016, provided the law enforcement community with a comprehensive overview of payment card issues such as compromising payment card data, skimming, ATM cashing out, e-commerce and airline frauds. The event, which was co-organised with ASEANAPOL and INTERPOL with the support of the Romanian National Police and the Royal Thai Police, was hosted by the ETDA (public organisation), and the Ministry of Digital Economy and Society.

Thirty law enforcement officers from four EU Member States (Austria, France, Greece, and Romania) and their ASEAN counterparts (Brunei, Cambodia, Indonesia, Malaysia, Myanmar, Philippines, Singapore, and Thailand) participated in the two-day meeting. The private sector was represented by EAST, the Bank of Thailand, representatives from the Thai commercial banks and LiquidNexxus. The ThaiCERT – ETDA facilitated cooperation between the law enforcement community and the Computer Emergency Response Teams (CERTs).

EAST Executive Director Lachlan Gunn gave an overview of the European ATM Fraud situation and highlighted the issue of losses in the ASEAN region faced by European card issuers.

3rd Strategic PCF MeetingThe aim of the event was to discuss operational achievements in the area of combating cyber fraud and to agree on the steps to follow with regard to security of non-cash means of payment. It focused on the exchange of expertise in the area of prevention and combating ATM/POS fraud, data compromising, ATM malware, and eCommerce fraud. A specific action plan concerning further cross-regional cooperation between European and Asian law enforcement was devised, following recent successful operations between the two parties.

As a result of discussions at the event, and to strengthen inter-regional industry communication to combat terminal and payment security, EAST is in follow up communication with the banking sectors in Indonesia and Thailand.

In March 2016 EAST supported the Second Strategic Meeting on Payment Card Fraud which was held at the Royal Malaysian Police College in Kuala Lumpur, Malaysia.  The meeting was hosted by Europol, INTERPOL and ASEANOPOL with the financial support of the Romanian authorities.

In November 2015 EAST supported the First Strategic Meeting on Payment Card Fraud which was held in the INTERPOL Global Complex for Innovation (IGCI) and was co-hosted by Europol and INTERPOL with the financial support of the Romanian authorities.

In October 2015 EAST participated in a two-day meeting in Bogota (Colombia) to discuss payment card fraud overseas and money withdrawals in Latin America.

ATM Explosive Attacks surge in Europe

european-atm-crime-report-h1-2016In a European ATM Crime Report covering the first six months of 2016 EAST has reported that ATM explosive attacks were up 80% when compared to the same period in 2015.

A total of 492 explosive attacks were reported, up from 273 during the same period in 2015.  While the majority were explosive gas attacks, 110 were solid explosive attacks.  EAST Executive Director Lachlan Gunn said, “This rise in explosive attacks is of great concern to the industry in Europe as such attacks create a significant amount of collateral damage to equipment and buildings as well as a risk to life.  The EAST Expert Group on Physical Attacks (EGAP) is working to analyse the attacks and to share intelligence best practice information across the industry and law enforcement that can help to mitigate the threat.”

Overall ATM related physical attacks rose 30% when compared with H1 2015 (up from 1,232 to 1,604 incidents).  Losses due to ATM related physical attacks rose 3% to €27 million (up from €26.3 million in 2015).  The average cash loss for a ram raid or burglary attack is estimated at €17,327, the average cash loss per explosive attack is €16,631 and the average cash loss for a robbery is €20,017.  These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

EAST also reported a 28% increase in ATM related fraud attacks, up from 8,421 in H1 2015 to 10,820 in H1 2016.  This rise was mainly driven by a 281% increase in Transaction Reversal Fraud (up from 1,270 to 4,840 incidents).  The downward trend for card skimming continues with 1,573 card skimming incidents reported, down 21% from 1,986 in H1 2015.

Losses due to ATM related fraud attacks were up 12% when compared with H1 2015 (up from €156 million to €174 million).  This rise was largely driven by an 8% rise in international skimming losses (up from €131 million to €142 million).  The Asia-Pacific region (particularly Indonesia) and the USA are where the majority of such losses were reported.  Domestic skimming losses rose 24% over the same period.

The number of ATM logical attacks reported continues to rise.  28 incidents were reported (all ‘cash out’ or ‘jackpotting’ attacks), up from just 5 during the same period in 2015.  Related losses were €0.4 million.

A summary of the report statistics under the main headings is in the table below:

h1-2016-crime-report-summary-stats

The full Crime Report is available to EAST Members (National and Associate).