Corporate Network Attacks

In August 2020 EAST published Central/Host Fraud definitions which cover corporate attacks against central infrastructure, such as banking host systems, in order to perform different Modus Operandi not directly connected to a Terminal.  These definitions were produced by the EAST Expert Group on All Terminal Fraud (EGAF).

The compromise of a corporate network is the first step in these types of incident.  This can be done by external attackers as well as by internal employees of the institution.  Attackers typically try to get access to this critical infrastructure, enabling the three different Corporate Network Attacks shown below.

  • Card Processing
  • Fund Transfer
  • Remote Malware Distribution and Control

The third of these relates to control of a financial institution’s network leading to illegitimate file distribution in order to install and execute ATM-specific malware.  The malware Modus Operandi actually used within a corporate network attack can be Jackpotting (also known as ATM Cash-out), Man-in-the-Middle (MITM) and SW-Skimming.  These are described in EAST’s Terminal Fraud Definitions.

In October 2020 the PCI Security Standards Council (PCI SSC) released a bulletin, ‘The Threat Of ATM Cash-Outs Payment Security’.

EAST Executive Director Lachlan Gunn speaks to Jeremy King, the PCI SSC Regional Head for Europe and Otto de Jong, Chair of EAST EGAF and DBNL Anti-Fraud Officer for ING.

Lachlan Gunn:  Thank you both for agreeing to speak today on this key issue.

Why did EAST produce Central/Host Fraud Definitions?

Otto de Jong:  It is vital that the way that corporate network attacks are described is consistent to allow law enforcement and industry responders to accurately report what they are seeing in a way that allows for standardisation of reporting.  This optimises the ability of organisations to mitigate and defend against the evolving threats and helps law enforcement when conducting follow-up investigations to such crimes.  The aim is for these fraud definitions to be adopted globally by the Industry and Law enforcement when describing or reporting payment terminal fraud.  The INTERPOL Financial Crimes Unit is recommending the usage of EAST definitions for Payment Card Fraud, and we hope that other law enforcement agencies will do the same.

Why did the PCI Security Standards Council issue an industry threat bulletin on ATM Cash-outs?

Jeremy King: We have heard from many of our stakeholders in the European payment community that ATM “cash-outs” are a growing concern across the globe. We felt, as a leader in payment security, now was the time to issue a bulletin with our friends and colleagues from the ATMIA, whose industry is well aware of these daily threats.

Otto de Jong:  This is indeed timely.  The most recent EAST Payment Terminal Crime Report shows that ‘cash-out’ through black box attacks is a growing threat.  ATM malware and logical attacks against ATMs were up 269% (from 35 to 129) and all the reported attacks were Black Box attacks.

What businesses are at risk of this devious attack?

Jeremy King: Financial institutions and payment processors are most at financial risk and likely to be the target of these large-scale, coordinated attacks. These institutions stand to potentially lose millions of dollars in a very short time period and can have exposure in multiple countries throughout Europe and around the world as the result of this highly organised, well-orchestrated criminal attack.

Otto de Jong: In addition to financial institutions and payment processors, recent corporate network attacks have demonstrated that this is also a threat to key infrastructure companies like utility companies, universities, hospitals and so on.  This year the corporate network attack threat is evolving from targeting the payment system (cash out or SWIFT transactions) to ransomware attacks (bitcoins).

What are some detection best practices to detect these threats before they can cause damage?

Jeremy King: Since ATM ‘cash-out’ attacks can happen quickly and drain millions of dollars in a short period of time, the ability to detect these threats before they can cause damage is critical. Some ways to detect this type of attack are:

  • Velocity monitoring of underlying accounts and volume
  • 24/7 monitoring capabilities including File Integrity Monitoring Systems (FIMs)
  • Reporting system that sounds the alarm immediately when suspicious activity is identified
  • Development and practice of an incident response management system
  • Check for unexpected traffic sources (e.g. IP addresses)
  • Look for unauthorized execution of network tools

Otto de Jong: Monitoring systems can also be compromised.  Checking related monitoring mechanisms, such as those operated globally by card schemes, can be helpful to identify this kind of attack.
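The first item in the list above, velocity monitoring, is easy to describe and easy to get wrong in practice: a cash-out is visible both per card (many withdrawals in minutes, often from several countries) and fleet-wide (total dispensed volume far above baseline). The following is an added example, not code from EAST, the PCI SSC or the speakers. It assumes a feed of tokenised withdrawal records; the record layout, the thresholds, the `per_card_alerts` and `fleet_surge_alerts` helpers and the sample data are all constructed for illustration.

```python
"""Sliding-window velocity monitoring over ATM withdrawal records (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    ts: datetime
    card: str      # tokenised card reference (constructed, not a real PAN)
    atm: str
    country: str
    amount: int    # whole currency units


@dataclass(frozen=True)
class VelocityRule:
    window: timedelta
    max_count: int      # withdrawals per card within the window
    max_amount: int     # total amount per card within the window
    max_countries: int  # distinct countries per card within the window


def per_card_alerts(records, rule):
    """Per-card sliding-window check.

    Returns a list of (card, timestamp, reason) tuples, one per withdrawal
    that pushes its card over any limit of the rule within the window.
    """
    alerts = []
    windows = defaultdict(deque)          # card -> withdrawals still inside the window
    for w in sorted(records, key=lambda r: r.ts):
        q = windows[w.card]
        q.append(w)
        while w.ts - q[0].ts > rule.window:   # evict records older than the window
            q.popleft()
        count = len(q)
        total = sum(x.amount for x in q)
        countries = {x.country for x in q}
        reasons = []
        if count > rule.max_count:
            reasons.append(f"{count} withdrawals in {rule.window}")
        if total > rule.max_amount:
            reasons.append(f"total {total} exceeds {rule.max_amount}")
        if len(countries) > rule.max_countries:
            reasons.append(f"{len(countries)} countries: {sorted(countries)}")
        if reasons:
            alerts.append((w.card, w.ts, "; ".join(reasons)))
    return alerts


def fleet_surge_alerts(records, window, max_total):
    """Fleet-wide check: total amount dispensed across all ATMs within the window.

    Cash-outs spread small per-card amounts over many cards and machines, so a
    per-card rule alone can miss them. Returns a list of (timestamp, total).
    """
    alerts = []
    q = deque()
    total = 0
    for w in sorted(records, key=lambda r: r.ts):
        q.append(w)
        total += w.amount
        while w.ts - q[0].ts > window:
            total -= q.popleft().amount
        if total > max_total:
            alerts.append((w.ts, total))
    return alerts


# Constructed sample feed: one ordinary card and one card behaving like a cash-out mule.
T0 = datetime(2020, 10, 1, 2, 0)
SAMPLE = [
    Withdrawal(T0, "card-A", "atm-01", "NL", 200),
    Withdrawal(T0 + timedelta(hours=6), "card-A", "atm-02", "NL", 100),
]
SAMPLE += [  # card-B: six withdrawals in ten minutes across three countries
    Withdrawal(T0 + timedelta(minutes=i), "card-B", f"atm-{10 + i}",
               ["NL", "DE", "BE"][i % 3], 500)
    for i in range(0, 12, 2)
]
RULE = VelocityRule(window=timedelta(minutes=10), max_count=3,
                    max_amount=1000, max_countries=1)

if __name__ == "__main__":
    for card, ts, reason in per_card_alerts(SAMPLE, RULE):
        print(f"{ts:%H:%M} {card}: {reason}")
    for ts, total in fleet_surge_alerts(SAMPLE, timedelta(minutes=10), 2000):
        print(f"{ts:%H:%M} fleet total {total} in 10 minutes")
```

The thresholds here are deliberately low so the constructed data trips them; in production they are set per portfolio from historical baselines, and the alert feed goes to the reporting system the next bullet describes. On the sample data the per-card rule fires only for card-B (first on the country rule, then on amount and count as the window fills), and the fleet rule fires once the ten-minute total passes 2000.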

What are some prevention best practices to stop this attack from happening in the first place?

Jeremy King: The best protection to mitigate against ATM ‘cash-outs’ is to adopt a layered defence that includes people, processes, and technology. Some recommendations to prevent ATM ‘cash-outs’ include:

  • Strong access controls to your systems and identification of third-party risks
  • Employee monitoring systems to guard against an “inside job”
  • Continuous phishing training for employees
  • Multi-factor authentication
  • Strong password management
  • Require layers of authentication/approval for remote changes to account balances and transaction limits
  • Implementation of required security patches in a timely manner (ASAP)
  • Regular penetration testing
  • Frequent reviews of access control mechanisms and access privileges
  • Strict separation of roles that have privileged access to ensure no one user ID can perform sensitive functions
  • Installation of file integrity monitoring software that can also serve as a detection mechanism
  • Strict adherence to the entire PCI DSS

Otto de Jong: In addition, every institution with an IT infrastructure should perform a threat risk assessment to spot weaknesses in their system.  This should be evaluated on an annual basis.  Performing penetration tests annually by independent assessors must be part of such an assessment.
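File integrity monitoring appears in both the detection and the prevention lists above, and Otto de Jong's earlier remark that monitoring systems can themselves be compromised applies to it directly: a baseline the attacker can rewrite detects nothing. The following is an added example, not code from EAST, the PCI SSC or the speakers, of the core of such a monitor: hash every file under a directory, keep the baseline off the monitored host under an HMAC key, and report added, removed and modified files. The directory layout, file names and key are constructed for illustration.

```python
"""Minimal file integrity baseline and verification (added example)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_baseline(baseline, key):
    """Serialise the baseline and attach an HMAC so tampering with the stored
    baseline is detectable. The key must live off the monitored host."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def open_baseline(body, tag, key):
    """Check the HMAC before trusting a stored baseline; raise if it fails."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline HMAC mismatch: stored baseline was altered")
    return json.loads(body)


def verify(root, baseline):
    """Compare the current tree with the baseline.

    Returns {"added": [...], "removed": [...], "modified": [...]}; all three
    lists empty means the tree matches the baseline.
    """
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo(key=b"constructed-demo-key"):
    """Constructed scenario in a temporary directory standing in for an ATM's
    software tree: take a baseline, then simulate a dropped file and an edited
    configuration, and return what verification reports."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "xfs_service.exe").write_bytes(b"original service binary")
        (root / "config").mkdir()
        (root / "config" / "dispenser.ini").write_text("max_notes=40\n")

        body, tag = seal_baseline(build_baseline(root), key)   # store off-host

        (root / "bin" / "dropper.exe").write_bytes(b"unexpected file")  # simulated change
        (root / "config" / "dispenser.ini").write_text("max_notes=400\n")

        return verify(root, open_baseline(body, tag, key))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Real deployments also record file metadata (owner, permissions, timestamps), run at a fixed interval or on change notification, and feed findings into the alerting system rather than a console. The HMAC step is what makes the monitor useful after the host is already compromised: a modified baseline fails `open_baseline` instead of silently approving the attacker's files.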

Lachlan Gunn:  That concludes the Q&A session.  Many thanks again to you both.  Hopefully this will help to further raise awareness of the risks posed by corporate network attacks, what can be done to detect them, how to protect against them and also how to classify attacks to allow for accurate reporting and follow up by law enforcement and the industry.

Terminal Fraud Update – EAST FCS Seminars 2019


Act now to save your place for the Terminal Fraud Seminar that will be held by the EAST Expert Group on All Terminal Fraud (EGAF) on 9th October 2019.

SESSION FOCUS – LOGICAL SECURITY UPDATE

This session will focus on logical attacks against ATMs. These can be split into two types – black box attacks and malware attacks.

EAST EGAF Chair, Otto de Jong of ING Bank, will first present on black box attacks. These are a type of jackpotting attack. The criminals connect an unauthorised device (or black box) which sends dispense commands directly to the ATM cash dispenser in order to ‘Cash-Out’ the ATM. He will cover the latest developments for this type of attack methodology.

Then Terence Devereux of Diebold Nixdorf will present an update on malware attacks. For these attacks the criminals use unauthorised software, or authorised software run in an unauthorised manner, on the ATM’s PC. These attacks are focussed on either jackpotting (most common), or card skimming, as follows:

  • Jackpotting: Targets control of the cash dispense function in order to ‘cash-out’ the ATM
  • Man-In-The-Middle (MitM): Targets communication between the ATM’s PC and the acquirer host system in order to falsify host responses and dispense cash without debiting the criminal’s account
  • SW-Skimming: Targets card and PIN data in order to create counterfeit cards for subsequent fraudulent transactions

This interactive event follows the basic structure of EAST EGAF Member meetings. Attendance at EAST EGAF meetings is limited, as it is a working group, and this event enables a wider participation and the opportunity for all attendees to engage with the Group and its organizers.


The EAST FCS Seminars will be co-located with RBR’s ATM & Cyber Security 2019 event, although separate registration is required.


2019 EAST FCS ATM Physical Attack Seminar Sponsors

Additional sponsorship opportunities are still available

EAST presents at Mastercard Global Risk Leadership Conference

Otto de Jong from ING Netherlands and chair of the EAST Expert Group on All Terminal Fraud (EGAF) attended and presented at the ‘MasterCard Global Risk Leadership Conference – Europe’ in Albufeira, Portugal.  The focus of the event was the sharing of knowledge and best practices on key payment security issues, vulnerabilities, and innovative techniques to mitigate fraud.

On 26 September Otto de Jong (second from right in picture), together with representatives from MasterCard and McAfee, gave a presentation on Cybersecurity Research Leadership and Cyber Attack Methods.  In his talk he gave an overview of EAST and covered rising card fraud threats from the perspective of the industry (ATM and POS terminal).

The Conference, which ran from 25 to 28 September 2017, was attended by stakeholders from the card payments industry in Europe (Issuers, Acquirers and Vendors).

EAST presents at INTERPOL Dialogue

On 13th July 2017 Otto de Jong from ING Netherlands and chair of the EAST Expert Group on All Terminal Fraud (EGAF) attended and presented at the INTERPOL event Countering Cyber and Financial Crimes: A High-level Dialogue for a New Governance Architecture in Lyon, France.

Otto de Jong (second from right in the picture) gave an overview of EAST and covered ATM Crime and Card Fraud rising threats from the perspective of the private sector.

Nearly 190 representatives from law enforcement, financial, telecommunications and Internet sectors discussed cyber-enabled fraud issues and recommendations aimed at streamlining the global response in the face of escalating cyber and financial crime threats.

3rd EAST FCS Forum – the most successful yet!

The sun has set on another successful EAST Financial Crime & Security (FCS) Forum, which was held for the second time at the Grand Hotel Amrâth Kurhaus, in Scheveningen, The Hague. Feedback from delegates has been hugely positive.  This year marked a new format which included plenary sessions covering expert information from global regions: Asia-Pacific (ASEAN), Latin America, USA, Russia and Europe. 19 expert speakers travelled from 14 countries around the world to share their knowledge of ATM crime prevention.

In addition an afternoon of breakout sessions was held covering topics related to ATM and payment terminal fraud, and to ATM physical attacks.

Networking opportunities were abundant – a welcome cocktail the evening before the event, ensured all delegates were comfortable to kick off the Forum having met with their peers in a relaxed environment. Exhibitors enjoyed increased traffic through the exhibition hall, giving demos to attendees during coffee breaks, lunch and demonstration sessions.


Day One of the EAST FCS Forum opened with keynote speaker Steven Wilson, Head of the Europol Cyber Crime Centre (EC3) who spoke about the multi-faceted approach to countering cybercrime and the success of public private partnerships, especially the cooperation between EC3, non-EU States and EAST members.

Lachlan Gunn, Executive Director EAST, provided relevant statistics from the EAST European ATM Crime Report. He also announced a name change for EAST which is now the European Association for Secure Transactions. A milestone for EAST which has mainly focused on issues facing the ATM industry thus far, but which will now look at all threats against payment terminals (ATM, SST and POS), as well the security of payments and transactions.

Lachlan was followed by presenters from ASEANAPOL, the US Secret Service, the Russian Mastercard Members Association, and from the Latin American Association of Operators Electronic Funds Transfer and Information Services (ATEFI), who all gave the audience the most current information on activity in their regions.

In the afternoon breakout sessions Otto de Jong, EAST EGAF Chair, led discussions which covered R&D by fraudsters on EMV and old school ATM Fraud, and Graham Mott, EAST EGAP Chair, facilitated discussions on banknote degradation, physical attack types and countermeasures and traditional attacks.

The day closed out nicely with a BBQ by the beach!

Day Two kicked off with Group-IB providing an overview on the evolution of logical attacks on financial institutions. This was followed by a case study on Black Box attacks from NCR Czech Republic and an update from ING Netherlands on the evolution of gas and solid explosive attacks. There was a case study on countering such explosive attacks from the UK’s West Midlands Regional Organised Crime Unit, and the final talk of the day came from Rui Carvalho, Development Director EAST, who is building the EAST Payments Task Force and provided an overview on current and future activities for EAST.

In her closing address, conference Chairman Úna Dillon, Development Director of EAST, summarised the two-day conference by noting the importance of cross-border public-private sector cooperation in the fight against financial crime – stressing the need for private sector industry stakeholders to collaborate with law-enforcement agencies. She added that whilst EAST delivered the conference, the people charged with building the event are also deeply involved in the collaborative work already going on. Their ‘on-the-ground’ involvement means the EAST FCS Forum agenda will always be relevant and current.

This 3rd EAST FCS Forum has proven to be a successful platform in bringing together the perfect mix of banking representatives, security experts, law enforcement, payments associations, government agencies and many other stakeholders in the ATM and payment crime prevention sector – the dialogue and learning from across Europe, the USA, Latin America, Russia and Asia-Pacific will no doubt help all participants to better detect and prevent current and future financial crime threats.

The event could not have taken place without the support of sponsors, exhibitors, speakers and delegates. EAST hugely appreciates the participation of all who took part and thanks everyone for their contribution to making the event a success.

Overall sponsor of the EAST FCS Forum 2017 was 3SI Security Systems.

Other sponsors and exhibitors included the ATM Security Association, ACG, BVK, GMV, MIB, Startech Ltd. and TMD Security.

EAST EGAF holds 12th Meeting

The Twelfth Meeting of the EAST Expert Group on ATM Fraud (EAST EGAF) took place on Wednesday 18th January 2017 at ING Domestic Bank in Amsterdam.

EAST EGAF is a regional expert group that focuses on regional and global ATM crime and fraud related issues, threats and counter-measures.

The meeting was chaired by Mr Otto de Jong and was attended by key representatives from ATM Deployers, ATM Networks, ATM Vendors, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts.

The Group, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on ATM Skimming, ATM Card Trapping, ATM Cash Trapping, ATM Reversal Fraud and ATM Logical Fraud.

The focus of the Group is on topics and issues raised by EAST National Members, which represent 34 countries with a total deployment of 1,332,228 ATMs. Outputs from the group are presented to all meetings of EAST National Members.

In addition EAST EGAF generates EAST ATM Fraud Alerts for all EAST Members (National and Associate). In total 127 EAST ATM Fraud Alerts have been issued, 3 to date in 2017.

EAST Expert Group on ATM Fraud holds 11th Meeting

The Eleventh Meeting of the EAST Expert Group on ATM Fraud (EAST EGAF) took place on Wednesday 28th September 2016 at ING Domestic Bank in Amsterdam.

EAST EGAF is a regional expert group that focuses on regional and global ATM crime and fraud related issues, threats and counter-measures.

The meeting was chaired by Mr Otto de Jong and was attended by key representatives from ATM Deployers, ATM Networks, ATM Vendors, Security Equipment Vendors, Law Enforcement and Forensic Analysts.

EAST EGAF, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on ATM Skimming, ATM Card Trapping, ATM Cash Trapping, ATM Reversal Fraud and ATM Logical Fraud.

The focus of EAST EGAF is on topics and issues raised by EAST National Members, which represent 34 countries with a total deployment of 1,332,228 ATMs. Outputs from the group are presented to all meetings of EAST National Members.

In addition EAST EGAF generates EAST ATM Fraud Alerts for all EAST Members (National and Associate). In total 115 EAST ATM Fraud Alerts have been issued, 40 to date in 2016.

EAST Expert Group on ATM Fraud holds 10th Meeting

The Tenth Meeting of the EAST Expert Group on ATM Fraud (EAST EGAF) took place on Wednesday 11th May 2016 at ING Domestic Bank in Amsterdam.

EAST EGAF is a regional expert group that focuses on regional and global ATM crime and fraud related issues, threats and counter-measures.

The meeting was chaired by Mr Otto de Jong and was attended by key representatives from ATM Deployers, ATM Networks, ATM Vendors, Security Equipment Vendors, Law Enforcement and Forensic Analysts.

EAST EGAF, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on ATM Skimming, ATM Card Trapping, ATM Cash Trapping, ATM Reversal Fraud and ATM Logical Fraud.

The focus of EAST EGAF is on topics and issues raised by EAST National Members, which represent 34 countries with a total deployment of 1,332,228 ATMs. Outputs from the group are presented to all meetings of EAST National Members.

In addition EAST EGAF generates EAST ATM Fraud Alerts for all EAST Members (National and Associate). In total 93 EAST ATM Fraud Alerts have been issued, 18 to date in 2016.