EPTF holds Seventh Meeting

EPTFThe Seventh Meeting of the EAST Payments Task Force (EPTF) took place on Wednesday 15th April 2020.  Due to the Covid-19 situation it was conducted as a virtual meeting and 16 EPTF members participated.

The EPTF is a specialist task force that discusses security issues affecting the payments industry and that gathers, collates and disseminates related information, trends and general statistics.

The meeting was chaired by Mr Rui Carvalho, EAST Development Director, and key representatives from Card Issuers, International Banks, Law Enforcement, Payment Processors and Solution Providers took part.

There was a detailed discussion on the impact of Covid-19 on fraud and updates were provided from Austria, France, Germany, the Netherlands, Norway, Portugal, Spain and the United Kingdom  Updates were also given by Europol, Group-IB and Trend Micro.

The Group, which meets twice a year, adds value to the payments industry by using the unique and extensive EAST National Member platform and Associate Member network to provide information and outputs that are not currently available elsewhere.  EAST National Members represent 35 countries and outputs from the group are presented to National Member Meetings.  There are 213 EAST Associate Member Organisations from 53 countries and territories.

EAST Publishes European Fraud Update 1-2020

EAST has just published its first European Fraud Update for 2020. This is based on country crime updates given by representatives of 18 countries in the Single Euro Payments Area (SEPA), and 2 non-SEPA countries, at the 50th EAST meeting held in Vienna on 12th February 2020.

Payment fraud issues were reported by eighteen countries. Seven countries reported CNP fraud occurring worldwide. One reported that the card data is either bought in bulk or obtained via card testing/BIN attacks. The attackers use scripts/bots (not real people) to conduct the fraud. Four countries reported BIN attacks. One reported that they are originating from the Middle East for the first time and another reported them in relation to both CP and CNP fraud, with losses reported in the USA, the UK and Brazil. Two countries reported Account Takeover Fraud, one of them in connection with SIM swapping.

Six countries reported phishing. One reported the use of fake emails by criminals to impersonate bank customers, claiming that their bank account details have changed. Another reported that online banking was targeted, and a third country reported phishing using social networks, with related fraud occurring in China. Three countries reported SMS phishing (Smishing). One of them reported this related to token validation transactions – the IP addresses are in Morocco and the fraud occurs in an EU country with losses via Western Union.

To date in 2020 the EAST Payments Task Force (EPTF) has published one related Payment Alert.

ATM malware and logical attacks were reported by twelve countries – one reported successful ATM malware attacks where ‘Cutlet Maker’ was used, and ten reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash. To date in 2020 the EAST Expert Group on All Terminal Fraud (EGAF) has published one related Fraud Alert.

Card skimming at ATMs was reported by ten countries, and the downward trend continues. Six countries reported the usage of ‘M3 – Card Reader Internal Skimming devices’, and the usage of ‘M1 – Overlay Skimming Devices’ and ‘M2 – Throat Inlay Skimming Devices’ was also reported. Skimming attacks on other terminal types were reported by eight countries. Four reported attacks on unattended payment terminals (UPTs) at petrol stations, and three reported attacks at railway ticket machines. To date in 2020 EAST EGAF has published four related Fraud Alerts.

Year to date International skimming related losses were reported in 14 countries and territories outside SEPA and in 4 within SEPA. The top three locations where such losses were reported remain Indonesia, India and the USA.

Five countries reported card trapping attacks, one of them reporting a new method that allows several cards to be captured in one attack. Three countries reported transaction reversal fraud (TRF) incidents. To date in 2020 EAST EGAF has published two related Fraud Alerts.

Ram raids and ATM burglary were reported by eleven countries and eleven countries reported explosive gas attacks, one of which resulted in a fatality. Eight countries reported solid explosive attacks. The usage of Triacetone Triperoxide (TATP) for solid explosive attacks continues to increase across Europe. Mixing TAPT is a complicated procedure that requires good knowledge of the chemicals, as there is a danger of setting off an unexpected explosion. The spread of such attacks is of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.
To date in 2020 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published two related Physical Attack Alerts.

The full European Fraud Update is available to EAST Members (National, Global and Associate).

50th EAST Meeting hosted by PSA in Vienna

The 50th EAST Meeting (National Members) was hosted by Payment Services Austria (PSA) in Vienna on 12th February 2020. The meeting was chaired by Martine Hemmerijckx of Worldline NV/SA, who co-founded EAST with Lachlan Gunn, EAST Executive Director, in 2004.

This was a milestone meeting and the last in the current format as, in June 2020, EAST will hold its 1st Global Congress.  In recognition of her work in founding and supporting EAST, and on behalf of the EAST Board and members, Lachlan presented Martine with an award.

National country crime updates were provided by 20 countries, and a global update by HSBC.  Topics covered included payment fraud and the continuing evolution of payment technology and related threats, terminal related fraud attacks, malware and logical attacks, and ATM related physical attacks.

The Criminal Intelligence Service Austria presented on the prevention of e-commerce fraud.  The European Cybercrime Centre (EC3) at Europol gave a presentation on forthcoming Europol activities for 2020, with a specific focus on Carding Action Week (CAW) .  This was followed by a presentation from the Gulf Cooperation Council Police (GCCPOL) that gave an update on payment and fraud issues seen by their 6 member countries.

Presentations were also given by the EAST Payments Task Force (EPTF) and the EAST Expert Group on All Terminal Fraud (EGAF).  An update was given by the EAST Expert Group on ATM and ATS Physical Attacks (EGAP).

EAST Fraud Update 1-2020 will be produced later this month, based on the national country crime updates provided at the 50th EAST Meeting.  EAST Fraud Updates are available on the EAST Website to EAST Members.

EAST Publishes European Fraud Update 3-2019

European FraudEAST has just published its third European Fraud Update for 2019. This is based on country crime updates given by representatives of 16 countries in the Single Euro Payments Area (SEPA), and 4 non-SEPA countries, at the 49th EAST Meeting held in London on 8th October 2019.

Payment fraud issues were reported by seventeen countries. Social engineering is a key concern. Seven countries reported phishing attacks. One of them stated that fraudsters are using phishing to get targets for fake web campaigns where consumers can win money, and another reported fake web surveys aimed at getting consumer data. In one country the quality of vishing calls is improving, where the people making the spoof calls are very believable and often have local accents from the customer’s home area. Impersonation fraud was reported by four countries – in one of them police officers are impersonated, and another reported spoof calls being received by customers from bank call centres.

Card Not Present (CNP) fraud was reported by six countries. One of them reported CNP fraud at digital media players. Contactless fraud was reported by two countries – in one of them it is related to lost and stolen cards, and in the other card present (CP) transactions are being made at small merchants up to the allowed limit. To date in 2019 the EAST Payments Task Force (EPTF)  has issued five related Payment Alerts.

ATM malware and logical attacks were reported by five countries – one reported a new way of getting malware onto an ATM, that did not succeed, and four reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash. To date in 2019 the EAST Expert Group on All Terminal Fraud (EGAF) has published seven related Fraud Alerts.

Card skimming at ATMs was reported by thirteen countries. Overall skimming incidents in Europe continue to decline. Three countries reported the usage of ‘M3 – Card Reader Internal Skimming devices’, and the most recent variants continue to be made of transparent plastic. To date in 2019 EAST EGAF has published thirteen related Fraud Alerts. Year to date International skimming related losses were reported in 41 countries and territories outside SEPA and in 4 within SEPA. The top three locations where such losses were reported remain Indonesia, India and the USA.

Four countries reported card trapping attacks, one of them reporting such attacks at fake terminals, designed to resemble lobby door opening devices at bank branches.

Ram raids and ATM burglary were reported by nine countries and twelve countries reported explosive gas attacks. After one such attack collateral damage of over €200,000 was reported. Six countries reported solid explosive attacks. The usage of Triacetone Triperoxide (TATP) for solid explosive attacks is increasing across Europe. This explosive is also known as the ‘Mother of Satan’. Mixing TAPT is a complicated procedure that requires good knowledge of the chemicals, as there is a danger of setting off an unexpected explosion.

The spread of such attacks is of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings. To date in 2019 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published nine related Physical Attack Alerts.

The full European Fraud Update is available to EAST Members (National and Associate).

EPTF holds Sixth Meeting

EPTFThe Sixth Meeting of the EAST Payments Task Force (EPTF) took place on Wednesday 13th November 2019 at the Banking & Payments Federation Ireland (BPFI) in Dublin.

The EPTF is a specialist task force that discusses security issues affecting the payments industry and that gathers, collates and disseminates related information, trends and general statistics.

The meeting was chaired by Mr Rui Carvalho, EAST Development Director, and was attended by key representatives from Card Issuers, International Banks, Law Enforcement, Payment Processors and Solution Providers.

Presentations or updates were given by EuropolEVRY Norge AS, HSBCPLUSCARD Gmbh, and SIBS.  There was also a detailed discussion on fraud and payment crime reporting, with a focus on how EAST can help national representatives by creating an updated template for this.

The Group, which meets twice a year, adds value to the payments industry by using the unique and extensive EAST National Member platform and Associate Member network to provide information and outputs that are not currently available elsewhere.  EAST National Members represent 35 countries and outputs from the group are presented to National Member Meetings.  There are 213 EAST Associate Member Organisations from 53 countries and territories.

49th EAST Meeting hosted by LINK in London

The 49th EAST Meeting (National Members) was hosted by the LINK Scheme in London on 8th October 2019. National country crime updates were provided by 20 countries, and a global update by HSBC.  Topics covered included payment fraud and the continuing evolution of payment technology and related threats, terminal related fraud attacks, malware and logical attacks, and ATM related physical attacks.

The European Cybercrime Centre (EC3) at Europol gave a presentation on the ‘Genesis’ dark web marketplace where cyber-criminals are selling digital fingerprints (bots).  This was followed by a presentation from the INTERPOL Financial Crimes unit on ATM and payment crime.

The Gulf Cooperation Council Police (GCCPOL) then shared an update on payment and fraud issues seen by their 6 member countries. In recognition of their first attendance at an EAST Meeting, GCCPOL representative Major Mohammed Khalid Alabsi presented the current Chair of EAST, Ms Veronica Borgogna (BANCOMAT SpA), with a mementoe of the occasion.  EAST Executive Director Lachlan Gunn said: “We are delighted to be strengthening our relationship with the GCC and the Arab States of the Gulf, another step forward in enhancing the global value of our National Member platform.”

Presentations were also given by the EAST Expert Group on All Terminal Fraud (EGAF) and the EAST Expert Group on ATM and ATS Physical Attacks (EGAP).  An update was given by the EAST Payments Task Force (EPTF).

EAST Fraud Update 3-2019 will be produced later this month, based on the national country crime updates provided at the 49th EAST Meeting.  EAST Fraud Updates are available on the EAST Website to EAST Members.

EAST Publishes European Fraud Update 2-2019

FraudEAST has published its second European Fraud Update for 2019. This is based on country crime updates given by representatives of 16 countries in the Single Euro Payments Area (SEPA), and 4 non-SEPA countries, at the 48th EAST meeting held at Europol in The Hague on 5th June 2019.

Payment fraud issues were reported by 18 countries. To date in 2019 the EAST Payments Task Force (EPTF) has issued 4 related Payment Alerts.

Two countries reported mobile wallet fraud in relation to Apple Pay. One reported that mobile wallets are fast becoming the new money mules – fraudsters are enrolling cards that are not yet associated to a specific wallet. Another country reported that fraudsters are obtaining security codes through phishing, with which they can then install a mobile banking app on their own smartphone, using the victim’s data. One country reported that fraudsters are increasingly using mobile call centres to call customers from numbers that appear to be genuine, and then are pretending to be bank security staff. This enables them to obtain key personal information and data.

Five countries reported fake websites, mainly in China and other Asian countries – customers place orders for goods, which are never fulfilled, or for services which are never provided. One country reported that the quality of fake websites and fake emails is constantly improving, with fewer language errors and better design and formatting.

ATM malware and logical attacks were reported by 6 countries. They all reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash. In most cases the attacks were unsuccessful. To date in 2019 the EAST Expert Group on All Terminal Fraud (EGAF) has published 5 related Fraud Alerts.

Card skimming at ATMs was reported by eighteen countries. Five countries reported the continued usage of M3 – Card Reader Internal Skimming devices. The most recent variants are made of transparent plastic. Skimming attacks on other terminal types were reported by six countries, three of which reported such attacks on railway ticket machines. To date in 2019 EAST EGAF has published 8 related Fraud Alerts.

Year to date International skimming related losses were reported in 37 countries and territories outside SEPA and in 4 within SEPA. The top three locations where such losses were reported remain Indonesia, India and the USA.

Eight countries reported cash trapping attacks, two of them reporting decreases in such attacks. Five countries reported card trapping attacks, two of them reporting that such attacks are increasing.

Ram raids and ATM burglary were reported by 10 countries and 9 countries reported explosive gas attacks, 4 of which reported that such attacks are increasing. Seven countries reported solid explosive attacks, two of which are seeing increases in such attacks, and one reported an attack carried out by criminals armed with assault rifles. The spread of such attacks is of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings. To date in 2019 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published 7 related Physical Attack Alerts.

The full Fraud Update is available to EAST Members (National and Associate).

48th EAST Meeting hosted by Europol in The Hague

The 48th EAST Meeting (National Members) was hosted by Europol at their Headquarters in The Hague on 5th June 2019. Presentations were made by the European Cybercrime Centre (EC3) and the European Serious Organised Crime Centre (ESOCC).

National country crime updates were provided by 18 countries, and a global update by HSBC. Topics covered included payment fraud and the evolution of payment technology, ATM malware and logical attacks, terminal related fraud attacks and ATM related physical attacks.

Presentations were also given by the EAST Payments Task Force (EPTF), the EAST Expert Group on All Terminal Fraud (EGAF) and the EAST Expert Group on ATM and ATS Physical Attacks (EGAP).

EAST Fraud Update 2-2019 will be produced later this month, based on the national country crime updates provided at the meeting. EAST Fraud Updates are available on the EAST Website to EAST Members.

48th EAST Meeting

EAST Presents at first P3 CyberFraud Training

EAST Development Director Rui Carvalho participated at the first P3 CyberFraud training on 8th May 2019. The event, which was organised by the European Cyber Crime and Fraud Investigators (ECCFI), ran from 7-9 May 2019 and took place in Fleming’s Conference Hotel in Vienna. It was the first training session of the P3 Cyberfraud Project, which is funded by the ‘European Union Internal Security Fund – Police’.

The majority of the participants were from Law Enforcement Agencies and there was representation from some key private organisations. There were 71 registered participants from 24 countries. Rui Carvalho was actively involved in the discussion and gave a presentation from the EAST perspective entitled “Stats and Trends on Terminal and Payment Fraud”.

ECCFI is a registered, non-profit association. In addition to supporting the P3 Cyberfraud Project, the purpose of ECCFI is to promote cyber security in Europe, especially secure payment methods. In addition to cyber security, the purpose is to assure online security by bringing together different authorities as well as the private sector security professionals.

EAST is an Associate Partner of ECCFI and the EAST Payments Task Force (EPTF), chaired by Rui Carvalho, has a specific focus in this area.

EPTF holds Fifth Meeting

EPTF

The Fifth Meeting of the EAST Payments Task Force (EPTF) took place on Wednesday 17th April 2019 at the Banking & Payments Federation Ireland (BPFI) in Dublin.

The EPTF is a specialist task force that discusses security issues affecting the payments industry and that gathers, collates and disseminates related information, trends and general statistics.

The meeting was chaired by Mr Rui Carvalho, EAST Development Director, and was attended by key representatives from Card Issuers, International Banks, Law Enforcement, Payment Processors, Payment Providers and Solution Providers.

EPTFPresentations or updates were given by BANCOMAT S.p.A, Diebold Nixdorf,  EURO Kartensysteme GmbHEuropol, EVRY Norge AS, Fiducia & GAD, Group-IB, ING, INTERPOL, JP Morgan Chase, Payment Services Austria, PLUSCARD Gmbh, and Trend Micro.

The Group, which meets twice a year, adds value to the payments industry by using the unique and extensive EAST National Member platform and Associate Member network to provide information and outputs that are not currently available elsewhere.  EAST National Members represent 35 countries and outputs from the group are presented to National Member Meetings.  There are 210 EAST Associate Member Organisations from 53 countries and territories.