EAST has published its second European Fraud Update for 2017. This is based on country crime updates given by representatives of 21 countries in the Single Euro Payments Area (SEPA), and 5 non-SEPA countries, at the 42nd EAST meeting held at Europol on 7th June 2017.
Payment fraud issues were reported by ten countries. One country reported a new fraud type where the card Primary Account Number (PAN) is compromised in China, leading to fraud in China. In these cases the CPP is sometimes detected, but most of the time it is not. Another country reported data compromise due ‘vishing’ attacks (voice phishing), ‘phishing’ websites and ‘SMiShing’ (SMS phishing). The EAST Payments Task Force (EPTF) is looking at security issues affecting payments with a view to the gathering, collation and dissemination of related information, trends and general statistics.
ATM malware and logical security attacks were reported by fifteen countries. To date in 2017 EAST has published ten related Fraud Alerts. Two of the countries reported ATM malware and fourteen reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash. Five countries reported ‘black box’ attacks for the first time, further indication that this attack type is continuing to spread. To help counter these threats Europol, supported by the EAST Expert Group on All Terminal Fraud (EGAF), has published a document entitled ‘Guidance and Recommendations regarding Logical attacks on ATMs’. It covers mitigating the risk, setting up lines of defence and identifying and responding to logical attacks. This is available in four languages: English, German, Italian and Spanish.
Card skimming at ATMs was reported by nineteen countries. The usage of M3 – Card Reader Internal Skimming devices continues to spread. This type of device is placed at various locations inside the motorised card reader behind the shutter. Nine countries reported such attacks and, to date in 2017, EAST has published six related Fraud Alerts.
International skimming related losses were reported in 49 countries and territories outside of the Single Euro Payments Area (SEPA) and in 9 within SEPA. The top three locations where such losses were reported are the USA, Indonesia and the Philippines.
Skimming attacks on other terminal types were reported by ten countries and five countries reported such attacks on unattended payment terminals (UPTs) at petrol stations. Two countries reported the usage of card reader internal shimming devices at POS terminals.
Eight countries reported incidents of Transaction Reversal Fraud (TRF). One country reported a significant increase in such attacks and two countries reported such attacks for the first time.
Ram raids and ATM burglary were reported by nine countries and nine countries reported explosive gas attacks. To date in 2017 EAST has published nine related ATM physical attack alerts. The use of solid explosives continues to spread and six countries reported such attacks. This is of increasing concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.
The full Fraud Update is available to EAST Members (National and Associate).