EAST FCS ATM Physical Attacks Seminar 2019

An EAST FCS ATM Physical Attacks Seminar was held on 9th October 2019 in London, co-located with RBR's ATM & Cyber Security 2019 Conference. The interactive event followed the basic structure of work group meetings held by the EAST Expert Group on ATM & ATS Physical Attacks (EGAP). This group, which meets twice a year, provides a platform for law enforcement and private sector experts to come together and share attack information, trends and statistics in a structured manner.

The event was chaired by Sarah Staff of SaferCash.  EAST Executive Director Lachlan Gunn gave an overview of EAST and EGAP, highlighting new definitions produced by the group, before presenting the latest ATM Physical Attack Statistics from the H1 2019 European Payment Terminal Crime Report.

Miguel-Angel Villanueva-Guijarro of Europol then gave a high level view of the ATM physical attack situation across Europe and how Europol is structured to handle cross-border cases.  This was followed by threat assessments from Europe and South Africa:

  • France – Guillaume Bourez – OCLDI
  • Netherlands – Marc Wosten – Dutch National Police
  • Spain – Daniel Zorzo Lopez – Guardia Civil
  • South Africa – Gregory Singh – SABRIC
  • United Kingdom – Neil Smyth – Metropolitan Police Service

These were followed by a presentation on banknote infrared (IR) recognition by David Milner of EURICPA and Niels Riedel of the ECB.  This covered, from the perspective of the ECB, the current position with regard to how banknote sorting machines will detect banknotes with IR markers, as well as a look at the future.

The event concluded with a Question and Answer session chaired by Sarah Staff and with Daniel Zorzo Lopez, Miguel-Angel Villanueva-Guijarro, Marc Wosten, Gregory Singh and David Milner on the Panel.

Attendance at the regular EAST EGAP work group meetings is limited and this event enabled active participation and input from a much wider pool of expertise.

More information on the event can be found on the EAST Events Website



EAST Publishes European Fraud Update 2-2019

EAST has published its second European Fraud Update for 2019. This is based on country crime updates given by representatives of 16 countries in the Single Euro Payments Area (SEPA), and 4 non-SEPA countries, at the 48th EAST meeting held at Europol in The Hague on 5th June 2019.

Payment fraud issues were reported by 18 countries. To date in 2019 the EAST Payments Task Force (EPTF) has issued 4 related Payment Alerts.

Two countries reported mobile wallet fraud in relation to Apple Pay. One reported that mobile wallets are fast becoming the new money mules – fraudsters are enrolling cards that are not yet associated to a specific wallet. Another country reported that fraudsters are obtaining security codes through phishing, with which they can then install a mobile banking app on their own smartphone, using the victim’s data. One country reported that fraudsters are increasingly using mobile call centres to call customers from numbers that appear to be genuine, and then are pretending to be bank security staff. This enables them to obtain key personal information and data.

Five countries reported fake websites, mainly in China and other Asian countries – customers place orders for goods, which are never fulfilled, or for services which are never provided. One country reported that the quality of fake websites and fake emails is constantly improving, with fewer language errors and better design and formatting.

ATM malware and logical attacks were reported by 6 countries. They all reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash. In most cases the attacks were unsuccessful. To date in 2019 the EAST Expert Group on All Terminal Fraud (EGAF) has published 5 related Fraud Alerts.

Card skimming at ATMs was reported by eighteen countries. Five countries reported the continued usage of M3 – Card Reader Internal Skimming devices. The most recent variants are made of transparent plastic. Skimming attacks on other terminal types were reported by six countries, three of which reported such attacks on railway ticket machines. To date in 2019 EAST EGAF has published 8 related Fraud Alerts.

Year to date, international skimming related losses were reported in 37 countries and territories outside SEPA and in 4 within SEPA. The top three locations where such losses were reported remain Indonesia, India and the USA.

Eight countries reported cash trapping attacks, two of them reporting decreases in such attacks. Five countries reported card trapping attacks, two of them reporting that such attacks are increasing.

Ram raids and ATM burglary were reported by 10 countries and 9 countries reported explosive gas attacks, 4 of which reported that such attacks are increasing. Seven countries reported solid explosive attacks, two of which are seeing increases in such attacks, and one reported an attack carried out by criminals armed with assault rifles. The spread of such attacks is of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings. To date in 2019 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published 7 related Physical Attack Alerts.

The full Fraud Update is available to EAST Members (National and Associate).

Physical ATM Attack Prevention

On 22/23 January 2019 EAST presented at and participated in the EUCPN / Europol Conference on Prevention of ATM Physical Attacks.  A direct output from the event is a recommendation paper on how to prevent such attacks, based on discussions held at the conference. This paper can be downloaded here.  The paper covers:

  • FACTORS DETERMINING THE SUCCESS OF A PHYSICAL ATM ATTACK
    1. Vulnerability of ATMs
    2. Set-up of an ATM attack
    3. The experience and know-how of the perpetrators
  • NEED FOR A PREVENTIVE APPROACH
  • PREVENTION
    1. Assess the situation
    2. Develop a preventive approach
    3. Implement preventive measures
    4. Reduce the rewards
    5. Increase the risk
    6. Increase the effort
    7. Parallel measures
  • CONCLUSIONS

The EAST Expert Group on ATM and ATS Physical Attacks (EGAP) focuses on preventing such attacks and provides a secure platform where experts from Law Enforcement and the Industry come together to discuss the above.  On 9th October 2019 EAST EGAP will be holding an open FCS Seminar on ATM Physical Attacks for which registration is now open.  This will include an interactive discussion session on ‘Physical Attack Types and Counter-Measures’.

EAST Publishes European Fraud Update 1-2019

EAST has published its first European Fraud Update for 2019.  This is based on country crime updates given by representatives of 17 countries in the Single Euro Payments Area (SEPA), and 4 non-SEPA countries, at the 47th EAST meeting held in Lisbon on 6th February 2019.

Payment fraud issues were reported by 20 countries.  Three countries reported phishing attacks. One of them reported that the fraudsters are managing to obtain online banking credentials and one time passwords (OTPs) for cash withdrawals at ATMs, as well as managing to make minor purchases through digital payment apps.  Another country reported criminals taking remote control of people’s computers and then gaining access to their bank account(s).  This has led to a consumer awareness campaign highlighting that, in addition to never asking for a customer’s PIN, banks will also never ask for remote PC access to be allowed.  One country reported that, since mobile operators started to implement new services, there has been a growing trend of SIM card duplication.  The SIM cards of phones used for financial transaction authorisation are duplicated, ensuring that the original phone does not work.  This means that the OTPs are sent to the duplicate phone, not the genuine one.

ATM malware and logical attacks were reported by 8 countries.  Three of the countries reported ATM related malware and one of them advised that a new malware variant ‘HelloWorld’ was found.  Eight countries reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  To date in 2019 the EAST Expert Group on All Terminal Fraud (EGAF) has published two related Fraud Alerts.

Card skimming at ATMs was reported by fourteen countries.  One country reported the first use of a mini M2 – Throat Inlay Skimming Device.  Two countries reported skimming related arrests.  Skimming attacks on other terminal types were reported by 5 countries, three of which reported such attacks on unattended payment terminals (UPTs) at petrol stations and two reported attacks using POS terminals.  To date in 2019 EAST EGAF has published three related Fraud Alerts.

Six countries reported cash trapping attacks, one of them reporting that criminals continue to switch their focus from transaction reversal fraud (TRF) attacks to cash trapping.

Ram raids and ATM burglary were reported by 8 countries and 9 countries reported explosive gas attacks.  Nine countries also reported solid explosive attacks, and this type of attack continues to spread with 4 countries reporting such attacks for the first time.  The spread of such attacks is of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.  To date in 2019 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published five related Physical Attack Alerts.  EAST EGAP has also just published new Terminal Physical Attack Definitions and Terminology to help industry and law enforcement when reporting attacks against ATMs and other terminals.  These can be downloaded from the EAST website.

The full Fraud Update is available to EAST Members (National and Associate).

EAST FCS ATM Physical Attacks Seminar 2018

An EAST FCS ATM Physical Attacks Seminar was held on 10th October 2018 in London, co-located with RBR's ATM & Cyber Security 2018 Conference.  The interactive and successful event followed the basic structure of work group meetings held by the EAST Expert Group on ATM & ATS Physical Attacks (EGAP).  This group, which meets twice a year, provides a platform for law enforcement and the private sector to come together and share attack information, trends and statistics in a structured manner.

An introduction to EGAP by the Chair, Graham Mott, was followed by a presentation by EAST Development Director Rui Carvalho, covering the latest EAST physical attack statistics from the H1 2018 European Payment Terminal Crime Report.  This highlighted that ATM related physical attacks were up 21% (from 1,696 to 2,046 incidents).  Attacks due to ram raids and ATM burglary were up 26% (from 470 to 590 incidents) and ATM explosive attacks (including explosive gas and solid explosive attacks) were up 2% (from 481 to 490 incidents).  Losses due to ATM related physical attacks were €15.1 million, a 24% increase from the €12.2 million reported during the same period in 2017.

Gertjan Kaijen of Europol then gave a high level view of the ATM Physical attack situation across Europe which was followed by national law enforcement updates from the following countries:

  • France – by Gilles Weintz of the Gendarmerie Nationale
  • Netherlands – by Niels Uljee of the Dutch Police
  • Portugal – by Bruno Sergio Nobre Viegas of the Policia de Seguranca Publica
  • Spain – by Daniel Zorzo Lopez of the Guardia Civil
  • UK – by Neil Smyth of the Metropolitan Police Service

These were followed by a talk from Marco Spoldi of MIB on the Italian experience of ATM Physical attacks, sharing what has been done in Italy to counter them.

The Seminar concluded with a Question and Answer session chaired by Graham Mott and with Rui Carvalho, Gertjan Kaijen, Bruno Ricardo (Feerica), Daniel Zorzo Lopez and Adrian Roberts (West Midlands Police) on the Panel.

Attendance at the regular EAST EGAP work group meetings is limited and this event enabled active participation and input from a much wider pool of expertise.  Due to the positive response received from delegates, this ATM Physical Attacks Seminar is expected to be repeated in 2019.

More information on the event, which was sponsored by Feerica and Lockpoint, can be found on the EAST Events Website



EAST Publishes European Fraud Update 2-2017

EAST has published its second European Fraud Update for 2017.  This is based on country crime updates given by representatives of 21 countries in the Single Euro Payments Area (SEPA), and 5 non-SEPA countries, at the 42nd EAST meeting held at Europol on 7th June 2017.

Payment fraud issues were reported by ten countries.  One country reported a new fraud type where the card Primary Account Number (PAN) is compromised in China, leading to fraud in China.  In these cases the CPP is sometimes detected, but most of the time it is not.  Another country reported data compromise due to ‘vishing’ attacks (voice phishing), ‘phishing’ websites and ‘SMiShing’ (SMS phishing).  The EAST Payments Task Force (EPTF) is looking at security issues affecting payments with a view to the gathering, collation and dissemination of related information, trends and general statistics.

ATM malware and logical security attacks were reported by fifteen countries.  To date in 2017 EAST has published ten related Fraud Alerts.  Two of the countries reported ATM malware and fourteen reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  Five countries reported ‘black box’ attacks for the first time, further indication that this attack type is continuing to spread.  To help counter these threats Europol, supported by the EAST Expert Group on All Terminal Fraud (EGAF), has published a document entitled ‘Guidance and Recommendations regarding Logical attacks on ATMs’.  It covers mitigating the risk, setting up lines of defence and identifying and responding to logical attacks.  This is available in four languages: English, German, Italian and Spanish.

Card skimming at ATMs was reported by nineteen countries.  The usage of M3 – Card Reader Internal Skimming devices continues to spread.  This type of device is placed at various locations inside the motorised card reader behind the shutter.  Nine countries reported such attacks and, to date in 2017, EAST has published six related Fraud Alerts.

International skimming related losses were reported in 49 countries and territories outside of the Single Euro Payments Area (SEPA) and in 9 within SEPA.  The top three locations where such losses were reported are the USA, Indonesia and the Philippines.

Skimming attacks on other terminal types were reported by ten countries and five countries reported such attacks on unattended payment terminals (UPTs) at petrol stations.  Two countries reported the usage of card reader internal shimming devices at POS terminals.

Eight countries reported incidents of Transaction Reversal Fraud (TRF).  One country reported a significant increase in such attacks and two countries reported such attacks for the first time.

Ram raids and ATM burglary were reported by nine countries and nine countries reported explosive gas attacks.  To date in 2017 EAST has published nine related ATM physical attack alerts.  The use of solid explosives continues to spread and six countries reported such attacks.  This is of increasing concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.

The full Fraud Update is available to EAST Members (National and Associate).

EAST Publishes European Fraud Update 1-2017

EAST has just published its first European Fraud Update for 2017.  This is based on country crime updates given by representatives of 19 countries in the Single Euro Payments Area (SEPA), and 5 non-SEPA countries, at the 41st EAST meeting held in Oslo, Norway on 8th February 2017.

Card skimming at ATMs was reported by eighteen countries.  The usage of M3 – Card Reader Internal Skimming devices continues.  This type of device is placed at various locations inside the motorised card reader behind the shutter.  Five countries reported such attacks and EAST has recently published four related ATM Fraud Alerts.

International skimming related losses were reported in 45 countries and territories outside of the SEPA and in 9 within SEPA.  The top three locations where such losses were reported remain the USA, Indonesia and India.

Skimming attacks on other terminal types were reported by eight countries and four countries reported such attacks on unattended payment terminals (UPTs) at petrol stations.  One country reported the use of an M3 – Card Reader Internal Skimming Device at a public transport ticket machine, the first time this has been seen.

One country reported a new form of crime, ‘Cash-in’ or ‘Cash Deposit’ fraud.  The criminals deposit fake banknotes into ATMs (where the cash deposit function is available) and then credit their cards or other accounts.

ATM malware and logical security attacks were reported by eight countries, all involving the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  EAST has recently published seven related ATM Fraud Alerts.  To help counter such attacks Europol has published a document entitled ‘Guidance and Recommendations regarding Logical attacks on ATMs’.  This is available in four languages: English, German, Italian and Spanish.

Ram raids and ATM burglary were reported by nine countries and nine countries reported explosive gas attacks.  The use of solid explosives continues to spread and seven countries reported such attacks.

Payment fraud issues were reported by five countries.  One country reported an increase in both vishing and phishing attacks and another reported criminal abuse of the chargeback system.

The full Fraud Update is available to EAST Members (National and Associate).

EAST Publishes European Fraud Update 3-2016

EAST has just published its third European Fraud Update for 2016. This is based on country crime updates given by representatives of 18 countries in the Single Euro Payments Area (SEPA), and 6 non-SEPA countries, at the 40th EAST meeting held in Bucharest, Romania on 12th October 2016.

Card skimming at ATMs was reported by nineteen countries. The usage of M3 – Card Reader Internal Skimming devices continues. This type of device is placed at various locations inside the motorised card reader behind the shutter.  Seven countries reported such attacks.

International skimming related losses were reported in 57 countries and territories outside of the Single Euro Payments Area (SEPA) and in 10 within SEPA. The top three locations where such losses were reported are the USA, Indonesia and India.

Skimming attacks on other terminal types were reported by eight countries and six countries reported such attacks on unattended payment terminals (UPTs) at petrol stations.

ATM malware and logical security attacks were reported by eight countries, all involving the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash. To help counter such attacks the Europol document ‘Guidance and Recommendations regarding Logical attacks on ATMs’ is now available in four languages: English, German, Italian and Spanish.

Ram raids and ATM burglary were reported by nine countries and eleven countries reported explosive gas attacks, four of them seeing big increases in such attacks.  The use of solid explosives continues to spread and six countries reported such attacks.

Payment fraud issues were reported by eight countries. Two of them reported data breaches and one updated on contactless card fraud. One country reported fraud relating to a popular games console and another fraud related to advertising on social media.

The full Fraud Update is available to EAST Members (National and Associate).

EAST Publishes European Fraud Update 2-2016

EAST has just published its second European Fraud Update for 2016. This is based on country crime updates given by representatives of 17 countries in the Single Euro Payments Area (SEPA), and 6 non-SEPA countries, at the 39th EAST meeting held at Europol in The Hague on 8th June 2016.

Card skimming at ATMs was reported by eighteen countries.  An emerging trend is the usage of M3 – Card Reader Internal Skimming devices.  This type of device is placed at various locations inside the motorised card reader behind the shutter.  Five countries reported such attacks.

The trend of losses due to skimming occurring outside of EMV Chip liability shift areas continues.  International losses were reported in 52 countries and territories outside of the Single Euro Payments Area (SEPA) and in 9 within SEPA.  The top three locations where such losses were reported are the USA, Indonesia and Jamaica.

Skimming attacks on other terminal types were reported by nine countries and eight countries reported such attacks on unattended payment terminals (UPTs) at petrol stations.

ATM malware and logical security attacks were reported by five countries – three of them reported the successful usage of ‘black-box’ devices to allow the unauthorised dispensing of cash.  To help counter such attacks the Europol document ‘Guidance and Recommendations regarding Logical attacks on ATMs’ is now available in three languages: English, German and Spanish.

Ram raids and ATM burglary were reported by ten countries and eight countries reported explosive gas attacks.  The use of solid explosives continues to increase and five countries reported such attacks.

For the first time this European Fraud Update also includes information on Payment Fraud, with nine countries reporting related issues.  Three of them reported data leakage from hotel booking sites and one country reported contactless card fraud.

The full Fraud Update is available to EAST Members (National and Associate) and Subscribers.

EAST Publishes European Fraud Update 1-2016

EAST has just published its first European Fraud Update for 2016. This is based on country crime updates given by representatives of 19 countries in the Single Euro Payments Area (SEPA), and 4 non-SEPA countries, at the 38th EAST meeting held in Stockholm on 10th February 2016.

Card skimming at ATMs was reported by twenty countries. Criminal usage of M2 – Throat Inlay Skimming Devices appears to be increasing. This type of device is placed inside the card reader throat in front of the shutter. Three countries reported such attacks.

The trend of losses due to skimming occurring outside of EMV Chip liability shift areas continues. International losses were reported in 44 countries and territories outside of the Single Euro Payments Area (SEPA) and in 3 within SEPA. The top three locations where such losses were reported remain the USA, Indonesia and the Philippines.

Skimming attacks on other terminal types were reported by twelve countries and seven countries reported such attacks on unattended payment terminals (UPTs) at petrol stations.

Fifteen countries reported cash trapping attacks and five countries reported transaction reversal fraud (TRF) incidents.

ATM malware and logical security attacks were reported by three countries – two of them reported the successful usage of ‘black-box’ devices to allow the unauthorised dispensing of cash.

Ram raids and ATM burglary were reported by ten countries and ten countries also reported explosive gas attacks, one of them for the first time. One country reported the use of explosive liquid (nitro-glycerine) to blow open an ATM safe – the first time that this has been reported to EAST.

The full Fraud Update is available to EAST Members (National and Associate) and Subscribers.