2019 EAST FCS Seminars – Programme Announcement

EAST FCS

The programme for the 2019 EAST FCS Seminars is now available.

Two concurrent seminars will be held on 9th October 2019:

EAST FCS Terminal Fraud Seminar (organised by the EAST Expert Group on All Terminal Fraud (EGAF)

This interactive event follows the basic structure of EAST EGAF Member meetings.  An introduction to the Group will be followed by a presentation of the latest EAST Fraud Statistics (H1 2019) and a high-level overview of the European situation by Europol.  Then a session will then focus on the terminal fraud situation in four countries/regions, followed by a short discussion.  This will be followed by a practical demonstration of Project Checkcard, aimed at checking the validity of EMV cards, followed by a session topic still tbc.  Attendance at EAST EGAF meetings is limited due to the size of the Group and this event enables a wider participation and the opportunity for all attendees to engage with the Group and its organizers.

EAST FCS ATM Physical Attacks Seminar (organised by the EAST Expert Group on ATM & ATS Physical Attacks (EGAP)

This interactive event follows the basic structure of EAST EGAP Member meetings.  An introduction to the Group will be followed by presentation of the latest EAST Physical Attack Statistics (H1 2019) and recent attack definitions, and a high-level overview of the European situation.  Then a session will focus on the ATM physical attack situation in five countries, which will be followed by a session on banknote infrared recognition.  The event will conclude with a Q&A session on all attack types and counter-measures.  Attendance at EAST EGAP meetings is limited, as it is a working group, and this event enables a wider participation and the opportunity for all attendees to engage with the Group and its organizers.

HIGHLIGHTS FROM THE TERMINAL FRAUD SEMINAR

Otto de Jong, of ING Bank and Chair of EAST EGAF, will host the Terminal Fraud Seminar and chair the discussion on Threat Assessments – Europe;

Tobias Wieloch, of Europol’s European Cybercrime Centre (EC3), will provide an overview of terminal fraud in Europe from Europol’s perspective;

Arnt Olav Rottereng, of EVRY ATM Services, will update on the terminal fraud situation in the Nordics;

and Tobias Heckmann, Software Developer at the University of Applied Sciences Bingen, will present and demonstrate Project CheckCard, an investigation tool designed to assist law enforcement to validate whether or not a smart card is genuine.

 

ATM Physical Attacks in Europe on the increase

ATM physical attacksEAST has just published a European Payment Terminal Crime Report covering 2018 which reports that ATM physical attacks have risen for the fourth consecutive year.

ATM related physical attacks rose 27% when compared with 2017 (up from 3,584 to 4,549 incidents).  Within this total ATM explosive attacks (including explosive gas and solid explosive attacks) were down 3% (down from 1,081 to 1,052 incidents).  Explosive attacks remain a cause for concern as the number of countries reporting them has risen from ten in 2017 to eleven in 2018.  Such attacks result in extensive collateral damage and can pose a risk to life.

Losses due to ATM related physical attacks were €36 million, a 16% increase from the €31 million reported during 2017.  The average cash loss per explosive or gas attack is estimated at €17,103, the average cash loss for a robbery is estimated at €13,682 per incident and the average cash loss for a ram raid or burglary attack is estimated at €13,198.  These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

EAST Executive Director Lachlan Gunn said, “The success rate for solid explosive attacks is of particular concern – we estimate that the average cash loss per solid explosive attack is €27,065.  Such attacks continue to spread geographically with two countries reporting them for the first time in early 2019.  Our Expert Group on ATM and ATS Physical Attacks (EGAP) is actively monitoring the situation and provides a cross-border platform for the industry and law enforcement to share related intelligence and measures that can be taken to mitigate the risks.”

Payment terminal related fraud attacks fell 36% when compared with 2017 (down from 20,971 to 13,511 incidents).  This fall was mainly driven by a 26% decrease in card skimming incidents (down from 2,556 to 1,883 incidents) and by a 66% fall in transaction reversal fraud incidents (down from 14,098 to 4,843 incidents).

Losses due to payment terminal related fraud attacks fell 30% when compared with 2017 (down from €353 million to €247 million).  Within these totals international skimming losses fell by 27% (down from €280 million to €205 million) and domestic skimming losses were down 44% (from €64 million to €36 million).

A total of 157 ATM malware and logical attacks were reported, down from 192 in 2017, an 18% decrease.  156 of the attacks were logical attacks where equipment typically referred to as a ‘black box’ is used to send dispense commands directly to the ATM cash dispenser in order to cash-out the ATM.  Related losses were down 70%, from €1.52 million to €0.45 million.

A summary of the report statistics under the main headings is in the table below.

The full Crime Report is available to EAST Members (National and Associate)

EAST Publishes European Fraud Update 1-2019

European Fraud Update 1-2019EAST has published its first European Fraud Update for 2019.  This is based on country crime updates given by representatives of 17 countries in the Single Euro Payments Area (SEPA), and 4 non-SEPA countries, at the 47th EAST meeting held in Lisbon on 6th February 2019.

Payment fraud issues were reported by 20 countries.  Three countries reported phishing attacks. One of them reported that the fraudsters are managing to obtain online banking credentials and one time passwords (OTPs) for cash withdrawals at ATMs, as well as managing to make minor purchases through digital payment apps.  Another country reported criminals taking remote control of people’s computers and then gaining access to their bank account(s).  This has led to a consumer awareness campaign highlighting that, in addition to never asking for a customer’s PIN, banks will also never ask for remote PC access to be allowed.  One country reported that, since mobile operators started to implement new services, there has been a growing trend of SIM card duplication.  The SIM cards of phones used for financial transaction authorisation are duplicated, ensuring that the original phone does not work.  This means that the OTPs are sent to the duplicate phone, not the genuine one.

ATM malware and logical attacks were reported by 8 countries.  Three of the countries reported ATM related malware and one of them advised that a new malware variant ‘HelloWorld’ was found.  Eight countries reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  To date in 2019 the EAST Expert Group on All Terminal Fraud (EGAF) has published two related Fraud Alerts.

Card skimming at ATMs was reported by fourteen countries.  One country reported the first use of a mini M2 – Throat Inlay Skimming Device.  Two countries reported skimming related arrests.  Skimming attacks on other terminal types were reported by 5 countries, three of which reported such attacks on unattended payment terminals (UPTs) at petrol stations and two reported attacks using POS terminals.  To date in 2019 EAST EGAF has published three related Fraud Alerts.

Six countries reported cash trapping attacks, one of them reporting that criminals continue to switch their focus from transaction reversal fraud (TRF) attacks to cash trapping.

Ram raids and ATM burglary were reported by 8 countries and 9 countries reported explosive gas attacks.  Nine countries also reported solid explosive attacks, and this type of attack continues to spread with 4 countries reporting such attacks for the first time.  The spread of such attacks is of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.  To date in 2019 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published five related Physical Attack Alerts.  EAST EGAP has also just published new Terminal Physical Attack Definitions and Terminology to help industry and law enforcement when reporting attacks against ATMs and other terminals.  These can be downloaded from the EAST website.

The full Fraud Update is available to EAST Members (National and Associate).

2019 EAST FCS Seminars – Save The Date!

The 2019 EAST Financial Crime & Security (FCS) Seminars will be held on Wednesday 9th October 2019, at the Park Plaza, Victoria, London, UK.  Save the date!  Register now to get the Early Bird Registration Rate and save £100 on the Standard Registration Rate! (see current 2019 prices here)

Early Registration deadline – Monday 19th August 2019

Two concurrent seminars will be held:

To view last year’s EAST FCS programme and speakers or to check the venue details please visit our events website: www.east-events.org

These events will be co-located with RBR’s ATM & Cyber Security 2019 event, although separate registration is required.

FCS Seminars

EAST Publishes European Fraud Update 3-2018

European FraudEAST has published its third European Fraud Update for 2018. This is based on country crime updates given by representatives of 15 countries in the Single Euro Payments Area (SEPA), and 3 non-SEPA countries, at the 46th EAST meeting held in London on 9th October 2018.

Payment fraud issues were reported by fourteen countries. Seven countries reported card-not-present (CNP) as a key fraud driver. One country reported merchant manipulation of settlement files to force through authorisations on POS terminals – once the forced transaction is through on a card the merchant cashes out using it. One country reported malware related to two APT attacks – some Chinese criminals are under observation in connection with them. Another country reported impersonation fraud relating to bill payments – possibly involving collusive postal workers. To date in 2018 the EAST Payments Task Force (EPTF) has published six Payment Alerts covering phishing, malware on mobile phones, fraudulent mobile Apps, CNP fraud and Technological fraud. The EPTF has recently published payment terminology and definitions.

ATM malware and logical security attacks were reported by seven countries.  Four of the countries reported ATM related malware and six countries reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  To date in 2018 the EAST Expert Group on All Terminal Fraud (EGAF) has published eleven related Fraud Alerts.

Card skimming at ATMs was reported by fourteen countries.  The overall trend is downward, as the recently published EAST European Payment Terminal Crime Report covering January to June 2018 highlights.  The usage of M3 – Card Reader Internal Skimming devices was reported by four countries and one country reported the use of M2 – Throat Inlay Skimming Devices.  Skimming attacks on other terminal types were reported by five countries, three of which reported such attacks on unattended payment terminals (UPTs) at petrol stations.  One country reported that a series of shimming devices at POS terminals had been detected and taken down.  To date in 2018 EAST EGAF has published twelve related Fraud Alerts.

Year to date International skimming related losses were reported in 44 countries and territories outside SEPA and in 6 within SEPA.  The top three locations where such losses were reported remain Indonesia, the USA and India.

Six countries reported incidents of Transaction Reversal Fraud (TRF), one of which reported a new attack variant where the criminals use a ‘chip-on-a-strip’.  To date in 2018 EAST EGAF has published five related Fraud Alerts.

Ram raids and ATM burglary were reported by eight countries and eight countries reported explosive gas attacks, one of which reported that two people had been sent to hospital due to related smoke inhalation.  Five countries reported solid explosive attacks.  The spread of such attacks has long been of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.  One such attack resulted in the death of a person, the first time that this has been reported.  To date in 2018 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published seven related Physical Attack Alerts.

The full Fraud Update is available to EAST Members (National and Associate).

EAST FCS ATM Physical Attacks Seminar 2018

An EAST FCS ATM Physical Attacks Seminar was held on 10th October 2018 in London, co-located with RBRs ATM & Cyber Security 2018 Conference.  The interactive and successful event followed the basic structure of work group meetings held by the EAST Expert Group on ATM & ATS Physical Attacks (EGAP).  This group, which meets twice a year, provides a platform for law enforcement and the private sector to come together and share attack information, trends and statistics in a structured manner.

An introduction to EGAP by the Chair, Graham Mott, was followed by a presentation by EAST Development Director Rui Carvalho, covering the latest EAST physical attack statistics from the H1 2018 European Payment Terminal Crime Report.  This highlighted that ATM related physical attacks were up 21% (from 1,696 to 2,046 incidents).  Attacks due to ram raids and ATM burglary were up 26% (from 470 to 590 incidents) and ATM explosive attacks (including explosive gas and solid explosive attacks) were up 2% (from 481 to 490 incidents).  Losses due to ATM related physical attacks were €15.1 million, a 24% increase from the €12.2 million reported during the same period in 2017.

Gertjan Kaijen of Europol then gave a high level view of the ATM Physical attack situation across Europe which was followed by national law enforcement updates from the following countries:

  • France – by Gilles Weintz of the Gendarmerie Nationale
  • Netherlands – by Niels Uljee of the Dutch Police
  • Portugal – by Bruno Sergio Nobre Viegas of the Policia de Seguranca Publica
  • Spain – by Daniel Zorzo Lopez of the Guardia Civil
  • UK – by Neil Smyth of the Metropolitan Police Service

These were followed by a talk from Marco Spoldi of MIB on the Italian experience of ATM Physical attacks, sharing what has been done in Italy to counter them.

ATM physical attacksThe Seminar concluded with a Question and Answer session chaired by Graham Mott and with Rui Carvalho, Gertjan Kaijen, Bruno Ricardo (Feerica), Daniel Zorzo Lopez and Adrian Roberts (West Midlands Police) on the Panel.

Attendance at the regular EAST EGAP work group meetings is limited and this event enabled active participation and input from a much wider pool of expertise.  Due to the positive response received from delegates, this ATM Physical Attacks Seminar is expected to be repeated in 2019.

More information on the event, which was sponsored by Feerica and Lockpoint, can be found on the EAST Events Website


2018 EAST FCS ATM Physical Attack Seminar Sponsors

 

Card fraud losses fall to 13 year low

EAST has just published a European Payment Terminal Crime Report covering the first six months of 2018 which reports that losses due to card fraud at payment terminals have fallen to the lowest level since 2005.

Total losses of €107 million were reported and the decrease is primarily due to a fall in losses due to card skimming (down from €118 million to €104 million). Overall payment terminal related fraud incidents were down 43% (from 11,934 to 6,790). Within this total card skimming incidents were down 19% (from 1,221 to 985) and well below the peak of 5,743 incidents reported during the same period in 2010.

EAST Executive Director Lachlan Gunn said, “The significant drop in card skimming incidents and losses reflects the continued effectiveness of EMV, as well as the work that has been put in by payment terminal deployers and card issuers with regard to counter-measures such as geo-blocking, fraud monitoring capabilities and fraud detection. Europe led the way with EMV, which is now a global standard, and all stakeholders in the payment card industry are benefitting from the increased security.”

Logical attacks against ATMs were down 46% (from 114 to 61) and all the reported ‘jackpotting’ attacks were ‘black box’ attacks.  Related losses were down 83% (from €1.51 million to €0.25 million) reflecting the fact that many of these attacks are unsuccessful.

ATM related physical attacks were up 21% (from 1,696 to 2,046 incidents).  Attacks due to ram raids and ATM burglary were up 26% (from 470 to 590 incidents) and ATM explosive attacks (including explosive gas and solid explosive attacks) were up 2% (from 481 to 490 incidents).  Losses due to ATM related physical attacks were €15.1 million, a 24% increase from the €12.2 million reported during the same period in 2017.

The average cash loss per explosive or gas attack is estimated at €14,748, the average cash loss for a robbery is €14,613 per incident and the average cash loss for a ram raid or burglary attack is €12,275.  These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

A summary of the report statistics under the main headings is in the table below.

card fraud

The full Crime Report is available to EAST Members (National and Associate)

ATM Physical Attacks

ATM Physical attacks remain a significant issue for ATM owners and other stakeholders (both public and private sector) in Europe and elsewhere, with explosive attacks (gas and solid explosive) of particular concern.  On 10th October 2018 the EAST Expert Group on ATM & ATS Physical Attacks (EAST EGAP) will hold an open Financial Crime & Security (FCS) Seminar in London to focus on the issue.  EAST EGAP is chaired by Graham Mott of the LINK Scheme.

EAST Executive Director Lachlan Gunn said ‘EAST EGAP was formed as a working group in 2014 and will hold its 10th Meeting on Tuesday 4th September 2018 in The Hague.  Attendance at EAST EGAP meetings is restricted in accordance with the group’s Terms of Reference, which makes the coming FCS Seminar in October a great opportunity for all those affected by, or concerned about, ATM physical attacks to engage with EAST’.

This interactive event follows the basic structure of EAST EGAP Member meetings.  An introduction to the Group will be followed by presentation of the latest EAST Physical Attack Statistics (H1 2018).  Then Gertjan Kaijen of Europol will give an update on the ATM physical attack situation in Europe, which will be followed by Law Enforcement updates from several of the key European markets.  After a networking break there will a session on the steps taken in Italy to counter ATM explosive attacks (gas and solid), and the event will conclude with a Q&A session on all attack types and counter-measures.  The event is co-located with RBR’s ATM & Cyber Security 2018 Conference.  See the full programme here.

Attendance at EAST EGAP meetings is limited, as it is a working group, and this EAST FCS Seminar enables wider participation and the opportunity for all attendees to engage with the Group and its organisers.


The Seminar is sponsored by:

 

 

EAST Publishes European Fraud Update 2-2018

FraudEAST has published its second European Fraud Update for 2018.  This is based on country crime updates given by representatives of 18 countries in the Single Euro Payments Area (SEPA), and 3 non-SEPA countries, at the 45th EAST meeting held in The Hague on 6th June 2018.

Payment fraud issues were reported by fifteen countries.  Seven countries reported card-not-present (CNP) as a key fraud driver.  Two countries reported attempted ‘Forced Post’ fraud, possible when some point of sale (POS) terminals allow the ‘force sale’ functionality.  One country reported a new form of malware on android mobile phones, distributed with a fake application uploaded from third-party android stores.  Another country reported cases of SIM swap fraud, where fraudsters authorise a bank transfer by switching the customer’s mobile phone number over to a new SIM and intercept the authorisation message.  To date in 2018 the EAST Payments Task Force (EPTF) has published five Payment Alerts covering phishing, malware on mobile phones, fraudulent mobile Apps and CNP fraud.

ATM malware and logical security attacks were reported by nine countries.  Five of the countries reported ATM related malware.  In addition to Cutlet Maker (used for ATM cash-out) a new variant called WinPot has been reported – this is used to check how many banknotes are in an ATM.  Six countries reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  To date in 2018 the EAST Expert Group on All Terminal Fraud (EGAF) has published seven related Fraud Alerts. To help counter these threats Europol, supported by EAST EGAF, has published a document entitled ‘Guidance and Recommendations regarding Logical attacks on ATMs’.  It covers mitigating the risk, setting up lines of defence and identifying and responding to logical attacks.  This is available in four languages: English, German, Italian and Spanish.

Card skimming at ATMs was reported by fourteen countries.  For the first time one country reported the arrest of a Chinese national in connection with such attacks.  The usage of M3 – Card Reader Internal Skimming devices remains most prevalent.  This type of device is placed at various locations inside the motorised card reader behind the shutter.  Six countries reported such attacks.  One country reported the use of M2 – Throat Inlay Skimming Devices.  Skimming attacks on other terminal types were reported by five countries, four of which reported such attacks on unattended payment terminals (UPTs) at petrol stations.  To date in 2018 EAST EGAF has published ten related Fraud Alerts.

Year to date International skimming related losses were reported in 31 countries and territories outside SEPA and in 3 within SEPA.  The top three locations where such losses were reported remain Indonesia, the USA and India.

Three countries reported incidents of Transaction Reversal Fraud (TRF), two of which reported new attack variants.  To date in 2018 EAST EGAF has published four related Fraud Alerts.

Ram raids and ATM burglary were reported by eight countries.  Six countries reported explosive gas attacks, one of which reported such attacks against ATS machines for the first time.  Another reported that explosive gas attacks against ATMs have started for the first time.  Five countries reported solid explosive attacks.  The spread of such attacks is of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.  To date in 2018 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published five related Physical Attack Alerts.

The full Fraud Update is available to EAST Members (National and Associate).

EAST Publishes European Fraud Update 1-2018

EAST Fraud Update 1-2018EAST has just published its first European Fraud Update for 2018.  This is based on country crime updates given by representatives of 18 countries in the Single Euro Payments Area (SEPA), and 4 non-SEPA countries, at the 44th EAST meeting held in Frankfurt on 7th February 2018.

Payment fraud issues were reported by fifteen countries.  Seven countries reported increases in card-not-present (CNP) fraud related to ecommerce merchants in China.  Phishing activity was reported by four countries and one of them reported phishing attacks through advertisements placed on social media sites.  The EAST Payments Task Force (EPTF) issued a first Payment Alert in January 2018.  This covered a phishing email sent to employees of banking and financial institutions, which contained malware intended to exploit the local network and gain access to Swift services.

ATM malware and logical security attacks were reported by ten countries.  Five of the countries reported ATM related malware and one country reported the first successful Cutlet Maker cash-out attack in Western Europe.  To date in 2018 the EAST Expert Group on All Terminal Fraud (EGAF) has published two related Fraud Alerts.  Seven countries reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  To help counter these threats Europol, supported by EAST EGAF, has published a document entitled ‘Guidance and Recommendations regarding Logical attacks on ATMs’.  It covers mitigating the risk, setting up lines of defence and identifying and responding to logical attacks.  This is available in four languages: English, German, Italian and Spanish.

Card skimming at ATMs was reported by sixteen countries.  The usage of M3 – Card Reader Internal Skimming devices is most prevalent.  This type of device is placed at various locations inside the motorised card reader behind the shutter.  Five countries reported such attacks.  Skimming attacks on other terminal types were reported by five countries, all of which reported such attacks on unattended payment terminals (UPTs) at petrol stations.  One country also reported the use of card shimming devices at POS terminals.  To date in 2018 EAST EGAF has published three related Fraud Alerts.

Year to date International skimming related losses were reported in 40 countries and territories outside SEPA and in 7 within SEPA.  The top three locations where such losses were reported remain the USA, Indonesia and India.

Five countries reported incidents of Transaction Reversal Fraud (TRF).  Two countries reported a continued increase in such attacks and two countries reported new modus-operandi.  To date in 2018 EAST EGAF has published two related Fraud Alerts.

Ram raids and ATM burglary were reported by ten countries and, to date in 2018, the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published one related ATM Physical Attack Alert.  Eight countries reported explosive gas attacks and six countries reported solid explosive attacks.  The spread of such attacks is of increasing concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.

The full Fraud Update is available to EAST Members (National and Associate).