Black Box attacks increase across Europe

Black BoxEAST has just published a European Payment Terminal Crime Report covering the first six months of 2020 which reports a sharp increase in Black Box attacks on European ATMs.

ATM malware and logical attacks against ATMs were up 269% (from 35 to 129) and all the reported attacks were Black Box attacks. A Black Box attack is the connection of an unauthorised device which sends dispense commands directly to the ATM cash dispenser, in order to ‘cash-out’ or ‘jackpot’ the ATM. Related losses were up from less than €1,000, to just over €1 million.

EAST Executive Director Lachlan Gunn said, “Overall crime at terminals has decreased during the lockdown phase of the pandemic. While this rise in Black Box attacks is of concern, most such attacks remain unsuccessful. Our Expert Group on All Terminal Fraud (EGAF) is focussed on addressing this issue, with close cooperation between industry partners and law enforcement. In January 2019 EGAF worked with Europol to update a document, published by Europol, entitled ‘Guidance & recommendations regarding logical attacks on ATMs’. This is currently available in English, French, German, Russian, Spanish and Turkish”.

Terminal related fraud attacks were down 66% (from 10,723 to 3,631 incidents). Card skimming fell to another all-time low (down from 731 to 321 incidents) and transaction reversal fraud (TRF) at ATMs decreased by 97% (down from 3,405 to just 108 incidents). Total losses of €109 million were reported, down 12% from the €124 million reported during the same period in 2019.

ATM related physical attacks were down 23% (from 2,376 to 1,829 incidents). Attacks due to ram raids and ATM burglary were down 34% (from 610 to 405 incidents) and ATM explosive attacks (including explosive gas and solid explosive attacks) were up 0.4% (from 503 to 505 incidents). Losses due to ATM related physical attacks were €12.6 million, an 11% increase from the €11.4 million reported during the same period in 2019. This increase was driven by a rise in losses due to explosive and gas attacks, which were up 49% from €5.1 million to €7.6 million.

A summary of the report statistics under the main headings is in the table below.

The full Crime Report is available to EAST Members (National, Global and Associate)

 

EAST EGAF holds 21st Meeting

The 21st Meeting of the EAST Expert Group on All Terminal Fraud (EGAF) took place on Wednesday 16th September 2020.  Due to the Covid-19 situation, it was conducted as a virtual meeting and was chaired by Otto de Jong of ING Bank.

The meeting was attended by 28 key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts.

EAST EGAF, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Skimming, Card Trapping, Cash Trapping and Transaction Reversal Fraud (TRF).

Presentations were made by Europol, INTERPOL, Damage Control, Diebold Nixdorf, Group-IB, KAL, Mastercard and NCR.

Experts from the following organisations also contributed to the meeting:  Bits A/S, Cardtronics, Cennox,  Dutch Payments Association, Fiducia & GAD, GMV, NatWest Group, TietoEVRY, TMD Security, TrendMicro.

An increasing number of TRF incidents are being reported and, to help mitigate the risk, EAST EGAF has produced a general Security Alert about the threat, which was ratified by the meeting.

In addition EAST EGAF generates EAST Fraud Alerts for all EAST Members (National, Global and Associate). In total 247 EAST Fraud Alerts have been issued, 22 to date in 2020. Since 2013 there have been 15 Fraud Alerts issued relating to TRF.

EAST Publishes TRF Alert

A Security Alert relating to Transaction Reversal Fraud (TRF) has just been published by the EAST Expert Group on All Terminal Fraud (EGAF).

TRF is the unauthorised physical manipulation of an ATM cash withdrawal which makes it appear to the ATM system that cash has not been dispensed despite the criminal gaining access to, and taking the cash. This causes a reversal message to be generated and sent to the card issuing organisation, ultimately resulting in a free cash withdrawal.  Criminals will typically use prepaid cards, or stolen or skimmed cards making it difficult to detect the identity of the perpetrator .

TRF exploits weaknesses in the hardware, application software, or transaction handling at the host.  TRF does not involve a legitimate customer.  A definition of TRF can be found on this website.

Information provided by EAST members, and shared through Alerts and Reports, shows that criminals are increasingly using TRF throughout Europe and in other parts of the world.

This Security Alert, which provides a description of TRF (Key MOs and Typical Execution) along with Guidelines to mitigate the risk, is available to EAST Members (National, Global and Associate).

 

TRF fraudster jailed in Ireland after causing nearly €13,000 of damage

Damien Ionut (34), a Romanian national, has received a three year prison sentence in connection with a series of transaction reversal fraud (TRF) attacks on ATMs in the Republic of Ireland that caused nearly €13,000 of damage.  He was part of a group of men who targeted ATMs in counties Louth, Kildare, Wicklow, Meath, Westmeath and Dublin.  He also has 30 previous convictions for TRF attacks on ATMs in eight other European countries (Belgium, Czech Republic, Denmark, France, Italy, Romania, Spain, United Kingdom). According to police sources the total cash amount taken by Ionut in the five-week period was €5,980. Some of the attacks did not succeed but the total amount of damage caused was €12,881.  The attacks took place during October and November 2019.

Ionut was sentenced at Dublin Circuit Criminal Court on Friday 1st May 2020.  Police told the court that Ionut’s typical MO was as follows:

  • A legitimate “chip and pin” card is used to make a small cash withdrawal. When the cash dispenser shutter opens to dispense the cash, the criminal places a clip device behind it.
  • Then he uses the same card to request a much larger cash withdrawal, averaging €500. The ATM presents the cash behind the shutter, ready for delivery to the customer. However before the cash is dispensed, the ATM presents the bank card back to the user. The criminal quickly switches the real card for a dummy one, which is retracted by the ATM (which assumes the customer has left without it).
  •  As a result the ATM does not debit the customer’s bank account and attempts to recover the cash from behind the cash dispense shutter.
  • The clip placed behind the shutter prevents this from happening and the criminal then uses a chisel to break open the shutter and takes the cash.

More details of the case can be found in a related article published by the Irish Times

The EAST Expert Group on All Terminal Fraud (EGAF) focuses on the prevention of TRF and has produced a standard definition for TRF which can be seen in the below image.

TRF

EAST EGAF has produced definitions for all terminal fraud types, along with the related criminal benefits.  These can be seen on the Terminal Fraud Definitions page of this website.

 

 

Terminal fraud attacks increase in Europe

terminal fraudEAST has just published a European Payment Terminal Crime Report covering 2019 which reports that terminal fraud attacks were up 35%.

Terminal related fraud attacks rose from 13,511 to 18,217 incidents, mainly driven by an 87% increase in ATM transaction reversal fraud attacks (up from 4,843 to 9,054 incidents), while card skimming incidents fell 21% to an all-time low (down from 1,883 to 1,496 incidents).

EAST Executive Director Lachlan Gunn said, “Despite the overall rise in terminal fraud incidents, total reported losses were almost unchanged. Transaction reversal fraud losses did rise from €2.6 million to €5.2 million, but the continued drop in skimming incidents has helped to keep the overall loss position stable.”

Total losses of €249 million were reported, up 1% from the €247 million reported in 2018. Overall losses due to card skimming were unchanged and losses due to card trapping were down by 14% (from €2.9 million to €2.5 million).

ATM related physical attacks were up 0.5% (from 4,579 to 4,571 incidents). Attacks due to ram raids and ATM burglary were down 11% (from 1,256 to 1,122 incidents) and ATM explosive attacks (including explosive gas and solid explosive attacks) were down 7% (from 1,052 to 977 incidents). Losses due to ATM related physical attacks were €22 million, a 39% decrease from the €36 million reported in 2018.

The average cash loss for a robbery is estimated at €20,369 per incident, the average cash loss per explosive or gas attack is €10,735 and the average cash loss for a ram raid or burglary attack is €9,377. These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

A total of 140 ATM malware and logical attacks were reported, down from 157 in 2018, an 11% decrease. All the reported attacks were ‘cash out’ or ‘jackpotting’ attacks. In 118 attacks equipment typically referred to as a ‘black box’ was used, and malware was used in the other 22 attacks. Related losses were up 142%, from €0.45 million to €1.09 million.

A summary of the report statistics under the main headings is in the table below.

The full Crime Report is available to EAST Members (National, Global and Associate)

EAST EGAF holds 20th Meeting in Amsterdam

The 20th Meeting of the EAST Expert Group on All Terminal Fraud (EAST EGAF) took place on Wednesday 15th January 2020 at ING Domestic Bank in Amsterdam.

EAST EGAF is a regional expert group that focuses on regional and global payment terminal crime and fraud related issues, threats and counter-measures.

The meeting was chaired by Mr Otto de Jong from ING Bank and was attended by key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts.

This was a milestone meeting and, in recognition of his work in founding and supporting EGAF, as well as his 16 years of active support for EAST, Otto was presented with an award by Ms Veronica Borgogna of BANCOMAT S.p.A, the current Chair of EAST.

Presentations were made by Europol (AP Cyborg), Geldmaat, Damage Control and Fiducia & GAD IT AG.

The EGAF Group, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Skimming, Card Trapping, Cash Trapping and Transaction Reversal Fraud.

In addition EAST EGAF generates EAST Fraud Alerts for all EAST Members (National, Global and Associate). In total 227 EAST Fraud Alerts have been issued, 2 to date in 2020.

EAST EGAF holds 19th Meeting in Amsterdam

EAST EGAFThe Nineteenth Meeting of the EAST Expert Group on All Terminal Fraud (EAST EGAF) took place on Wednesday 18th September 2019 at ING Domestic Bank in Amsterdam.

EAST EGAF is a regional expert group that focuses on regional and global payment terminal crime and fraud related issues, threats and counter-measures.

The meeting was chaired by Mr Otto de Jong and was attended by key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts.

The Group, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Skimming, Card Trapping, Cash Trapping and Transaction Reversal Fraud.

In addition EAST EGAF generates EAST Fraud Alerts for all EAST Members (National and Associate). In total 219 EAST Fraud Alerts have been issued, 18 to date in 2019.

EAST EGAF meetings are restricted to working group members and, to provide a wider platform for sharing/discussion, the Group is holding a half-day open seminar in London on 9th October 2019.  Registration for this is still open and more information can be found on the EAST Events website.

New EAST Fraud Definitions now available in Russian

EAST Terminal Fraud Definitions are now available in the Russian language.  At the end of 2018 EAST upgraded its Terminal Fraud Definitions to illustrate what the criminal target outcome is for each fraud type.  In the upgraded definitions each applicable criminal benefit is highlighted next to each terminal fraud type.

The translation was carried out by two EAST National Member organisations – the Ukrainian Interbank Payment Systems Member Association “EMA”  and the MasterCard Members Association (MCMA).

These fraud definitions are used by EAST when issuing Fraud Alerts, or when compiling the statistics and other information for European Payment Terminal Reports and Fraud Updates.  The aim is for these Terminal Fraud Definitions, as well as the related criminal benefits, to be adopted globally when describing or reporting payment terminal fraud.  This translation into Russian is another step forward towards achieving this.

Below is the  definition for Card Skimming in the Russian language.

The definitions have been classified ‘WHITE’ under the terms of the EAST Information Security Policy and may be shared freely, subject to standard copyright rules.

EAST EGAF holds 18th Meeting in Amsterdam

EGAFThe Eighteenth Meeting of the EAST Expert Group on All Terminal Fraud (EAST EGAF) took place on Wednesday 8th May 2019 at ING Domestic Bank in Amsterdam.

EAST EGAF is a regional expert group that focuses on regional and global payment terminal crime and fraud related issues, threats and counter-measures.

The meeting was chaired by Mr Otto de Jong and was attended by key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts.

The Group, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Skimming, Card Trapping, Cash Trapping and Transaction Reversal Fraud.

In addition EAST EGAF generates EAST Fraud Alerts for all EAST Members (National and Associate). In total 210 EAST Fraud Alerts have been issued, 9 to date in 2019.

EAST EGAF meetings are restricted to working group members and, to provide a wider platform for sharing/discussion, the Group is holding a half-day open seminar in London on 9th October 2019.  Registration for this is now open and more information can be found on the EAST Events website.

EAST Upgrades Terminal Fraud Definitions

EAST has upgraded its Terminal Fraud Definitions to illustrate what the criminal target outcome is for each fraud type.  This information is now available on the EAST website.

The EAST Expert Group on All Terminal Fraud (EGAF) has identified six ways by which criminals achieve their targets from the different terminal fraud types as shown below:

In the upgraded Terminal Fraud Definitions each applicable criminal benefit is highlighted next to each terminal fraud type.  The defined Terminal Fraud Types are: Card Skimming; Card Shimming; Eavesdropping; Card Trapping; Cash Trapping; Transaction Reversal Fraud (TRF); Malware; and Black Box.

Below is the definition for Card Skimming which highlights that skimming enables criminals to: Create counterfeit cards; make card-not-present (CNP) purchases; use fake cards in-store; and sell compromised data.

fraud definitions - card skimming

EAST Executive Director Lachlan Gunn said “This is a major step forward in standardising the classification of terminal fraud, which will hopefully help to continue to drive down related fraud losses. The EGAF Chair, Otto de Jong, and his team have produced something fresh and simple which we hope will be adopted globally by the Industry and Law enforcement when describing or reporting terminal fraud. In particular we would like to thank Ben Birtwistle of NatWest Bank plc, along with Claire Shufflebotham and Niek Westendorp of TMD Security, whose creative ideas and design made this latest upgrade possible.”

A summary of the upgraded fraud definitions and terminology is available on the EAST website along with a more detailed document for download.  These have been classified ‘WHITE’ under the terms of the EAST Information Security Policy and may be shared freely, subject to standard copyright rules.