EAST EGAF holds 19th Meeting in Amsterdam

EAST EGAFThe Nineteenth Meeting of the EAST Expert Group on All Terminal Fraud (EAST EGAF) took place on Wednesday 18th September 2019 at ING Domestic Bank in Amsterdam.

EAST EGAF is a regional expert group that focuses on regional and global payment terminal crime and fraud related issues, threats and counter-measures.

The meeting was chaired by Mr Otto de Jong and was attended by key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts.

The Group, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Skimming, Card Trapping, Cash Trapping and Transaction Reversal Fraud.

In addition EAST EGAF generates EAST Fraud Alerts for all EAST Members (National and Associate). In total 219 EAST Fraud Alerts have been issued, 18 to date in 2019.

EAST EGAF meetings are restricted to working group members and, to provide a wider platform for sharing/discussion, the Group is holding a half-day open seminar in London on 9th October 2019.  Registration for this is still open and more information can be found on the EAST Events website.

New EAST Fraud Definitions now available in Russian

EAST Terminal Fraud Definitions are now available in the Russian language.  At the end of 2018 EAST upgraded its Terminal Fraud Definitions to illustrate what the criminal target outcome is for each fraud type.  In the upgraded definitions each applicable criminal benefit is highlighted next to each terminal fraud type.

The translation was carried out by two EAST National Member organisations – the Ukrainian Interbank Payment Systems Member Association “EMA”  and the MasterCard Members Association (MCMA).

These fraud definitions are used by EAST when issuing Fraud Alerts, or when compiling the statistics and other information for European Payment Terminal Reports and Fraud Updates.  The aim is for these Terminal Fraud Definitions, as well as the related criminal benefits, to be adopted globally when describing or reporting payment terminal fraud.  This translation into Russian is another step forward towards achieving this.

Below is the  definition for Card Skimming in the Russian language.

The definitions have been classified ‘WHITE’ under the terms of the EAST Information Security Policy and may be shared freely, subject to standard copyright rules.

EAST EGAF holds 18th Meeting in Amsterdam

EGAFThe Eighteenth Meeting of the EAST Expert Group on All Terminal Fraud (EAST EGAF) took place on Wednesday 8th May 2019 at ING Domestic Bank in Amsterdam.

EAST EGAF is a regional expert group that focuses on regional and global payment terminal crime and fraud related issues, threats and counter-measures.

The meeting was chaired by Mr Otto de Jong and was attended by key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts.

The Group, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Skimming, Card Trapping, Cash Trapping and Transaction Reversal Fraud.

In addition EAST EGAF generates EAST Fraud Alerts for all EAST Members (National and Associate). In total 210 EAST Fraud Alerts have been issued, 9 to date in 2019.

EAST EGAF meetings are restricted to working group members and, to provide a wider platform for sharing/discussion, the Group is holding a half-day open seminar in London on 9th October 2019.  Registration for this is now open and more information can be found on the EAST Events website.

EAST Upgrades Terminal Fraud Definitions

EAST has upgraded its Terminal Fraud Definitions to illustrate what the criminal target outcome is for each fraud type.  This information is now available on the EAST website.

The EAST Expert Group on All Terminal Fraud (EGAF) has identified six ways by which criminals achieve their targets from the different terminal fraud types as shown below:

In the upgraded Terminal Fraud Definitions each applicable criminal benefit is highlighted next to each terminal fraud type.  The defined Terminal Fraud Types are: Card Skimming; Card Shimming; Eavesdropping; Card Trapping; Cash Trapping; Transaction Reversal Fraud (TRF); Malware; and Black Box.

Below is the definition for Card Skimming which highlights that skimming enables criminals to: Create counterfeit cards; make card-not-present (CNP) purchases; use fake cards in-store; and sell compromised data.

fraud definitions - card skimming

EAST Executive Director Lachlan Gunn said “This is a major step forward in standardising the classification of terminal fraud, which will hopefully help to continue to drive down related fraud losses. The EGAF Chair, Otto de Jong, and his team have produced something fresh and simple which we hope will be adopted globally by the Industry and Law enforcement when describing or reporting terminal fraud. In particular we would like to thank Ben Birtwistle of NatWest Bank plc, along with Claire Shufflebotham and Niek Westendorp of TMD Security, whose creative ideas and design made this latest upgrade possible.”

A summary of the upgraded fraud definitions and terminology is available on the EAST website along with a more detailed document for download.  These have been classified ‘WHITE’ under the terms of the EAST Information Security Policy and may be shared freely, subject to standard copyright rules.

200 Fraud Alerts Issued by EAST

EAST has published its 200th Fraud Alert.  These Alerts are issued by EAST National Members, often with the support of Law Enforcement and other EAST Associate Members.  To date 28 countries have issued Fraud Alerts covering ATMs, Unattended Payment Terminals (UPTs) and Point of Sale (POS) Terminals.

EAST first started issuing Fraud Alerts in September 2013.  These Alerts provide valuable and timely intelligence to law enforcement agencies and the industry, allowing the spread of emerging threats and criminal methodologies to be tracked across the world.  While most of the Alerts have been issued by countries within the Single Euro Payments Area (SEPA), there have been some from Belarus, Mexico, Russia, Serbia, Turkey, Ukraine and the United States.

To date EAST Fraud Alerts issued have covered:  Black Box attacks (cash out / jackpotting); Card Shimming (S1 devices); Card Skimming (highlighting the spread of different devices such as M1, M2, M3, D2 and D3); Card Trapping; Cash Trapping; Deposit Fraud; Eavesdropping (highlighting the use of different MOs such as E2 and E3); EMV Shock Cards; Malware (cash out / jackpotting); Transaction Reversal Fraud; and Vandalism.  The table below shows a summary the Alerts issued:

Fraud Alerts

Definitions of the different fraud types and related terminology are available on this website.

The EAST Expert Group on All Terminal Fraud (EGAF) initiated the Fraud Alerts and conducts in-depth analysis of some of the emerging threats and devices.  Each Alert covers: the type of fraud; the country where discovered; the terminal type(s) affected; an indication as to whether or not the fraud was successful; a description of the device and the criminal MO; indication as to the device location; information on PIN compromise (if card skimming or card trapping); and any available images.

EAST also issues Payment Alerts and Physical Attack Alerts.

EAST Alerts contain sensitive information and are restricted to EAST Members (National and Associate).  They are classified as AMBER using the variant of the Traffic Light Protocol (TLP) adopted by EAST.

EAST EGAF holds 16th Meeting in Amsterdam

EGAFThe Sixteenth Meeting of the EAST Expert Group on All Terminal Fraud (EAST EGAF) took place on Wednesday 19th September 2018 at ING Domestic Bank in Amsterdam.

EAST EGAF is a regional expert group that focuses on regional and global payment terminal crime and fraud related issues, threats and counter-measures.

The meeting was chaired by Mr Otto de Jong and was attended by key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts.

The Group, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Skimming, Card Trapping, Cash Trapping and Transaction Reversal Fraud.

In addition EAST EGAF generates EAST Fraud Alerts for all EAST Members (National and Associate). In total 195 EAST Fraud Alerts have been issued, 28 to date in 2018.

EAST EGAF meetings are restricted to working group members and, to provide a wider platform for sharing/discussion, the Group is holding a half-day open seminar in London on 10th October 2018.  Registration for this is now open and more information can be found on the EAST Events website.

EAST Publishes European Fraud Update 1-2018

EAST Fraud Update 1-2018EAST has just published its first European Fraud Update for 2018.  This is based on country crime updates given by representatives of 18 countries in the Single Euro Payments Area (SEPA), and 4 non-SEPA countries, at the 44th EAST meeting held in Frankfurt on 7th February 2018.

Payment fraud issues were reported by fifteen countries.  Seven countries reported increases in card-not-present (CNP) fraud related to ecommerce merchants in China.  Phishing activity was reported by four countries and one of them reported phishing attacks through advertisements placed on social media sites.  The EAST Payments Task Force (EPTF) issued a first Payment Alert in January 2018.  This covered a phishing email sent to employees of banking and financial institutions, which contained malware intended to exploit the local network and gain access to Swift services.

ATM malware and logical security attacks were reported by ten countries.  Five of the countries reported ATM related malware and one country reported the first successful Cutlet Maker cash-out attack in Western Europe.  To date in 2018 the EAST Expert Group on All Terminal Fraud (EGAF) has published two related Fraud Alerts.  Seven countries reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  To help counter these threats Europol, supported by EAST EGAF, has published a document entitled ‘Guidance and Recommendations regarding Logical attacks on ATMs’.  It covers mitigating the risk, setting up lines of defence and identifying and responding to logical attacks.  This is available in four languages: English, German, Italian and Spanish.

Card skimming at ATMs was reported by sixteen countries.  The usage of M3 – Card Reader Internal Skimming devices is most prevalent.  This type of device is placed at various locations inside the motorised card reader behind the shutter.  Five countries reported such attacks.  Skimming attacks on other terminal types were reported by five countries, all of which reported such attacks on unattended payment terminals (UPTs) at petrol stations.  One country also reported the use of card shimming devices at POS terminals.  To date in 2018 EAST EGAF has published three related Fraud Alerts.

Year to date International skimming related losses were reported in 40 countries and territories outside SEPA and in 7 within SEPA.  The top three locations where such losses were reported remain the USA, Indonesia and India.

Five countries reported incidents of Transaction Reversal Fraud (TRF).  Two countries reported a continued increase in such attacks and two countries reported new modus-operandi.  To date in 2018 EAST EGAF has published two related Fraud Alerts.

Ram raids and ATM burglary were reported by ten countries and, to date in 2018, the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published one related ATM Physical Attack Alert.  Eight countries reported explosive gas attacks and six countries reported solid explosive attacks.  The spread of such attacks is of increasing concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.

The full Fraud Update is available to EAST Members (National and Associate).

EAST EGAF holds 15th Meeting in Amsterdam

The Fifteenth Meeting of the EAST Expert Group on All Terminal Fraud (EAST EGAF) took place on Wednesday 17th January 2018 at ING Domestic Bank in Amsterdam.

EAST EGAF is a regional expert group that focuses on regional and global payment terminal crime and fraud related issues, threats and counter-measures.

The meeting was chaired by Mr Otto de Jong and was attended by key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts.

The Group, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Skimming, Card Trapping, Cash Trapping and Transaction Reversal Fraud.

The focus of the Group is on topics and issues raised by EAST National Members, which represent 35 countries. Outputs from the group are presented to all meetings of EAST National Members.

In addition EAST EGAF generates EAST Fraud Alerts for all EAST Members (National and Associate). In total 168 EAST Fraud Alerts have been issued, one to date in 2018.

EAST Publishes European Fraud Update 3-2017

Fraud UpdateEAST has published its third European Fraud Update for 2017.  This is based on country crime updates given by representatives of 15 countries in the Single Euro Payments Area (SEPA), and 5 non-SEPA countries, at the 43rd EAST meeting held in Edinburgh on 4th October 2017.

Payment fraud issues were reported by eleven countries.  One country reported that a fake P2P website was used to get funds illegally, which are then transferred to genuine cards for cash withdrawal.  Card-Not-Present (CNP) fraud shows a significant increase in fake websites, such as ticketing sites.  Data acquired through social engineering is used immediately by criminals to make fund transfers to money mule accounts.  The EAST Payments Task Force (EPTF) is looking at security issues affecting payments with a view to the gathering, collation and dissemination of related information, trends and general statistics.

ATM malware and logical security attacks were reported by seven countries.  To date in 2017 EAST has published fourteen related Fraud Alerts.  Two of the countries reported ATM related malware and all seven reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  To help counter these threats Europol, supported by the EAST Expert Group on All Terminal Fraud (EGAF), has published a document entitled ‘Guidance and Recommendations regarding Logical attacks on ATMs’.  It covers mitigating the risk, setting up lines of defence and identifying and responding to logical attacks.  This is available in four languages: English, German, Italian and Spanish.

Card skimming at ATMs was reported by thirteen countries.  The usage of M3 – Card Reader Internal Skimming devices is most prevalent.  This type of device is placed at various locations inside the motorised card reader behind the shutter.  Four countries reported such attacks and, to date in 2017, EAST has published ten related Fraud Alerts.

Year to date International skimming related losses were reported in 53 countries and territories outside of the Single Euro Payments Area (SEPA) and in 10 within SEPA.  The top three locations where such losses were reported are the USA, Indonesia and India.

Skimming attacks on other terminal types were reported by eight countries and four countries reported such attacks on unattended payment terminals (UPTs) at petrol stations.

Six countries reported incidents of Transaction Reversal Fraud (TRF).  One country reported a continued increase in such attacks and two countries reported a new modus-operandi.

Ram raids and ATM burglary were reported by ten countries and eight countries reported explosive gas attacks.  To date in 2017 EAST has published eleven related ATM physical attack alerts.  The use of solid explosives continues to spread and six countries reported such attacks.  This is of increasing concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.

The full Fraud Update is available to EAST Members (National and Associate).

ATM Black Box Attacks continue to rise

ATM black box attacksEAST has just published a European Payment Terminal Crime Report covering the first six months of 2017 which reports that ATM black box attacks took place in eleven countries.

A total of 114 such attacks were reported, up from 28 during the same period in 2016, a 307% increase.  ‘Black Box’ is the connection of an unauthorised device which sends dispense commands directly to the ATM cash dispenser in order to ‘cash-out’ the ATM.  Related losses were up 268%, from €0.41 million to €1.51 million.  EAST Executive Director Lachlan Gunn said, “This sees the continuation of a trend that we first reported in April of this year when we published full year statistics for 2016.  Our Expert Group on All Terminal Fraud (EGAF) is actively monitoring all logical threats against payment terminals and against the wider banking infrastructure.”

Overall payment terminal related fraud attacks rose 10% when compared with H1 2016 (up from 10,820 to 11,934 incidents).  This rise was mainly driven by an 88% increase in transaction reversal fraud (up from 4,840 to 9,081 incidents).  The downward trend for card skimming continues with 1,221 card skimming incidents reported, down 22% from 1,573 in H1 2016.  This is the lowest number of skimming incidents reported since EAST first began gathering data in 2004.

Losses due to payment terminal related fraud attacks were down 29% when compared with the same period in 2016 (down from €174 million to €124 million).  Within these totals international skimming losses fell 32% (down from €142 million to €96 million) and Domestic skimming losses fell 15% (down from €26 million to €22 million).

ATM related physical attacks rose 6% when compared with H1 2016 (up from 1,604 to 1,696 incidents).  Within this total ATM explosive attacks (including explosive gas and solid explosive attacks) were down 2% (down from 492 to 481 incidents).  Losses due to ATM related physical attacks were €12.2 million, a 55% drop from the €27 million reported during the same period in 2016.  Part of this decrease is due to the fact that one major ATM deploying country that used to report this data is currently unable to do so.

The average cash loss per explosive or gas attack is estimated at €14,575, the average cash loss for a robbery is €10,357 per incident and the average cash loss for a ram raid or burglary attack is €9,761.  These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

A summary of the report statistics under the main headings is in the table below.

ATM Black Box Attacks

The full Crime Report is available to EAST Members (National and Associate)