On November 21st, a
security alert from NCR was issued describing a new form of Transaction Reversal Fraud (TRF) occurring in the UK, typically between 10 PM and midnight on any given day.
Contrary to previously reported TRF attacks in which cash is pried from the dispenser after a payment reversal is initiated due to the jamming of the card reader, this new method does not require any interaction with the card reader or the use of modified
cards. Instead, the fraudster manipulates the cash dispenser to activate a fault, which is subsequently reversed by the transaction host. The fraudster is then able to withdraw cash without the corresponding account being debited.
In this latest reported case, fraudsters in the UK are using multiple different cards to execute the attack, with Bank Identification Numbers (BINs) corresponding to issuers in Russia and Ukraine.
Transaction Reversal Fraud is becoming increasingly more common, with The Europe Association for Secure Transactions (EAST) recently reporting that TRF
is up 135% with total losses reaching 3.2 million euro in the first six months of 2019. Unlike logical ATM attacks, TRF is a sophisticated attack involving a sequence of events at the ATM that generates multiple error codes, an unnecessary payment reversal
and the removal of cash from the dispenser. These attacks can be tricky to isolate and detect before financial losses occur, especially if changes to the ATM host applications are required.
While it is impossible to prevent fraudsters from attempting Transaction Reversal Fraud, establishing centralized, real-time access to transaction reversal data, hardware events and errors could help detect these attacks in milliseconds. For example, if
an ATM device code error occurs and the ATM subsequently reverses the transaction, a customizable rules-based alert can trigger a workflow to shut down the targeted ATM within seconds. Although there may also be required changes to the ATM host applications
– a layered defence strategy will greatly reduce the risk of TRF.