The European ATM Security Team (EAST) has just published its first European Fraud Update for 2015.
This is based on country crime updates given by representatives of 18 countries in the Single Euro Payments Area (SEPA), and 3 non-SEPA countries, at the 35th EAST meeting held at Consorzio BANCOMAT in Rome on 11th February 2015.
Card skimming at ATMs was reported by nineteen countries, with decreases reported by nine countries and increases by one country. Three countries reported card data compromise through wire-tapping or 'Eavesdropping'. Usage of card reader internal skimming devices appears to be increasing - these are inserted through the card reader throat and then sit inside the card reader capturing the data of cards that are subsequently inserted.
One country reported finding skimming devices that had been printed out from a 3D printer. A demonstration of 3D printing technology and how it can help validate anti-skimming technology will be given at the EAST Financial Crime and Security (FCS) Forum 2105 that will be held on 11th and 12th June 2015 in The Hague. For more information see https://www.european-atm-security.eu/attend-east-fcs-2015-to-see-how-3d-printing-can-help-validate-anti-skimming-technology/
The trend of losses due to skimming occurring outside of EMV* Chip liability shift areas continues. Such losses were reported in 46 countries and territories outside of the Single Euro Payments Area (SEPA) and in 8 within SEPA. The USA remains the top location for such losses, followed by Thailand and Indonesia.
Skimming attacks on other terminal types were reported by nine countries. Attacks on unattended payment terminals (UPTs) at petrol stations were seen in five countries, while two countries reported skimming attacks at railway or other transport ticket machines.
Europol's European Cybercrime Centre (EC3) has supported an 18-month EU-funded project against payment card fraud, initiated by UK authorities, which has resulted in the arrest of 59 individuals, 32 prosecutions and 17 convictions as well as the as well as the disruption of five organised crime groups misusing electronic payments. During the final meeting for Project Sandpiper on 30th January 2014, it was stressed that a total of 52,812 compromised card numbers were recovered during the operations, with estimated savings to the banking industry of over GBP 23 million. The EU-based criminals were misusing financial credentials in mainly remote overseas destinations.
Cash trapping attacks appear to be on the decrease, reversing a previously reported trend. Fourteen countries reported such attacks. The overall decrease can be attributed to the success of customer awareness campaigns and to preventative measures put in place at the ATMs. Compared to previous years the number of transaction reversal fraud attacks also appears to be decreasing.
ATM malware incidents were reported by three countries. These were ATM 'cash out' or 'jackpotting' attacks. In one of the countries it is believed that ATMs were infected either through USB 'drops', or remotely through the ATM network.
Ram raids and ATM burglary were reported by nine countries, with one of them reporting increases in this type of attack and another significant decreases. Nine countries reported explosive gas attacks, two of them reporting significant increases. A recently published and comprehensive press article on ATM gas attacks can be found at http://www.bloomberg.com/graphics/2015-atm-bombers/. Two countries also reported attacks on ATMs using solid explosives.
The full Fraud Update is available to EAST Members (National and Associate) and Subscribers and details of how to join or subscribe to EAST can be found at https://www.european-atm-security.eu
* EMV (also known as 'chip and PIN') is an industry standard for Smart Cards and card readers, supported by the European Payments Council and the major payment schemes