The European ATM Security Team (EAST) has reported that skimming losses relating to the usage of stolen European card data outside Europe have risen to the highest level seen since 2008.
EAST reported a 19% increase in ATM related fraud attacks, up from 15,702 to 18,738 in 2015. This increase was mainly driven by a significant rise in Transaction Reversal Fraud (TRF) attacks (up from 160 to 5,104) and a smaller rise in card trapping attacks (up from 5,298 to 6,352). TRF is possible in the EMV environment and trapped cards can be used (if the PIN has also been compromised). 4,131 card skimming incidents were reported, down 27% from 5,631 in 2014.
Losses due to ATM related fraud attacks were up 17% when compared with 2014 (up from €280 million to €327million). This rise was largely driven by a 15% rise in international skimming losses (up from €238 million to €274 million). The USA and the Asia-Pacific region are where the majority of such losses were reported. Domestic skimming losses rose 19% over the same period (up from €37 million to €44 million).
EAST Executive Director Lachlan Gunn said, "While regional card blocking, often known as geo-blocking, is effective at minimising international skimming losses when implemented, the continued rise of such losses is of concern to Europe. EAST is now working closely with Europol to increase awareness among experts in Asia-Pacific and the Americas about all types of non-cash means of payment, including card skimming, ATM malware, internet fraud and eCommerce fraud. Most recently we supported the Second Strategic Meeting on Payment Card Fraud. This event, which was organised by Europol’s European Cybercrime Centre (EC3) in Kuala Lumpur on 22-23 March 2016, provided the regional law enforcement community with a comprehensive overview of the ATM fraud and its migration to Asia, and the focus is now to establish a cross-regional network to assist international investigations."
ATM related physical attacks rose by 34% when compared with 2014 (up from 1,980 to 2,657 incidents). This is partly explained by a 9% increase in reported solid explosive and explosive gas attacks. 673 such attacks were reported, up from 619 in 2014. Nine countries reported such attacks, four of them countries with more than 40,000 ATMs installed. The number of reported robberies also increased, up from 60 in 2014 to 838 in 2015. This rise is partly due to the fact that more countries are now apply to provide such data.
Losses due to ATM related physical attacks rose 81% to €49 million (up from €27 million in 2014). The average cash loss for ram raids/ATM burglary was €17,830 per incident, and the average cash loss for an explosive or gas attack is €15,602 per incident. While around 40% of such attacks do not result in cash loss, collateral damage to equipment and buildings can be significant.
In 2014 EAST began to collect statistics for ATM Malware after the first incidents were reported in Western Europe. 15 incidents were reported in 2015, down from 51 in 2014. These were all ‘cash out’ or ‘jackpotting’ attacks. Related losses of €743,000 were reported, down from €1.23 million in 2014.
To counter the malware threat, the EAST Expert Group on ATM Fraud (EGAF) worked with the European Cybercrime Centre (EC3) at Europol to create ‘Guidance & recommendations regarding logical attacks on ATMs’, a document published by Europol in June 2015.