The European Association for Secure Transactions (EAST) has just published its first European Fraud Update for 2018.
This is based on country crime updates given by representatives of 18 countries in the Single Euro Payments Area (SEPA), and 4 non-SEPA countries, at the 44th EAST meeting held in Frankfurt on 7th February 2018.
Payment fraud issues were reported by fifteen countries. Seven countries reported increases in card-not-present (CNP) fraud related to ecommerce merchants in China. Phishing activity was reported by four countries and one of them reported phishing attacks through advertisements placed on social media sites. The EAST Payments Task Force (EPTF) issued a first Payment Alert in January 2018. This covered a phishing email sent to employees of banking and financial institutions, which contained malware intended to exploit the local network and gain access to Swift services.
ATM malware and logical security attacks were reported by ten countries. Five of the countries reported ATM related malware and one country reported the first successful Cutlet Maker cash-out attack in Western Europe. To date in 2018 the EAST Expert Group on All Terminal Fraud (EGAF) has published two related Fraud Alerts. Seven countries reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash. To help counter these threats Europol, supported by EAST EGAF, has published a document entitled ‘Guidance and Recommendations regarding Logical attacks on ATMs’. It covers mitigating the risk, setting up lines of defence and identifying and responding to logical attacks. This is available in four languages: English, German, Italian and Spanish.
Card skimming at ATMs was reported by sixteen countries. The usage of M3 - Card Reader Internal Skimming devices is most prevalent. This type of device is placed at various locations inside the motorised card reader behind the shutter. Five countries reported such attacks. Skimming attacks on other terminal types were reported by five countries, all of which reported such attacks on unattended payment terminals (UPTs) at petrol stations. One country also reported the use of card shimming devices at POS terminals. To date in 2018 EAST EGAF has published three related Fraud Alerts.
Year to date International skimming related losses were reported in 40 countries and territories outside SEPA and in 7 within SEPA. The top three locations where such losses were reported remain the USA, Indonesia and India.
Five countries reported incidents of Transaction Reversal Fraud (TRF). Two countries reported a continued increase in such attacks and two countries reported new modus-operandi. To date in 2018 EAST EGAF has published two related Fraud Alerts.
Ram raids and ATM burglary were reported by ten countries and, to date in 2018, the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published one related ATM Physical Attack Alert. Eight countries reported explosive gas attacks and six countries reported solid explosive attacks. The spread of such attacks is of increasing concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.