41st EAST Meeting hosted by Bits AS in Norway

EAST National Members - badgeThe 41st Meeting of EAST National Members was hosted by Bits AS in Oslo, Norway on 8th February 2017.  National country crime updates were provided by 24 countries, and a global update by HSBC. Europol, the Norwegian Police and the Bundeskriminalamt (BKA) attended the meeting.

EAST Fraud Update 1-2017 will be produced later this month, based on the updates provided at the meeting.  EAST Fraud Updates are available on the EAST Website to EAST Members.

The 42nd Meeting of EAST National Members will be held on 7th June 2017 in The Hague.  This will be immediately followed by the 3rd EAST Financial Crime & Security (FCS) Forum on 8th/9th June 2017, also in The Hague.  While this is an open event, places are limited.  Interested? Check out the Agenda and register now to secure your place.

CDC Device Location Terminology and ATM Fraud Definitions

Terminology for locations of CDC Devices at ATMs and ATM Fraud DefinitionsThe EAST Expert Group on ATM Fraud (EGAF) has updated its guidelines on standardising terminology for locations of Card Data Compromise (CDC) devices at ATMs and also the definitions used to report and classify ATM fraud.  The new information can be found on the EAST website on the pages Terminology for locations of CDC Devices at ATMs and ATM Crime Definitions.  EAST has made this information publicly available to promote the usage of both the location terminology and the ATM fraud definitions worldwide, in order to assist the industry and law enforcement agencies to consistently classify all CDC devices, and to standardise definitions used when reporting ATM crime.

The document ‘Standardisation of Terminology for locations of Card Data Compromise devices at ATMs’ has been updated; a  new location has been added – D3. Card Reader Internal Skimming Device – and several other minor amendments have also been made.  This terminology is used in all EAST ATM Fraud Alerts and Fraud Updates and anyone in the industry or law enforcement finding a CDC device at an ATM is encouraged to use the terminology when making a report.  The document is available for download on the EAST Intranet to EAST members (National and Associate),

EAST EGAF will host a breakout session on Day One of the EAST Financial Crime and Security (FCS) Forum which will be held in The Hague on 8th/9th June 2017.

ATM Malware Criminals Apprehended

Five members of an international organised criminal group (OCG) have been arrested and three of them convicted so far as a result of a complex operation led by law enforcement agencies from Europe and Asia, with the active support of Europol’s European Cybercrime Centre (EC3).  One arrest was made by the Romanian National Police, three arrests by the Taiwanese Criminal Investigation Bureau and one arrest by the Belarusian Central Office of the Investigative Committee.  EC3 assisted the investigation by providing analytical support, organising operational meetings in Europe and Asia as well as analysing the seized data/ equipment.

This OCG is responsible for carrying out highly-sophisticated ATM malware attacks against bank ATMs, which were made to dispense all the money they contained (known as cash-out or jackpotting).  The modus operandi employed was highly sophisticated and involved:

  • spear-phishing emails with attachments containing malicious programmes,
  • penetration of the banks’ internal networks,
  • compromising and controlling the network of ATMs,
  • special computer programmes which deleted most of the traces of the criminal activity, etc.

Related losses suffered by the affected banks are estimated at around EUR 3 million. In some cases, after the cashing-out, the stolen money was partially recovered from the criminals.

EC3A key factor for the successful dismantling of this international cybercrime syndicate was close police cooperation on the global level and deep involvement of the Europol Liaison Office at the INTERPOL Global Complex for Innovation (IGCI).

Steven Wilson, Head of EC3, said: “The majority of cybercrimes have an international dimension, taking into account the origins of suspects and places where crimes are committed. Only through a coordinated approach at the global level between law enforcement agencies can we successfully track down the criminal networks behind such large-scale frauds and bring them to justice.”  Mr Wilson will give the keynote address at the EAST Financial Crime and Security Forum which will be held in The Hague on 8th/9th June 2017.

To further strengthen international police cooperation the Third Strategic Meeting on Payment Card Fraud (PCF) was held last month at the Electronic Transactions Development Agency (ETDA) in Bangkok, Thailand.

Europol, working with the EAST Expert Group on ATM Fraud (EGAF), has published guidelines to help industry and law enforcement counter the threat presented by ATM logical and malware attacks.

EAST gains representation from Indonesia

Fraud Banking Investigation Halo BCA, PT Bank Central Asia, Tbk. (BCA) has just joined EAST as the National Member for Indonesia.  While EAST is focused on the Single Euro Payments Area (SEPA), BCA will participate as a non-SEPA member.  BCA deploys over 17,000 ATMs.

Since it was established in 1957, BCA has continued to grow. This has been the result of the dedicated teamwork of every single employee and the unflagging support of customers. In line with the commitment to be “Always by Your Side”, BCA continues to strive to earn the trust, and live up to the expectations, of all the Bank’s customers and other stakeholders in its drive to continue to achieve ongoing growth.

EAST has national representation from the following 26 European countries:  Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Liechtenstein, Luxembourg, Netherlands, Norway, Malta, Poland, Portugal, Romania, Slovakia, Spain, Sweden, Switzerland, United Kingdom.  EAST is still seeking national representative members from:  Estonia, Iceland, Latvia, Lithuania and Slovenia.

Brazil, Canada, Indonesia, Russia, Serbia, South Africa, Turkey, Ukraine and the United States are represented at EAST as non-SEPA members and EAST is seeking to establish links with parties in any country, able to share national incident and loss statistics for ATM related fraud and physical attacks.  Interested parties should contact us through this website.

EAST EGAF holds 12th Meeting

The EAST Expert Group on ATM FraudThe Twelfth Meeting of the EAST Expert Group on ATM Fraud (EAST EGAF) took place on Wednesday 18th January 2017 at ING Domestic Bank in Amsterdam.

EAST EGAF is a regional expert group that focuses on regional and global ATM crime and fraud related issues, threats and counter-measures.

The meeting was chaired by Mr Otto de Jong and was attended by key representatives from ATM Deployers, ATM Networks, ATM Vendors, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts.

The Group, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on ATM Skimming, ATM Card Trapping, ATM Cash Trapping, ATM Reversal Fraud and ATM Logical Fraud.

The focus of the Group is on topics and issues raised by EAST National Members, which represent 34 countries with a total deployment of 1,332,228 ATMs. Outputs from the group are presented to all meetings of EAST National Members.

In addition EAST EGAF generates EAST ATM Fraud Alerts for all EAST Members (National and Associate). In total 127 EAST ATM Fraud Alerts have been issued, 3 to date in 2017.

Head of EC3 will give Keynote Address at EAST FCS 2017

Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3) will give the keynote address at the EAST Financial Crime and Security Forum (EAST FCS 2017) which will be held in The Hague on 8th/9th June 2017.

Europol set up EC3 in 2013 to strengthen the law enforcement response to cybercrime in the EU and thus to help protect European citizens, businesses and governments from online crime.

Cybercrime is a wide and varied problem and the EC3 is a key part of Europol’s, and the EU’s, response.  EC3 takes a three-pronged approach to the fight against cybercrime: forensics, strategy and operations.

EC3 recognises the severity of the threat presented by ATM logical and malware attacks and has prepared security guidelines regarding this new cyber threat to ATMs.  The production of this document was coordinated by the EAST Expert Group on ATM Fraud (EGAF), and is the first of its kind.  Versions are now available in English, German, Italian and Spanish.

Europol is actively developing international cooperation on combating payment fraud, which is one of the EU priorities within the EU Policy Cycle 2014-2017 for organised crime and serious international crime as endorsed by the Council of the EU.  As part of this EC3 has consistently undertaken a proactive approach, assisting EU law enforcement authorities (LEAs) to combat payment card fraud.  On 13th / 14th December 2016, EC3, together with ASEANAPOL and INTERPOL, and with the support of the Romanian National Police and the Royal Thai Police, organised the Third Strategic Meeting on Payment Card Fraud (PCF) in Bangkok Thailand.

Speaker Spotlight

Steven Wilson - EAST FCS 2017

In January 2016 Steven Wilson became the Head of EC3.

Prior to that he served for 30 years with Police Scotland, which included roles with Strathclyde Police, Scottish Crime and Drug Enforcement Agency and Her Majesty’s Inspectorate of Constabulary.  He has worked in a wide range of Senior Detective roles including major investigations, counter terrorism, covert policing, management of sex offenders, fugitives and witness protection.  He had responsibility for all aspects of cyber and cyber enabled crime in Scotland and sat on government, industry and academic groups.  He also represented Scotland on UK national and European cyber groups.

Book soon to ensure you don’t miss your opportunity to attend the event. Places are limited and registration priority will be given to EAST Members, National and Associate.  The early-bird registration discount will expire on Monday 16th January 2017.

Viewpoint: What is the highest risk for card-based payment transactions?

In a website research poll that ran from September to December 2016 cardholders were asked, in a card present scenario, which type of transaction they felt is least secure.  31% of respondents answered ‘using an ATM’, 29% ‘using a mobile phone’, 26% ‘using a retail payment terminal’ and 14% ‘using contactless technology’.  The poll results can be seen in the chart below.

Most people make card-based payment transactions on a regular basis.  When doing so trust in the security of the transaction is vital.  The industry consistently works to ensure that this trust is not-misplaced by monitoring transactions and by putting effective security measures in place.

That being said criminals continue to work at finding weak points in current security measures and in developing new ways to fraudulently obtain cash.  This results in ‘technology chase’ as both sides react to the actions of the other.

How safe you feel as a cardholder when making a card-based payment transaction is of paramount concern to the industry.  The EAST Payments Task Force (EPTF) is currently focusing on payment research.

The current website research poll, which closes at the end of April, is also on payment security and asks those who have had a payment card compromised for information on where the compromise took place.  To take it, and to see all past results, visit the ATM Research Page on this website.

Viewpoint: Are mobile phone payments safe?

The EAST Payments Task Force (EPTF) is currently focusing on payment research. In a website research poll on mobile phone payments that ran from May to August 2016 the question ‘Are you satisfied your payment details are safe when buying goods or services using your mobile phone?’ was asked.  58% of respondents were not satisfied, 28% were satisfied and 14% were completely satisfied.  The poll results can be seen in the chart below.

There are currently more than 7.8 billion mobile phones in use around the world. With the number of phones in operation now exceeding the number of people on the planet, banks and stores are using this facility to reach their customers and see the saturation of mobile phones as an opportunity to make the consumer payment experience a convenient and seamless one.

Consumers can now use NFC technology on their smart phone to make contactless payments in stores and to pay for goods and services using in-app payment tools or directly using the internet browser on the phone.

In making payments easier to manage and more accessible for consumers, there is an underlying risk that access to that information is also made easier for the criminal element, aiming to capture the payment data used by unsuspecting consumers.

While the industry continues to build solutions and barriers to this criminal activity the EPTF is examining consumer behaviour and this poll result is an indication of how consumers view the safety of their payment details when using mobile phones to pay for goods and services.

The current website research poll, which closes at the end of April, is also on payment security and asks those who have had a payment card compromised for information on where the compromise took place.  To take it, and to see all past results, visit the ATM Research Page on this website.

Message from the Executive Director

Another year is almost over.  On behalf of the Board I would like to thank all those who have worked so hard to provide information, time and resources to help us to meet our targets and objectives.  Some of the highlights are as follows:

EAST National Members - badgeWe held National Member meetings in Stockholm in February (our 38th Meeting co-hosted by Bankomat AB and the Pan-Nordic Card Association), in The Hague in June (our 39th Meeting hosted by Europol) and in Bucharest in October (our 40th Meeting hosted by the Romanian Banking Association – ARB).  In January The Polish Bank Association (ZBP) joined EAST as the new National Member for Poland, taking over from Bank Zachodni WBK.
The EAST Expert Group on ATM Fraud - Logo

The EAST Expert Group on ATM Fraud (EGAF), chaired by Otto de Jong, held three meetings in January, May and September, all hosted by ING in Amsterdam.  EGAF members assisted Europol to translate the co-produced document ‘Guidance & recommendations regarding logical attacks on ATMs’ into German, Italian and Spanish.

The EAST Expert Group on ATM Physical Attacks - LogoThe EAST Expert Group on ATM Physical Attacks (EGAP), chaired by Graham Mott, held two meetings in March and September, both hosted by the LINK Scheme in London.  In February EGAP published a document entitled ‘ATM Physical Security Guidelines’ and in October a document with lists of the Manufacturers of ATM Protective devices.

The EAST Payments Task Force (EPTF), chaired by Rui Carvalho, continues to come together.  EAST has expanded its remit beyond ATMs to include all terminal types and the EAST focus is increasingly moving to Card Not Present (CNP) fraud issues which continue to rise.  A series of teleconferences have been held and the first face-to-face meeting is planned for 2017.

In March EAST supported Europol and represented the private sector at the Second Strategic Meeting on Payment Card Fraud (PCF) in Kuala Lumpur, Malaysia.  I participated in this two day meeting which was co-organised with ASEANAPOL, with the cooperation of INTERPOL and the support of the Romanian National Police and the Royal Malaysian Police.

In May EAST joined forces with the Latin American Association of Operators Electronic Funds Transfer and Information Services (ATEFI) in order to further strengthen cross border cooperation in combating all types of payment crime including payment card fraud, hi-tech crime and ATM cyber and physical attacks.

In June Úna Dillon presented at the 2nd Europol Training Course on Payment Card Fraud Forensics and Investigations, which was held at the National Spanish Police Academy, Ávila, Spain, and at the 37th member meeting of the European Association of Payment Service Providers for Merchants (EPSM), which was held in Dublin, Ireland.

In August Rui Carvalho presented at the SAS Fraud & Security Intelligence Customer Connect event held in the USA at the SAS World Headquarters in Cary, North Carolina.    .

In December I presented on behalf of the private sector at the Third Strategic Meeting on Payment Card Fraud (PCF) organised by Europol in Bangkok, Thailand.  The event was co-organised with ASEANAPOL and INTERPOL with the support of the Romanian National Police and the Royal Thai Police, and was hosted by the Electronic Transactions Development Agency (ETDA), and the Ministry of Digital Economy and Society.

EAST continues to keep abreast of the latest fraud trends and crime information, publishing our European ATM Crime Reports and European Fraud Updates.  Our thanks go out to all the people and organisations that have shared information for the above, and for EAST ATM Fraud Alerts (49 sent out this year to date), and EAST ATM Physical Attack Alerts (3 sent out this year to date).

EAST Associate Members - badgeEAST Associate Membership continues to grow  both numerically and geographically.  We currently have 168 Associate Member organisations from 51 countries and territories. This membership category is open for worldwide application to all Banks, Law Enforcement (free membership available), and other approved ATM Stakeholder organisations

Lastly, registration is now open for our third Financial Crime and Security (FCS) Forum, EAST FCS 2017, which will be held on 8th/9th June 2017 in The Hague.  This event has an exciting new format which will include breakout sessions hosted by both EGAF and EGAP.  As I write early-bird registration discounts are still available.  It would be wonderful to meet you there.

On behalf of EAST, I would like to wish all readers a wonderful festive break and a very happy and fulfilling New Year.

Kind regards

Lachlan

Don’t miss the early registration discount for EAST FCS 2017

EAST FCS 2017

Registration is underway for the EAST Financial Crime & Security 2017 conference (EAST FCS 2017) which takes place at the Grand Hotel Amrâth Kurhaus in Scheveningen, The Hague, Netherlands on 8th / 9th June 2017.

This year the aim is to increase the networking opportunities as well as to provide the most up to date information on ATM security threats, fraud trends, solutions, best practices and the benefits of collaboration with local law enforcement agencies. We will also run several workshops where you can brainstorm together with senior executives from across the globe.

EAST FCS 2015 DelegatesWe have gathered some of the best known and expert speakers from all over the world including from Interpol (Asia), ATEFI (La Asociación Latinoamericana de Operadores de Servicios de Transferencia Electrónica de Fondos e Información   / The Latin American Association of Operators of Electronic Funds Transfer and Information Services), Banorte, U.S. Secret Service, MMA Russia, Citbank plus our esteemed colleagues who chair the EAST Expert Groups on Physical Attacks and Fraud; and many more. A fantastic line-up with plenty of time between sessions to meet with industry peers to discuss shared interests.

Places are limited so be sure to get in before the early bird discount deadline ends on 16th January 2017. To avoid missing out on your place at this prestigious industry event find our registration page here.

If you plan to stay at the venue, be sure to book the hotel during your FCS registration. We have negotiated an excellent rate with the Kurhaus which can be obtained by using the code E16ATM10ST16 under the ‘Group Code’ option on the hotel’s booking page.

This year we have also introduced a networking gala dinner. For only €30 on top of your registration fee, this is a great opportunity to build your network and grow your collection of global contacts. It takes place after Day One, on the evening of 8th June. The hotel promises an excellent dining experience and possibly even a table or two outside, weather permitting!

For relevant solution providers we have a few remaining sponsorship opportunities available. See here for more details on the best ways to reach your target market at this event.

For more overall details on EAST FCS 2017, please see the event’s page on our website.