IOCTA 2015

In 2013, the number of payment cards issued in the EU reached approximately 760 million, representing approximately 1.5 payment cards per capita, while the number of transactions reached EUR 43.6 billion averaging at almost EUR 50 per transaction[1]. The growing proportion of non-cash payments has encouraged an arms race between new attack methods devised by entrepreneurial cybercriminals and the countermeasures and security features implemented by the card industry to protect their customers and business.

In 2013, the total value of fraudulent transactions conducted using cards issued within SEPA[2] reached EUR 1.44 billion, representing a growth of 8% on the previous year. The growth was driven by a 20.6% increase in card-not-present (CNP) fraud. Of the total fraud value, 66% of value resulted from CNP payments, 20% from point-of-sale (PoS) transactions and 14% from transactions at ATMs[3].

Skimming

In the last year, only three Member States indicated an increase in the number of investigations into the skimming of payment cards at ATMs. All three instances related to Eastern European countries while in Western Europe the trend has either plateaued or is in decline. Overall, both PoS skimming and attacks via PoS network intrusion are in downturn across the majority of jurisdictions.

Skimmers continue to refine their tools with notable developments in miniaturisation and concealment techniques. Skimming devices are now often sufficiently small that they can be embedded inside the card readers, rendering them invisible to users.

Although ATM-related fraud incidents within the EU decreased by 26% in 2014, overall losses were up 13%[4]. This is mainly due to the cashing out of compromised cards in jurisdictions outside of the EU where EMV (chip and PIN) protection has not yet been fully implemented, mainly the Americas and Southeast Asia - Indonesia and the Philippines in particular. Some OCGs set up permanent bases in these locations to facilitate their activities[5].

In 2014, EU-funded Project Sandpiper resulted in 59 arrests in addition to the disruption of five organised crime groups exploiting electronic payments. Over 50 000 compromised cards were recovered, worth over EUR 30 million. The project involved UK and Romanian law enforcement and was supported by Europol's EC3.

  4. European ATM Security Team (EAST), European ATM Crime Report, 2015
  5. Input provided by FP Terminal

ATM malware

There are several common malware-focused methods for attacking ATMs[6]:

  • Software skimming malware, once installed on the ATM PC, allows the attacker to intercept card and PIN data at the ATM;
  • Jackpotting is a technique which uses malware to take control of an ATM PC in order to direct the cash dispenser to dispense money;
  • Black Boxing is a Jackpotting variant where the attacker uses their own PC to communicate with the cash dispenser to direct it to dispense cash;
  • Man-in-the-Middle attacks manipulate communication between the ATM PC and the merchant acquirer’s host system and can, for example, trigger requests to withdraw money without debiting the card account. The malware must however be present in a high software layer of the ATM PC or within the acquirer's network.

Many of these attacks can potentially be prevented through a mix of security/technical measures such as securing the BIOS, disabling booting from external drives, hardening the OS or equipping ATMs with alarm systems. Non-technical mitigation methods include limiting physical access to ATMs, surveillance and more frequent refilling cycles[7].
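Beyond the preventive measures above, a detective control that catches all three payout-oriented attack patterns is to reconcile every cash-dispense event recorded on the ATM against the acquirer host's approved debits. The Python below is an added example, not part of the IOCTA report or of any vendor's software; the log formats, field names and sample lines are constructed assumptions.

```python
from collections import namedtuple

Dispense = namedtuple("Dispense", "ts atm_id session_id amount_cents")
HostDebit = namedtuple("HostDebit", "ts atm_id session_id amount_cents status")

# Constructed sample logs (assumed CSV-style format, not a real vendor format):
# ATM side records what the dispenser paid out; host side records debit decisions.
ATM_DISPENSE_LOG = [
    "2015-06-01T10:00:05,ATM-01,S001,20000",
    "2015-06-01T10:05:10,ATM-01,S002,50000",
    "2015-06-01T10:07:00,ATM-02,-,100000",
    "2015-06-01T10:09:30,ATM-01,S003,40000",
]
HOST_DEBIT_LOG = [
    "2015-06-01T10:00:03,ATM-01,S001,20000,APPROVED",
    "2015-06-01T10:05:08,ATM-01,S002,50000,DECLINED",
    "2015-06-01T10:09:28,ATM-01,S003,20000,APPROVED",
]

def parse(lines, record_type):
    """Split the constructed log lines into typed records (amount as int cents)."""
    records = []
    for line in lines:
        fields = line.split(",")
        fields[3] = int(fields[3])  # amount_cents is field 3 in both formats
        records.append(record_type(*fields))
    return records

def reconcile(dispenses, debits):
    """Return (atm_id, session_id, reason) for each payout lacking a matching approved debit."""
    by_key = {(d.atm_id, d.session_id): d for d in debits}
    findings = []
    for disp in dispenses:
        host = by_key.get((disp.atm_id, disp.session_id))
        if host is None:
            # Cash left the dispenser with no host transaction at all: the
            # footprint of jackpotting or a black box driving the dispenser.
            findings.append((disp.atm_id, disp.session_id, "no_host_record"))
        elif host.status != "APPROVED":
            # Host declined yet the ATM paid out: consistent with a manipulated
            # response on the ATM-to-acquirer channel (man-in-the-middle).
            findings.append((disp.atm_id, disp.session_id, "dispensed_without_approval"))
        elif host.amount_cents != disp.amount_cents:
            findings.append((disp.atm_id, disp.session_id, "amount_mismatch"))
    return findings

if __name__ == "__main__":
    for finding in reconcile(parse(ATM_DISPENSE_LOG, Dispense), parse(HOST_DEBIT_LOG, HostDebit)):
        print(finding)
```

In production the join would also need a time window and handling of reversals, but the core signal is the same: money dispensed that the host never approved.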

  6. Europol, Guidance and Recommendations regarding Logical Attacks on ATMs, 2015
  7. Europol, Guidance and Recommendations regarding Logical Attacks on ATMs, 2015

Card-not-present (CNP) fraud

Payment card data are actively traded on criminal marketplaces and automated card shops. Bulk card data can be purchased cheaply, allowing re-sellers to profit from redistributing the card data in smaller, more refined batches. ‘End users’ of compromised card data (i.e. those committing CNP fraud) can purchase high value products and use criminal drop and reshipping services to receive their fraudulently obtained goods. These can then either be retained for personal use or monetised via buy-and-sell websites. In some cases this process is carried out by highly organised and experienced groups.

The majority of Member States have witnessed a shift towards CNP fraud as a result of the availability of compromised payment card details stemming from data breaches, social engineering attacks and data stealing malware. Another push towards online fraud is the success of law enforcement in targeting OCGs involved in card-present (CP) fraud, as well as the implementation of effective measures against CP fraud by the financial industry, including EMV, anti-skimming ATM slots and geoblocking.

According to card scheme operators Visa and Mastercard, 67%[8] and 69%[9] of losses respectively in 2014 occurred as a result of CNP fraud, including online, postal and telephone orders. Often, however, incidents are reported at a local level, with crime data not collated at a national level. Moreover, if this is not then shared at an international level, linking related crimes across multiple jurisdictions in order to initiate coordinated international investigations becomes problematic.

Following the successful Airline Action Days operations supported by EC3, Hellas (Greece) has implemented a national initiative to fight airline fraud on an ongoing basis and in close cooperation with airline companies, travel agencies and international airports. Notifications on possible fraudulent transactions using payment cards are channelled through the Cyber Crime Division of the Hellenic Police where they are collated and analysed, leading to the arrest of fraudsters at the boarding gate. The measures have proved to be highly effective; of the suspects identified via a fraud notification, 52% have been arrested, 35% did not show up at the airport and 13% made their flight because no fraud was confirmed.

Proper implementation of 3D Secure[10] and rigid internal anti-fraud procedures could mitigate this threat to some degree. However, some merchants, fearing the loss of customers who dislike having their shopping experience complicated, have instead demonstrated a preference to absorb the losses and invested little effort into tackling online fraud through implementing fraud screening technologies and secure e-commerce solutions.

  8. Visa Europe 2014 Annual Report, http://annualreport.visaeurope.com/Risk-management/index.html, 2015
  9. Data provided to EC3 by MasterCard, 2015
  10. 3D Secure is an online fraud prevention measure familiar through Verified by Visa or MasterCard SecureCode

Future threats and developments

The use of 3D printing to produce customised skimmers has already been documented in five EU countries and we are likely to see a progressive development in this area. The ATM skimming devices that used to be produced and distributed within organised crime groups are now traded on legitimate buy-and-sell websites, increasing their availability and convenience for the criminal customers. 3D printing will further lower the bar of entry into the crime, as offenders will increasingly trade schematics for the devices or share these on P2P networks.

The migration to EMV technology in the USA is expected to occur in autumn 2015, as merchants will be liable for losses from 1 October 2015. Similar initiatives are scheduled over the next two years in many other countries where criminals take advantage of a lack of EMV technology to abuse compromised cards. This is expected to lead to a significant decrease in skimming.

While there has been a lot of discussion regarding the security of emerging mobile and contactless payments, their rapid growth has not yet led to a notable increase in related fraud. According to Visa Europe, the fraud-to-sales ratio for contactless transactions remains at 0.01%[11]. This is mirrored by law enforcement experience across Europe, with almost all Member States assessing the current threat level for mobile and contactless payment fraud as low to non-existent. However, as EMV technology is further adopted globally and options for card-present fraud diminish, we can perhaps expect growth in this area of fraud.

Several ATM manufacturers have previously proposed fingerprint and face recognition systems on ATMs in order to increase ATM security. Earlier this year, the world’s first fully functional ATM equipped with facial recognition was unveiled in China, with biometric authentication based on facial feature and iris recognition[12]. Whether this turns out to be a failure or a milestone in the development of ATM authentication remains to be seen.

Successful initiatives that bring together law enforcement and the private sector in order to combat industry related threats and often previously under-represented crime areas are becoming increasingly common and growing in impetus. As such initiatives expand in scope and scale, law enforcement will require increased capacity to deal with what is already a high volume crime.

Europol's e-Commerce initiative brings together stakeholders in e-Commerce, law enforcement, logistics companies and payment card schemes in a collaborative effort to identify, arrest and prosecute the most prolific criminals involved in using compromised payment cards for fraudulent online purchases and those involved in the receipt and reshipping of fraudulently obtained goods.

Recommendations

  • Law enforcement should seek to actively engage in multi-stakeholder initiatives such as Europol's Airline Action Days and E-commerce initiative in order to combat payment fraud in their jurisdiction.
  • EU Member States should take advantage of the Europol Malware Analysis System (EMAS) by submitting samples of ATM and PoS malware in order to cross-reference them against those supplied by other Member States, and identify potential links to ongoing investigations.
  • To mitigate the risk of ATM malware attacks, law enforcement should promote Europol’s ‘Guidance and Recommendations regarding Logical Attacks on ATMs’, at a national and international level, to banking and payments industry contacts.
  • To combat the sale and abuse of compromised card data, law enforcement should focus on targets either running carding websites or active traders on those sites, particularly those who offer large numbers of recently compromised cards and have a long and successful transaction history.
  • A concerted effort is required to collate data at a national and international level in order to identify the activity of OCGs involved in multi-jurisdictional payment card fraud.
  • Law enforcement requires a common secure channel through which they can pass details of compromised card and account details discovered through the course of their investigations to partners in financial institutions and payment card schemes in order to prevent their subsequent use in fraud.
  • Law enforcement should engage with providers of content sharing websites abused by criminals to sell or distribute compromised card data, to promote automated mechanisms for the removal of criminal content[13].
  • Law enforcement requires the tools, training and resources to deal with high volume crimes such as payment card fraud.
  • Following the adoption of EMV technology in previously non-compliant jurisdictions, law enforcement and the payment industry should work together in order to predict where card-present fraud will migrate to and try to ensure that adequate prevention measures are in place.
  1. European Central Bank: Payment Statistics for 2013, https://www.ecb.europa.eu/press/pdf/pis/pis2013.pdf, 2014
  2. As of July 2015, SEPA consists of all 28 EU MS as well as Iceland, Liechtenstein, Monaco, Norway, San Marino and Switzerland
  3. European Central Bank: Fourth Report on Card Fraud, https://www.ecb.europa.eu/pub/pdf/other/4th_card_fraud_report.en.pdf, 2015
  13. Lenny Zeltser, The Use of Pastebin for Sharing Stolen Data, https://zeltser.com/pastebin-used-for-sharing-stolen-data, 2015