IOCTA 2016

Despite facing competition from instant payments based on the SEPA credit transfer, non-bank payment institutions and relatively low, yet gradually increasing adoption of virtual currencies, payment cards remain a very popular payment method [51]. In 2014, the number of payment card transactions including debit and credit cards rose by 8.8% to 47.5 billion, with a total value of €2.4 trillion [52], while other payment services including credit transfers, direct debits or cheques remained stable or decreased.

As many as 85% of internet users feel that the risk of becoming a victim of cybercrime is increasing [53]. The increases in both actual crimes and the perceived risk of potential crime cause significant costs to the EU economy, both in direct costs and in lost opportunities.

Key threat - Card-present fraud

While skimming still represents a major threat, it was reported to be in a downturn in the majority of jurisdictions, with no EU Member States experiencing an increase in the number of investigations last year.

EMV (Chip and PIN) compliance has reached almost 100% across the EU, which prevents card-present fraud from becoming a more significant issue. Increasingly efficient prevention measures have gradually forced criminals to adapt and migrate their ‘cash out’ operations to non-EMV compliant jurisdictions. Skimmed data is mostly uploaded to blank cards and cashed out overseas, mainly by OCGs having a permanent presence in the Americas and South East Asia, with the USA, Indonesia and Philippines identified as the top three destinations. Skimming losses relating to the usage of compromised European card data outside Europe have risen to the highest level seen since 2008 [54]. This geographical displacement has had negative repercussions for EU law enforcement as it is often more complex and slower to obtain evidence.

However, card-present fraud can also be bi-directional in nature as demonstrated by several OCGs, which send their members to EU countries in order to purchase high value goods with forged cards using compromised details harvested overseas.

The abuse of cards overseas can be effectively mitigated by geoblocking [55], as evidenced in the countries where the majority of issuers put this into practice. However, geoblocking is far from being universally applied and consequently criminals may still abuse cards issued by non-compliant entities.

Several Member States reported other forms of card-present fraud, including shoulder surfing or card- and cash-trapping, as a recurring issue. However, the general impact of the crime as well as the overall trends have a decreasing tendency throughout Europe.
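An added illustration of the geoblocking control described above (not part of the original report): a default-deny issuer rule with a cardholder travel opt-in. The home region, the travel-window model, the decision labels and the sample requests are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date

# Assumption: countries where the card works by default (ISO 3166-1 alpha-2).
HOME_REGION = frozenset({"NL", "BE", "DE", "FR"})

@dataclass(frozen=True)
class TravelWindow:
    """Cardholder opt-in that lifts the block for some countries and dates."""
    countries: frozenset
    start: date
    end: date
    allow_magstripe: bool = False  # needed only where terminals lack EMV

@dataclass(frozen=True)
class AuthRequest:
    country: str       # country of the ATM or terminal
    entry_mode: str    # "chip" or "magstripe"
    when: date

def geoblock_decision(req, windows=(), home=HOME_REGION):
    """Return the issuer's decision for one authorisation request."""
    if req.country in home:
        return "APPROVE"
    for w in windows:
        if req.country in w.countries and w.start <= req.when <= w.end:
            if req.entry_mode == "magstripe" and not w.allow_magstripe:
                return "DECLINE_MAGSTRIPE"
            return "APPROVE"
    return "DECLINE_GEOBLOCKED"  # default deny outside the home region

# Constructed sample: the cardholder enabled the USA for one week in June.
WINDOWS = (TravelWindow(frozenset({"US"}), date(2016, 6, 1), date(2016, 6, 7)),)
SAMPLE = [
    AuthRequest("NL", "chip", date(2016, 6, 3)),       # home use
    AuthRequest("US", "chip", date(2016, 6, 3)),       # opted-in travel
    AuthRequest("US", "magstripe", date(2016, 6, 3)),  # stripe read, not enabled
    AuthRequest("ID", "magstripe", date(2016, 6, 3)),  # country never enabled
    AuthRequest("US", "chip", date(2016, 6, 9)),       # window expired
]

def decide_all(requests=SAMPLE, windows=WINDOWS):
    """Apply the rule to every request and return the decisions in order."""
    return [geoblock_decision(r, windows) for r in requests]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE, decide_all()):
        print(req.country, req.entry_mode, req.when, verdict)
```

The rule only protects cards whose issuer applies it, which is the gap the paragraph above points out for non-compliant entities.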

Deep insert skimming attacks

As anti-skimming protection gets more efficient, criminals adapt their attack approaches. Standard ATM skimming protection and detection measures can be circumvented through the use of deep insert skimmers that are invisible to the users of the machine. Both law enforcement and ATM manufacturers across Europe have reported the discovery of such devices [56]. This threat may be partially mitigated through the application of an ATM firmware update with a version that detects insertion of deep insert devices. However, adoption of this protection measure is not a simple task as there are 411 243 ATMs throughout Europe as of 2015 [57].

[Figure: Stages of organised ATM skimming]

  [54] European ATM Security Team (EAST), Card Skimming Losses Continue to Rise Outside Europe, 2016
  [55] Geoblocking is the practice of restricting access or use - in this case the use of payment cards - to specific geographic regions.
  [56] NCR, Expansion of Deep Insert Skimming Attacks: http://www.ncr.com/wp-content/uploads/NCR-Security-Alert-2016-05-Expansion-of-Deep-Insert-Skimming-Attacks.pdf, 2016
  [57] European ATM Security Team (EAST), ATM in Europe, 2016

Key threat - ATM malware

The emergence and proliferation of ATM malware is a reminder that OCGs are developing new criminal opportunities by constantly shifting their attack vectors. There has been a confluence of factors resulting in the shift from skimming to more advanced attacks. Anti-skimming and other preventive measures, such as EMV and geoblocking, have rendered traditional card-present fraud more difficult. However, outdated and insecure ATM operating systems, coupled with a shift from custom to standard PC hardware components, have left ATMs more vulnerable to malware attacks.

Additionally, a large number of proprietary technologies in ATMs have been replaced with standardised APIs (Application Programming Interfaces) that allow interaction with ATM hardware regardless of model and type. While the hardware and software standardisation has brought a number of benefits for the financial institutions, it has made ATMs more attractive targets, as the same malware can be reused on multiple devices [58].

Although ATM malware has frequently been discussed as a growing problem, and the number of attacks has significantly increased since 2013, it is still vastly outnumbered by the number of skimming attacks. This is also reflected by the fact that only a limited number of countries reported active investigations into digitally facilitated ATM attacks. Furthermore, the majority of these investigations related to the black boxing technique, where the attacker’s computer connects directly to the cash dispenser and issues dispensing instructions, and were not malware attacks.

Many of these attack vectors could be designed out in close cooperation with industry.

  [58] Trend Micro and EC3: ATM Malware on the Rise: A comprehensive Overview of the Digital ATM Threat, 2016

Key threat - e-commerce fraud

Statistics provided by the ECB indicate that 66% of total card fraud value is the result of card-not-present (CNP) transactions [59]. This figure represents yet another increase on the previous year and is echoed by law enforcement experience.

The use of compromised credit card details is an increasingly high volume crime, with tens of thousands of criminal complaints in many EU countries. An increase in CNP fraud is apparent across almost all sectors; the purchases of physical goods, airline tickets, car rentals and accommodation with compromised cards have generally seen an increase throughout the EU.

In some cases, the offenders identify a vulnerability within a merchant’s payment process and exploit it before the merchant can identify and address the issue. Such an approach has led to huge losses for individual merchants.

The monetisation of fraudulently purchased goods has seen little variation compared to previous years. Once high value items are purchased, they are often reshipped through several layers of packet mules abroad, frequently to Eastern Europe and monetised through buy-and-sell websites.

The UK’s DCPCU and Visa Europe, supported by Europol, carried out the first ever Retail Week of Action, a joint operation targeting e-commerce fraud. The operation saw the financial industry and retailers share live data with law enforcement which was used to target suspects using stolen card details to purchase high value goods including electronics, designer clothes and household equipment. Eleven people were arrested during the operation and goods worth more than €280 000 were seized.

Airline ticket fraud

Airline companies are among the most affected by CNP fraud. The airline industry is estimated to lose over one billion dollars per year [60] as a result of the fraudulent online purchases of flight tickets. Furthermore, individuals travelling on fraudulently purchased airline tickets are often involved in terrorism or other forms of serious organised crime including trafficking in human beings (THB) or drugs smuggling.

For most airline ticket fraud, the interval between ticket purchase and travel time is typically less than two days [61]. Often criminals will book a flight in the afternoon in order to fly the next day. Airlines are under pressure to develop efficient mechanisms to identify fraudulent transactions while keeping the impact on legitimate customers as low as possible. False positives resulting in mistaken cancellations are costly for airlines, as the denied travellers are entitled to compensation ranging from €250 to €600 [62], with potential reputational damage on top of this.

In June 2016, the seventh Global Airline Action event was held, involving over 74 airlines and 43 countries, taking place in over 130 airports around the world over two days. With coordination centres at Europol in The Hague, INTERPOL Singapore and Ameripol in Bogota, and further support from Canadian and US law enforcement authorities, the operation resulted in 140 individuals being detained under suspicion of fraud following the reporting of over 250 suspicious transactions [63].

https://www.europol.europa.eu/sites/default/files/publications/operation_airline_action_day_0.pdf

  [59] European Central Bank: Fourth Report on Card Fraud, https://www.ecb.europa.eu/pub/pdf/other/4th_card_fraud_report.en.pdf, 2015
  [60] IATA, 2016
  [61] CEPOL Webinar on Airline Fraud Notification Tool, 2016
  [62] Regulation (EC) No 261/2004 of the European Parliament and of the Council, http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32004R0261, 2004
  [63] Europol Press Release, More Than 140 Detained in Global Action Against Airline Fraud, https://www.europol.europa.eu/content/more-140-detained-global-action-against-airline-fraud, 2016

Future threats and developments

In last year’s report we highlighted the first functional ATM equipped with facial recognition, unveiled in China. Weeks later, a major financial institution tested ATMs capable of performing retinal scans [64]. It is unclear yet, however, how much need or appetite there is for such authentication technologies on ATMs, and therefore to what extent they will be adopted globally.

The increasing implementation of geoblocking and 3D Secure [65], apart from their obvious positive impact, is likely to further displace fraud to countries and businesses that have not yet implemented these preventive measures. The 2015 IOCTA highlighted the liability shift of losses to merchants following the migration to EMV in the US. Consequently the top 100 merchants in the US, who collectively generate 80% of all face-to-face transactions, are now EMV enabled [66].

As the financial institutions increasingly issue EMV cards to their respective card bases, we can expect US merchants to be fully EMV compliant within two years. This will likely push card-present fraud to other jurisdictions or make criminals turn to CNP in search of the path of least resistance. However, this also increases the risk of attacks on the EMV technology, so further innovations are needed to keep that platform secure.

The possibility of compromising NFC transactions was explored by academia years ago and it appears that fraudsters have finally made progress in the area. Several vendors in the Darknet offer software that uploads compromised card data onto Android phones in order to make payments at any stores accepting NFC payments. Moreover, at least one Member State reports instances of OCGs using contactless cards purchased from individuals who then report the card as lost. The OCGs were able to reset the cards once they had reached the purchase limit thereby allowing continued spending.

Fraudulent use of NFC payments would have a number of unexpected consequences including the inability of merchants to confiscate the compromised card. Currently, when merchants detect a fraudulent transaction they are requested to seize the card. However, the confiscation may not be feasible when the compromised card data are recorded on the buyer’s smartphone.

  [64] The Wall Street Journal: The Eye-Scanning ATM Is Here, http://www.wsj.com/articles/the-eye-scanning-atm-is-here-1445815637, 2015
  [65] 3D Secure is an online fraud prevention measure familiar through Verified by Visa or MasterCard SecureCode
  [66] Stephen W. Orfei, PCI Security Standards Council, 2016

Recommendations

  • Successful initiatives targeting fraud in the airline industry should be replicated to cover additional sectors. Operations where offenders have to arrive at a physical location to benefit from fraudulent transactions, such as car rentals or other pre-ordered services, may be particularly effective.
  • Where resources permit, law enforcement should consider embedding staff temporarily within the private sector and vice versa. This would improve cooperation and collaboration and provide law enforcement with valuable insights into how the industry operates, which may be beneficial for preventative and investigative purposes.
  • Additional effort is required, through more focused information sharing within law enforcement and/or partnerships with private industry, to link cases of card fraud. This would facilitate the identification of organised crime groups involved in card fraud.
    • Looked at in isolation, the fragmented nature of card fraud means that it is often given a low priority.
  • A coordinated effort should be made by law enforcement to engage with countries where compromised cards are cashed out and where goods purchased with compromised cards are reshipped.
  • Law enforcement should make greater use of the Europol Malware Analysis System (EMAS) by submitting ATM and PoS malware samples in order to identify links to other cases and improve a community-wide understanding of the threat.
  • Investigators focusing on ATM crime should familiarise themselves with a comprehensive overview of the digital ATM threats called “ATM Malware on the Rise”, a joint EC3 and Trend Micro report on malware threats and specific types of malware in circulation.
  • Industry should take action to design out security flaws from new and existing software and hardware.

  [51] European Central Bank: Payment Statistics for 2013, https://www.ecb.europa.eu/press/pdf/pis/pis2013.pdf, 2014
  [52] As of July 2015, SEPA consists of all 28 EU MS as well as Iceland, Liechtenstein, Monaco, Norway, San Marino and Switzerland
  [53] European Central Bank: Fourth Report on Card Fraud, https://www.ecb.europa.eu/pub/pdf/other/4th_card_fraud_report.en.pdf, 2015