This article in BankInfo Security is a fascinating digest of criminal financial crimes from enrolling stolen cards into Apple Pay to ATM hacking that includes blowing the ATM up. It includes pictures of card skimmers with instructions and links to a video of an ATM being blown up with gas:
“Fraudsters continue to get new tricks up their sleeves. Criminals are increasingly using Apple Pay, setting up mobile call centers to socially engineer victims as well as tricking consumers via look-alike but fake e-commerce sites that never fulfill orders, warns the European Association for Secure Transactions, based on reports from European countries as well as Ukraine and Russia.
See Also: Webinar | The Future of Adaptive Authentication in Financial Services
On June 5, representatives from 16 countries in the Single Euro Payments Area, as well as four other countries, attended an EAST meeting held at Europol headquarters in the Hague, Netherlands. Here’s a sample of the most recent fraud trends they’re seeing:
- Apple Pay mobile wallet fraud: Two countries reported cases of such fraud. “One reported that mobile wallets are fast becoming the new money mules – fraudsters are enrolling cards that are not yet associated to a specific wallet,” EAST reports. “Another country reported that fraudsters are obtaining security codes through phishing, with which they can then install a mobile banking app on their own smartphone, using the victim’s data.”
- Mobile call centers: One country told EAST that to trick users into divulging personal details or account information, fraudsters are calling consumers from call centers that appear to have genuine bank customer service telephone numbers and pretending to be legitimate bank staff.
- Fake websites: Sites in China and other Asian countries, in particular, are increasingly advertising goods for sale, but never fulfilling orders. “One country reported that the quality of fake websites and fake emails is constantly improving, with fewer language errors and better design and formatting,” EAST says.
- Card skimming: Skimming attacks were reported by 18 of the 22 countries, with five recovering M3 card reader internal skimming devices, the most recent versions of which are built from transparent plastic to make them tougher to detect. Six countries also reported skimming attacks that targeted devices other than ATMs, including railway ticket machines. Overall, EAST notes that skimming attacks are more common outside Europe, with the most losses occurring in Indonesia, India and the United States.
- Cash and card trapping: Attackers can also alter machines to trap cash or payment cards. Eight countries reported seeing cash-trapping attacks, although two said the incidence of such attacks has decreased. Five countries reported seeing card-trapping attacks, with two reporting that such attacks have been increasing.
- Physical attacks: 10 countries reported ram raids and ATM burglary attempts; nine countries reported explosive gas attacks, with four countries noting that the frequency of such attacks has been increasing; and seven countries saw solid explosive attacks, with two countries saying they’d been increasing. One country also reported seeing a solid explosive attack committed by “criminals armed with assault rifles,” EAST reports. “The spread of such attacks is of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings” (see: Attackers ‘Hack’ ATM Security with Explosives).
- ATM malware and logical attacks: Six countries report seeing the use of “black box” devices to try and force ATMs into dispensing cash without authorization, in what’s known as a jackpotting attack. “In most cases the attacks were unsuccessful,” EAST says.
The countries that contributed information to the latest EAST fraud report were Austria, Czech Republic, Finland, France, Germany, Ireland, Italy, Liechtenstein, Luxembourg, Netherlands, Portugal, Romania, Russia, Serbia, South Africa, Spain, Sweden, Switzerland, Ukraine and the United Kingdom.”
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group
