Tuesday, 18 October 2011

ATM cash trapping attacks surge in Europe

According to data just published by the European ATM Security Team (EAST) there has been a surge in cash trapping activity during the first six months of 2011 - 6,797 incidents were reported, compared to just under 150 during the first six months of 2010.  That is a staggering increase.  What is cash trapping and why is this happening?

To steal cash criminals install a trap at the ATM's cash dispenser shutter so that when a cardholder makes a cash withdrawal, the transaction is completed as normal, but the cash does not appear. It remains hidden, retained by the trap which is removed by the criminals after the card holder has left the ATM.  Why is this happening?

I first picked up on this trend in March 2011 after EAST published a European Fraud Update.  When compared to card skimming, this is a high effort low return activity for fraudsters.  EAST has just reported 6,797 cash trapping attacks, with related losses of €0.49 million.  By comparison EAST reported 3,863 skimming incidents with related losses of €111 million - but skimming losses have declined for the past seven reporting periods, down from a peak of €315 million during the second six months of 2007.

A successful skimming incident can result in the compromise of multiple cards, from which the data is used to create counterfeits.  These can then be used to make cash withdrawals at any ATM that is not EMV (Chip and PIN) compliant, or to make purchases or payments.  The problem for the criminals is that the migration to EMV in Europe is nearing completion.  The vast majority of payment cards, ATMs and payment terminals are now EMV compliant.  So what?

So a counterfeit EMV card cannot be used at an EMV compliant payment terminal or ATM as it does not have a Chip.  Merchants or ATM deployers in the Single Euro Payments Area (SEPA) still using non-compliant terminals suffer financial penalties if fraudulent transactions are perpetrated at them.  Of the €111 million skimming related losses reported by EAST, €85 million were international i.e. took place outside the card issuer's national borders.  And the rest of the world is following Europe.  Most recently the U.S. has committed to doing the same, with MasterCard stating that by 19th April 2013 all U.S. ATMs should be EMV compliant.  Also, some European card issuers are blocking the usage of debit cards outside of EMV areas.

Which brings us back to cash trapping.  If you are going to steal cash (banknotes) at an ATM, EMV does not matter.  The genuine customer enters a PIN, a genuine transaction takes place, but the cash is trapped and the customer leaves without it.  The problem for the bad guys?  High effort low reward.  The risks are similar to card skimming, but the returns are negligible.  Any gain is limited to the transaction amount, and the traps must be physically harvested (unlike skimming where compromised data can be sent remotely by a blue tooth connection).

So yes, cash trapping is soaring in Europe and is a huge inconvenience to any cardholder denied cash from a genuine transaction.  But it smacks of a certain desperation in the criminal fraternity.  Why engage in this low reward activity?  The answer is perhaps the success of EMV.  The industry is now alerted to cash trapping and so additional counter-measures will almost certainly be rolled out to counter it.  It will be interesting to see what happens over the next year or so.............

You can read the full press release on the EAST Website and subscribers to the EAST Website can download the full European ATM Crime Report.

No comments:

Post a Comment