While sophisticated cyberattacks, such as those linked to banking Trojan Dridex, and high-profile mega-breaches, including the one that compromised London-based TalkTalk, get most of the attention, European fraud experts say less sophisticated attacks are far more common and pose a greater fraud risk.
At Information Security Media Group's Fraud Summit in London Oct. 27, Lachlan Gunn, executive director of the European ATM Security Team; Neira Jones, an independent cyber and payments security expert; and Jeremy King, the PCI Security Standards Council's international director, called attention to socially engineered schemes and other low-tech attacks as leading causes of fraud in Europe.
"The over-arching theme of the summit was that fraud is a global problem. And to fight it we have to have global collaboration."
What's more, they agreed that the breach of personal and financial data is more prevalent in the United Kingdom and Europe than it is in the U.S., even though fewer European breaches make the headlines. That's because data breach notification and disclosure laws in Europe are far more lax than those in the States.
The over-arching theme of the summit was that fraud, not surprisingly, is a global problem. And to fight it we have to have global collaboration and more transparent breach disclosure so that we can openly share information about the techniques and methods international attackers are using.
ATM Fraud Trends
Gunn, who discussed ATM fraud trend data from EAST for the first half of 2015, said low-tech ATM crimes linked to card and cash trapping, along with robberies and physical attacks, have overshadowed ATM skimming and malware attacks in Europe.
Skimming attacks are up in non-EMV-compliant markets, including the U.S. But in markets where EMV is more widely adopted, such as Europe, criminals are reverting to less sophisticated attack techniques that don't involve stealing card details electronically.
For example, fraudsters using card and cash trapping manipulate card readers and cash dispensers to "trap" cards when they are inserted or block cash from being dispensed. Frustrated ATM users then think the ATM has malfunctioned. In reality, however, fraudsters have trapped the cards or cash and are waiting nearby to retrieve one or the other when users walk away.
Other fraudsters are using old-fashioned techniques, including stealing ATMs or brute force attacks, like running into the ATM with a truck, prying it open or using explosives, to get cash.
EAST works closely with law enforcement to track these trends, Gunn noted. But he called on banks to do a better job of monitoring their machines as well.
Jones stressed that many fraudsters in Europe are using social engineering, rather than sophisticated cyberattacks, to commit their crimes.
Using a humorous video to demonstrate how readily the average consumer will provide a password to a stranger, Jones showed why username and password authentication has to go. Until we use biometrics and behavioral analytics for authentication, fraudsters will have the upper-hand, she contended.
Obviously, the techniques criminals use to socially engineer employees involve skill. But as we've seen with business email compromise and ransomware attacks, which are on an upswing globally, it really doesn't take much to con employees.
European Breaches Under-Reported
The high-profile beaches affecting Target and other major U.S. retailers captured global attention, fueling the misconception that the payments ecosystem in the U.S. is less secure than Europe. The reality, however, is likely quite the opposite, said PCI's King. And over the next 12 to 16 months, King predicts European businesses and banking institutions will be in for a rude awakening, as new regulations related to data security, privacy and breach notification take effect.
The EU Data Protection Directive and the Directive on Payment Services will impose beefed up breach notification requirements upon all European businesses. Once that happens, King said we can expect to see a significant uptick in the number of breaches reported in Europe - a number that could trump the U.S.