The Fraud Blog with Tracy Kitten


Why Low-Tech Fraud Is a Growing Risk

Experts at London Summit Call for Global Collaboration in Fight Against Fraud
Lachlan Gunn, executive director, European ATM Security Team

While sophisticated cyberattacks, such as those linked to banking Trojan Dridex, and high-profile mega-breaches, including the one that compromised London-based TalkTalk, get most of the attention, European fraud experts say less sophisticated attacks are far more common and pose a greater fraud risk.


At Information Security Media Group's Fraud Summit in London Oct. 27, Lachlan Gunn, executive director of the European ATM Security Team; Neira Jones, an independent cyber and payments security expert; and Jeremy King, the PCI Security Standards Council's international director, called attention to socially engineered schemes and other low-tech attacks as leading causes of fraud in Europe.

What's more, they agreed that the breach of personal and financial data is more prevalent in the United Kingdom and Europe than it is in the U.S., even though fewer European breaches make the headlines. That's because data breach notification and disclosure laws in Europe are far more lax than those in the States.

The overarching theme of the summit was that fraud, not surprisingly, is a global problem. To fight it, we need global collaboration and more transparent breach disclosure, so that we can openly share information about the techniques and methods international attackers are using.

ATM Fraud Trends

Gunn, who discussed ATM fraud trend data from EAST for the first half of 2015, said low-tech ATM crimes linked to card and cash trapping, along with robberies and physical attacks, have overshadowed ATM skimming and malware attacks in Europe.

Skimming attacks are up in non-EMV-compliant markets, including the U.S. But in markets where EMV is more widely adopted, such as Europe, criminals are reverting to less sophisticated attack techniques that don't involve stealing card details electronically.

For example, fraudsters using card and cash trapping manipulate card readers and cash dispensers to "trap" cards when they are inserted or block cash from being dispensed. Frustrated ATM users then think the ATM has malfunctioned. In reality, however, fraudsters have trapped the cards or cash and are waiting nearby to retrieve one or the other when users walk away.

Other fraudsters are using old-fashioned techniques, including stealing ATMs or brute force attacks, like running into the ATM with a truck, prying it open or using explosives, to get cash.

EAST works closely with law enforcement to track these trends, Gunn noted. But he called on banks to do a better job of monitoring their machines as well.

Social Engineering

Jones stressed that many fraudsters in Europe are using social engineering, rather than sophisticated cyberattacks, to commit their crimes.

Using a humorous video to demonstrate how readily the average consumer will provide a password to a stranger, Jones showed why username and password authentication has to go. Until we use biometrics and behavioral analytics for authentication, fraudsters will have the upper hand, she contended.

Obviously, the techniques criminals use to socially engineer employees involve skill. But as we've seen with business email compromise and ransomware attacks, which are on an upswing globally, it really doesn't take much to con employees.

European Breaches Under-Reported

The high-profile breaches affecting Target and other major U.S. retailers captured global attention, fueling the misconception that the payments ecosystem in the U.S. is less secure than Europe's. The reality, however, is likely quite the opposite, said PCI's King. And over the next 12 to 16 months, King predicts European businesses and banking institutions will be in for a rude awakening, as new regulations related to data security, privacy and breach notification take effect.

The EU Data Protection Directive and the Directive on Payment Services will impose beefed-up breach notification requirements upon all European businesses. Once that happens, King said we can expect to see a significant uptick in the number of breaches reported in Europe - a number that could trump the U.S.

About the Author

Tracy Kitten


Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.
