EAST (the European ATM Security Team) has just published a European ATM crime report covering the first 6 months of 2009. For the third consecutive 6 month reporting period, the overall number of fraud incidents (6,197) is relatively stable, showing a marginal increase of 1%. While card skimming incidents are down by 19% (from 5,693 to 4,629 incidents), card trapping incidents have increased by 640% (from 141 to 1,045 incidents). Losses due to card skimming are down by 30% (from €222 million to €156 million), while losses due to card trapping have risen nearly 900% (from €0.59 million to €5.8 million).
This indicates that the EMV* rollout at ATMs in Europe (now 92% complete) is helping to reduce skimming losses, and also that fraud counter-measures, fraud monitoring capabilities and fraud detection are improving.
The EAST report indicates that criminals have now started to capture EMV cards, as a captured EMV card can be used at EMV compliant ATMs and other payment terminals, until it is blocked by the issuing bank. EAST recommends that, if a card is retained by an ATM, the cardholder takes immediate action to inform his bank. Losses due to card trapping are still a fraction of skimming related losses, but EAST is recognising it as an emerging threat.
EAST Director and Coordinator, Lachlan Gunn said, "The fact that skimming incidents and losses appear to be finally decreasing is encouraging for the industry, after the major investment that has been put into EMV. As other parts of the world also roll out EMV, concern remains that the USA appears to have no plans to follow suit. A significant part of overall European losses now occur there. To reduce this risk, a debate is now opening as to how it can be mitigated, and next month EAST will be conducting a related website research poll.”
Data compromise from cases of hacking or other fraud at data processors is another emerging threat that EAST is monitoring. Initial cases have been reported in the Ukraine, the USA and the Dominican Republic. Card data obtained from such attacks can be used to create counterfeit cards for usage at ATMs which are not EMV compliant or where the card issuer allows fallback (if the PIN has also been obtained), for transactions at signature based POS terminals, or for card-not-present (CNP) transactions (if only the card number and expiry date have been obtained).
Physical attacks on European ATMs have risen by 12%, with small increases seen in both ram raids and robberies. While the cash losses for such attacks are well below fraud levels, the risks to people and the collateral damage to property continue to remain of great concern to the industry. The deployment of banknote ink/dye staining systems continues and EAST maintains a list of such systems for the benefit of the industry.
* EMV is an industry standard for Smart Cards and card readers, supported by the European Payments Council and the major payment schemes
The full report is available to EAST subscribers and details of how to subscribe to EAST can be found at their website.
(Background data on the report & EAST follow)
For further information please contact the EAST Co-ordinator, Lachlan Gunn: E: coordinator[.]eas-team.eu / T: +44 131 5100268.
EUROPEAN ATM CRIME REPORT 2009, Period: January to June 2009
The above release is based on a report prepared twice-yearly by EAST to provide an overview of the European ATM crime situation for law enforcement officers and EAST members, using statistics provided from 20 European states. The following countries, with an estimated total installed base of 356,302 ATMs, supplied full or partial information for this report:
Austria; Belgium; Cyprus;Finland; France; Germany; Greece; Ireland; Italy; Liechtenstein; Luxembourg; Malta; the Netherlands; Poland; Portugal; Slovakia; Spain; Sweden; Switzerland; the United Kingdom.
EAST intends to obtain such information from all 27 European Union states as well as from Iceland, Liechtenstein, Norway and Switzerland.
EAST has taken reasonable measures to develop the report this press release is based on and to report in a fair, reasonable, open, and objective manner. However, EAST makes no claims, promises, or guarantees about the completeness of the underlying data. In addition, as the information in the report has been passed to EAST by other parties, errors or mistakes may exist or be discovered. Neither EAST nor its members, authors, or agents shall be liable for any loss, damage, or claim with respect to any such information being provided. All such liabilities, including direct, special, indirect, or consequential damages, are expressly disclaimed and excluded.
Founded in 2004, EAST (european-atm-security.eu) is a ‘not-for-profit’ organisation whose members are committed to gathering information from, and disseminating EAST reports to ATM deployers and networks within their countries/regions. While the main focus of EAST is on ATMs, the group also focuses on all payment terminals that have a direct impact on crime perpetrated at ATM locations.
Our mission is to gather and provide information to the European ATM industry and to facilitate effective representation of ATM related security issues at relevant European central institutions, through a pan-European co-ordination of ATM security resources.
EAST has set up a framework network structure to improve co-operation with industry, law enforcement, and in particular Europol, in order to achieve awareness and better results in the fight against organised cross-border crime. Regular research polls are conducted through the EAST website.