ATM Attacks: Terminal Fraud Dives in Europe During Pandemic
Criminals continue to target ATMs with black boxes to run cash-out attacks and use explosives to get cash out of machines. But during the pandemic, most other types of attacks used to target ATMs, payment terminals and point-of-sale devices sharply declined, the European Association for Secure Transactions, also known as EAST, says in a new report.
See Also: Determining the Total Cost of Fraud
Whether such fraud trends will continue is uncertain, give that “2020 was a highly unusual year due to the COVID-19 pandemic, and crime and fraud patterns changed accordingly,” says Lachlan Gunn, executive director of EAST. “Despite national lockdowns and border closures, mobile organized crime groups continued to operate across Europe.”
The report from EAST is based on full-year 2020 information shared by 21 Western European nations, including the five most populous – Germany, the U.K., France, Italy and Spain. The 21 nations collectively count about 335,000 ATMs, 223,000 unattended payment terminals and 14.5 million point-of-sale terminals.
When comparing 2020 to the prior year, EAST found:
The report breaks down payment terminal crime into three categories: terminal-related fraud attacks, malware and logical attacks, and physical attacks.
Terminal-Related Fraud Attacks
The category of terminal-related fraud attacks includes card skimming, card trapping, ATM cash trapping and transaction reversal fraud. Compared to the previous year, in 2020, the total number of such attacks in Europe declined by 64% – from 18,217 to 6,523 incidents – although total reported losses declined by only 12%, from $300 million to $262 million.
ATM skimming attacks, in which thieves use a small device to copy card data, sometimes backed by a camera to record PIN codes, have been declining for the past decade as a result of wider use of the EMV smart payment card standard. “Since 2011, there has been a continuing shift away from high-tech skimming attacks to lower-tech card and cash trapping attacks, as well as to transaction reversal fraud,” EAST says.
Transaction reversal fraud means “the unauthorized, physical manipulation of an ATM cash withdrawal which makes it appear to the ATM system that cash has not been dispensed despite the criminal gaining access to and taking the cash,” EAST says. “This causes a reversal message to be generated and sent to the card-issuing organization, ultimately resulting in a free cash withdrawal. Criminals will typically use prepaid cards, or stolen or skimmed cards, making it difficult to detect the identity of the perpetrator.”
But such attacks in Europe declined markedly from 2019 to 2020 – from 9,054 incidents to just 250.
Malware and Logical Attacks
All malware and logical attacks seen in 2020 involved the use of black boxes, which EAST describes as “the connection of an unauthorized device which sends dispense commands directly to the ATM cash dispenser in order to ‘cash-out’ or ‘jackpot’ the ATM.”
Total black box losses in Europe increased from $1.3 million in 2019 to $1.5 million in 2020. But “most such attacks remain unsuccessful,” EAST says (see: ‘Black Box’ and Physical Attacks Against ATMs Surge).
The number of physical attacks against European ATMs decreased from 4,571 in 2019 to 3,722 in 2020 – a 19% decline – although reported losses remained steady at $26.5 million.
“While it is good news to see such a significant fall in terminal fraud attacks, there is concern that explosive attacks at ATMs have only fallen by 6% and that related losses are up by 39%,” EAST’s Gunn says. “The average cash loss for a solid explosive attack is estimated at 28,218 euros ($33,938), and collateral damage to equipment and buildings can be significant. There are also major safety issues.”