31 Arrested in Spain and Bulgaria; Skimmers and Card-Forcing Equipment Seized Spanish police dismantle a micro camera installed in an ATM. (Source: Spanish National Police)
Police in Europe say they have dismantled a cross-border gang devoted to perpetrating payment card fraud that stole at least €500,000 ($560,000) from 3,000 individuals.
The gang has been operating since 2014, installing card-skimming devices on about 400 ATMs per year to copy and clone data on payment cards, Europe’s law enforcement intelligence agency, Europol, says in a news release.
“The forged cards were then used to make illegal transactions in 200 ATMs outside the European Union, mainly in the USA, the Dominican Republic, Malaysia, Indonesia, Vietnam, Peru, the Philippines and Costa Rica,” Europol says, noting that at least 3,000 EU citizens were affected by the criminal network.
In an effort to break up the criminal operation, Europol says arrests have been made of 31 suspects – 21 in Spain, nine in Bulgaria and one in the Czech Republic. “The suspects were in possession of equipment used to forge payment cards, payment card data readers-recorders, skimmers, micro cameras, devices to manipulate ATMs, as well as cash and numerous counterfeit cards,” Europol says (see Why Skimming Will Grow in 2017).
Police also conducted 48 house searches – 14 in Spain and 34 in Bulgaria.
Micro camera ATM modification uncovered by Spanish police as part of their investigation. (Source: Europol)
The effort involved a joint investigation team that included prosecuting and investigating authorities in Spain and Bulgaria, supported by criminal intelligence from Europol, as well as support from Eurojust, the EU agency that handles cross-border judicial cooperation relating to criminal matters.
“An entire criminal network was taken down and, as a result, is no longer able to defraud innocent victims, thanks to the joint efforts of the Spanish and Bulgarian prosecuting authorities, and the valuable support provided by their national desks at Eurojust,” says Francisco Jiménez-Villarejo, the national member for Spain at Eurojust.
— Policía Nacional (@policia) June 13, 2017
A Spanish National Police agent dismantles an attacker-modified ATM.
Europol couldn’t be immediately reached for comment on precisely when the arrests and searches were carried out.
But Steven Wilson, who heads Europol’s European Cybercrime Center – EC3 – says that operations of this nature are thanks to continuing investments in EU law enforcement intelligence sharing as well as buy-in from EU member states. “Police forces in the EU are utilizing Europol’s unique tools to ensure that electronic payment transactions are made safer,” he says. “We are continuously investing more resources into this vital support platform, and now we are seeing the results of this essential work.”
Card Skimming Attacks Decline
Arrests aside, the overall volume of skimming attacks in Europe has continued to decline. “The downward trend for card skimming continues with 3,315 card skimming incidents reported, down 20 percent from 4,131 in 2015,” the European Association for Secure Transactions says in an April report. “This is the lowest number of skimming incidents reported since 2005.”
Based on data collected by EAST in February from 19 European countries and five other countries that participate in the group – including Brazil, Canada, Russia and the United States are EAST members – 18 of those countries reported seeing card skimming attacks.
Alert: Deep Insert Skimmers
Five countries have also reported seeing continued use of internal skimming devices. “The read head on this type of device is placed at various locations inside the motorized card reader behind the shutter,” according to a teardown of card data compromise devices published by EAST. “This type of device is also sometimes referred to as a ‘deep insert’ skimming device.”
It’s not clear if the suspects arrested in Spain and Bulgaria have been accused of using deep-insert skimmers. But the devices were the focus of a February alert issued by ATM manufacturer NCR, saying it’s received reports of attacks utilizing such devices in the United States against ATMs built by multiple manufacturers, including NCR.
“A deep insert skimmer is different from a typical insert skimmer. This is a skimmer that is placed inside the card reader by insertion through the card slot,” NCR says. “Once in place, it is hidden from view to the consumer using the ATM. Use of deep insert skimmers has emerged because they cannot be detected or jammed by anti-skimming equipment designed to prevent fraud through skimmers attached on the ATM fascia.”
NCR recommends frequent, manual checks of ATMs by trained personnel to try and spot these types of skimmers, and the manufacturer has published a related guide.
Various third-party products are also available that purport to help block the use of these skimmers, but NCR says it does not endorse their use. “There are third-party hardware products available which can be fitted inside the card reader and are designed to inhibit placement of the deep insert skimmer,” it says. “NCR does not endorse any particular product.”
Instead, NCR says it plans to issue a hardware update this month for motorized card readers that it manufacturers that’s designed to block deep insert skimmers from being used.
Skimming: Beyond ATMs
Most skimming attacks target ATMs. But EAST says eight countries in February reported that they had recently seen skimmers being used against other devices. In particular, four countries reported that unattended payment terminals – UPTs – at petrol stations had been targeted with skimmers. In a first, one country also reported seeing an internal skimming device used on a public transport ticket machine, EAST says.
As seen in the alleged payment card fraud operation disrupted by authorities in Bulgaria and Spain, criminals who successfully obtain card data via skimming devices often attempt to use that data outside Europe. As of February, financial institutions in 45 countries that work with EAST, as well as 9 countries inside the Single Euro Payments Area, reported seeing losses due to skimming. The greatest skimming-related losses were seen in the United States, Indonesia and India, EAST reports.