Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Europol

The European Cybercrime Centre – one year on

What are the main future cybercrime threats on the horizon? And how has the European Cybercrime Center (EC3) contributed to protect European citizens and businesses since its launch in January 2013? 

These questions are at the core of an EC3 report presented today, and discussed at a conference organised by the Commission, with participants from law enforcement authorities, national and EU institutions and the private sector.

Criminal behaviour is changing fast, exploiting technological developments and legal loopholes. Criminals will continue to be creative and deploy sophisticated attacks to make more money, and we must be able to keep up with them. The expertise of the EC3 is helping us to fight this battle and boost European cooperation. Through several successful, far-reaching operations in the past year, the European Cybercrime Centre has already earned well-deserved fame amongst law enforcement agencies”, said Commissioner for Home Affairs Cecilia Malmström.

Troels Örting, Head of the European Cybercrime Centre added: “In the 12 months since EC3 opened we have been extremely busy helping EU law enforcement authorities to prevent and investigate cross-border cybercrime. I am proud and satisfied with our results so far, however we cannot rest on our laurels. I am especially worried about the increasingly complex forms of malware that are surfacing, along with more technologically advanced cyber-scams, and the so-called ‘sextortion’ of minors. We have only seen the tip of the iceberg, but EC3, backed by our valued stakeholders and partners, is dedicated to supporting Member States’ future frontline cybercrime operations.

According to a recent Eurobarometer

  • 12% of European internet users have had their social media or email account hacked
  • 7% have been the victim of credit card or banking fraud online

EC3 achievement highlights

The main task of the European Cybercrime Centre is to disrupt the operations of organised crime networks that commit serious and organised cybercrime (for more details, see MEMO/13/6 and infographics).Concretely, the EC3 supports and coordinates operations and investigations conducted by Member States’ authorities in several areas. Recent examples include:

High-tech crimes (cyber-attacks, malware)

In its first year, the EC3 assisted in the coordination of 19 major cybercrime operations, for instance: 

  • Two major international investigations (Ransom and Ransom II) were concluded, related to so-called Police Ransomware – a type of malware that blocks the victim’s computer, accusing the victim of having visited illegal websites containing child abuse material or other illegal activity. Criminals request the payment of a “fine” to unblock the victim’s computer, making the Ransomware look as if it comes from a legitimate law enforcement agency. Cybercriminals convince the victim to pay the ‘fine’ of around €100 through two types of payment gateways – virtual and anonymous. The criminals investigated by EC3 infected tens of thousands of computers worldwide, bringing in profits in excess of one million euros per year. 13 arrests were made (mainly in Spain) and the networks were broken up.
  • EC3 has also supported several international initiatives in the areas of botnet takedowns, disruption and investigation of criminal forums and malware attacks against financial institutions, such as the recent takedown of the ZeroAccess botnet together with Microsoft and high-tech crime units from the German BKA, Netherlands, Latvia, Luxembourg and Switzerland.

Online child sexual exploitation

At present, EC3 supports 9 large child sexual exploitation police operations within the European Union. In the first year of EC3, significant efforts – jointly with many Member States and non-EU cooperation partners – were put into combating the illegal activities of paedophiles engaged in the online sexual exploitation of children using hidden services.

EC3 is involved in many operations and joint investigations targeting the production and distribution of child abuse material on various internet platforms. It is providing ongoing operational and analytical support to investigations on the dark net, where paedophiles trade in illicit child abuse material in hidden forums, as well as to investigations into ‘sextortion’. Sextortion is the term given to the phenomenon where child abusers gain access to inappropriate pictures of minors and use the images to coerce victims into further acts or the abuser will forward the images to family and friends of the victim.

Payment fraud

The EC3 is currently providing operational and analytical support to 16 investigations, regarding payment fraud. In 2013 it supported investigations resulting in three different international networks of credit card fraudsters being dismantled: 

  • One operation led to the arrest of 29 suspects who had made a 9 million Euro profit by compromising the payment credentials of 30,000 credit card holders. 
  • The second network that was tackled resulted in 44 arrests during the operation (which followed 15 previous arrests; 59 arrests in total) in several Member States, two illegal workshops for producing devices and software to manipulate Point-of-Sale terminals dismantled, illegal electronic equipment, financial data, cloned cards, and cash seized. The organised crime group had affected approximately 36.000 bank/credit card holders in 16 European countries. 
  • The third operation targeted an Asian criminal network responsible for illegal transactions and the purchasing of airline tickets. Two members of the criminal gang, travelling on false documents, were arrested at Helsinki airport. Around 15,000 compromised credit card numbers were found on seized computers. The network had been using card details stolen from cardholders worldwide. In Europe, over 70,000 euros in losses were suffered by card holders and banks. 
  • An operation against airline fraudsters using fraudulent credit cards to purchase airline tickets was coordinated by the EC3 in 38 airports from 16 European countries. During the operation, more than 200 suspicious transactions were reported by the industry and 43 individuals were arrested (followed by another 74 arrests after the action day; 117 arrests in total). These were all found to be linked to other criminal activities, such as the distribution of credit card data via the internet, intrusions into financial institutions’ databases, other suspicious transactions, drug trafficking, human smuggling, counterfeit documents including IDs, and other types of fraud. Some of those detained were already wanted by judicial authorities under European Arrest Warrants.

Future threats and trends in cybercrime

Currently, around 2, 5 billion people worldwide have access to the internet and estimates suggest that around another 1, 5 billion people will gain access in the next four years. As our online life, with all its immense advantages, will continue to grow, so will our exposure to online crime. In its first yearly report, the EC3 looks at future cybercrime threats and trends. Among others, it points to the following: 

Growing ranks of criminals. The threshold for stepping into the business of cybercrime is becoming very low. Already now, a complete underground economy has developed, where all sorts of criminal products and services are traded, including, drugs, weapons, hired killings, stolen payment credentials and child abuse. Any kind of cybercrime can be procured even without technical skills – password cracking, hacking, tailor-made malware or DDoS attacks.

More demand. It is expected that the demand for and use of cybercrime services will increase, resulting in an even stronger growth of the development, testing and distribution of malware; building and deployment of botnets; theft and trade in payment credentials as well as money laundering services.

Increased sophistication. The development of more aggressive and resistant types of malware is expected. This includes ransomware with more advanced encryption complexity; more resilient botnets; and banking malware and Trojans with advanced sophistication, in order to circumvent protection measures by financial institutions.

Even more global. Due to rapidly spreading internet connectivity, cybercrime originating in Southeast Asia, Africa and South America will grow.

Going mobile. A shift of malware development is expected towards the operation on, and distribution through, mobile devices.

Smarter distribution. New ways of distributing aggressive and resistant types of malware are expected in the coming years. There is also an increasing, worrying trend of offering child abuse through live streaming, which leaves police without evidence unless intercepted at the time of transmission.

Increased need for money-laundering. Criminals will seek easy ways of cashing and laundering profits. Targeting large numbers of citizens and small to mid-sized companies for relatively small amounts is a scenario likely to continue. But also the use of payment credentials for online purchases will grow. The demand for e-currencies and other anonymous payment systems will rise further.

Targeting of cloud services. The hacking of cloud services becomes more and more interesting for criminals. It is expected that criminals will increasingly aim at hacking such services for the purpose of spying, retrieval of credentials and extortion.

To address these developments and fight a crime that by its very nature knows no borders or jurisdictions, the EC3 will continue to provide operational support to law enforcement agencies from EU Member States and from non-EU cooperation partners. It will further develop its expertise in training and capacity building, strategic analysis and digital forensic support.

Reproduced from http://europa.eu/index_en.htm

Advertisements

Europe’s Threat Landscape 2013 a report by ENISA

The EU’s cyber security Agency ENISA has issued its annual Threat Landscape 2013 report, where over 200 publicly available reports and articles have been analysed. 

Questions addressed are:

  • What are the top cyber-threats of 2013?
  • Who are the adversaries?
  • What are the important cyber-threat trends in the digital ecosystem?

Among the key findings is that cyber threats have gone mobile, and that adoption of simple security measures by end-users would reduce the number of cyber incidents worldwide by 50%.

The ENISA Threat Landscape presents the top current cyber threats of 2013 and identifies emerging trends. In 2013 important news stories news, significant changes and remarkable successes have left their footprint in the cyber-threat landscape. Both negative and positive developments have formed the 2013 threat landscape. In particular:

Negative trends 2013:

  • Threat agents have increased the sophistication of their attacks and of their tools.
  • Clearly, cyber activities are not a matter of only a handful of nation states; indeed multiple states have developed the capacity to infiltrate both governmental and private targets.
  • Cyber-threats go mobile: attack patterns and tools targeting PCs which were developed a few years ago have now migrated to the mobile ecosystem.
  • Two new digital battlefields have emerged: Big Data and the Internet of Things.

Positive developments in the cyber threat trends in 2013 include:

  • Some impressive law-enforcement successes. Police arrested the gang responsible for the Police Virus; the Silk Road operator as well as the developer and operator of Blackhole, the most popular exploit kit, were also arrested.
  • Both the quality and number of reports as well as the data regarding cyber-threats have increased
  • Vendors gained speed in patching their products in response to new vulnerabilities.

The top three threats:

  1. Drive-by-downloads
  2. Worms/Trojans
  3. Code injections.

Key open issues, identified are:

  • The end-users lack knowledge yet they need to be actively involved. Adoption of simple security measures by end-users would reduce the number of cyber incidents for 50% worldwide!
  • Numerous actors work on overlapping issues of threat information collection and threat analysis. Greater coordination of information collection, analysis, assessment and validation among involved organisations is necessary.
  • The importance of increasing the speed of threat assessment and dissemination, by reducing detection and assessment cycles has been identified.

The Executive Director of ENISA, Professor Udo Helmbrecht remarked: “This threat analysis presents indispensable information for the cyber security community regarding the top threats in cyber-space, the trends, and how adversaries are setting up their attacks by using these threats.”

The full report can be found here.

.

PCI SSC releases its Best practices to help prevent card data compromise at ATMs

The PCI SSC has released their latest supplement, the ATM Security Guidelines Information Supplement. 

The guidelines were developed to provide guidance to ATM manufacturers on how to prevent credit cards from being compromised. 

The ATM Industry Association’s (ATMIA) 2012 ATM Global fraud survey reveals that skimming remains the leading global threat to ATMs because criminals use stolen information to produce counterfeit cards for fraudulent transactions, primarily ATM cash withdrawals. 

Also see Europol reveals €1.5 Billion Euro in Credit Card Fraud, how it is stolen and why they struggle to catch the criminals  

Skimming and other types of attacks on ATMs continue to be top of mind for our constituents,” said Bob Russo, general manager, PCI Security Standards Council. “There are already some excellent resources out there that help with various pieces of ATM security. What this guidance does is pull together these different best practices into one comprehensive set, which is what our stakeholders have been asking for.

The guidance document provides an introduction to ATM security and outlines best practices around the following key areas and objectives:

  • Integration of hardware components to avert magnetic-stripe and other account data compromise and PIN stealing
  • Security of basic software to avert magnetic-stripe skimming and PIN stealing
  • Device management/operation to ensure adequate management of: ATM during manufacturing, ATM in storage of deployed ATM estates and ATM’s individual security configuration
  • ATM application management to address security aspects of the ATM application.

ATM manufacturers, hardware and software integrators, and deployers of ATMs can use this guidance to aid in the secure development, deployment and maintenance of ATMs. As with all PCI guidance documents the ATM Security Guidelines Information Supplement does not replace or supersede the PCI Standards, nor is it to be used as a set of security requirements for the formal certification of ATMs. The PTS POI security requirements provide for the testing and approval of encrypting PIN pads and secure readers used in ATMS for handling PIN and account data, and organizations should continue to use this standard to address these components of ATM security.

For a link to the full document please use my PCI Resources page here.

.

Europol reveals €1.5 Billion Euro in Credit Card Fraud, how it is stolen and why they struggle to catch the criminals

Europol’s Situation Report for Credit Card Fraud 2012 summaries fraudulent activity for credit cards across Europe is a very interesting read. It explains how the criminals act and with what types of techniques and why the Law Enforcement Agencies struggle to catch them.

A summary of the Europol report is below.

  • The criminal market of payment card fraud within the European Union (EU) is dominated by well-structured and globally active organised crime groups (OCGs). Criminal networks have managed to affect non-cash payments in the EU to the extent that protection measures are very expensive and need to be implemented on a global level. Consequently, the use of payment cards can be inconvenient and no longer fully secure for EU cardholders.
  • Payment card fraud is a low risk and highly profitable criminal activity which brings organised crime groups originating from the EU a yearly income of around €1.5 billion euros. These criminal assets can be invested in further developing criminal techniques or can be used to finance other criminal activities or start legal businesses.
  • The EU is increasingly exposed to the threat of illegal transactions undertaken overseas and should develop more efficient solutions to help law enforcement authorities (LEAs) combat the fraud. Europol, gathering intelligence on fraudulent overseas transactions affecting the EU, as requested by competent authorities of Member States (MS), is not entitled to cooperate with non-EU police forces or request specific measures to help combat and prevent fraud against the EU.
  • The majority of illegal face-to-face card transactions affecting the European Union take place overseas, mainly in the United States. The EU should take urgent measures to promote the EMV standard as a global solution against the counterfeiting of payment cards. As full EMV implementation will take time, a temporary solution could be applied, namely the implementation of GeoBlocking, blocking overseas transactions using EU-issued cards unless they have been activated in advance.
  • Common European legal solutions for the security of on-line retail payments (internet, mobile), as well as the mandatory reporting of financial data breaches, should be considered to prevent fraud affecting EU citizens. Prevention and combating card-not-present (CNP) fraud requires specific regulations on the customer’s identification (3D secure protocol) and security of the on-line payment environment. The role of the European Central Bank and Europol is crucial to present the problems and propose specific solutions.

Security of non-cash means of payment is a key factor in the economic stability of the European Union

According to statistics, the total number of payment cards issued in the EU in 2011 reached 726,906,710

The value of legitimate non-cash transactions with EU cards exceeded 3000 billion euros. From a security perspective, EU industry has taken an important step forward by fully implementing the EMV (chip-embedded cards) standard for card-present (CP) transactions, and is advanced with the protection of on-line transactions through the strong identification of customers (3D secure).

Banking institutions are profit-making businesses, so reducing the illegal income of criminals is not always a priority for them when introducing new banking products or services.

Acceptable levels of fraud and expected net profit for banks are more important than the real prevention of fraud that would lead to depriving criminals of the huge amounts of money they are stealing using EU payment cards. With the current global nature in which the banking sector and non-cash transactions operate, security measures in place on a regional (EU) level are not sufficient and have been exploited by criminal networks.

The illicit activities and fraudulent transactions of OCGs performed outside the EU have affected the security and convenience of non-cash payments in Europe and have consequently caused substantial losses to the EU economy.

This report is based mainly on data provided by law enforcement agencies from EU Member States and some cooperating non-EU States. The figures and latest trends were identified based on information from

  • The European Central Bank
  • European Payments Council
  • European ATM Security Team (EAST)
  • Card schemes
  • Fuel Industry Card Fraud Investigation Bureau (FICFIB)
  • “Some” card issuers (note: why not all?)

Since criminals affect both physical transactions with payment cards (shops, ATMs), and the internet environment, for the purpose of this report payment card fraud is divided into card-present (CP) fraud and card-not-present (CNP) fraud.

The implementation of EMV (Chip and PIN) technology in the European Union is seen as the key driver to reducing domestic payment card fraud. It should be stressed that cardholders’ confidential data is more secure on a chip-embedded payment card than on a magnetic strip card. Chip-embedded cards support dynamic authentication, requiring dynamic values for each transaction, and cannot be easily copied. The EMV card is considered to be well protected against skimming.

As the EU banking industry migrates to the EMV environment, losses caused by illegal domestic transactions in the EU have gradually decreased since 2008. However, at the same time, the level of illegal transactions overseas has seen a sharp increase. In 2011, almost all fraudulent face-to-face transactions with EU cards took place overseas. This phenomenon is determined by the level of technical protection of EU payment card terminals, ATM and Point-of-Sale (POS) terminals are fully EMV compliant. In response, criminal networks have targeted the weak points of the system and have undertaken criminal activities using non-EMV compliant terminals overseas. Due to this phenomenon, and the lack of specific agreements on reimbursement of losses caused by less protected terminals, the majority of the loss burden caused by this fraud is on the EU card issuers, which are specific banks in the EU.

Europol note “there has been no specific solution to this problem proposed by the card industry”

There are several countries operating as a substantial market for illegal transactions with counterfeit EU cards. The problem of illegal transactions in the US has been reported to Europol by all 27 EU Member States. There are also other locations where criminal groups with EU origins are cashing counterfeit cards.

The top six locations are:

  1. United States
  2. Dominican Republic
  3. Colombia
  4. Russian Federation
  5. Brazil
  6. Mexico

This trend has led to a situation in which, even after huge investments by the EU banking industry to install hardware and software to accept EMV cards, the problem has become even bigger, as it is extremely difficult to prevent and investigate crimes committed outside of EU borders.

The ultimate solution to this problem would be to implement the EMV standard on a global level, including making United States’ merchants compliant.

As a short term solution, in October 2010 Europol and the European Central Bank recommended that all SEPA (European-issued) cards should be EMV (chip-embedded) only. The first Member State to follow this recommendation is Belgium, where debit cards have chips embedded and the magnetic strip is no longer active. This solution, called GeoBlocking, in practical terms limits the possibility to misuse debit cards in regions without Chip and PIN verification. The implementation of GeoBlocking has been extremely positive from a security point of view with significant falls in skimming incidents and skimming-related losses (a decrease to almost zero in Belgium).

It should be stressed that there are some constraints to such solutions. The baseline for branded cards is that the cards are accepted globally. From this perspective the chip-only cards are not in line with this policy. The use of GeoBlocked cards is also less convenient for card holders as the card must be activated every time before travelling to non-EMV compliant countries. According to a research poll carried out by EAST, 60% of customers would be in favour of the GeoBlocking solution, including 28% of respondents who would be happy to contact their banks to activate the magnetic strip on their cards, and 12% who would like to hold a chip-only card.

This compromise is the price that card issuers and card holders pay as a result of the criminal activities of organised networks. It can be concluded that organised criminal groups have already managed to affect the EU payment card market to the extent that the use of cards is not cheap for card issuers and is less convenient for cardholders.

Investigations into card-present (CP) fraud
Industry reported an increasing number of incidents against ATMs in the EU were 20,244 in 2011 compared to 12,383 in 2010.

The statistics include all types of attacks against ATMs, including

  • skimming
  • using stolen cards
  • physical traps to obtain cash

According to reports provided by EU law enforcement authorities, organised crime groups adjust their profiles and criminal techniques relatively quickly and smoothly. Not only can they produce skimming devices to bypass the latest anti-skimming technology but they also explore new possibilities, including cash traps, prepaid cards or malware, as a source of cash and card data.

Most criminal structures operate internationally so cross-border cooperation is a key to final success. Taking into account that suspects use specific countermeasures, corrupt police officers and hire the best lawyers, investigative measures in such cases are very difficult. The criminals’ use of sophisticated technical equipment forces investigative teams to cooperate closely with forensic experts, who can decode information and analyse seized electronic storage devices. Unfortunately, in most of these cases, investigative measures focus on the criminal activities taking place in the European Union. Law enforcement agencies and judicial authorities, being limited by legal provisions, time frames and financial restrictions, can rarely investigate fraudulent transactions performed overseas.

In practical terms, investigative measures rarely lead to dismantling the whole criminal structure. Judicial authorities press charges mainly for the part of the criminal activities that are performed in the EU, which is usually considered as the preparatory stage and not always associated with any financial losses. Consequently, in the majority of such cases the sentences are relatively lenient and suspects can leave jail on bail. Even if some criminals from an OCG are arrested for a period of time they can be easily replaced by others so that the criminal group is still active.

In June 2011 a global operation, ’Night Clone’ was brought to a successful conclusion with almost 70 suspects arrested in the EU and overseas. The operation had a very big impact and for several months, illegal activities of many other OCGs ceased.

Card-not-present (CNP) fraud
Payment card data is the ideal illicit internet commodity as it is internationally transferable. Europol, in its report on Internet Facilitated Organised Crime concluded that organised crime groups clearly benefit from globalisation, using foreign payment card data to purchase goods and services on-line. Credit card information and bank account credentials are the most advertised goods on the underground economy’s servers.

According to Europol’s intelligence, in 2011 around 60% of payment card fraud losses, totalling 900 million euros, were caused by card-not-present (CNP) fraud.

Within the major card-not-present fraud investigations supported by Europol, the main sources of illegal data were data breaches, often facilitated by insiders and malicious software. In most of these cases the quantity of compromised card details is substantial, reaching hundreds of thousands or millions, enabling criminals to sell the bulk data on the internet.

So far most of the credit card numbers misused in the EU have come from data breaches in the US. However, since 2010, Europol have observed a growing number of financial data breaches against EU-based merchants and card processing centres. Most of the investigations into these breaches are based on information on illegal transactions carried out using compromised cards, as the reporting of such attacks by the affected companies is still a weak point.

A major problem in the EU is the lack of proper regulations for reporting data breaches to police authorities. Law enforcement agencies, even if aware of a breach, have difficulties finding information on, and links to, the point of compromise, stolen data and illegal transactions. The lack of legal provisions on reporting data breaches is not the only problem. One of the key factors making industry reluctant to report incidents to law enforcement authorities is the lack of trust in investigative possibilities as well as the need to maintain the reputations of the respective private entities. On the other hand, the lack of reporting leads to a small number of international investigations and a low level of prioritisation of such cases within LEAs. The problem ends up with the situation where, despite a dynamic increase in CNP fraud, it is not reflected in the statistics of cases reported and investigated by EU police forces. Consequently, since the problem is not reflected in police statistics, this phenomenon is not prioritised and it is difficult to initiate international cooperation in such cases.

From the security perspective, as with the security of face-to-face transactions, there is a lack of common global standards on the protection of card-not-present transactions. Major investments by EU industry have been made in the 3D secure protocol (MasterCard secure code; verified by VISA). However, despite this strong 3D secure verification, it is not a worldwide solution and, even on the EU level, not all on-line transactions are protected with it.

Investigations into CNP fraud and its initial stage data breach is typically very demanding. As identified by Verizon, such cases are usually quite large and complex, often involving numerous parties, inter-related incidents, multiple countries, and many affected assets. In addition to that, as stated earlier, the majority of such cases are not reported to LEAs, as industry mainly focuses on preventive measures rather than relying on the outcome of investigations. The results of internal inquiries are used to improve security measures and rarely focus on the identification of individuals responsible for the breaches.

As far as investigations into illegal on-line card transactions affecting the EU are concerned, they are mainly concerned with:

  • illegal ordering of high value goods on the internet
  • combating networks of mules set up to receive and transfer goods ordered on the internet
  • illegal transactions – purchases of services from travel companies/airlines
  • physical transactions with counterfeit credit cards – with data sourced from the internet
  • investigations into OCGs from the Baltic states and South East of Europe
  • the proper coordination of information – where possible, data breaches should be linked to illegal transactions
  • assets seizure – the network of mules shall be determined in order to localise the entry/exit points of goods

EU Member States reported many constraints and challenges faced during such investigations. The lack of legal provisions for reporting on-line incidents and data breaches, which are usually of an international nature, creates problems in individual cases under the responsibility of the respective MS, including the possibility to connect illegal transactions reported by other countries and decisions on the place of final prosecution. The global dimension and protection of financial and personal data is a major problem as far as the efficiency and time-frames of investigations are concerned. From a practical perspective, the involvement of Russian-speaking, well organised and hermetic structures cause huge problems with regards to infiltrating individuals and collecting evidence on their criminal activities. Since the majority of criminal activities are on-line, the best solution is to task specialised cybercrime teams with such cases.

As there is still little experience on such card-not-present fraud cases where data breaches and illegal transactions make EU companies and consumers the key targets the role of Europol is crucial, to analyse information and spread strategic and operational information, ultimately ensuring the efficiency of investigative measures.

Europol Summary of Credit Card Fraud in 2012
The financial crisis has had a big impact on the approach of private financial services companies and LEAs. Currently, all decisions are thoroughly scrutinised and assessed from an economic and ‘priority’ perspective.

Private industry focus on products and services which bring profit in the first instance. Such companies can accept a certain level of fraud without making any effort to identify the individuals responsible for that fraud. From the law enforcement perspective it is increasingly suggested that, since losses caused by payment card fraud can be easily covered by private industry, there is no point in investing resources on investigations. The problem is even bigger as investigations must be performed on an international level, so the investment must be higher and comes with no guarantee of final success or seizure of assets.

All that leads to the dangerous situation in which the illegal income for members of organised crime groups, reaching 1.5 billion euros a year, is not identified and recovered. It seems that the EU response to the payment card fraud problem is not harmonised or fully supported by all actors card schemes, card issuers, processing centres, law enforcement agencies and judicial authorities.

The EU still has to rely on outdated technology which does not adequately protect payment card transactions. One policy option available to strengthen security levels is to abandon the magnetic strip on payment cards for internal EU transactions.

As far as new technologies are concerned, including mobile or contactless payments, it is still not well analysed but there are certain doubts about their properly coordinated and standardised implementation to guarantee resistance to fraud.

The coordinated approach of industry and LEAs should lead, not only to the security of non-cash payments, but should also make sure that all incidents, including data breaches, are reported for further investigation. The position or reputation of the reporting entity should be protected and should not be undermined based on such a report.

Taking into account the global dimension of the problem, law enforcement and judicial authorities should take necessary steps to increase knowledge and awareness on the investigative skills and possibilities available. The role of Eurojust, as the agency for judicial cooperation, is extremely important to coordinate investigations and ensure the efficiency of prosecution and assets seizure in such cases.

The EU still has to rely on outdated technology which does not adequately protect payment card transactions. One policy option available to strengthen security levels is to abandon the magnetic strip on payment cards for internal EU transactions.

As far as new technologies are concerned, including mobile or contactless payments, it is still not well analysed but there are certain doubts about their properly coordinated and standardised implementation to guarantee resistance to fraud.

The coordinated approach of industry and LEAs should lead, not only to the security of non-cash payments, but should also make sure that all incidents, including data breaches, are reported for further investigation. The position or reputation of the reporting entity should be protected and should not be undermined based on such a report.

Taking into account the global dimension of the problem, law enforcement and judicial authorities should take necessary steps to increase knowledge and awareness on the investigative skills and possibilities available. The role of Eurojust, as the agency for judicial cooperation, is extremely important to coordinate investigations and ensure the efficiency of prosecution and assets seizure in such cases.

Proper coordination of information processing and reporting to the involved countries is critical for efficient investigations. A centralised database is very important to link members of criminal networks, fraudulent incidents and investigations. Europol, having a specialised team with an existing operational database and a newly-created technical platform, can play an important role in such cases.

The missing links that remain are the legal solutions on cooperation with non-EU States and the communication of data with non-EU States and the communication of data with Private Industry.

You may also with to read

.

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: