THE EU CYBERSECURITY AGENCY
FINANCIAL FRAUD IN THE DIGITAL SPACE
November 2018
EUROPEAN AND GLOBAL PERSPECTIVE ON ONLINE FRAUD
Today, more and more purchases are done through online payments. The online world offers the convenience and ease of buying goods or paying for services through payments via your computer, tablet or mobile phone.

However, the use of online payments is not without its risks. Every year, the finance sector reports losses in the billions. According to the UK National Audit Office (1), individuals lost £10 billion in 2016, which translates to almost 2 million cyber-related fraud incidents. If current trends continue, online fraud may overtake plastic fraud by the year 2020.

Based on a report from Worldpay (2), the EU will continue to be amongst the leaders regarding the use of digital wallets and mobile payments in the next three years. According to the report, digital wallets, like PayPal and AliPay, are still considered to be the norm for online purchases and their use will continue to grow, making them the number one payment choice for online purchases in the next three years, while the use of credit and debit cards will decrease.

In 2015 and 2016, the practices of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) came under SWIFT members’ scrutiny, as they allowed too much discretion on the use of the end equipment, which was thought to be a vulnerability. Allegedly, a central bank in Asia that used the SWIFT network was involved in one of the major cyber-attacks, which led to the loss of 81 million dollars (4). The SWIFT network allows banks to process international transfers each day and is considered to be the backbone of international money movement. An organized crime organization was able to obtain a bank employee’s SWIFT logon, which they then used to take advantage of previously cancelled or rejected payment requests. They were able to alter the amounts and destinations on the transfer requests and reissue them. As a result, the crime organization was able to withdraw money from specific bank branches at specific times on the other side of the world, as well as launder it in gambling establishments across the border.

In another attack, early in August 2018, US $13.5 million were stolen from India's Cosmos Bank (5). It was an attack that exposed limitations in the measures banks use to defend against targeted cyber threats. The attack was a more advanced, well planned and highly coordinated operation that focused on the bank’s infrastructure, effectively bypassing the four main
OPINION PAPERS 1
layers of defence. As a result, the details sent from the payment switch to authorize transactions were never forwarded to the core banking system, so the checks on card number, card status, PIN, etc. were never performed. Instead, the requests were handled by the malicious proxy deployed by the attackers, which sent fake responses authorizing the transactions.

A similar attack was carried out against British Airways in August 2018 (6), when credit card data was stolen by injecting code directly into the company’s website, which is also used by the mobile app. Through the injected code, credit card data was transmitted to a website controlled by the criminals.

Stolen or compromised data is usually found in the Dark Web, where it is offered for sale in Dark Web marketplaces alongside other illegal content. The latest exploits, drugs and stolen sensitive data (credit cards, identities) are some of the most common items that can be found there.

The Dark Web exists on the Internet, but requires specific software to access it, e.g. The Onion Router (Tor) or the Invisible Internet Project (I2P). The idea behind this type of network is that access is anonymous and untraceable, although reports exist that government agencies were able to find a way to trace and identify people using such services.

Hacking groups and hacking services can also be found in the Dark Web. They offer different services, like network penetrations and/or denial of service attacks, on behalf of someone who is willing to pay.

In the Dark Web, payments are usually conducted via cryptocurrencies, mainly because these types of payments only require a unique identifier from both sides. This unique identifier is not officially associated with any identity, which makes payments difficult to attribute to a specific person or organization.
CHALLENGES IN RESPONDING TO ONLINE FRAUD
In this article, online fraud is considered to be any fraudulent activity done through any Internet-related means. Some key fraudulent schemes use email, websites or online messengers (e.g. WhatsApp, Facebook Messenger) to conduct fraudulent transactions or to trick victims into giving away their personal information. In most cases, the criminals are looking for bank logins, credit card data, or personal data that can be used to impersonate a victim. There is a wide range of challenges that the financial system needs to tackle to protect against online fraud. They can be split into technical and legal challenges.

2.1 TECHNICAL CHALLENGES

Phishing and social engineering

These schemes target the user through phishing emails and social engineering, exploiting different communication channels (e.g. phone, email, SMS) and data about the user available in the public domain (e.g. social media sites, search engines). The data sought by attackers using social engineering are often credit card data and personal data that the user knows about. Stolen credit/debit card or prepaid card details can be either monetized (e.g. sold in underground market forums like the Dark Web) or used for fraudulent payments. Stolen personal data of the user can be used for impersonation attacks and for identity theft.

Malware

Malware is any piece of software or code that has a malicious intent. Once again, in 2017 malware was the most frequently encountered cyber threat, according to the latest ENISA Threat Landscape (3). Also based on that report, businesses experienced far more threats in 2017 than in 2016. Financial malware still relies on web-based attacks. Most of the known financial malware (i.e. Zeus, SpyEye, Carbanak, and many others) takes advantage of browser exploits, such as the latest one called Disdain, or utilizes man-in-the-browser techniques.

Uploading malware to Point-of-Sale (PoS) or automated teller machines (ATMs) (e.g. Carbanak, Malum PoS) exploits security weaknesses such as the use of insecure access to PoS or ATM devices. Once the malware is installed on the terminal, the attacker can remotely steal payment data passing through the card readers and conduct fraud.
Mobile devices threats

Mobile devices have become the norm today for making online payments. Most of the threats affecting these devices are very similar to those affecting a desktop computer or a laptop, but due to their size, mobile devices offer additional opportunities for an attacker.

Mobile devices usually do not offer the same protection as desktop PCs, as they rarely run antivirus software, a firewall, etc. With the introduction of new mobile payment services, they will become a more interesting target for attackers. Abusing a lost or stolen device to make online transactions is a very common threat. Another is installing malware on the device to tamper with, or gain access to, the mobile applications used for online transactions.

Payment systems compromise

Payment Service Providers (PSPs) offer terminals for payments as well as aggregated payment services for merchants, processing data from different channels, including face-to-face (card present) payments, online payments and mobile/contactless payments. PSP payment gateways represent an interesting target for attackers that seek to compromise the payment data in transit from the merchants to the different acquiring banks. Attackers might seek to exploit software vulnerabilities in the payment gateways hosted at the payment service providers, for instance by obtaining unauthorized access to the payment gateways or by exploiting weaknesses in the enforcement of the payment service providers’ internal security controls and measures.

Network Attacks

Denial of Service and/or Distributed Denial of Service (DoS/DDoS) attacks targeting the availability of any internet-exposed services hosted by payment network organizations (banks, payment service providers, etc.) can affect online payment services. These attacks might affect transactions that require real-time access by payment applications to the payment services. They may also block legitimate access by consumers to their bank accounts, and thwart online payments.

Man-In-The-Middle (MiTM) attacks against POS and ATM terminals are enabled by weaknesses in the end-to-end encryption between the terminal and the server. If encryption is not properly configured or is non-existent, information could be stolen and used for abuse later. Attackers can also attempt to exploit network security weaknesses, such as a lack of firewalls to protect the internal network, or vulnerabilities in POS/ATM software and misconfigurations (e.g. not enforcing minimum privileges to access terminals and servers).

The complexity of the financial ecosystem makes it difficult to recognize new attack vectors, as well as attacks involving the abuse of connectivity between multiple organizations in the system.

Third party trust

Cloud services are an on-demand service model for IT provision, often based on virtualization and distributed computing technologies. More and more financial institutions are moving their systems into the cloud. The benefits of the cloud are very clear to the institutions: cost savings, flexibility and resilience are just some of the key advantages.

With cloud services, the security model changes. Although the liability stays with the financial institution, some of the security controls are with the cloud provider, and this brings additional security challenges. One of the key challenges that we have seen in cloud adoption is isolation failure, meaning that access to shared resources is no longer properly separated. Another challenge is the customer management interfaces of public cloud providers, which are Internet-accessible and mediate access to larger sets of resources (than traditional hosting providers) and therefore pose an increased risk, especially when combined with remote access and web browser vulnerabilities.

2.2 LEGAL AND POLICY CHALLENGES

It is often argued that law follows technology. Finance is another area where this mantra holds true. In the rush to deliver business models that cut costs and appear more convenient and flexible, the opportunity for financial fraud in the digital world increases. The deployment of new digital technologies continues to challenge law makers and regulators. A mobile phone being used as a digital wallet for cryptocurrency transactions will pose a challenge for most lawyers and law enforcement officials working in the digital ecosystem.

While the financial industry seeks to capitalise on the use of digital technology and users follow as unwitting or unwilling participants, some basic questions remain unanswered from the end user perspective. The end user has been pushed to using online platforms and mobile apps that pose a challenge even to the most literate computer user. But what happens when something goes wrong and money is mislaid, lost or stolen? Is there any insurance to cover the loss? And who is liable? Is it the app manufacturer, the financial institution that promoted these technologies, the security consultants who should ensure that the technology is secure, or the innocent end users, who will be accused of negligence and may thus not be in a good position to defend themselves?
The concept of a zero-day software vulnerability is scarcely mentioned, and even more rarely understood, by many stakeholders in the digital financial transaction process. What this means is that an exploit may allow the confiscation of passwords and control of end user computers or mobiles at a time when there is no defence. Money can be moved to any part of the world in under a second.

This type of issue is rarely communicated to end users. While nobody is interested in undermining the need to use digital financial services, the risks need to be fully understood and addressed by all parties in an open and transparent way across all Member States in Europe.

It is submitted that only when this type of challenge is addressed will the necessary confidence of all stakeholders be achieved, and legislators and regulators have a clear role to deliver in this area.
EU’S RESPONSE TO ONLINE FRAUD
The European Union has recognized online fraud as a major challenge and has produced numerous policy initiatives to address the problem:

- Directive (EU) 2015/849 on preventing the use of the financial system for money laundering or terrorist financing (4th Anti-Money Laundering Directive)
- Directive (EU) 2015/2366 on payment services in the internal market (PSD2)
- Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
- Directive (EU) 2016/1148 on security of network and information systems (the NIS Directive)
- Proposal for Directive 2017/0226 on combating fraud and counterfeiting of non-cash means of payment and replacing Council Framework Decision 2001/413/JHA

The 5th Anti-Money Laundering Directive, which amends the 4th Anti-Money Laundering Directive, was published in the Official Journal of the European Union on 19 June 2018. The Member States must transpose this Directive by 10 January 2020. The new revisions will include virtual currencies, digital wallets and cryptocurrency exchanges in its supervision. This inclusion is based on the increasing use of cryptocurrencies by criminal organizations in cases like ransomware (Petya, NotPetya) and money laundering.

The EU institutions have shown a growing interest in the security of electronic payments. This interest has materialised in Directive 2015/2366/EU (17) on payment services in the internal market (PSD2).

In response to the start of the application of the General Data Protection Regulation (GDPR) on the processing of personal data, the European Banking Authority has published guidelines on incident notification, as well as guidelines on security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2).

The Digital Single Market Strategy further acknowledges the importance of a secure and trustworthy cyberspace. In order to support the needs of cybersecurity, the European Parliament and the Council approved the NIS Directive concerning measures for a high common level of security of network and information systems across the Union. The NIS Directive defines common security measures in terms of incident reporting and security measures for the Operators of Essential Services (OESs) and Digital Service Providers (DSPs). The NIS Directive came into force in August 2016.

The proposal for the Directive on combating fraud (2017/0226) is considered a major milestone, as its idea is to strengthen the Digital Single Market Strategy and stop organized cyber criminals in the EU. Its main objective is preparation for new-technology cyber-crimes and cross-border cooperation.

The European Commission is pursuing the implementation of the European Cybersecurity Strategy, which, in combination with the European Agenda on Security, provides a strategic framework for initiatives on cybersecurity and cybercrime. The European Union works on different initiatives supporting and ensuring cybersecurity, from enhancing the capabilities of the Member States to supporting international cooperation on cybersecurity and cybercrime. The main EU bodies specialized in these topics are:

- The European Union Agency for Network and Information Security – ENISA
- The European Cybercrime Centre within Europol – EC3
ENISA was established in 2004 to bring a high level of network and information security to the European Union. The Agency works closely together with Member States and the private sector to offer advice and solutions on cyber security related issues. In September 2017, the European Commission launched the cyber security package, an important milestone for ENISA, as it contained proposals on the new mandate of ENISA and on the EU cybersecurity certification framework within the Cybersecurity Act.

Besides these activities, 2018 is a year in which ENISA continued to invest in its core activities related to the NIS Directive, the recently adopted GDPR, eIDAS, European Cyber Security Month, the European Cyber Security Challenge, the Internet of Things, eHealth, etc. ENISA aims to strengthen cyber security in three main areas: expertise, policy and capacity. Amongst the key tasks of the agency are identifying the cyber threat landscape and Computer Security Incident Response Team (CSIRT) cooperation. Although cooperation takes place at a more global level and covers many sectors, the financial sector is one of the key sectors involved in the information sharing.

ENISA was also one of the founding members of the European Financial Institutes – Information Sharing and Analysis Centre (FI-ISAC). The European FI-ISAC is an independent organisation that was founded in 2008 to facilitate the information exchange, e.g. between CSIRTs, banks and law enforcement. The institution has signed a Memorandum of Understanding with Europol EC3 to improve co-operation between the European banking community and European Law Enforcement Agencies.

Europol set up the European Cybercrime Centre (EC3) in 2013 to strengthen the law enforcement response to cybercrime in the EU. Since then, it has been involved in many cyber-crime operations, one of the latest of which led to the arrest of a criminal organization that was responsible for losses of EUR 1 billion. In March 2018, Europol’s EC3 was involved in arresting the people behind the Carbanak malware that was targeting financial institutions. With the help of the cybersecurity group of the European Banking Federation, EC3 was able to identify related cyber incidents and trace financial flows.
THE WAY FORWARD
In general, it can be concluded that online or digital access brings ease of use to consumers, but it also creates more requirements for the industry with regard to securing the online services. An effective risk management programme is of paramount importance. Identification of new threats and modus operandi needs to be included in the regular risk management programme.

Based on the trends from ENISA’s latest threat landscape report, the complexity of attacks and the sophistication of malicious actions in cyberspace will continue to increase. This will require more collaboration between institutions in the ecosystem to be able to respond to an ever-changing environment.

It is also safe to assume that most of the fraudulent activity will move to the digital world and will require additional measures to combat the threats. This also requires developing the needed skill set, both on the business side and on the regulatory side. Policy makers need to create proper conditions that will lead to better education in the area of cybersecurity. It will also require the adoption of new technical and procedural measures to understand emerging trends in malware, attack and malicious infrastructure tactics, and to adapt defences accordingly. The potential use of machine learning and artificial intelligence methods may be something to be desired in the future.

Recent developments in lawful interventions in cyberspace show the need to regulate various critical elements of the threat landscape, such as state support of vulnerability discovery and utilization. These issues will require the development of practices regarding procedural, technical and legal aspects.

Governance Structure

In the cybersecurity strategy of the European Union, the EU reaffirms the importance of all stakeholders in the current Internet governance model and supports the multi-stakeholder governance approach. Indeed, the multi-stakeholder approach is fundamental to the development of successful standards, particularly in the area of cybersecurity, where public-sector requirements are implemented to a large extent by private sector service providers.

The European Commission has created the Cyber Security contractual Public-Private Partnership (cPPP). The aim of the partnership is to drive the cooperation between public and private actors in the research and innovation process, in order to allow people in Europe to access innovative and trustworthy European solutions (ICT products, services and software).

Incident Reporting

In order to gain an overview of the EU risk situation and of potential threat scenarios, the EU is dependent on the input from national competent authorities. Only with comprehensive data will the EU be able to gain knowledge on current dangers to the sector.

ENISA plays a significant role in this process by providing support in the execution of aligned reporting schemes at EU level. With the help of ENISA, a consistent implementation of incident reporting would make it easier for the different Member States. Monitoring of IT infrastructure can be conducted by the institutions themselves or, in the case of smaller institutions with limited financial resources, by third parties. If needed, institutions should be supported by public agencies in the development of the capacities for monitoring and incident reporting.

Mandatory security incident reporting should also include obligations for competent authorities to report back to the affected institutions and inform them about security threats and other related issues. This will create additional incentives for institutions to cooperate with the government on incident reporting and ensures that vulnerable institutions are informed quickly about potential threats.

Trusted Information sharing

The identification of new threats and attack vectors is something that the community needs to be able to share and act upon in an efficient and effective manner. Being able to quickly deploy new protection mechanisms or identify new attack patterns is something that will help the community in limiting the losses.

An information sharing platform is something that the EU Commission has identified as very valuable. As a result, the CSIRT network, created by the NIS Directive, will use a common platform for information exchange between Member States.
Risk management programme
An effective risk management programme that focuses on the mitigation of online payment application risks and identifies measures, including the detection of possible data compromise and fraud, should be in place. To this end, all players in the chain should have a reliable and accurate fraud monitoring system, which reliably detects transactions outside the customer’s baseline. They should also be able to effectively prevent further payments from a compromised online payment account.

To prove that adequate security measures are taken, regular testing of critical points of the network should be done. This should also be supplemented by the use of proper threat intelligence to follow the modus operandi of organized criminals. As the system is very complex and involves many players, such testing should be properly scoped and executed with minimal disruption to the system.
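As an added illustration of the two controls called for above (baseline-based fraud monitoring and refusing further payments from a compromised account), the following Python sketch is example code written for this page, not ENISA's or any bank's system. It builds a per-account baseline from accepted transactions and scores each new one on amount deviation, an unseen country and burst velocity; the account names, amounts, timestamps and thresholds are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    account: str
    amount: float
    country: str
    ts: int  # seconds since epoch (constructed values in the demo)


@dataclass
class Baseline:
    amounts: list = field(default_factory=list)   # amounts of accepted txns
    countries: set = field(default_factory=set)   # countries of accepted txns
    attempts: list = field(default_factory=list)  # timestamps of all attempts


class FraudMonitor:
    """Per-account baseline monitor (hypothetical thresholds, not a bank's rules).

    ALLOW  - consistent with the baseline; the transaction updates it
    REVIEW - one indicator deviates; hold for review, baseline left untouched
    BLOCK  - two or more indicators deviate, or the account is already blocked;
             all further payments from the account are refused
    """

    def __init__(self, z_limit=3.0, burst_limit=3, burst_window=600, min_history=5):
        self.z_limit = z_limit            # amount deviation, in standard deviations
        self.burst_limit = burst_limit    # prior attempts tolerated inside the window
        self.burst_window = burst_window  # seconds
        self.min_history = min_history    # accepted txns needed before amount stats count
        self.baselines = defaultdict(Baseline)
        self.blocked = set()

    def _deviations(self, txn, b):
        reasons = []
        if len(b.amounts) >= self.min_history:
            mu, sigma = mean(b.amounts), pstdev(b.amounts)
            sigma = sigma or max(0.1 * mu, 1.0)  # flat history: avoid division by zero
            z = (txn.amount - mu) / sigma
            if z > self.z_limit:
                reasons.append(f"amount {txn.amount:.2f} is {z:.1f} sd above mean {mu:.2f}")
        if b.countries and txn.country not in b.countries:
            reasons.append(f"country {txn.country} never seen on this account")
        recent = [t for t in b.attempts if 0 <= txn.ts - t <= self.burst_window]
        if len(recent) >= self.burst_limit:
            reasons.append(f"{len(recent) + 1} attempts within {self.burst_window}s")
        return reasons

    def evaluate(self, txn):
        """Return (decision, reasons) for txn and update the account state."""
        if txn.account in self.blocked:
            return "BLOCK", ["account blocked after earlier suspected compromise"]
        b = self.baselines[txn.account]
        reasons = self._deviations(txn, b)
        # Every attempt is recorded, so a burst of refused attempts still counts.
        b.attempts = [t for t in b.attempts if txn.ts - t <= self.burst_window] + [txn.ts]
        if len(reasons) >= 2:
            self.blocked.add(txn.account)
            return "BLOCK", reasons
        if reasons:
            return "REVIEW", reasons
        # Only accepted transactions shape the baseline, limiting poisoning.
        b.amounts.append(txn.amount)
        b.countries.add(txn.country)
        return "ALLOW", []


def run_demo():
    """Constructed scenario: six routine purchases, then an out-of-pattern cash-out.

    Returns ['ALLOW', 'BLOCK', 'BLOCK'].
    """
    m = FraudMonitor()
    day = 86_400
    for i, amount in enumerate([20, 35, 25, 40, 30, 28]):
        m.evaluate(Txn("ACC-001", amount, "DE", i * day))  # all ALLOW, build baseline
    return [
        m.evaluate(Txn("ACC-001", 32, "DE", 6 * day))[0],        # routine purchase
        m.evaluate(Txn("ACC-001", 950, "BR", 6 * day + 60))[0],  # large and new country
        m.evaluate(Txn("ACC-001", 10, "DE", 6 * day + 120))[0],  # refused: account blocked
    ]
```

A single deviating indicator only holds a transaction for review, so an ordinary trip abroad does not lock the customer out, while the combined amount-and-country deviation in the demo triggers the containment the text asks for.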
REFERENCES USED:
1. https://www.nao.org.uk/wp-content/uploads/2017/06/Online-Fraud.pdf
2. https://worldpay.globalpaymentsreport.com/, 2017
3. https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2017
4. https://www.theregister.co.uk/2016/03/11/bangladesh_bank_cyber_heist_1bn_dollars_nearly_stolen/
5. https://www.enisa.europa.eu/publications/info-notes/atm-cash-out-attacks
6. https://www.telegraph.co.uk/business/2018/09/06/british-airways-hacked-380000-sets-payment-details-stolen/
ABOUT ENISA
The European Union Agency for Network and Information Security (ENISA) is a centre
of network and information security expertise for the EU, its member states, the
private sector and EU citizens. ENISA works with these groups to develop advice and
recommendations on good practice in information security. It assists member states in
implementing relevant EU legislation and works to improve the resilience of Europe’s critical
information infrastructure and networks. ENISA seeks to enhance existing expertise in
member states by supporting the development of cross-border communities committed
to improving network and information security throughout the EU. More information about
ENISA and its work can be found at www.enisa.europa.eu.
CONTACT
For media enquiries about this paper, please use [email protected].
LEGAL NOTICE
Notice must be taken that this publication represents the views and interpretations of ENISA,
unless stated otherwise. This publication should not be construed to be a legal action of
ENISA or the ENISA bodies unless adopted pursuant to the Regulation (EU) No 526/2013.
This publication does not necessarily represent state-of-the-art and ENISA may update it
from time to time.
Third-party sources are quoted as appropriate. ENISA is not responsible for the content
of the external sources including external websites referenced in this publication.
This publication is intended for information purposes only. It must be accessible free
of charge. Neither ENISA nor any person acting on its behalf is responsible for the use that
might be made of the information contained in this publication.
COPYRIGHT NOTICE
© European Union Agency for Network and Information Security (ENISA), 2018
Reproduction is authorised provided the source is acknowledged.
Vasilissis Sofias Str 1
Maroussi 151 24
Attiki, Greece
Tel: +30 28 14 40 9710
[email protected]
www.enisa.europa.eu