EPC notes key payment threats

The European Payments Council has published its third annual Payment Threats and Fraud Trends report. The report discusses the risks and trends, including those caused by:

  • social engineering;
  • malware;
  • “advanced persistent threats” (meaning specific targeted threats);
  • mobile device-related threats;
  • denial of service attacks;
  • botnets;
  • threats related to cloud services and big data;
  • threats related to the IoT; and
  • threats related to virtual currencies.

The report also contains a detailed section on card-related and ATM fraud, and SEPA-related frauds. Its key conclusions are:

  • in general, the main attack focus is on social engineering, although malware is still the prevalent methodology for attacks on companies – which have become the preferred targets;
  • phishing of authentication codes will become useless with the changes PSD2 has brought, but phishing of activation codes for mobile payment and authentication apps is set to take its place;
  • ransomware is an increasing threat and appears to be preferred by criminals to banking Trojans – and, while it is not possible to achieve full protection against such threats, there are many mitigating steps that can help minimise risks and their impact;
  • advanced persistent threats are growing as lucrative payment frauds against payment infrastructures and their large customers – and tools to combat frauds need to evolve constantly;
  • (D)DoS attacks and botnets are still common and EPC expects an increase in the use of IoT devices to launch them;
  • new risks are emerging from the use of innovative technologies;
  • card payment fraud remains a huge problem, with no shortage of stolen credentials – but SCA is driving criminals to prefer using phishing and social engineering techniques. EPC cautions that security of new products such as mobile wallets bears these risks in mind; and
  • sharing of intelligence between PSPs is key to combatting risks.

Emma Radmore