The European Payments Council has published its third annual Payment Threats and Fraud Trends report. The report discusses the risks and trends, including those caused by:
- social engineering;
- malware;
- “advanced persistent threats” (meaning specific targeted threats);
- mobile device related threats;
- denial of service attacks;
- botnets;
- threats related to cloud services and big data;
- threats related to the IoT; and
- threats related to virtual currencies.
The report also contains a detailed section on card-related and ATM fraud, and SEPA-related frauds. Its key conclusions are:
- in general, the main attack focus is on social engineering, although malware is still the prevalent methodology for attacks on companies – which have become the preferred targets;
- phishing of authentication codes will become useless with the changes PSD2 has brought, but phishing of activation codes for mobile payment and authentication apps is set to take its place;
- ransomware is an increasing threat and appears to be preferred by criminals to banking Trojans – and, while it is not possible to achieve full protection against such threats, there are many mitigating steps that can help minimise risks and their impact;
- advanced persistent threats are growing as lucrative payment frauds against payment infrastructures and their large customers – and tools to combat frauds need to evolve constantly;
- (D)DoS attacks and botnets are still common and EPC expects an increase in the use of IoT devices to launch them;
- new risks are emerging from the use of innovative technologies;
- card payment fraud remains a huge problem, with no shortage of stolen credentials – but SCA is driving criminals to prefer using phishing and social engineering techniques. EPC cautions that security of new products such as mobile wallets bears these risks in mind; and
- sharing of intelligence between PSPs is key to combatting risks.