On November 21st, NCR issued a security alert for a new form of Transaction Reversal Fraud (TRF) occurring in the UK, typically between 10 PM and midnight on any given day.
Contrary to previously reported TRF attacks in which cash is pried from the dispenser after a payment reversal is initiated due to the jamming of the card reader, this new method does not require any interaction with the card reader or the use of modified cards. Instead, the fraudster manipulates the cash dispenser to activate a fault, which is subsequently reversed by the transaction host. The fraudster is then able to withdraw cash without the corresponding account being debited.
NCR has reported that fraudsters in the UK are using multiple different cards to execute the attack, with Bank Identification Numbers (BINs) corresponding to issuers in Russia and Ukraine.
Transaction Reversal Fraud is becoming increasingly more common, with The Europe Association for Secure Transactions (EAST) recently reporting that TRF is up 135% with total losses reaching 3.2 million euro in the first six months of 2019. Unlike logical ATM attacks, TRF is a sophisticated attack involving a sequence of events at the ATM that generates multiple error codes, an unnecessary payment reversal and the removal of cash from the dispenser. These attacks can be tricky to isolate and detect before financial losses occur, especially if changes to the ATM host applications are required.
While it is impossible to prevent fraudsters from attempting Transaction Reversal Fraud, with real-time access to the right data, you can gain the precise information needed to immediately detect TRF and protect (or even shut down) targeted ATMs within seconds. When selecting a fraud detection and prevention solution, such as INETCO Insight, it is important that the solution have the ability to ensure that every payment transaction is independently captured, every message field is fully decoded and every transaction link is correlated. Not only should the solution capture transaction data, it must marry transactions to hardware events and errors in real-time, thereby identifying TRF and helping take appropriate action.
For example, if an ATM device code error occurs and the ATM subsequently reverses the transaction, a customizable rules-based alert can trigger a workflow to shut down the targeted ATM within seconds.