Katie Fiander, Europol: "Shared knowledge amongst an increasing criminal community will always pose a major threat to any retailer"

Melisande Mual, Managing Director at The Paypers, spoke with Katie Fiander of the European Cybercrime Centre (EC3), part of Europol, at the MRC Seville 2016. 

As the European Union’s law enforcement agency, Europol’s mission is to support its Member States in preventing and combating all forms of serious international crime and terrorism, what are the main cybercrime threats merchants are facing in 2016?

There is a wide variety in 2016. At one end of the spectrum, we are still seeing a prevalence of the more traditional threats, such as ransomware or data attacks. In addition to this modus operandi, we are seeing ‘CEO fraud’ -social engineering techniques used by cyber criminals to attack company employees by impersonating the CEO or a Law firm supposedly working for the CEO to transfer money to an account of an OCG. We have a specialized group at Europol who support these investigations. More information is available on our website.

In addition, eCommerce continues to present a significant threat to merchants who are increasingly falling victim to fraudulent purchases via mobile phones. We also see underground forms as an increasing threat, presenting challenges for merchants as cyber criminals use these environments to exchange information and expose merchant vulnerabilities.

Increasingly, cybercriminals are employing more and more advanced methods to defraud specific merchants. Shared knowledge amongst an increasing criminal community will always pose a major threat to any retailer, so awareness of this is very important in efforts to counteract this impact. Some threats are new and some continue to cause difficulties to merchants.

What initiatives did Europol start to combat ecommerce fraud?

We have been providing operational support to Member States investigating eCommerce fraud for quite some time now. This has included analytical support and the co-ordination of operational meetings involving multiple Member States. In 2014, we established ‘The eCommerce Working Group’ which comprises all key partners within the ecommerce crime, including are law enforcement agencies, merchants, representatives, the banking industry including card issuers and card acquirers and other important parties such as logistics carriers. We aim to create a community where each partner all plays a significant role in sharing information and methodology concerning the investigation, prosecution and prevention of eCommerce fraud.

Within this group, we facilitate the secure sharing of data and assist Member State investigations into this crime area, particularly complex and cross border cases. We host operational meetings, to assist existing investigations and bridge the gap between merchants and the police because it is this direct communication which stimulates effective investigations.

How are these merchants represented? Do you work with individual merchants or do you work together with organisations like MRC, representing merchants or ecommerce associations?

We tend to work directly with representatives from individual merchants. However, we are also willing and able to work with umbrella companies, for example, acquirers, who have permission of the merchants they look after to officially share large amounts of data. The project is still in the early stages, and we are working on manage bookcases where we can show other merchants successful operational outcomes and really build upon experiences in doing so.

In serious and complex cases, we provide a number of services to the Member States involved. One is analytical support. For example, we insert the data we receive into our databases to identify the networks and map their structure. Importantly, if there we can also identify links to other crime areas which these networks are involved in. eCommerce fraud is being used widely across Europe to directly facilitate and fund other forms of serious and harmful crime types.

We also provide operational support. For example, when police arrest suspects we can give forensic expertise, we can also take a mobile office to give real-time information checks and complete reports based on data received at that time.

In addition, we work with private sector partners around preventative measures in relation to ecommerce fraud. For example, we host events which raise awareness around securing payment platforms and accessing training opportunities.

We also support the smaller merchants. Our specialists constantly seek to regenerate our networks to encompass smaller merchants and to target specific smaller merchants to come to our events to give them better access to law enforcement members and banking representatives, and to be part of these initiatives.

In a 2015 report, Europol underlined the idea that Bitcoin could become the go-to currency for criminals. What does Europol recommend in terms of approach to closely monitor Bitcoin-based ‘crime-as-a-service’ transactions?

It is important to remember that Bitcoin is a currency abused by cybercriminals. Bitcoin and other digital-based currencies offer a very particular set of features, which make them attractive to these criminals, such as, for example:

• Global nature of the currency with many possibilities to acquire or sell bitcoins
• Fast transactions, as payments are propagated instantly and usually confirmed within 10 minutes
• Irreversibility of transaction
• Problematic traceability

Yet, Bitcoin offers interesting investigation opportunity for law enforcement as its blockchain technology is based on recording all transaction in a searchable and unalterable public ledger. Bitcoin transactions can therefore be followed, but the challenge of attributing an individual Bitcoin address to a particular person remains and Europol closely cooperates with private sector to address this issue.

It should be noted that the “everything is recorded forever” nature of the blockchain means that crimes that are difficult to trace nowadays may be detected in the future due to natural evolution of bitcoin tracing technology.
From our perspective, the majority of merchants at this time are not processing Bitcoin transactions although there is an expectation that this possibly could change in the future and we are very much aware of this possibility. Additionally, the majority of merchants accepting bitcoin do so through a payment processing agent who in most cases instantly converts any bitcoin payments into fiat currency.

In some ways, bitcoins can offer additional security for merchants as there are no chargebacks. The vast majority of ecommerce fraud, at this time, still relates to the use of compromised credit card data. Until such time as a there is a fraud detection/prevention services similar to those used in the credit card industry, the focus for merchants should continue to be the KYC (Know Your Customer) procedures used to assess customers using both manual and automated online payment protection systems.

That being said, it would be a no surprise to cybercriminals utilizing bitcoins to facilitate their crime-as-a-service activities that the European Cybercrime Center at Europol continues to actively support its Member States in the identification and arrest of the individuals and groups involved in this phenomenon. The message for cybercriminals is this: Bitcoin may help you to hide your identity online, but will not ensure it.

About Katie Fiander

Katie studied forensic psychology in England before joining the Metropolitan Police in London where she served her final years as a detective before joining the European Cybercrime Centre at Europol in 2014.

About Europol

Europol is the European Union’s law enforcement agency whose main goal is to help achieve a safer Europe for the benefit of all EU citizens. The European Cybercrime Centre (EC3), as part of Europol, serves as the European information hub on cybercrime, developing cutting edge digital forensic capabilities to support investigations in the EU and building capacity to combat cybercrime through training, awareness raising and delivering best practice on cybercrime.