Earlier this year, the Secret Service published an alert that foreign gangs have begun infecting U.S. automated teller machines with a computer virus that causes them to spit out all the cash they have. The resulting gusher of $20 or $50 bills looks like the grand payoff of a Las Vegas slot machine, earning this exploit the name, ATM jackpotting.
Many banks responded by upgrading the security of their ATM networks. But they should have taken another step: ensuring that their insurance policies have up-to-date language that will cover their losses in case their new anti-jackpotting defenses fail.
ATM jackpotting was developed in Europe and Latin America after banks started replacing magnetic stripes on credit and debit cards with microchips. Previously, the best way to rob ATMs was to make a stack of fake debit cards with account numbers copied from tiny magnetic stripe readers embedded in bank ATMs. A hidden camera captured customers entering their PIN numbers. But as chip cards were adopted, crooks took to ATM jackpotting. It’s a faster way to get more money than using forged cards, but riskier because the thieves need to spend more time standing next to the machines, where they can be observed by security cameras or guards.
To avoid detection, most jackpotters have been targeting machines placed in convenience stores or other non-bank locations. Often dressed as ATM service technicians, they’ll drill a hole in the ATM case and connect a cable to the USB port on the computer that controls the cash machine. (They guide the cable using an endoscope, a snake-like instrument that doctors use to view inside the body.) Once connected to the computer, taking control of the machine is easy and is often accomplished by installing a specific virus, Ploutus D. Once the virus is installed, the thieves can tap a code on the ATM keyboard and start collecting the cash. The haul from cleaning out a typical ATM is about $20,000, while the haul from a busy machine at peak hours can be up to $200,000.
The Secret Service said in January that a coordinated gang of international hackers had stolen more than $1 million through ATM jackpotting from machines in New England and the Gulf Coast. Since then, there have been reports of more jackpotting incidents around the country. ATM makers have issued alerts telling banks to upgrade the operating systems in their machines, to encrypt their hard drives and to install physical barriers to prevent attackers from being able to connect to the internal ATM electronics.
This is all well and good, but if those defenses fail, it’s not clear that existing financial institution bonds—the main insurance policies banks buy to protect from robberies, forgeries and the like—will cover losses from jackpotting. The problem is that language in the typical ATM rider dates back more than 40 years, a time when the state of the art in ATM theft was to pry entire machines out of bank walls using crowbars (or tractors). Since jackpotting involves convincing the machine to voluntarily dispense cash rather than forcibly removing the money, some insurance companies may decide not to pay claims for the new exploit.
Our suggestion to banks is simple: Don’t take the risk of having to fight with your insurance company over unclearly worded policies. Have your ATM rider modified to cover jackpotting and related crimes explicitly. Some insurers, in fact, have already published jackpotting endorsements. They are asking for small increases in premiums, but these can usually be wrapped into overall negotiation over rates.
Criminals targeting banks is nothing new but the methods that they use are constantly evolving. Having an experienced broker review the wording of your policies is critical to ensuring that your organization is protected from the newest hacking schemes.
Robert Madocks is an associate director in Crystal & Company’s financial institutions department in New York.
Sign up to get the latest Viewpoints articles by Crystal & Company experts sent directly to your inbox