Diebold Marries VMs with ATMs to Secure Banking Data 151
gManZboy writes "Automatic teller machine maker Diebold has taken a novel approach to protecting bank customer data: virtualization. Virtualized ATMs store all customer data on central servers, rather than the ATM itself, making it difficult for criminals to steal data from the machines. In places including Brazil, customer data has been at risk when thieves pulled or dynamited ATMs out of their settings and drove off with them. With threats increasing worldwide at many retail points of sale, such as supermarket checkout counters and service station gas pumps, Diebold needed to guarantee the security of customer data entered at the 50,000 ATMs that it manages. Diebold last year partnered with VMware to produce a zero-client ATM. No customer data is captured and stored on the ATM itself." Perhaps Diebold should take the same approach to vote-tabulating machines.
Not really (Score:2, Informative)
I stopped reading when it said that ATMs store customer data on the machine. That's the most ridiculous thing I've ever heard. ATMs have always accessed customer data from central servers.
If that weren't the case, I could just visit all the ATMs for my bank and withdrawl my account balance. There would be no way the machines would know I've made withdrawls.
Fuck, does the Diebold tech just walk from machine to machine each day with a floppy disk?
I've delt with ATMs before, and they usually have a DSL connection with a static IP and a VPN back to the central server. The ones I have worked with run Windows XP. If you steal one, you're just getting a computer. The ATM software won't work because of IP restrictions at the central server (you have to be on the DSL at the location). The firewalls in the ATM providing the VPN connection do not allow anything out or in except over that VPN. There is no customer data. Customer data is stored in RAM by the Diebold software when it is accessed. I suppose that's a security risk, but what else can you do?
I think the entire article is full of shit.
Re:I can't believe that even Diebold (Score:4, Informative)
These systems were all built with bad network communication in mind -- verifying over phones, etc, which causes them to have to store this credit card data (PAN data). Because modern systems are just upgrades on these old codebases, little has changed but to give it the bare amount of encryption/etc for PCI compliance, which is routinely ignored by small businesses.
Re:Are you sure? (Score:5, Informative)
I always thought that when the balance was not available meant that the ATM was out of paper. It's the only time I don't get a receipt. I have my profile set to automatically generate a receipt.
It depends on your local ATM I guess, but just for fun, next time you can't get a balance before withdrawing, try to take out more money than you have (if the ATM limit is high enough) and you'll have the answer. They will put a negative balance in your bank account and call you to complain a few days later.
This happened to a friend of mine who was sure the ATM was broken so he kept taking money out. Tsk tsk. Beating the bank - not possible!
Re:Erm... (Score:2, Informative)
I work in network operations for a company that does core processing for banks. None of our thousands of ATMs store customer data on the ATM and I can't imagine a reason any of our competitors would do it differently than we do.
The ATM is going to have to report back to whatever server or mainframe maintains the account balance regardless, why would you cache that information on the ATM?