Diebold Marries VMs with ATMs to Secure Banking Data

gManZboy writes "Automatic teller machine maker Diebold has taken a novel approach to protecting bank customer data: virtualization. Virtualized ATMs store all customer data on central servers, rather than the ATM itself, making it difficult for criminals to steal data from the machines. In places including Brazil, customer data has been at risk when thieves pulled or dynamited ATMs out of their settings and drove off with them. With threats increasing worldwide at many retail points of sale, such as supermarket checkout counters and service station gas pumps, Diebold needed to guarantee the security of customer data entered at the 50,000 ATMs that it manages. Diebold last year partnered with VMware to produce a zero-client ATM. No customer data is captured and stored on the ATM itself." Perhaps Diebold should take the same approach to vote-tabulating machines.

Erm...

[Spad]

Presumably the money is all sitting in a VM at one of Diebold's datacentres as well?

Who the hell steals an ATM out of the wall to get customer data? You just send out a phishing email and you'll probably get 100x the return without having to blow a bloody wall to pieces and steal what amounts to a large cube of metal.

Also, who the hell was storing any significant customer data on the ATMs in the first place?

Re:Erm...

[lucm]

Who the hell steals an ATM out of the wall to get customer data? You just send out a phishing email and you'll probably get 100x the return without having to blow a bloody wall to pieces and steal what amounts to a large cube of metal.

Who said that they stole ATMs to get customer data? It was a "happy" side effect since the money and the data were stored in the same container. It's like a pickpocket that wants the money in your wallet but also ends up with your swingers club membership card and the pictures of your children.

Re:Erm...

[icebike]

Who said that they stole ATMs to get customer data? It was a "happy" side effect since the money and the data were stored in the same container. It's like a pickpocket that wants the money in your wallet but also ends up with your swingers club membership card and the pictures of your children.

Are you so sure it actually runs that way, even in Brazil? I've never seen an ATM without a network connection of some sort.

I seriously doubt there is any customer date in the ATM. Refreshing that daily would be a nightmare.
Having the system on a VM seems to be necessary because Diebold insists on using Windows in the boxes. Windows, left laying around in public!! Idiots! By having VMware, running, they can give each customer a fresh virtual machine to run the transaction, saving them a whole lot of programming to make sure all cached data is cleared from memory. (In other words saving them from having to do a competent job in the first place).

A simple terminal system would do the same. There never was a valid use case for having any data resident in the cash machine.

The more you read the story the less you are sure that what they are reporting is actually what is happening, because it is so incredibly dumb. But then this is Diebold, so.....

Re:Erm...

[fuzzyfuzzyfungus]

Luckily, some fancy VM setup definitely prevents customer data from passing through the local PIN pad and/or touchscreen controller hardware. Thankfully, hardware keyloggers suddenly give up in defeat if they are asked to log keystrokes going to a super-secure remote VM...

Re:Erm...

[bws111]

Best security practice is to not have ATMs. Or electronic banking. Or paper checks. Or bank accounts. Or credit/debit cards. Or even cash. All of them have been abused by criminals. However, out here in the real world most people don't live in a constant state of paranoia about what criminals might do, and they don't like it when they can't access their money.