Slashdot Mirror


Diebold Marries VMs with ATMs to Secure Banking Data

gManZboy writes "Automatic teller machine maker Diebold has taken a novel approach to protecting bank customer data: virtualization. Virtualized ATMs store all customer data on central servers, rather than the ATM itself, making it difficult for criminals to steal data from the machines. In places including Brazil, customer data has been at risk when thieves pulled or dynamited ATMs out of their settings and drove off with them. With threats increasing worldwide at many retail points of sale, such as supermarket checkout counters and service station gas pumps, Diebold needed to guarantee the security of customer data entered at the 50,000 ATMs that it manages. Diebold last year partnered with VMware to produce a zero-client ATM. No customer data is captured and stored on the ATM itself." Perhaps Diebold should take the same approach to vote-tabulating machines.

9 of 151 comments

  1. Erm... by Spad · · Score: 4, Insightful

    Presumably the money is all sitting in a VM at one of Diebold's datacentres as well?

    Who the hell steals an ATM out of the wall to get customer data? You just send out a phishing email and you'll probably get 100x the return without having to blow a bloody wall to pieces and steal what amounts to a large cube of metal.

    Also, who the hell was storing any significant customer data on the ATMs in the first place?

    1. Re:Erm... by lucm · · Score: 4, Insightful

      Who the hell steals an ATM out of the wall to get customer data? You just send out a phishing email and you'll probably get 100x the return without having to blow a bloody wall to pieces and steal what amounts to a large cube of metal.

      Who said that they stole ATMs to get customer data? It was a "happy" side effect since the money and the data were stored in the same container. It's like a pickpocket that wants the money in your wallet but also ends up with your swingers club membership card and the pictures of your children.

      --
      lucm, indeed.
    2. Re:Erm... by icebike · · Score: 5, Insightful

      Who said that they stole ATMs to get customer data? It was a "happy" side effect since the money and the data were stored in the same container. It's like a pickpocket that wants the money in your wallet but also ends up with your swingers club membership card and the pictures of your children.

      Are you so sure it actually runs that way, even in Brazil? I've never seen an ATM without a network connection of some sort.

      I seriously doubt there is any customer data in the ATM. Refreshing that daily would be a nightmare.
      Having the system on a VM seems to be necessary because Diebold insists on using Windows in the boxes. Windows, left lying around in public!! Idiots! By having VMware running, they can give each customer a fresh virtual machine to run the transaction, saving them a whole lot of programming to make sure all cached data is cleared from memory. (In other words saving them from having to do a competent job in the first place).

      A simple terminal system would do the same. There never was a valid use case for having any data resident in the cash machine.

      The more you read the story the less you are sure that what they are reporting is actually what is happening, because it is so incredibly dumb. But then this is Diebold, so.....

      --
      Sig Battery depleted. Reverting to safe mode.
    3. Re:Erm... by fuzzyfuzzyfungus · · Score: 4, Insightful

      Luckily, some fancy VM setup definitely prevents customer data from passing through the local PIN pad and/or touchscreen controller hardware. Thankfully, hardware keyloggers suddenly give up in defeat if they are asked to log keystrokes going to a super-secure remote VM...

  2. I can't believe that even Diebold by Presto+Vivace · · Score: 5, Interesting

    ever stored customer data in the ATM terminal itself. I always assumed that the info was all in the bank's server. Things are worse than I imagined.

    1. Re:I can't believe that even Diebold by Midnight_Falcon · · Score: 4, Informative

      Don't use your credit card at a restaurant then. Almost all point of sale systems cache locally to some extent, often for up to a month!

      These systems were all built with bad network communication in mind -- verifying over phones, etc, which causes them to have to store this credit card data (PAN data). Because modern systems are just upgrades on these old codebases, little has changed but to give it the bare amount of encryption/etc for PCI compliance, which is routinely ignored by small businesses.

  3. Obvious joke by dkleinsc · · Score: 4, Funny

    According to Ohio Revised Code 3101.01(A), effective in 2004, marrying VMs and ATMs is illegal.

    --
    I am officially gone from /. Long live http://www.soylentnews.com/
  4. Re:Voting machines? by Pieroxy · · Score: 4, Funny

    Have you seen the documentary where the guy finds out that the "secure database" where they collate votes is a simple Access file?

    And so? Are you going to tell me that Access is insecure now?

    Sheesh, you find these MS haters around every corner these days...

  5. Re:Are you sure? by lucm · · Score: 4, Informative

    I always thought that when the balance was not available it meant that the ATM was out of paper. It's the only time I don't get a receipt. I have my profile set to automatically generate a receipt.

    It depends on your local ATM I guess, but just for fun, next time you can't get a balance before withdrawing, try to take out more money than you have (if the ATM limit is high enough) and you'll have the answer. They will put a negative balance in your bank account and call you to complain a few days later.

    This happened to a friend of mine who was sure the ATM was broken so he kept taking money out. Tsk tsk. Beating the bank - not possible!

    --
    lucm, indeed.