Infrastructure // Storage
News
1/3/2012
09:08 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%
Repost This

Diebold Virtualizes ATMs To Secure Banking Data

Diebold seeks to close vulnerabilities by moving customer data off physical machines onto virtualized ATMs on protected data center servers.

Automatic teller machine maker Diebold has taken a novel approach to protecting bank customer data: virtualization. Virtualized ATMs store all customer data on central servers, rather than the ATM itself, making it difficult for criminals to steal data from the machines.

In places including Brazil, customer data has been at risk when thieves pulled or dynamited ATMs out of their settings and drove off with them. With threats increasing worldwide at many retail points of sale, such as supermarket checkout counters and service station gas pumps, Diebold needed to guarantee the security of customer data entered at the 50,000 ATMs that it manages.

"From the entrance to Death Valley in California to a Mount Everest base camp, we must maintain them all," said Mark Kropf, head of Deibold's emerging technologies group, in an interview.

[ Want to learn more about how hackers can attack ATM machines? See ATM Hack Demo Planned for Black Hat. ]

Diebold produces Opteva ATM machines and supplies Agilis software to run on its own and other manufacturers' ATMs. Diebold ATMs have been among those targeted by hackers. Westfield Bank, Palmetto Bank, and BellCo Credit Union are among the U.S. institutions that use Diebold ATMs, ATM management, or ATM security services. In addition, Diebold supplies BancoStato in Switzerland and Banco Santander in Brazil.

Diebold last year partnered with VMware to produce a zero-client ATM. An inaccessible zero-client component causes the ATM screen to render the results of interactions with a virtual machine running on a central server in a bank or Diebold data center. No customer data is captured and stored on the ATM itself, and all data storage devices have been removed. The zero client can relay customer entries to central servers and has sufficient smarts to display the text, graphics, and video that a financial institution wishes to send to customers.

Diebold is currently trying to maintain security at each physical ATM, a user endpoint that is running either Microsoft's Windows XP or IBM's OS/2 operating system. These operating systems, although hardened, provided "a larger attack surface" for hackers than the zero client, which has no operating system and no data storage, Kropf said. He said he knew of no other ATM system running virtual machines in place of local device software.

Hackers--in some cases, company insiders--have put card readers on gas station service pumps and customer checkout machines in supermarkets, storing customer data in an encrypted file that can be downloaded by the hackers. Virtualization combats such attempts by making such a reading device an instantly identifiable interloper, since the endpoint device no longer needs any memory-equipped accessory.

"Virtualization will fundamentally change the way Diebold--and its customers--deploy solutions to the marketplace," said Frank Natoli, VP and CTO at Diebold, as the firm announced its virtualized ATM prototype on the eve of VMworld in September. "This technology is a game changer for our industry," he said at the time.

By virtualizing ATM applications, Diebold could move data security and customer privacy protection into a Diebold or bank data center. Large banks use their own data centers to run their ATM networks. "Second- and third-tier banks" use Diebold's data centers and ATM network, Kropf said.

Kropf noted that the virtual machine approach will also allow financial institutions to change customer applications more readily on central servers, then have the changes deployed automatically through the ATM network.

Even so, the primary motivation for going with virtualized ATMs was to prevent the theft of customer data. Likewise, the security features of end-user virtual machines may eventually become the compelling argument for virtualizing end-user desktops. Data stored on central servers with in-depth protections has tended to be more secure than data stored on end-user devices.

When the end-user device--whether a desktop, laptop, or tablet--is virtualized, a thief can still be prevented from accessing user data. Once the device is reported stolen, it can be wiped clean of any data that might still be resident on it through commands from the data center. And central servers hosting virtual machines can be staging grounds for establishing defenses at multiple logical boundaries, such as rechecking a user's credentials at each step of a process. For example, is this user authorized to access this particular data set?

ATMs, fortunately, were not among InformationWeek's Six Worst Data Breaches In 2011. Diebold is looking for a partner in 2012 with whom to deploy virtualized ATMs. It believes it's a step toward keeping the technology off 2012's top breaches list.

In today's uncertain and highly scrutinized financial services industry, achieving effective risk management is vital for survival. The report examines the need for enterprise risk management, the benefits of holistic data management, and ERM best practices. Download the report now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 - 2014
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators.
Video
Slideshows
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.