Will Virtualization Halt ATM Skimming?
In a partnership with VMware, Diebold is readying its first zero-client ATM in a renewed effort to thwart skimming attacks.
In an August press release, Diebold said "the physical components of a single server provide resources to many 'virtual' ATMs." In the past, individual ATMs used older OSs, namely Windows XP or IBM's OS/2. With VMware, each ATM will display the text, graphics, and video, but will not store consumer data. ATMs will relay all customer entries and responses via a secure channel to a central location.
Large banks will use their own data centers. Second- and third-tier banks may opt to use Diebold's data centers instead. Centralization will also allow banks to update their customer applications quickly.
Virtualization may address some problems, such as the cash-spewing ATM demonstration made popular by Barnaby Jack at Black Hat in 2010. That hack involved remote-access flaws within the operating system and software.
But the more common ATM problem is skimmers, secondary devices that skim the account data as the ATM card is inserted into the machine. Many skimmers have their own internal memory and the ability to broadcast SMS data.
Whether the ATM is hosted locally or remotely via virtualization, the card data stored on the physical magstripe remains vulnerable to attack -- even with these new "virtual" ATMs.