Diebold turns ATMs into VDI clients

ATMs hold data and software that can be compromised by sophisticated criminals. Diebold will blunt threats by transforming ATMs into VDI-based zero clients.

VDI software isn't just for desktops anymore. Diebold is about to turn thousands of ATMs into VDI-based zero clients.

Diebold Inc. secures and manages hundreds of thousands of Automatic Teller Machines around the world. One of the company's biggest challenges is servicing ATMs in inconvenient places -- including the base camp of Mount Everest, according to Mark W. Kropf, Diebold's emerging technologies team lead.

"ATMs are everywhere -- in very remote locations -- and we have to send someone there to replenish cash and do patches," Kropf said. "It's a difficult model. So, if I can take software out of the scope, I enable our people in vans out there to focus on hardware maintenance."

Securing ATMs is a major problem as well. For the most part, criminals try to steal the cash -- they blow up machines or hoist entire ATMs out of gas stations and supermarkets. "It's a cat and mouse game in the security world," Kropf said. "We create stronger vaults and they come up with new ways to break through them."

While cash inside ATM vaults is the obvious target, sophisticated criminals know the data within the hard drive is more valuable than the cash in machines, Kropf said. "The loss of software is a problem, and it's tougher to quantify than lost money," he said.

For instance, an ATM's IP address is a source of insecurity: once a potential attacker learns it, he can register with the machine's Logical IP Subnet (LIS) and perform man-in-the-middle attacks to retrieve card data, or launch denial-of-service attacks.

Using server-hosted VDI, Diebold can remove all customer financial data from ATM hard drives and prevent increasingly sophisticated attacks on ATMs.

The company will also benefit from centralized management.

VDI-based ATMs
In Diebold's prototypes, displayed at the VMworld 2011 conference last year, the ATM hard drive is replaced with a zero client that transmits data back and forth to a remote data center using VMware View.

Since VDI changes the ATM model so significantly, the company will co-create its plans with customers. Diebold will perform virtualized ATM pilots for customers this year.

The remote computing model is already well established in the point-of-sale industry, where customer data is never stored at the endpoint, but at a remote, secure data center, Kropf said.

"By removing the data from the client, there is never data on the point-of-sale devices to steal," he said.

Many of the Canton, Ohio-based company's banking clients have already virtualized servers and desktops, so Kropf doesn't anticipate much opposition to the technology -- other than resistance to change. But there are sure to be concerns -- particularly from IT pros who have had poor experiences with VDI.

Jeff Moore, an IT manager with a bank in Montana, tried VDI products from VMware and Citrix Systems, but neither performed up to his company's standards. He worries about ATM performance issues with VDI, especially with banks using ATMs as multifunction machines.

"Everyone is aware by now of the bandwidth cost of video or any type of flash marketing on a VDI system," Moore said. "I am not sure how the multifunction machines -- check scanning, deposits -- will play into it, but I can tell you by experience that attempting to scan images across the network in a VDI environment is not a good experience."

But Diebold uses VMware VDI for its own employee desktops, and Kropf said he is working with VMware and Teradici on PCoIP improvements to ensure good performance for ATMs.

The company has used server virtualization in-house for about seven years and, being a VMware shop with many VMware-based clients, it chose View 5 for ATMs. The company standardized on Cisco Unified Computing System and uses those systems to deliver View virtual desktops.

Let us know what you think about the story; email Bridget Botelho or follow @BridgetBotelho on Twitter.
