Did you know that many automatic teller machines (ATMs) throughout the world still run Windows XP, Windows 2000, and even (gasp!) IBM OS/2? Yes, it's safe to say that in many cases, ATMs have been brushed aside for years when it comes to operating system upgrades and patch maintenance.
But something as critical as an ATM -- a publicly shared device that has direct access to our bank accounts -- "should" be of utmost importance in terms of IT security. For one reason or another, though, the technology seems to have been stuck in the past decade or two. This has led to major security holes found in out-of-date OS software. Banks and ATM manufacturers claim that the lack of proper OS and security updates is due to the fact that each ATM is its own independent PC. Since the operating systems are so outdated, the only way to perform upgrades is to have technicians physically visit each ATM and manually update software.
To solve this problem, Diebold -- a major ATM manufacturer -- is developing cloud-based ATMs with VMware that move ATM software and operating systems into the back-end network. Diebold claims that this not only solves the system update predicament but also makes the local ATM more secure, due to the fact that absolutely no information is ever stored on the ATM itself -- rather, it's stored securely in the cloud. If an ATM were to be stolen, there would be absolutely no customer data on the hardware to tamper with.
The logic behind virtualized ATMs seems sound, but I see several major drawbacks that could make ATMs less reliable. For one, a constant high-speed Internet connection is necessary for them to work. Many ATMs still use dial-up connections or low-speed DSL/leased lines. The telecommunications network would have to go through a significant upgrade for the virtualized ATM model to work.
Also, some ATMs can continue to perform cash-distribution functions while they have no connection to the back-end banking system. The transactions get cached locally and are recorded later when the network connection is restored. The new virtualized ATMs would require 100 percent connectivity; otherwise they stop working altogether. Since a virtualized ATM cannot store any information locally, no network connection means no cash. This could be a major problem in parts of the world that still don't have reliable broadband or that have sub-par telecommunications cabling.
Lastly, the risk of customer data being stolen while being temporarily stored locally on an ATM is very low, in my opinion. While it is true that a handful of countries have a problem with thieves physically stealing ATMs, this type of brute-force action is done only to steal the cash inside and has nothing to do with any data that is stored on the machine itself. Plus, I would sincerely hope that any important customer data is encrypted, and therefore useless to anyone that tries to retrieve the data outside the ATM network.
So what do you think? Are the benefits of virtualized ATMs all they're cracked up to be, or is Diebold simply ratcheting up the hype in an effort to sell some new hardware using the "cloud" as a marketing tool?