Home Depot. Target. Neiman Marcus. Albertsons. Michaels. Most Americans have shopped at one of these national chains recently. If you’re one of them, your credit card information may already be on the black market. And if you’re a retailer using a POS system, proposed legislation like the The Consumer Privacy Protection Act may hold you financially accountable in the event of a data breach. Here’s the skinny on RAM scraping, and what can be done to prevent it.
The fundamentals of RAM scraping aren’t rocket science: from the point at which a credit card is swiped or keyed to when the data is transmitted over the wire for processing, communications are being encrypted end-to-end. There is a crucial moment, however, when the data enters the memory banks of the POS machine for processing, unencrypted. It’s during this short window of opportunity that POS RAM-scraping malware is able to harvest the payment data in clear text and send it to remote hackers.
Here’s a video showing POS RAM scraping in action:
Breaching the Barriers
So how does RAM scraping malware make its way into a private network and onto a POS terminal? Techniques are unglamorous as they are common: phishing attacks luring victims into opening malicious files or web pages, insider-assisted malware installation—the usual suspect list of intrusion methods. Once hackers are able to penetrate the corporate network, it’s just a matter of time before they’re able to find their way to the target systems. The POS RAM-scraping malware can then be installed and set to quietly harvest credit card data as transactions are processed throughout the business day.
The presence of RAM scrapers is becoming increasingly difficult to detect. New generations of the malware employ sophisticated mechanisms to obfuscate their activity. For example, many RAM-scraping malware programs use custom packers to masquerade as legitimate programs and/or hide the true nature of their codebase. Many also inject their processes into normal, existing processes on a system or network. The end result is that anti-malware programs and IDS/IDPS systems cannot effectively protect POS systems from RAM scraping.
RAM Scraping on the Rise
A cursory web search on “RAM scraping” yields a bounty of results illustrating the clear and present danger of POS RAM-scraping malware—not only for credit card-bearing consumers, but also—and arguably more importantly—for retailers employing POS systems in their storefronts. The latest trends and statistics also verify that RAM scraping is on the rise. For example, Verizon’s recent report on data breaches reveals that RAM-scraping malware and phishing are rising in prominence, while spyware and keyloggers are on the decline:
For more sobering data regarding the latest trends in data breaches and intrusions, please check out our coverage and analysis of Verizon’s 2015 report.
The convergence of desktop and business systems is of particular concern when it comes to POS machines and vulnerabilities. Take a peek at the register screen next time you’re at the local supermarket—chances are you’ll see a familiar Windows background. In most cases, POS terminals are just ruggedized PCs equipped with special peripherals. Even popular Java-based POS terminals are usually running some sort of Unix variant at the OS level. Any vulnerabilities inherent to these operating systems can eventually allow hackers to access the data flowing through the terminal.
Securing the Infrastructure Against RAM Scrapers
Information security (infosec) is experiencing a transformation as traditional and legacy IT security products are losing the battle against new and emerging threats. This infosec renaissance will lead to new models of dynamic and fluid IT security, combining real-time comprehensive vulnerability monitoring and assessment with easy collaboration and integration with other solutions. To this end, platforms like UpGuard are crucial for maintaining the security posture of any environment—including fleets of POS terminals.
Implementing security as an ongoing, enterprise-wide collaborative effort spanning all phases of an application or system's lifecycle is the only safe bet towards bolstering a company’s security posture against an unknown future of threats and vulnerabilities. And in Target’s case, it could have saved them millions (and counting) in class action payout dollars—not to mention the ire and wrath of millions of customers.
Fighting RAM-Scraping Malware
The US-CERT team has put out an alert regarding malware targeting POS systems, with instructions to POS system owners regarding security best practices:
“Update POS Software Applications: Ensure that POS software applications are using the latest updated software applications and software application patches. POS systems, in the same way as computers, are vulnerable to malware attacks when required updates are not downloaded and installed on a timely basis.”
PCI-DSS (Payment Card Industry Data Security Standard)—the industry standard for payment card security guidelines—recommends the following:
“6.1 Establish a process to identify security vulnerabilities, by using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as 'high,' 'medium,' or 'low') to newly discovered security vulnerabilities."
"6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release."
UpGuard can continuously test infrastructures and environments with POS terminals through both user-defined policies and an OVAL-backed vulnerability suite to ensure quality from development to production. The platform also captures infrastructure requirements from the current desired secure state to avoid regressions and maintain consistently secure baselines.
In short, keeping POS systems patched and updated is key to combatting RAM scrapers and other malware types on the security horizon. UpGuard provides comprehensive vulnerability scanning and monitoring for ensuring that systems have been updated against the latest vulnerabilities and threats.
So how do events like 000webhost's massive data breach involving free web hosting providing 000webhost transpire? In a word, negligence. Gross negligence, to be precise.
Read Blog >
Access to free vulnerability assessment should be a basic right in a world where computing is integral to social and economic life. For our part, we're offering our full product, including vulnerability assessment, free forever for a user's first ten machines.
Read Blog >