Target Breach: 8 Facts On Memory-Scraping Malware
9 Notorious Hackers Of 2013
(click image for larger view and for slideshow)What is memory-scraping malware, and how can it be stopped?
Malware that attacks the RAM inside point-of-sale (POS) devices -- the fancy name for digital cash registers used by everyone from retailers and restaurants to hoteliers and hospitals -- leapt into the spotlight this week after it was tied to the recent breach of Target, and by extension, breaches involving Neiman Marcus and other as-yet-unnamed retailers.
"There was malware installed on our POS registers; that much we have established," Target chief executive Gregg Steinhafel said Sunday in an interview with CNBC, referring to a breach that began on November 28 and lasted until December 15. That breach resulted in up to 110 million people having their credit card information or personal details compromised. A related investigation remains underway.
In the wake of Target's admission, here's what businesses and their customers should know about RAM-scraping malware and how to stop it.
1. Memory-scraping malware isn't new. Memory-scraping attacks date from at least 2011, when security researchers first spotted an advanced version of the Trackr (a.k.a. Alina) malware, which can be controlled via a botnet. "One of the earliest serious POS RAM scraper attacks that we observed was back in November 2011 when we found that a university and several hotels had their PoS systems compromised," said Numaan Huq, a security researcher at SophosLabs Canada, in a July 2013 blog post. "Later we saw varied targets, including an auto dealership in Australia infected with Trackr."
Retailers aren't the only organizations vulnerable to having their POS systems targeted by memory-scraping malware. "Although retailers can be affected by these kinds of things, there have been food service companies, healthcare, hotels and tourism companies being targeted by RAM scraping in the past," said security researcher Graham Cluley, speaking by phone.
But the Target breach appears to set a new high in terms of the number of records that the attackers were able to successfully compromise. "Because of the scale of the Target breach, this is probably one of the biggest incidents, if not the biggest incident, that has occurred," Cluley said.
[For more on the expanding Target data breach, see Neiman Marcus, Target Data Breaches: 8 Facts.]
2. POS malware routes around encryption. Memory-scraping malware is typically designed to target Track 1 and Track 2 data -- including a cardholder's name, card number, expiration date, and the card's three-digit security code (a.k.a. CVV or CVC) -- at the place where it's most vulnerable to being intercepted: in memory, where it's in plaintext format.
"There is that opportunity to steal the credit card information when it is in memory, perhaps even before your payment has even been authorized, and the data hasn't even been written to the hard drive yet," said Cluley. "In some ways, it's understandable that the bad guys did this because the Payment Card Industry Data Security Standards -- PCI DSS -- tell retailers that if you write this [card] information to a hard disk or any other type of media it has to be strongly encrypted so nothing can grab it, and if you transmit it must be strongly encrypted, so nothing can intercept it in transit."
3. Security wrinkle: plaintext realities. Unfortunately, it's not feasible to encrypt data in POS system memory. "No matter how strong your encryption is, if the system needs to process data or process the code, everything needs to be decrypted in memory," explained Chris Elisan, principal malware scientist at security firm RSA, a division of EMC, speaking by phone.
Furthermore, RAM-scraping malware is purpose-built to act only when that information capture or decryption occurs. "Let's say it wants to steal credit card numbers," Elisan said. "The moment it sees new data being loaded into memory -- the moment it sees 16 characters with a zero or special character at the end, indicating that it's a card number -- it would just intercept that."
1 of 2
Comment |
Print |
More Insights
Comments
Oldest First | Newest First | Threaded View
Another reason...
...to pay with cash. I wonder what the relative risk of being robbed is compared to the risk of being hacked.
Re: Another reason...
Indeed. The convenience factor of using a debit/credit card would also be offset by having to carefully review one's statement online every 24-48 hours for signs of abuse.
Re: Another reason...
Interesting concept. Paying with cash would make these POS machines obsolete however hackers would probably focus their efforts on financial institutions and hack you that way. I say that in jest as cards are not going away anytime soon but you make a good point.
Interesting concept. Paying with cash would make these POS machines obsolete however hackers would probably focus their efforts on financial institutions and hack you that way. I say that in jest as cards are not going away anytime soon but you make a good point.
Target Breach
I posted this against another article, but I think it's important enough to repeat here.
Before the hackers damage another retailer, let me suggest a way of preventing this happening again. The benefit of this solution, originall designed for internet purchasing, is that it saves the credit card companies from having to invest in expensive EMV cards and, as a side benefit, a lost or stolen card will be useless to the thief. Also, very little modification needs to be made to the POS terminal. Further, the customer never sends his credit card details to the retailer, and the retailer's transaction records contain no usable information.
1. Remove all data from the credit card and its magnetic stripe, except for a simple User ID and, perhaps, the expiry date.
2. The credit card company installs a fraudproof authentication system, as described in www.designsim.com.au/What_is_SteelPlatez.ppsx, in its data centre.
3. The customer and retailer have accounts on the authentication system.
4. When the customer needs to make a purchase, he logs in to the authentication system belonging to the appropriate credit card company, giving his user ID and the amount of the purchase.
5. The retailer also logs in to the system, giving his merchant number, or User ID, and the customer's User ID (taken from the POS in use)
6. The credit card company knows the user's card number, so if he's been authenticated, it checks for a match with the retailer's submission.
7. If there's a match, it performs the usual checks for limits, expiry etc, issues an approval, pays the retailer etc.
Simple
Before the hackers damage another retailer, let me suggest a way of preventing this happening again. The benefit of this solution, originall designed for internet purchasing, is that it saves the credit card companies from having to invest in expensive EMV cards and, as a side benefit, a lost or stolen card will be useless to the thief. Also, very little modification needs to be made to the POS terminal. Further, the customer never sends his credit card details to the retailer, and the retailer's transaction records contain no usable information.
1. Remove all data from the credit card and its magnetic stripe, except for a simple User ID and, perhaps, the expiry date.
2. The credit card company installs a fraudproof authentication system, as described in www.designsim.com.au/What_is_SteelPlatez.ppsx, in its data centre.
3. The customer and retailer have accounts on the authentication system.
4. When the customer needs to make a purchase, he logs in to the authentication system belonging to the appropriate credit card company, giving his user ID and the amount of the purchase.
5. The retailer also logs in to the system, giving his merchant number, or User ID, and the customer's User ID (taken from the POS in use)
6. The credit card company knows the user's card number, so if he's been authenticated, it checks for a match with the retailer's submission.
7. If there's a match, it performs the usual checks for limits, expiry etc, issues an approval, pays the retailer etc.
Simple
White Papers
Video
0 Comments
Current Issue
Flash Poll
The State of IT and Cybersecurity
IT and security are often viewed as different disciplines - and different departments. Find out what our survey data revealed, read the report today!
Twitter Feed
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database CVE-2018-12630
PUBLISHED: 2018-06-21
PUBLISHED: 2018-06-21
PUBLISHED: 2018-06-21
PUBLISHED: 2018-06-21
PUBLISHED: 2018-06-21
From DHS/US-CERT's National Vulnerability Database CVE-2018-12630
PUBLISHED: 2018-06-21
NEWMARK (aka New Mark) NMCMS 2.1 allows SQL Injection via the sect_id parameter to the /catalog URI.
CVE-2018-12631PUBLISHED: 2018-06-21
Redatam7 (formerly Redatam WebServer) allows remote attackers to read arbitrary files via /redbin/rpwebutilities.exe/text?LFN=../ directory traversal.
CVE-2018-12632PUBLISHED: 2018-06-21
Redatam7 (formerly Redatam WebServer) allows remote attackers to discover the installation path via an invalid LFN parameter to the /redbin/rpwebutilities.exe/text URI.
CVE-2018-12581PUBLISHED: 2018-06-21
An issue was discovered in js/designer/move.js in phpMyAdmin before 4.8.2. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted database name to trigger an XSS attack when that database is referenced from the Designer feature.
CVE-2018-12613PUBLISHED: 2018-06-21
An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attack...
- Terms of Service
- Privacy Statement
- Legal Entities
- Copyright © 2018 UBM, All rights reserved
Tweet This