Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
RAM Scraper Malware: Why PCI DSS Can't Fix Retail
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/25/2014 | 9:50:07 AM
Re: Why PCI-DSS doesn't address Ram Scraper?
That's a great call to action, @brianriley. Here are two links about how to join the group of participating organizations and also about the companies that already belong.
brianriley
50%
50%
brianriley,
User Rank: Author
7/25/2014 | 9:42:47 AM
Re: correcting POS processing
Credit card data should be protected/encrypted at the earliest point in the transaction, the point of interaction. Moving the encryption to the card itself is yet another way to provide separation, moving some of the processing of the transaction to the card itself. It seems like such an approach would require a greater overall investment to update the infrastructure, since it requires changing more than just the POS terminals.

I agree that EMV is no solution to the RAM scraper problem. They were designed to solve a different problem, card cloning. In that regard, I do think they add value.
brianriley
50%
50%
brianriley,
User Rank: Author
7/25/2014 | 9:40:08 AM
Re: Why PCI-DSS doesn't address Ram Scraper?
In some operating systems, full administrator rights are not required to read memory from other processes. (Windows XP comes to mind.)  On the opposite end of the spectrum, there are ways to build a system to limit users (and administrators) to a subset of the system (or all of the system, depending on the purpose of the system). This may be accomplished through secure partitioning. Separation kernels are well suited for this.

POS terminals do present challenges with respect to physical security. Various levels of tamper detection and protection may be added to the system to reduce risk associated with physical attacks. Skimmers present an interesting challenge that may only be mitigated by implementing security controls outside of the POS terminals, such as video surveillance and monitoring of the physical environment.
brianriley
50%
50%
brianriley,
User Rank: Author
7/25/2014 | 9:34:23 AM
Re: Why PCI-DSS doesn't address Ram Scraper?
The next version of the standard doesn't go into effect until 2017, so obviously nothing will change before then. The most common way to participate in the PCI standards development process is to become a PCI Security Standards Council (SSC) Participating Organization (PO). I am aware of at least one major Participating Organization that is attempting to address the problem of RAM scrapers. (My employer is presently not a Participating Organization).
SgS125
50%
50%
SgS125,
User Rank: Ninja
7/24/2014 | 3:57:35 PM
Re: correcting POS processing
Really well thought out system, but it sounds expensive to the card issuer and somewhat cumbersomne to the consumer, especially if cards are replaced annually.

Perhaps some of the ideas could be brought into chip and pin and make it work?

For now I just use cash.
macker490
50%
50%
macker490,
User Rank: Ninja
7/24/2014 | 8:12:10 AM
correcting POS processing
Fixing the Point of Sale Terminal (POST)

THINK: when you use your card: you are NOT authorizing ONE transaction: you are giving the merchant INDEFINITE UNRESTRICTED access to your account.

if the merchant is hacked the card numbers are then sold on the black market. hackers then prepare bogus cards -- with real customer numbers -- and then send "mules" out to purchase high value items -- that can be resold

it's a rough way to scam cash and the "mules" are most likely to get caught -- not the hackers who compromised the merchants' systems .


The POST will need to be re-designed to accept customer "Smart Cards"

The Customer Smart Card will need an on-board processor, -- with PGP

When the customer presents the card it DOES NOT send the customer's card number to the POST.  Instead, the POST will submit an INVOICE to the customer's card.  On customer approval the customer's card will encrypt the invoice together with authorization for payment to the PCI ( Payment Card Industry Card Service Center ) for processing and forward the cipher text to the POST

Neither the POST nor the merchant's computer can read the authorizing message because it is PGP encrypted for the PCI service.  Therefore the merchant's POST must forward the authorizing message cipher text to the PCI service center.

On approval the PCI Service Center will return an approval note to the POST and an EFT from the customer's account to the merchant's account.

The POST will then print the PAID invoice.  The customer picks up the merchandise and the transaction is complete.

The merchant never knows who the customer was: the merchant never has ANY of the customer's PII data.

Cards are NOT updated.  They are DISPOSABLE and are replaced at least once a year -- when the PGP signatures are set to expire.  Note that PGP signatures can also be REVOKED if the card is lost.

Transactions are Serialized using a Transaction Number ( like a check number ) plus date and time of origination.    This to prevent re-use of transactions.   A transaction authorizes one payment only not a cash flow.

EMV is no solution: and EMV card passes the cardholders account number, name, expiration date, et al
to the POST in plain text -- making the same error that the mag stripe reader makes and which
has been heavilly exploited by criminals.

~~~
Roger Sanders
100%
0%
Roger Sanders,
User Rank: Apprentice
7/23/2014 | 7:15:46 PM
Re: Why PCI-DSS doesn't address Ram Scraper?
Reading memory from other processes requires a program running with full administrator rights. If the bad guys have already obtained that level of access to the POS system, it's game over anyway. By definition, the attackers have gained the ability to perform any operation on that machine. The entire system, and any data passed to it, is compromised, no matter what you do.

That said, I think you're right, the key here is separation, but i think the emphasis needs to be on separation of the POS system from the outside world. Why are POS terminals openly networked, with active internet connections? It's cheaper, easier to develop software for, and easier to administer. It's also incredibly vulnerable to attack. POS systems shouldn't have any means to communicate with each other or the outside world. They should have a single secured and encrypted point of communication with a central server of some kind where required, and other than that, they should be completely isolated.

At the end of the day, if an attacker can engineer a situation where he can gain unsupervised physical access to a POS terminal, he will be able to compromise it. That should be where it stops though. It shouldn't be possible for an infection to spread from one POS system to another, or for data from a compromised POS system to be leaked back over the internet. If attacks were limited to individual terminals, and recovering data required physical access, or additional hardware to be dropped in like a phone, it would greatly increase the difficulty and reduce the payoff for the bad guys, and they'll go back to targetting ATMs or the like where they also need physical access, but the payoff is bigger.

In terms of physical security too, why are POS systems often sitting on an open shelf right next to customers and employees, with exposed USB ports and no real physical isolation? Again, because it's cheaper and easier, but it's very insecure. POS systems should be viewed as filled to the top with cold hard cash, and secured accordingly.

POS systems could learn a lot from ATM security. Any software platform will have vulnerabilities just waiting to be discovered, and where there's a lot of money involved, the bad guys will find them. Network isolation and restricted physical access are key. When was the last time you heard about a network of thousands of ATMs being hacked? That's because they're heavily network isolated. The PCs themselves can be attacked if you can gain physical access, which is why they're supposed to be kept under lock and key in a safe. If the bad guys don't have to get a blowtorch out to compromise your POS system, you're doing it wrong.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/23/2014 | 2:50:03 PM
Why PCI-DSS doesn't address Ram Scraper?
Good article, Brian. Wondering if the card industry has given a reason for not tightening their standards to protect against the RAM scraper expoit. Do you see any activity in the future?


Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...