Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
RAM Scraper Malware: Why PCI DSS Can't Fix Retail
Oldest First  |  Newest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/23/2014 | 2:50:03 PM
Why PCI-DSS doesn't address Ram Scraper?
Good article, Brian. Wondering if the card industry has given a reason for not tightening their standards to protect against the RAM scraper expoit. Do you see any activity in the future?
Roger Sanders
100%
0%
Roger Sanders,
User Rank: Apprentice
7/23/2014 | 7:15:46 PM
Re: Why PCI-DSS doesn't address Ram Scraper?
Reading memory from other processes requires a program running with full administrator rights. If the bad guys have already obtained that level of access to the POS system, it's game over anyway. By definition, the attackers have gained the ability to perform any operation on that machine. The entire system, and any data passed to it, is compromised, no matter what you do.

That said, I think you're right, the key here is separation, but i think the emphasis needs to be on separation of the POS system from the outside world. Why are POS terminals openly networked, with active internet connections? It's cheaper, easier to develop software for, and easier to administer. It's also incredibly vulnerable to attack. POS systems shouldn't have any means to communicate with each other or the outside world. They should have a single secured and encrypted point of communication with a central server of some kind where required, and other than that, they should be completely isolated.

At the end of the day, if an attacker can engineer a situation where he can gain unsupervised physical access to a POS terminal, he will be able to compromise it. That should be where it stops though. It shouldn't be possible for an infection to spread from one POS system to another, or for data from a compromised POS system to be leaked back over the internet. If attacks were limited to individual terminals, and recovering data required physical access, or additional hardware to be dropped in like a phone, it would greatly increase the difficulty and reduce the payoff for the bad guys, and they'll go back to targetting ATMs or the like where they also need physical access, but the payoff is bigger.

In terms of physical security too, why are POS systems often sitting on an open shelf right next to customers and employees, with exposed USB ports and no real physical isolation? Again, because it's cheaper and easier, but it's very insecure. POS systems should be viewed as filled to the top with cold hard cash, and secured accordingly.

POS systems could learn a lot from ATM security. Any software platform will have vulnerabilities just waiting to be discovered, and where there's a lot of money involved, the bad guys will find them. Network isolation and restricted physical access are key. When was the last time you heard about a network of thousands of ATMs being hacked? That's because they're heavily network isolated. The PCs themselves can be attacked if you can gain physical access, which is why they're supposed to be kept under lock and key in a safe. If the bad guys don't have to get a blowtorch out to compromise your POS system, you're doing it wrong.
macker490
50%
50%
macker490,
User Rank: Ninja
7/24/2014 | 8:12:10 AM
correcting POS processing
Fixing the Point of Sale Terminal (POST)

THINK: when you use your card: you are NOT authorizing ONE transaction: you are giving the merchant INDEFINITE UNRESTRICTED access to your account.

if the merchant is hacked the card numbers are then sold on the black market. hackers then prepare bogus cards -- with real customer numbers -- and then send "mules" out to purchase high value items -- that can be resold

it's a rough way to scam cash and the "mules" are most likely to get caught -- not the hackers who compromised the merchants' systems .


The POST will need to be re-designed to accept customer "Smart Cards"

The Customer Smart Card will need an on-board processor, -- with PGP

When the customer presents the card it DOES NOT send the customer's card number to the POST.  Instead, the POST will submit an INVOICE to the customer's card.  On customer approval the customer's card will encrypt the invoice together with authorization for payment to the PCI ( Payment Card Industry Card Service Center ) for processing and forward the cipher text to the POST

Neither the POST nor the merchant's computer can read the authorizing message because it is PGP encrypted for the PCI service.  Therefore the merchant's POST must forward the authorizing message cipher text to the PCI service center.

On approval the PCI Service Center will return an approval note to the POST and an EFT from the customer's account to the merchant's account.

The POST will then print the PAID invoice.  The customer picks up the merchandise and the transaction is complete.

The merchant never knows who the customer was: the merchant never has ANY of the customer's PII data.

Cards are NOT updated.  They are DISPOSABLE and are replaced at least once a year -- when the PGP signatures are set to expire.  Note that PGP signatures can also be REVOKED if the card is lost.

Transactions are Serialized using a Transaction Number ( like a check number ) plus date and time of origination.    This to prevent re-use of transactions.   A transaction authorizes one payment only not a cash flow.

EMV is no solution: and EMV card passes the cardholders account number, name, expiration date, et al
to the POST in plain text -- making the same error that the mag stripe reader makes and which
has been heavilly exploited by criminals.

~~~
SgS125
50%
50%
SgS125,
User Rank: Ninja
7/24/2014 | 3:57:35 PM
Re: correcting POS processing
Really well thought out system, but it sounds expensive to the card issuer and somewhat cumbersomne to the consumer, especially if cards are replaced annually.

Perhaps some of the ideas could be brought into chip and pin and make it work?

For now I just use cash.
brianriley
50%
50%
brianriley,
User Rank: Author
7/25/2014 | 9:34:23 AM
Re: Why PCI-DSS doesn't address Ram Scraper?
The next version of the standard doesn't go into effect until 2017, so obviously nothing will change before then. The most common way to participate in the PCI standards development process is to become a PCI Security Standards Council (SSC) Participating Organization (PO). I am aware of at least one major Participating Organization that is attempting to address the problem of RAM scrapers. (My employer is presently not a Participating Organization).
brianriley
50%
50%
brianriley,
User Rank: Author
7/25/2014 | 9:40:08 AM
Re: Why PCI-DSS doesn't address Ram Scraper?
In some operating systems, full administrator rights are not required to read memory from other processes. (Windows XP comes to mind.)  On the opposite end of the spectrum, there are ways to build a system to limit users (and administrators) to a subset of the system (or all of the system, depending on the purpose of the system). This may be accomplished through secure partitioning. Separation kernels are well suited for this.

POS terminals do present challenges with respect to physical security. Various levels of tamper detection and protection may be added to the system to reduce risk associated with physical attacks. Skimmers present an interesting challenge that may only be mitigated by implementing security controls outside of the POS terminals, such as video surveillance and monitoring of the physical environment.
brianriley
50%
50%
brianriley,
User Rank: Author
7/25/2014 | 9:42:47 AM
Re: correcting POS processing
Credit card data should be protected/encrypted at the earliest point in the transaction, the point of interaction. Moving the encryption to the card itself is yet another way to provide separation, moving some of the processing of the transaction to the card itself. It seems like such an approach would require a greater overall investment to update the infrastructure, since it requires changing more than just the POS terminals.

I agree that EMV is no solution to the RAM scraper problem. They were designed to solve a different problem, card cloning. In that regard, I do think they add value.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/25/2014 | 9:50:07 AM
Re: Why PCI-DSS doesn't address Ram Scraper?
That's a great call to action, @brianriley. Here are two links about how to join the group of participating organizations and also about the companies that already belong.


Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7245
PUBLISHED: 2020-01-23
Incorrect username validation in the registration processes of CTFd through 2.2.2 allows a remote attacker to take over an arbitrary account after initiating a password reset. This is related to register() and reset_password() in auth.py. To exploit the vulnerability, one must register with a userna...
CVE-2019-14885
PUBLISHED: 2020-01-23
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...
CVE-2019-17570
PUBLISHED: 2020-01-23
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...
CVE-2020-6007
PUBLISHED: 2020-01-23
Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
CVE-2012-4606
PUBLISHED: 2020-01-23
Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.