Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

RAM Scraper Malware: Why PCI DSS Can't Fix Retail
Threaded  |  Newest First  |  Oldest First
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
7/23/2014 | 2:50:03 PM
Why PCI-DSS doesn't address Ram Scraper?
Good article, Brian. Wondering if the card industry has given a reason for not tightening their standards to protect against the RAM scraper expoit. Do you see any activity in the future?
Roger Sanders
Roger Sanders,
User Rank: Apprentice
7/23/2014 | 7:15:46 PM
Re: Why PCI-DSS doesn't address Ram Scraper?
Reading memory from other processes requires a program running with full administrator rights. If the bad guys have already obtained that level of access to the POS system, it's game over anyway. By definition, the attackers have gained the ability to perform any operation on that machine. The entire system, and any data passed to it, is compromised, no matter what you do.

That said, I think you're right, the key here is separation, but i think the emphasis needs to be on separation of the POS system from the outside world. Why are POS terminals openly networked, with active internet connections? It's cheaper, easier to develop software for, and easier to administer. It's also incredibly vulnerable to attack. POS systems shouldn't have any means to communicate with each other or the outside world. They should have a single secured and encrypted point of communication with a central server of some kind where required, and other than that, they should be completely isolated.

At the end of the day, if an attacker can engineer a situation where he can gain unsupervised physical access to a POS terminal, he will be able to compromise it. That should be where it stops though. It shouldn't be possible for an infection to spread from one POS system to another, or for data from a compromised POS system to be leaked back over the internet. If attacks were limited to individual terminals, and recovering data required physical access, or additional hardware to be dropped in like a phone, it would greatly increase the difficulty and reduce the payoff for the bad guys, and they'll go back to targetting ATMs or the like where they also need physical access, but the payoff is bigger.

In terms of physical security too, why are POS systems often sitting on an open shelf right next to customers and employees, with exposed USB ports and no real physical isolation? Again, because it's cheaper and easier, but it's very insecure. POS systems should be viewed as filled to the top with cold hard cash, and secured accordingly.

POS systems could learn a lot from ATM security. Any software platform will have vulnerabilities just waiting to be discovered, and where there's a lot of money involved, the bad guys will find them. Network isolation and restricted physical access are key. When was the last time you heard about a network of thousands of ATMs being hacked? That's because they're heavily network isolated. The PCs themselves can be attacked if you can gain physical access, which is why they're supposed to be kept under lock and key in a safe. If the bad guys don't have to get a blowtorch out to compromise your POS system, you're doing it wrong.
User Rank: Author
7/25/2014 | 9:40:08 AM
Re: Why PCI-DSS doesn't address Ram Scraper?
In some operating systems, full administrator rights are not required to read memory from other processes. (Windows XP comes to mind.)  On the opposite end of the spectrum, there are ways to build a system to limit users (and administrators) to a subset of the system (or all of the system, depending on the purpose of the system). This may be accomplished through secure partitioning. Separation kernels are well suited for this.

POS terminals do present challenges with respect to physical security. Various levels of tamper detection and protection may be added to the system to reduce risk associated with physical attacks. Skimmers present an interesting challenge that may only be mitigated by implementing security controls outside of the POS terminals, such as video surveillance and monitoring of the physical environment.
User Rank: Author
7/25/2014 | 9:34:23 AM
Re: Why PCI-DSS doesn't address Ram Scraper?
The next version of the standard doesn't go into effect until 2017, so obviously nothing will change before then. The most common way to participate in the PCI standards development process is to become a PCI Security Standards Council (SSC) Participating Organization (PO). I am aware of at least one major Participating Organization that is attempting to address the problem of RAM scrapers. (My employer is presently not a Participating Organization).
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
7/25/2014 | 9:50:07 AM
Re: Why PCI-DSS doesn't address Ram Scraper?
That's a great call to action, @brianriley. Here are two links about how to join the group of participating organizations and also about the companies that already belong.
User Rank: Ninja
7/24/2014 | 8:12:10 AM
correcting POS processing
Fixing the Point of Sale Terminal (POST)

THINK: when you use your card: you are NOT authorizing ONE transaction: you are giving the merchant INDEFINITE UNRESTRICTED access to your account.

if the merchant is hacked the card numbers are then sold on the black market. hackers then prepare bogus cards -- with real customer numbers -- and then send "mules" out to purchase high value items -- that can be resold

it's a rough way to scam cash and the "mules" are most likely to get caught -- not the hackers who compromised the merchants' systems .

The POST will need to be re-designed to accept customer "Smart Cards"

The Customer Smart Card will need an on-board processor, -- with PGP

When the customer presents the card it DOES NOT send the customer's card number to the POST.  Instead, the POST will submit an INVOICE to the customer's card.  On customer approval the customer's card will encrypt the invoice together with authorization for payment to the PCI ( Payment Card Industry Card Service Center ) for processing and forward the cipher text to the POST

Neither the POST nor the merchant's computer can read the authorizing message because it is PGP encrypted for the PCI service.  Therefore the merchant's POST must forward the authorizing message cipher text to the PCI service center.

On approval the PCI Service Center will return an approval note to the POST and an EFT from the customer's account to the merchant's account.

The POST will then print the PAID invoice.  The customer picks up the merchandise and the transaction is complete.

The merchant never knows who the customer was: the merchant never has ANY of the customer's PII data.

Cards are NOT updated.  They are DISPOSABLE and are replaced at least once a year -- when the PGP signatures are set to expire.  Note that PGP signatures can also be REVOKED if the card is lost.

Transactions are Serialized using a Transaction Number ( like a check number ) plus date and time of origination.    This to prevent re-use of transactions.   A transaction authorizes one payment only not a cash flow.

EMV is no solution: and EMV card passes the cardholders account number, name, expiration date, et al
to the POST in plain text -- making the same error that the mag stripe reader makes and which
has been heavilly exploited by criminals.

User Rank: Ninja
7/24/2014 | 3:57:35 PM
Re: correcting POS processing
Really well thought out system, but it sounds expensive to the card issuer and somewhat cumbersomne to the consumer, especially if cards are replaced annually.

Perhaps some of the ideas could be brought into chip and pin and make it work?

For now I just use cash.
User Rank: Author
7/25/2014 | 9:42:47 AM
Re: correcting POS processing
Credit card data should be protected/encrypted at the earliest point in the transaction, the point of interaction. Moving the encryption to the card itself is yet another way to provide separation, moving some of the processing of the transaction to the card itself. It seems like such an approach would require a greater overall investment to update the infrastructure, since it requires changing more than just the POS terminals.

I agree that EMV is no solution to the RAM scraper problem. They were designed to solve a different problem, card cloning. In that regard, I do think they add value.

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file