Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
RAM Scraper Malware: Why PCI DSS Can't Fix Retail
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
7/25/2014 | 9:50:07 AM
Re: Why PCI-DSS doesn't address Ram Scraper?
That's a great call to action, @brianriley. Here are two links about how to join the group of participating organizations and also about the companies that already belong.
brianriley
50%
50%
brianriley,
 User Rank: Author
7/25/2014 | 9:42:47 AM
Re: correcting POS processing
Credit card data should be protected/encrypted at the earliest point in the transaction, the point of interaction. Moving the encryption to the card itself is yet another way to provide separation, moving some of the processing of the transaction to the card itself. It seems like such an approach would require a greater overall investment to update the infrastructure, since it requires changing more than just the POS terminals.

I agree that EMV is no solution to the RAM scraper problem. They were designed to solve a different problem, card cloning. In that regard, I do think they add value.
brianriley
50%
50%
brianriley,
 User Rank: Author
7/25/2014 | 9:40:08 AM
Re: Why PCI-DSS doesn't address Ram Scraper?
In some operating systems, full administrator rights are not required to read memory from other processes. (Windows XP comes to mind.)  On the opposite end of the spectrum, there are ways to build a system to limit users (and administrators) to a subset of the system (or all of the system, depending on the purpose of the system). This may be accomplished through secure partitioning. Separation kernels are well suited for this.

POS terminals do present challenges with respect to physical security. Various levels of tamper detection and protection may be added to the system to reduce risk associated with physical attacks. Skimmers present an interesting challenge that may only be mitigated by implementing security controls outside of the POS terminals, such as video surveillance and monitoring of the physical environment.
brianriley
50%
50%
brianriley,
 User Rank: Author
7/25/2014 | 9:34:23 AM
Re: Why PCI-DSS doesn't address Ram Scraper?
The next version of the standard doesn't go into effect until 2017, so obviously nothing will change before then. The most common way to participate in the PCI standards development process is to become a PCI Security Standards Council (SSC) Participating Organization (PO). I am aware of at least one major Participating Organization that is attempting to address the problem of RAM scrapers. (My employer is presently not a Participating Organization).
SgS125
50%
50%
SgS125,
 User Rank: Ninja
7/24/2014 | 3:57:35 PM
Re: correcting POS processing
Really well thought out system, but it sounds expensive to the card issuer and somewhat cumbersomne to the consumer, especially if cards are replaced annually.

Perhaps some of the ideas could be brought into chip and pin and make it work?

For now I just use cash.
macker490
50%
50%
macker490,
 User Rank: Ninja
7/24/2014 | 8:12:10 AM
correcting POS processing
Fixing the Point of Sale Terminal (POST)

THINK: when you use your card: you are NOT authorizing ONE transaction: you are giving the merchant INDEFINITE UNRESTRICTED access to your account.

if the merchant is hacked the card numbers are then sold on the black market. hackers then prepare bogus cards -- with real customer numbers -- and then send "mules" out to purchase high value items -- that can be resold

it's a rough way to scam cash and the "mules" are most likely to get caught -- not the hackers who compromised the merchants' systems .


The POST will need to be re-designed to accept customer "Smart Cards"

The Customer Smart Card will need an on-board processor, -- with PGP

When the customer presents the card it DOES NOT send the customer's card number to the POST.  Instead, the POST will submit an INVOICE to the customer's card.  On customer approval the customer's card will encrypt the invoice together with authorization for payment to the PCI ( Payment Card Industry Card Service Center ) for processing and forward the cipher text to the POST

Neither the POST nor the merchant's computer can read the authorizing message because it is PGP encrypted for the PCI service.  Therefore the merchant's POST must forward the authorizing message cipher text to the PCI service center.

On approval the PCI Service Center will return an approval note to the POST and an EFT from the customer's account to the merchant's account.

The POST will then print the PAID invoice.  The customer picks up the merchandise and the transaction is complete.

The merchant never knows who the customer was: the merchant never has ANY of the customer's PII data.

Cards are NOT updated.  They are DISPOSABLE and are replaced at least once a year -- when the PGP signatures are set to expire.  Note that PGP signatures can also be REVOKED if the card is lost.

Transactions are Serialized using a Transaction Number ( like a check number ) plus date and time of origination.    This to prevent re-use of transactions.   A transaction authorizes one payment only not a cash flow.

EMV is no solution: and EMV card passes the cardholders account number, name, expiration date, et al
to the POST in plain text -- making the same error that the mag stripe reader makes and which
has been heavilly exploited by criminals.

~~~
Roger Sanders
100%
0%
Roger Sanders,
 User Rank: Apprentice
7/23/2014 | 7:15:46 PM
Re: Why PCI-DSS doesn't address Ram Scraper?
Reading memory from other processes requires a program running with full administrator rights. If the bad guys have already obtained that level of access to the POS system, it's game over anyway. By definition, the attackers have gained the ability to perform any operation on that machine. The entire system, and any data passed to it, is compromised, no matter what you do.

That said, I think you're right, the key here is separation, but i think the emphasis needs to be on separation of the POS system from the outside world. Why are POS terminals openly networked, with active internet connections? It's cheaper, easier to develop software for, and easier to administer. It's also incredibly vulnerable to attack. POS systems shouldn't have any means to communicate with each other or the outside world. They should have a single secured and encrypted point of communication with a central server of some kind where required, and other than that, they should be completely isolated.

At the end of the day, if an attacker can engineer a situation where he can gain unsupervised physical access to a POS terminal, he will be able to compromise it. That should be where it stops though. It shouldn't be possible for an infection to spread from one POS system to another, or for data from a compromised POS system to be leaked back over the internet. If attacks were limited to individual terminals, and recovering data required physical access, or additional hardware to be dropped in like a phone, it would greatly increase the difficulty and reduce the payoff for the bad guys, and they'll go back to targetting ATMs or the like where they also need physical access, but the payoff is bigger.

In terms of physical security too, why are POS systems often sitting on an open shelf right next to customers and employees, with exposed USB ports and no real physical isolation? Again, because it's cheaper and easier, but it's very insecure. POS systems should be viewed as filled to the top with cold hard cash, and secured accordingly.

POS systems could learn a lot from ATM security. Any software platform will have vulnerabilities just waiting to be discovered, and where there's a lot of money involved, the bad guys will find them. Network isolation and restricted physical access are key. When was the last time you heard about a network of thousands of ATMs being hacked? That's because they're heavily network isolated. The PCs themselves can be attacked if you can gain physical access, which is why they're supposed to be kept under lock and key in a safe. If the bad guys don't have to get a blowtorch out to compromise your POS system, you're doing it wrong.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
7/23/2014 | 2:50:03 PM
Why PCI-DSS doesn't address Ram Scraper?
Good article, Brian. Wondering if the card industry has given a reason for not tightening their standards to protect against the RAM scraper expoit. Do you see any activity in the future?


COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internet—and What Your Organization Can Do About It
The Threat from the Internet—and What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.