The fundamental problem is that credit cards are built around a model where credit card numbers are theoretically supposed to be secret, but every random retailer has to have them to process transactions. If credit cards were electronic devices, like in Europe, rather than fancy pieces of paper with a number written on them, then fraud would drop, and retailers would be freed of a massive burden. But American banks aren't up to the task of creating that sort of infrastructure, so instead they blame it on whichever poor retailer happened to have its computers broken into.
Not on the horizon for whom? I'm running a startup that already has combination magstripe/Chip and PIN payment dongles for smartphones ready to sell to the US market.
The problem is there aren't many chipped cards at all.
A long time ago I helped a company get their payment terminal up and running after their first consultant had spent 9 months and $30,000 not getting anything done. The code I got was astonishingly bad and I realized that these folks had no way of evaluating good or bad code, and it depressed me that this was more the 'normal' situation rather than the 'unusual' sort of situation. I hope that in today's target-rich environment folks are investing a bit more care into these things, but I worry that isn't the case.
From what I gather from the article, the systems which RAM scrapers attack were running on general purpose computers, with very similar vulnerabilities.
Why isn't sensitive software like this built and audited with the same concern for reliability and security as avionics, medical equipment, SCADA, etc.? Certainly the cost in financial losses caused by these attacks makes this a pertinent question.
Well, but these are: https://news.ycombinator.com/item?id=8409305 Yet, of course it doesn't mean that modifications would be impossible. Smart guys can breach it; it's nothing different from mod-chipping a PlayStation or other custom embedded hardware. There are multiple protection layers, but those are just slowing the process down. Smart guys with skills, labs, test hardware and a proper budget can always work around those.
"Why?" Because money; of course. Did you think "lean" companies shipping "MVPs" were the only guys around shoveling shit out the door as long as it sells? Also, the medical and SCADA fields are notoriously bad at security (but have been catching up, SCADA more than medical).
It seems that many people are really confused about this stuff. Because if PA-DSS standards are followed, the PC doesn't ever get any actual credit card data. Yes, it's possible to backdoor / modify / infect / re-firmware or whatever the actual POS terminal, but it has nothing to do with the POS PC. POS terminals are independent systems with their own RAM, keyboard, networking, processors, firmware, operating system, and software. I just made a credit card transaction; here's all the data the PC gets from the credit card terminal: B2A8AAA4-6585-4D97-8AF7-C2DE0A617E3B for 40€ is successful. So? Feel free to abuse that information, if you find a way to do so.
So whenever writing stuff like this, it would be very smart to mention whether the attack is targeting the PC or the actual POS terminal.
These are likely using hooking. They don't scan RAM all the time, instead they patch or inject code into the POS software and then record the data when that code is called.
Think of something like Microsoft Detours. "RAM scrapers" seems a pretty inaccurate description.
> Once on a targeted system, RAM scrapers work by examining the list of processes that are running on the system and inspecting the memory for data that matches the structure of credit card data, such as the account number, expiration date, and other information stored on a card’s magnetic stripe.
No hooking, sounds exactly like they're looking through the memory assigned to each process looking for the right looking data.
That's exactly what they do. They'll call ReadProcessMemory() on every process and then use a regex + Luhn algorithm to check for credit card data. I'm sure some of the more advanced and targeted ones do use hooking, and some filter the processes to scrape by name, but a lot of malware authors are surprisingly amateur.
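The regex-plus-Luhn scan described in the comment above, written out as an added example; this is not code from the thread or from any real scraper. The same logic lets a defender check a memory dump of a POS process for cleartext track data, which under the PA-DSS split described earlier in the thread (the PC only ever sees a transaction reference) should turn up nothing. SAMPLE_MEMORY is a constructed byte buffer standing in for bytes read out of a process; the scraper's ReadProcessMemory() step is not reproduced.

```python
"""Heuristic used by POS RAM scrapers (and by defenders auditing a memory
dump): find card numbers by shape, then confirm with the Luhn check digit.

Added example, not from the original thread. SAMPLE_MEMORY is a constructed
stand-in for bytes read out of a process; a real scraper would obtain such
bytes with ReadProcessMemory() on Windows, which is not done here.
"""
import re

# Constructed stand-in for a POS process's memory. Contains two cleartext
# track records (Luhn-valid test PANs) plus look-alike digit runs that a
# shape-only regex would flag but the Luhn check rejects.
SAMPLE_MEMORY = (
    b"\x00\x00pos.exe heap\x00"
    b"order=B2A8AAA4-6585-4D97-8AF7-C2DE0A617E3B amount=40.00\x00"
    b";4111111111111111=25121010000012345678?\x00"    # track 2: PAN=YYMM...
    b"%B5500000000000004^DOE/JANE^2606101?\x00"       # track 1: PAN^NAME^YYMM...
    b"serial=4111111111111112\x00"                    # 16 digits, fails Luhn
    b"ts=1412345678901234\x00"                        # 16 digits, fails Luhn
    + b"\x00" * 32
)

# Track 2: start sentinel ';', 13-19 digit PAN, '=' separator, YYMM expiry.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})")
# Track 1: '%B', PAN, '^', cardholder name, '^', YYMM expiry.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{2})(\d{2})")
# Bare PAN: 13-19 digits that are not part of a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(pan: bytes) -> bool:
    """Luhn mod-10 check over ASCII digits; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 0x30
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """PCI-style display masking: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(buf: bytes) -> list:
    """Return card data found in buf as dicts (offset, source, pan, exp), in buffer order."""
    hits = {}
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            hits[m.start(1)] = {"source": "track2", "pan": pan.decode(),
                                "exp": f"{m.group(3).decode()}/{m.group(2).decode()}"}
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            hits[m.start(1)] = {"source": "track1", "pan": pan.decode(),
                                "exp": f"{m.group(4).decode()}/{m.group(3).decode()}"}
    # Bare PANs: report only those not already explained by a track record
    # (the PAN inside a track record starts at the same offset, so it dedupes).
    for m in PAN_RE.finditer(buf):
        if m.start() not in hits and luhn_ok(m.group()):
            hits[m.start()] = {"source": "pan", "pan": m.group().decode(), "exp": None}
    return [dict(offset=off, **h) for off, h in sorted(hits.items())]


if __name__ == "__main__":
    for h in scan(SAMPLE_MEMORY):
        print(f"{h['offset']:#06x} {h['source']:6} {mask(h['pan'])} exp={h['exp']}")
```

Run against a real dump, the bare-PAN pass is where false positives live (timestamps, serials, and other 13-19 digit runs that happen to pass Luhn about one time in ten), which is why scrapers prefer the track sentinels when they can get them and why a defender's scan should report the matched format alongside the offset.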
Wow, that's sort of surprising to me. Perhaps just due to having some RE background, though maybe it's not stupid or amateur. It may actually be a better strategy if you want to minimize time in the store (no separate trip to steal the POS software first) and effort (no reverse engineering necessary).
"Six months before the breach, the company had installed a $1.6 million malware detection system that worked exactly as planned when the intruders began stealing their loot. It even issued multiple alerts for Target’s security staff. But the security staff simply ignored them."
That sounds bad, but I wonder if this system was issuing huge numbers of alerts all the time, leaving the security staff no real option but to ignore the alerts. I'd be curious to see the false positive rate. It seems like for an off-the-shelf security system that you buy, false positives must be a huge problem, because it hasn't been tuned to your data.
I don't get it, you spend all this money on card readers, they've got all kinds of anti-hacking software/hardware/sensors, but the scanner sends the cards as plain text to the register?
I wouldn't call a RAM scraper an exploit. ASLR isn't an effective protection against a program that reads from memory. Driver signing in newer versions of Windows is a more appropriate protection but will still fall short of stopping a motivated attacker.
So is this hardware that somehow people manage to sneak in and install on a store's network? How would they monitor traffic and get the credit card info?
Edit: The article does say: "Attackers installed these RAM scrapers surreptitiously on the point-of-sale systems used to scan and process credit and debit card transactions at Albertson's and Supervalu. The tools make it easy to steal card numbers by the millions as they pass through the system."
But it's still a bit confusing whether these are hardware devices or whether they somehow install software to do this.
They're purely software. The article does briefly discuss attacks on ATMs and similar devices that use concealed hardware to intercept user data, but the RAM scrapers that are the main focus of the article are just pieces of software.
"RAM scrapers, by contrast, can be installed remotely on a Big Box retailer’s network and deployed widely to dozens of stores in a franchise, without an attacker ever leaving his computer. They can also be deleted remotely to erase crucial evidence of the crime."
The ability to remotely install and delete RAM scrapers from anywhere in the world precludes this being a hardware device.
I love the quote about Target. SIX MONTHS BEFORE THE BREACH, THE COMPANY HAD INSTALLED A $1.6 MILLION MALWARE DETECTION SYSTEM THAT WORKED AS DESIGNED AND ISSUED MULTIPLE ALERTS THAT GOT PASSED TO TARGET’S SECURITY STAFF, WHO SUMMARILY IGNORED THEM.