

How RAM Scrapers Work: The Tool Behind the Latest Credit Card Hacks - 80ProofPudding
http://www.wired.com/2014/09/ram-scrapers-how-they-work/

======
jimrandomh
The fundamental problem is that credit cards are built around a model where
credit card numbers are theoretically supposed to be secret, but every random
retailer has to have them to process transactions. If credit cards were
electronic devices, like in Europe, rather than fancy pieces of paper with a
number written on them, then fraud would drop, and retailers would be freed of
a massive burden. But American banks aren't up to the task of creating that
sort of infrastructure, so instead they blame it on whichever poor retailer
happened to have its computers broken into.

~~~
bsder
This is coming. Chip-and-pin are slated to start rolling out in the US in
2015.

~~~
brewdad
Chip-and-Signature. Chip-and-Pin is not yet on the horizon for the US.

~~~
kapnobatairza
Not on the horizon for whom? I'm running a startup that already has
combination magstripe/Chip and PIN payment dongles for smartphones ready to
sell to the US market.

The problem is there aren't many chipped cards at all.

------
ChuckMcM
A long time ago I helped a company get their payment terminal up and running
after their first consultant had spent 9 months and $30,000 not getting
anything done. The code I got was astonishingly bad and I realized that these
folks had no way of evaluating good or bad code, and it depressed me that this
was more the 'normal' situation rather than the 'unusual' sort of situation. I
hope that in today's target rich environment folks are investing a bit more
care into these things but I worry that isn't the case.

------
Sami_Lehtinen
It seems that many people are really confused about this stuff. Because if
PA-DSS standards are followed, the PC doesn't ever get any actual credit card
data. Yes, it's possible to backdoor / modify / infect / re-firmware or
whatever the actual POS terminal, but it has nothing to do with the POS PC. POS
terminals are independent systems with their own RAM, keyboard, networking,
processors, firmware, operating system, and software. I just made a credit card
transaction; here's all the data the PC gets from the credit card terminal:
B2A8AAA4-6585-4D97-8AF7-C2DE0A617E3B for 40€ is successful. So? Feel free to
abuse that information, if you find a way to do so. So whenever writing stuff
like this, it would be very smart to mention if the attack is targeting the PC
or the actual POS terminal.

------
ackalker
From what I gather from the article, the systems which RAM scrapers attack
were running on general purpose computers, with very similar vulnerabilities.

Why isn't sensitive software like this built and audited with the same concern
for reliability and security as avionics, medical equipment, SCADA, etc.?
Certainly the cost in financial losses caused by these attacks makes this a
pertinent question.

~~~
valarauca1
>Why isn't [..] software like this built and audited [...] for reliability and
security as avionics, medical equipment, SCADA, etc.?

Imply that it is. It very very often isn't at all.

------
ultramancool
The term "RAM scraper" seems pretty stupid to me.

These are likely using hooking. They don't scan RAM all the time, instead they
patch or inject code into the POS software and then record the data when that
code is called.

Think of something like Microsoft Detours. "RAM scraper" seems a pretty
inaccurate description.

~~~
alexkus
> How RAM Scrapers Work

> Once on a targeted system, RAM scrapers work by examining the list of
> processes that are running on the system and inspecting the memory for data
> that matches the structure of credit card data, such as the account number,
> expiration date, and other information stored on a card’s magnetic stripe.

No hooking, sounds exactly like they're looking through the memory assigned to
each process looking for the right looking data.

~~~
ultramancool
Okay, so, how do they harvest live data? Scan constantly? That would have a
risk of missing something or of slowing down the system.

I suspect that is just an oversimplification, of course, unless they post the
malware in question I can't really say for sure.

~~~
tkmcc
That's exactly what they do. They'll call ReadProcessMemory() on every process
and then use a regex + Luhn algorithm to check for credit card data. I'm sure
some of the more advanced and targeted ones do use hooking, and some filter
the processes to scrape by name, but a lot of malware authors are surprisingly
amateur.

further reading: [http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf)
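
The "regex + Luhn" classifier tkmcc describes is the same check a forensic
analyst runs over a captured memory image to scope a breach (was card data
actually sitting in process memory in cleartext, and how much?). The example
below is an added illustration, not code from the article or from any malware
sample: it scans a constructed byte buffer (standing in for a memory dump) for
track-2 records and bare PANs, uses the Luhn check to discard the digit runs
that are merely timestamps or reference numbers, and reports PANs in the masked
first-six/last-four form so the triage output does not itself become cardholder
data. The regexes, the sample buffer and the function names are this example's
own assumptions.

```python
import re

# Track-2 style data as it appears on a magnetic stripe:
#   ;PAN=YYMM<service code><discretionary data>?
# followed by a bare-PAN pattern of 13-19 digits. The lookarounds stop the
# bare pattern from matching inside longer digit runs (hashes, timestamps).
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{2})(\d{2})\d{3}\d*\??")
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (the usual display form)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(data: bytes) -> list:
    """Find Luhn-valid card data in a byte buffer; return masked, sorted hits."""
    hits = []
    seen_offsets = set()
    # Track-2 records first: they carry the expiry date as well as the PAN.
    for m in TRACK2_RE.finditer(data):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append({
                "offset": m.start(1),
                "kind": "track2",
                "pan": mask_pan(pan),
                "expiry": m.group(3).decode() + "/" + m.group(2).decode(),  # MM/YY
            })
            seen_offsets.add(m.start(1))
    # Then bare PANs, skipping the ones already reported as part of a track.
    for m in PAN_RE.finditer(data):
        if m.start(1) in seen_offsets:
            continue
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append({"offset": m.start(1), "kind": "pan", "pan": mask_pan(pan)})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample standing in for a slice of POS process memory. Two digit
# runs are long enough to look like PANs but fail Luhn; two are real test
# numbers (Mastercard 5500000000000004 and Visa 4111111111111111) that pass.
SAMPLE_MEMORY = (
    b"POS v3.2 session 20140925120000 txn=ok\x00"          # timestamp: fails Luhn
    b"customer ref 1234567890123456\x00"                   # reference: fails Luhn
    b";5500000000000004=25121010000000000000?\x00"         # track-2 record
    b"PAN 4111111111111111 AMT 40.00\x00"                   # bare PAN
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_MEMORY):
        print(hit)
```

Running it reports exactly two hits (the track-2 record with expiry 12/25 and
the bare Visa PAN); the timestamp and the reference number are matched by the
regex but rejected by Luhn, which is why the Luhn step matters for keeping the
false-positive rate of such a scanner manageable.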

~~~
ultramancool
Wow, that's sort of surprising to me. Perhaps just due to having some RE
background, though maybe it's not stupid or amateur. It may actually be a
better strategy if you want to minimize time in the store (no separate trip to
steal the POS software first) and effort (no reverse engineering necessary).

------
lacker
_" Six months before the breach, the company had installed a $1.6 million
malware detection system that worked exactly as planned when the intruders
began stealing their loot. It even issued multiple alerts for Target’s
security staff. But the security staff simply ignored them."_

That sounds bad, but I wonder if this system was issuing huge numbers of
alerts all the time, leaving the security staff no real option but to ignore
the alerts. I'd be curious to see the false positive rate. It seems like for
an off-the-shelf security system that you buy, false positives must be a huge
problem, because it hasn't been tuned to your data.

------
panarky
This article [1] argues that RAM scrapers are only able to work because the
point-of-sale systems are running Windows XP.

Newer versions of Windows make this exploit far more difficult [2].

[1] [http://www.dailytech.com/Appalling+Negligence+DecadeOld+Windows+XPe+Holes+Led+to+Home+Depot+Hack/article36517.htm](http://www.dailytech.com/Appalling+Negligence+DecadeOld+Windows+XPe+Holes+Led+to+Home+Depot+Hack/article36517.htm)

[2] [http://en.wikipedia.org/wiki/Address_space_layout_randomization](http://en.wikipedia.org/wiki/Address_space_layout_randomization)

~~~
Sami_Lehtinen
Most POS terminals aren't using Windows, but an embedded custom operating
system, firmware & software.
[https://news.ycombinator.com/item?id=8409305](https://news.ycombinator.com/item?id=8409305)

------
jason_slack
So are these hardware devices that somehow people manage to sneak in and
install on a store's network? How would they monitor traffic and get the credit
card info?

Edit: The article does say: "Attackers installed these RAM scrapers
surreptitiously on the point-of-sale systems used to scan and process credit
and debit card transactions at Albertson’s and Supervalu. The tools make it
easy to steal card numbers by the millions as they pass through the system."

But it's still a bit confusing whether these are hardware devices or they
somehow install software to do this.

~~~
aeling
They're purely software. The article does briefly discuss attacks on ATMs and
similar devices that use concealed hardware to intercept user data, but the
RAM scrapers that are the main focus of the article are just pieces of
software.

------
bitJericho
I don't get it, you spend all this money on card readers, they've got all
kinds of anti-hacking software/hardware/sensors, but the scanner sends the
cards as plain text to the register?

------
coldcode
I love the quote about Target. SIX MONTHS BEFORE THE BREACH, THE COMPANY HAD
INSTALLED A $1.6 MILLION MALWARE DETECTION SYSTEM THAT WORKED AS DESIGNED AND
ISSUED MULTIPLE ALERTS THAT GOT PASSED TO TARGET’S SECURITY STAFF, WHO
SUMMARILY IGNORED THEM.

------
discardorama
Would the use of a chip (as is more common in Europe) cut down on this sort of
theft?

