When Target (TGT) announced a breach of customer data in December, tens of millions of people who shop there had to worry that hackers had stolen their financial information. When the company’s chief executive officer admitted on Monday that the problem was malware in its credit-card reading system, businesses had even more cause to worry.
From the smallest corner store to the biggest big-box retailer, pretty much anyone selling anything has to have what’s called a “point-of-sale” system for reading and processing customers’ credit and debit cards in our increasingly cashless economy.
As a merchant, you’d better make sure shoppers trust that they’re not exposing themselves to identity theft and credit-card fraud every time they swipe. Even Target, a huge company with big bucks to spend on security, hasn’t managed to assure such certainty.
Here’s where “RAM Scraping” comes in, and it’s not, as it might sound, something disgusting that happens at the dentist. Broadly speaking, there are two ways to compromise point-of-sale systems. In some cases, thieves attach a physical device to the system to collect card data, which is called “skimming,” according to the U.S. Computer Emergency Readiness Team (U.S.-CERT), a cyber watchdog that’s part of the Department of Homeland Security.
The second method is for hackers to infect the system with a malicious program that watches for anything that looks like credit-card data as it passes through, then sends what it finds back to the hackers. Common types of such malicious code, with names such as Dexter and Stardust, according to U.S.-CERT, do their work by “RAM scraping”: scanning a computer’s system memory (RAM, for random access memory) for data in the right format, such as the card number and expiration date read off a magnetic stripe.
What about encryption? Well, as the tech news site Re/code puts it, think of the data as a package being delivered with a lock on it. To see what it contains, you have to unlock it, even if only for a fraction of a second. The point-of-sale software has to do exactly that to process the transaction, and while the data sits decrypted in memory, however briefly, that’s when the malware hits.
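To make the last two paragraphs concrete, here is a small Python script, added for this page and not code from the article, from US-CERT, or from any real malware family, that shows the logic a RAM scraper runs over a process’s memory. It assumes a constructed memory image containing a plaintext Track 2 record (the format a magnetic-stripe reader produces), a bare card number, an order number that is not a card number, and a second Track 2 record protected by a toy XOR “cipher” standing in for real encryption. The card numbers are the publicly known test numbers 4111 1111 1111 1111, 5555 5555 5555 4444 and 3782 822463 10005; the scanner reports them masked.

```python
"""Illustrative RAM-scraper logic: what a memory scanner looks for.

Added example for this page. The memory image, the test card numbers and the
toy XOR "cipher" are all constructed; nothing here is taken from real malware.
"""
import re

# Track 2 as read from a magstripe: ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(rb";([0-9]{13,19})=([0-9]{4})([0-9]*)\?")
# A bare digit run of card-number length, not embedded in a longer number
PAN_RE = re.compile(rb"(?<![0-9])([0-9]{13,19})(?![0-9])")

XOR_KEY = 0x5A  # key for the toy cipher below (assumption, not a real scheme)


def luhn_ok(digits: bytes) -> bool:
    """Luhn check-digit test: separates real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30  # ASCII digit to integer
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """Keep first six and last four digits, as a receipt would."""
    return pan[:6].decode() + "*" * (len(pan) - 10) + pan[-4:].decode()


def scan_memory(buf: bytes) -> list:
    """Return masked card-data candidates found in a memory buffer."""
    hits = []
    covered = set()  # byte ranges already attributed to a track record
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"kind": "track2", "offset": m.start(),
                         "pan": mask(pan), "expiry": m.group(2).decode()})
            covered.update(range(m.start(), m.end()))
    for m in PAN_RE.finditer(buf):
        if m.start() in covered:  # skip digits inside a track we already reported
            continue
        if luhn_ok(m.group(1)):
            hits.append({"kind": "pan", "offset": m.start(), "pan": mask(m.group(1))})
    return hits


def toy_xor(data: bytes, key: int) -> bytes:
    """Stand-in for encryption (NOT secure). With key 0x5A every digit, ';',
    '=' and '?' maps to a letter, so the ciphertext has no digit runs at all."""
    return bytes(b ^ key for b in data)


PLAINTEXT_TRACK = b";4111111111111111=25121011234567890?"
ENCRYPTED_TRACK = toy_xor(b";5555555555554444=27011011234567890?", XOR_KEY)


def build_memory(decrypted: bool) -> bytes:
    """Constructed snapshot of a point-of-sale process's memory. With
    decrypted=True the second track has been unlocked in place for processing."""
    second = toy_xor(ENCRYPTED_TRACK, XOR_KEY) if decrypted else ENCRYPTED_TRACK
    return (
        b"\x00\x00POS-APP v2.1\x00"                     # process strings
        + PLAINTEXT_TRACK                                 # card just swiped, in the clear
        + b"\x00ORDER 0001234567890123 TOTAL 19.99\x00"   # 16 digits, but fails Luhn
        + b"CUST 378282246310005\x00"                     # bare card number, no framing
        + second                                          # encrypted track, or its plaintext
        + b"\x00\x00"
    )


if __name__ == "__main__":
    for label, decrypted in (("before decryption", False), ("after decryption", True)):
        print(label)
        for hit in scan_memory(build_memory(decrypted)):
            print("  ", hit)
```

Run before the second track is decrypted, the scanner finds only the plaintext track and the bare card number; the order number is rejected because it fails the Luhn check, and the ciphertext contains no digit runs. Run after the application decrypts the track in place, the second card appears too. That brief plaintext window is the whole point of the Re/code analogy, and it is also why defenders hunt for unexpected processes reading other processes’ memory on point-of-sale hosts.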
The Target hack highlights just how hard it is to safeguard consumer data. Target hasn’t disclosed—if it even knows—how the malware got into the system. It could have been just one employee clicking on an innocent-looking but malware-laden e-mail, which then let the malicious software onto Target’s corporate network. Or maybe there were unpatched software vulnerabilities in Target’s systems.
In its Security Threat Report 2014 (PDF) released in December, the software company Sophos highlighted point-of-sale systems as a growing problem. Many such systems run on Windows; starting in April 2014, no new patches will be available for Windows XP or Office 2003, the report says.
“Despite industry standards that require rapid application of security patches, some of these systems are updated inconsistently, especially in smaller retail environments without sophisticated IT organizations,” the Sophos report says.
Sounds prescient now, though it’s obviously not just mom-and-pop shops that are going to have problems.