Forget keyloggers and packet sniffers. In the wake of industry rules requiring credit card data to be encrypted, malware that siphons clear-text information from computer memory is all the rage among scammers, security researchers say. So-called RAM scrapers scour the random access memory of POS, or point-of-sale, terminals, …
More reason to deploy "zero knowledge proofs", which is fancy math allowing one to prove he knows something, like say his PIN, without actually revealing it. And while at it, do it for identity proofs too, thanks.
Too much reliance on commodity hard and software
It worries me that the description of the symptoms indicate that the ATM's are running stock software stacks, including the OS. If there ever were an application where I would like bespoke software, I believe that it would be in payment and card handling systems. Security by obscurity is not to be relied on as a sole measure, but it can be a part of the solution.
Also, I would have thought to be connected to the merchant systems that process payments, there must be an accreditation system for the hardware, and I would have thought that this must include tamper-proofing of the ATM hardware. If the ATM could detect that additional software had been installed, and flag it to the merchant system, or even refuse to process cards, then this could not happen.
Of course, it would appear that at some point, this was being done with some form of insider privilege, which makes it more difficult to detect, but with all of the supposed research on secure systems, having ATM's vulnerable to this type of attack borders on the negligent. Put a fritz chip in the things and have every level locked down, checksumed with high trust cryptographic hashes, and make sure that the merchant systems isolate compromised ATM's.
Of course it would make maintenance more difficult (and expensive), but it would increase the level of confidence in the systems.
The Sainsbury's POS are all running a Win2000 variant. Occasionally and obviously being a geek, I often see the odd POS system crashed and waiting reboot in the long line of tills in the local store. I suspect most large shops like TESCO, et all are all running Windows based POS terminals. The development time on the POS software can obviously be reduced using a standard O/S rather than code your own, that then brings it own wonderful world of pain!
Before you Linux boys start up, don't forget that whatever O/S is used, it will be deployed as is across thousands of terminals, so there will be on custom build per system, just one single fixed builds pushed out to all terminals, as it's static, it can be relied on to be the same this hacks can be written.
This is nothing to do with ATMs, this is the sort of machine like a till at a supermarket or the like.
If you have the acronym "POS" and Windows in the same paragraph you should make it clrear that "POS" stands here for point of service. Otherwise, people will assume that it stand for something else!
Wahtever, POS or ATM, they all run Windows, I've recently seen them with XP on them. They also run McAfee on some! From previous experience I can say they used to run a custom board PC but who knows, perhaps they run on Dell or IBM or some such now...
Gives you loads of confidence.
security through obscurity = fail
I would have given you a Paris if she'd known what cryptography meant.
For the record and with rare exceptions every lock has a keyhole.
Pretending that you can fool a locksmith or thief into believing that a lock hasn't got a hole (when it does), is like proffering a BBQ'd t-bone to a rutting bull.
ATM's running on XP
"It worries me that the description of the symptoms indicate that the ATM's are running stock software stacks, including the OS. "
That's not even the worst part: Most of those is running plain vanilla XP or Vista, not even some stripped-down version of it or unix.
yes, and they're damn expensive
If you want a terminal approved, you have to pay to have it tested, and i don't recall now, but it was on the order of tens of thousands of dollars, and if the test couldn't be completed in X ammount of time, you had to pay again for a retest.
I like traffic lights
Isn't it about time we all went to 2fa for our online banking and replace pins with the token response?
My HSBC company account comes with an RSA token, but I can't seem to get one for my personal account.
Sure it makes like a little more cumbersome, but if it's neceesary, then we should just do it.
Customers wont do it
And there isent that much risk in online banking anyway.
Why not give them a choice?
It's not that difficult ffs.. after all the RSA fob is a nice little dooberry and it's *real* easy to use, hell as long as you're not vision impaired I'd say it makes logging into an account easier and definitely more secure!
You'd just need to colour code them or provide some other way of identifying them to an account for those of us with more than one!
What. The. Frack?
"Tell-tale signs they've been installed include the presence of strange rdump files and perl scripts on a hard drive, sudden changes in free disk space and the monitoring of registries and system processes."
That this is even possible in POS systems says a lot about the current practices in this "industry", Are these things put together by flight-by-night basement operations in Somalia? Are the hired engineers more able to play WoW than design a technical system? Is there not enough money left to actually set up a good infrastructure because managers are enjoying prolonged stays on Carribean "conferences"? What is this?
What you're forgetting is that the goal in capitalism isn't to make the best possible product - that's a great way to go bankrupt! - but to make a product that does the job cheaply, then requires regular maintenance and upgrades, which of course aren't free.
That way you make money out of the customer for years, rather than just once! If they'd done the job properly in the first place, this wouldn't be possible.
I don't agree with it, but those seem to be the rules!
To read the ram you have to access it first.
"So-called RAM scrapers scour the random access memory of POS"
And how does that thing gets into the POS software exactly? The first layer of defense is always physical. If somebody has access to the machine there is no encription that can save it.
Not quite true...
Many tamper-proof hardware security modules (HSMs) exist and are designed to prevent sensitive data from being released even with physical access. Google "IBM 4758" for example. I thought the keypad in all PIN terminal was part of such a device, but obviously not....
Attacked and breached.
20 minutes of physical access to extract encrypted keys and around a day to brute force them with an FPGA and some fancy software.
Why get the data from a secure module when the customer taps it into the pad in cleartext?
All the pictures of hacked C&P terminals I've seen look as though they have a simple microcontroller attached to the back of the keypad and the board so that's obvious.
The main fail is that there must be a plaintext transfer of account number between the card reader and processor somewhere....
Hmm, off the top of my head...
How about using ASM for the decrypt and check part, just use 64-bit registers instead of RAM. A CC number can easily be stored in 2 64-bit registers in BCD form, and if the OS handles debugging correctly (ie disallows it totally - as it should be on a production server anyway), there would be no way of accessing without patching and changing the signature of the process (making it easy to identify an attack).
Ok InfoSec people, pay me loads of money for that idea.......
PIN requests to the card will be zero knowledge but the PIN still has to be entered by the customer and unless you're expecting them to do RSA or whatever in their heads, it's going to be plaintext in memory somewhere.
These machines aren't easy to come by, unless you're a retailer I assume, so to get the RAM scraper onto the machine in the first place must indicate an extremely poor level of security to begin with? I would assume also that this RAM scraper would have to be a specifically coded piece of software as well, so it's not going to be a run-of-the mill attack just yet, but as it's prevalence increases this may alter.
Anyway, I was duped by the credit card industry into believing that chip and pin technology would reduce my likliehood of being defrauded by over 98% over my previous chipless cards. Perhaps cash is going to become popular again, and your "Plastic Friend" can be euthanased with dignity, also resolving possibly, countless other financial problems as well.
I dound it some how, for the one simple reason that cash is not safe. Its also very difficult to deal in amounts above £500 because of money laundering laws.
There are many other problems with cash, and the problems with credit are down to a few.
I'm so looking forward
to seeing how effectively the ID card reader avoids all these problems.
Possibly by being so expensive that only the dole office will have one.
When are banks going to realise that they have to make their systems SECURE?!
Off the shelf OS and software, systems with back doors in them to enable the fraudster access, simple PINs being used in place of complex signatures and stored in the clear...
It's an absolute crock of shit, that's what it is. In other news, cars are easy to break into and steal...
This is a title
What do you expect with ATMs etc. running Windows XP...
"Jason Milletary", a researcher with SecureWorks' Counter Threat Unit
Just wouldn't have the same ring to it if he was working as an accountant....
the clue is in the name
"These machines aren't easy to come by, unless you're a retailer I assume, so to get the RAM scraper onto the machine in the first place must indicate an extremely poor level of security to begin with?"
These are "Point of Sale" machines - so any point of sale has one, and it can be accessed by the poor minimum-wage schmuck who has to do the nightshift at the filling station, burger bar, or whatever. And there's no-one more bribable than a minimum-wagew schmuck - so yes, points of sale do tend to have very poor levels of security. Which is why you should pay cash when you visit them.
It's quicker too...
@the clue is in the name
Except, of course, when the minimum-wage schmuck can't make change...
Alarmist opaque article
The title might imply that fraudsters are obtaining payment details from discarded RAM memory or sold-on memory (ebay sellers beware) and that this can be done when there is no power to the RAM much like traces of data left on hard discs. But reading further, the article mentions none of this.
The threat is very real BUT possibly to badly maintained, unpatched/updated insecure Windows-based web SERVERS that run online payment systems.
The article could be clearer to confirm this.
re: alarmist opaque article
"The title might imply that fraudsters are obtaining payment details from discarded RAM memory or sold-on memory (ebay sellers beware) and that this can be done when there is no power to the RAM"
Errm, surely if they are only kept very *very* cold? :-)
They are not talking about web servers, they are talking about a private network. They don't use the public internet for transactions, in exactly the same way that ATM's use a direct line to the clearing house.
You, sir, are the alarmist here methinks
RAM scrapers and credit card data
"RAM scrapers", never heard the term before and I've been interested in computer security for a long time. I think I see what the problem is, and quoting from the article ..
"So-called RAM scrapers scour the random access memory of POS, or point-of-sale, terminals, where PINs and other credit card data must be stored in the clear so it can be processed. When valuable information passes through, it is uploaded to servers controlled by credit card thieves"
01. What idiot designed this POS, where no one notices it contacting some criminal server. Do they not have auditing systems in place for this. How is it even able to connect to the Internet. In this day-and-age, have they not heard of the phishing epidemic ?
"Heightened awareness around security issues and increased regulatory requirements are pushing many organizations to minimize data retention or encrypt data that must be retained whether in storage or in transit. RAM scrapers circumvent such controls and capture data in memory where it must be decrypted to be read and processed"
02. No the data don't have to be stored in the clear, a one-time transaction token can be generated from a smart card and used to process the transaction.
"Unusual system behavior or performance; presence of large or unusual files (ramdump files and perl scripts); sudden changes in free disk space; registry monitoring; system process monitoring; routine log monitoring; presence of other malware on system; AV disabled"
03. Ahh, there's your problem, you have no system in place to verify the software running on the POS. For instance digital signatures running on an embedded hardware device. One that won't let unauthorized software run.
"During investigations involving suspected malware we commonly examine active system processes and create a list of all system contents sorted by creation/modification date. These efforts often reveal malicious files sitting in the Windows\system32 and user temp directories."
04. Even more ahh so, there's you problem right there. What idiot decided to run POS systems, that store credit card data in the clear, on a system that you could run any ole software on and connect it directly to the Internet, and finally not have an auditing system in place to notice all your credit-card numbers being uploaded to the criminal server.
"The perpetrator returned at regular intervals through a backdoor to collect cardholder data dumped from the POS server’s memory"
Look, if someone you don't know is rummaging round in the back of your POS - then he is most probably up to no good :)
Wasn't all this "trusted computing", end to end encryption, code signing, tamper proofing, etc all included in Vista?
Obviously in Vista it was there to protect something far more important than money, it was there to prevent copying of "HD content".
Is it still in Windows 7?
Is it available under any other OS, on commodity (or any other) hardware?
MS money maker
"Obviously in Vista it was there to protect something far more important than money, it was there to prevent copying of "HD content".
Is it still in Windows 7?"
Yes it is. DRM is built into kernel and 7 has the same kernel, just different UI, yet again.
So say goodbye to the HD content on 7 (unless you have bought hardware which manufacturer gave 2% of the retail price to MS & MPAA for "licence" to display HD content").
MS will get your money, in one way or another. Usually both ways.
If you use their stuff, that means.
Do it right
Proper implementation uses pinpads with integrated encryption in a tamper-proof unit so that only encrypted data can be tapped. The host only stores encrypted pins. The keys are injected into the pinpad during manufacture from a secure facility using encrypted keys making it extremely difficult to compromise. Further, ATMs can have their keys changed daily by the host computer (in a secure facility, not a server in the closet) using public key cryptography. Anything that emits keys or pins in the clear is asking for trouble.
I dont want to point out the obvious..
Isn't it about time that the Merchants were made to use something a little more secure.
Any WHY WHY WHY do the merchant need to know my PIN!
Hardware encryption in ROM built in directly to the keypad, with all of these being made and certified and sold onto the authorised PIN machine manufacturers would solve it.
This way the encryption is always done directly from the keyboard and the merchant and PIN machine can only see the encrypted data (only a sealed keypad sees the unencrypted key-presses!). The merchant / PIN machine would never get even a sniff of the pre-encryption data.
If the encrypted data is pinched, then the risks to decryption rely entirely on the strength of algorithm in use.
This solves almost all the problems, and creates only a few minor ones.
The remaining weakness is keypad replacement by crooks, or key theft.
The good news however...
We should all periodically claim that random transactions were not performed by us, and blame PIN design weaknesses. Off to Tesco now......
So how do they get the scaper onto the system. Its one thing to speculate another to know. And while we are at it do minimum wage till operators have access to the POS hard drive or are they only on a terminal with limited access to the POS hardware its self?
If I'm right, a simple hardware firewall configured to only allow connections to the servers it needs to connect to would stop the problem. I would have thought something like that would be standard for POS systems. I guess POS could easily stand for something other than Point Of Sale.
POS systems aren't that secure..
A lot of them are badly written, the hardware and software is basically commodity with a couple of vaguely unusual peripherals and integrating with them is an arse.
It's important to know that POS these days is vastly more complex than simply scanning in information. Many stores now also use ADSL to communicate with head office.
The better retailers do at least lock down the OS reasonably well, and some of them physically secure the machine too. It does surprise me that a POS system has access to enough of the Internet to be controlled externally.
It's highly likely to be an inside job, though. Physical access is probably the easiest way to subvert the machine. Anything beyond that requires access to the head office network - perhaps a trojan that is hosted on a website accessed by a back office PC, which then propagates to the POS systems.
I don't know any of the details of how a credit card transaction works these days, but I do question the assertion that the data 'must be held in the clear'. If sufficient processing is placed inside the card reader, it should be possible to transmit encrypted data end to end.
The title is required, and must contain letters and/or digits.
I thought that the security with 'Chip and Pin' came from the fact that the PIN is validated by the chip on the card and doesn't need to be uploaded to the central server. There's no need for the PIN number to leave C&P machine - so the connected POS workstation should never even see the PIN. So why are the workstations storing the PIN in memory?
This is not dealing with a PED (Pin Entry Device) of a C&P machine, which is indeed seucred so that information doesn't come in and out of it. Having read the Verizon report (or a bit of it) and It's very hard to tell from the article, this is a POS server in a casino in America. This sort of peroblem has occured in a few sites, the software has always got on to the Windows servers involved by default access credentials not having been changed. These servers are, in the absence of PEDs tokenising/encrypting the data before transmission.
I assume that the card data doesn't include the PIN, because the document doesn't say so, it's probably a full copy of the magstripem which in itself is pretty bad.
Now, if only there was some sort of technology that would prevent this from happening... Oh, say something with a chip in the card, requireing a PIN to auth.
Chip and Pin = FAIL
So, aside from the fact that its made shopping ques longer, and is a ploy by the banks to shift blame when these systems get caught with their pants down, the important element of wisdom to remember is that there is nothing as secure as visiting the bank in person rather than trusting these machines. For what its worth to others fed up with the chip and pin fiasco google for section 10.7 of the banking code or visit http://www.bba.org.uk/bba/jsp/polopoly.jsp?d=350&a=13289&artpage=all
- while the bank staff will straighten up when you mention it, they do have to provide an alternative to chip and pin!
"So, aside from the fact that its made shopping ques longer"
It hasn't, I've never even heard this anecdotally.
"and is a ploy by the banks to shift blame when these systems get caught with their pants down..."
It really isn't, I know that you won't believe this, but it's not a conspiracy, it is to improve security, signatures and magstripes are piss-poor 70s tech - as anyone whose card has been cloned will tell you.
"the important element of wisdom to remember is that there is nothing as secure as visiting the bank in person rather than trusting these machines."
Except if someone has stolen your signature and magstripe card they just withdraw your cash over the counter because they aren't stopped by not knowing your PIN. If you loose your C&P card, you've nothing to worry about if you haven't recorded your PIN on or near it (subject to the magstripe being cloned and sent to USA etc). If someone makes you tell them your PIN while mugging you, you've got a pretty good idea that this has happened and can call the cops and get your card canceled as soon as you are able.
Oh and 10.7 specifically says that you have to have a medical reason to not use a C&P card, you can't just choose not to.
Didn't quite a few POS systems
used to run OS/2 on their terminals? Or even better, the terminals were greenscreens connected back to an AS/400 or larger. The real fault is assuming it's OK to need a fancy GUI on your POS terminals, which leads to POS terminals running an unsecure, high-profile OS like Windows.
Dear Headquarters Help Desk,
We don't ALL know PERL (it's hard to find good help these days) so we upgraded to Visual Studio on the Cash Register as per instructions. Now nothing will compile, even some games we've had on there forever! We told customers to come back later; are we missing a DLL or are you missing a brain ?
store # 110111001000100100001000100000
@ Pirate Dave
"The real fault is assuming it's OK to need a fancy GUI on your POS terminals"
Here in western Canada, a significant fraction of the population is evidently literate only in Chinese, hence ATMs have to be able to display Chinese text, as well as in Canada's two official languages, English and French. The latter is easy, but the former not so easy.
A graphical display is therefore essential.
I don't know if POS key pads know Chinese, however; suspect not.
they're talking about cash-registers (which are hopefully operated by an employee), not ATMs that are supposed to be operable by anyone. I see your point though, and might I suggest BeOS for ATMs... ;)
Since you can purchase a mobile phone top-up from a ATM, the term POS does not exclude ATMs.
OK, I've never seen such a thing here in the US. All of the ATMs I've used only do checking stuff, not cellphone stuff.
@Destroy All Monsters
worked briefly with the guy who did the till software for a certain wholesaler/retailer. Youi have no idea how bad. Cut & paste coding, procedures running to many scores of pages, no data hiding, no code review or testing, that and more an dworse. When it compiled he loaded it straight onto the tills literally. Then they fell over. He was very well paid and had job security.
- Review Is it an iPad? Is it a MacBook Air? No, it's a Surface Pro 3
- Game Theory The agony and ecstasy of SteamOS: WHERE ARE MY GAMES?
- Hello, police, El Reg here. Are we a bunch of terrorists now?
- Kate Bush: Don't make me HAVE CONTACT with your iPHONE
- Worstall on Wednesday Wall Street woes: Oh noes, tech titans aren't using bankers