The fundamental problem is that credit cards are built around a model where credit card numbers are theoretically supposed to be secret, but every random retailer has to have them to process transactions. If credit cards were electronic devices, like in Europe, rather than fancy pieces of paper with a number written on them, then fraud would drop, and retailers would be freed of a massive burden. But American banks aren't up to the task of creating that sort of infrastructure, so instead they blame it on whichever poor retailer happened to have its computers broken into.
A long time ago I helped a company get their payment terminal up and running after their first consultant had spent 9 months and $30,000 not getting anything done. The code I got was astonishingly bad and I realized that these folks had no way of evaluating good or bad code, and it depressed me that this was more the 'normal' situation rather than the 'unusual' sort of situation. I hope that in today's target rich environment folks are investing a bit more care into these things but I worry that isn't the case.
It seems that many people are really confused about this stuff. Because if PA-DSS standards are followed, the PC doesn't ever get any actual credit card data. Yes, it's possible to backdoor / modify / infect / re-firmware or whatever the actual POS terminal, but it has nothing to do with the POS PC. POS terminals are independent systems with their own RAM, keyboard, networking, processors, firmware, operating system, and software. I just made a credit card transaction; here's all the data the PC gets from the credit card terminal. B2A8AAA4-6585-4D97-8AF7-C2DE0A617E3B for 40€ is successful. So? Feel free to abuse that information, if you find a way to do so.
So whenever writing stuff like this, it would be very smart to mention if the attack is targeting the PC or the actual POS terminal.
From what I gather from the article, the systems which RAM scrapers attack were running on general purpose computers, with very similar vulnerabilities.

Why isn't sensitive software like this built and audited with the same concern for reliability and security as avionics, medical equipment, SCADA, etc.? Certainly the cost in financial losses caused by these attacks makes this a pertinent question.
The term "RAM scraper" seems pretty stupid to me.

These are likely using hooking. They don't scan RAM all the time; instead they patch or inject code into the POS software and then record the data when that code is called.

Think of something like Microsoft Detours. "RAM scraper" seems a pretty inaccurate description.
"Six months before the breach, the company had installed a $1.6 million malware detection system that worked exactly as planned when the intruders began stealing their loot. It even issued multiple alerts for Target's security staff. But the security staff simply ignored them."

That sounds bad, but I wonder if this system was issuing huge numbers of alerts all the time, leaving the security staff no real option but to ignore the alerts. I'd be curious to see the false positive rate. It seems like for an off-the-shelf security system that you buy, false positives must be a huge problem, because it hasn't been tuned to your data.
This article [1] argues that RAM scrapers are only able to work because the point-of-sale systems are running Windows XP.

Newer versions of Windows make this exploit far more difficult [2].

[1] http://www.dailytech.com/Appalling+Negligence+DecadeOld+Windows+XPe+Holes+Led+to+Home+Depot+Hack/article36517.htm

[2] http://en.wikipedia.org/wiki/Address_space_layout_randomization
So are these hardware devices that somehow people manage to sneak in and install on a store's network? How would they monitor traffic and get the credit card info?

Edit: The article does say: "Attackers installed these RAM scrapers surreptitiously on the point-of-sale systems used to scan and process credit and debit card transactions at Albertson's and Supervalu. The tools make it easy to steal card numbers by the millions as they pass through the system."

But it's still a bit confusing whether these are hardware devices or somehow they install software to do this.
I don't get it, you spend all this money on card readers, they've got all kinds of anti-hacking software/hardware/sensors, but the scanner sends the cards as plain text to the register?
I love the quote about Target. SIX MONTHS BEFORE THE BREACH, THE COMPANY HAD INSTALLED A $1.6 MILLION MALWARE DETECTION SYSTEM THAT WORKED AS DESIGNED AND ISSUED MULTIPLE ALERTS THAT GOT PASSED TO TARGET’S SECURITY STAFF, WHO SUMMARILY IGNORED THEM.