Data thieves may have used RAM scrapers, Orem man explains

OREM — First it was 40 million Target shoppers. Then it became 70 million people affected by that massive data breach. How did the crooks do it?

An Orem man, David Ellis, thinks he knows exactly how it happened. Ellis is Director of Forensics at the payment security firm SecurityMetrics. He spends his day looking into how hackers break into the payment systems of businesses. He's not surprised that hackers succeed from time to time, thanks to what's called a RAM scraper.

"The software has been around for several years," he said. "In the last two or three years, it's become very popular with attackers."

RAM scrapers don't target hard drives or info being sent over a network, he said. They look inside the register's memory to grab sensitive information while it's being processed.

"For that brief moment that it's in a memory or in RAM, the data that comes in there is typically unencrypted," he said.

Banks require businesses that take credit cards to follow rules set by the payment card industry. That means all those numbers stored on their hard drives or networks must be encrypted. So, the only chance hackers have to grab useful data is to scrape it out of the register's memory while it's processing payments. It takes just milliseconds.

"They'll usually have other pieces of software in their malware suite that will say, 'OK, I just detected something that looks like a credit card,' " he explained. "They'll have another software that will pull the credit card info out, put it into a text file. Another software will get that software back to the attackers."

The investigations are just getting started into the data breaches. Officially, they're still trying to figure out if RAM scrapers were used. But Target CEO Gregg Steinhafel is certain someone, somehow, installed malicious software on Target's registers.

Using credit, not debit cards
After hundreds of investigations of payment system data breaches, Ellis is still very comfortable with using his credit card. That's because his personal money is never at risk, even if hackers capture his card.

But debit cards are a different matter. Ellis suggested asking the retailer to run your card as credit so you don't have to enter your PIN. If you use your card as a credit card, you'll have the same protections offered by Visa and Mastercard, he said.

"There was malware installed on our point-of-sale registers," Steinhafel said. "That much we've established. We removed that malware so that we could provide a safe and secure shopping environment."

Target is keeping mum on the details, but Reuters reported that sources familiar with the attacks say the malware used was a RAM scraper.

So, how do the attackers get their malicious, evil software onto registers in the first place? In Target's case, we don't know yet. In general, an employee sometimes deliberately installs it on the business's network, or unintentionally installs it by opening an email attachment infected with the malware.

That's one reason businesses should make sure their payment system is not attached to their network, Ellis said.

"Everything related to the swipe of the credit card transaction needs to be separated or segmented from all of the other business that takes on, should be completely firewalled off," he said.

Ellis expects more data breaches pulled off by hackers using RAM scrapers. He said that just a few years ago, they had to create and deploy the software themselves, which required a high level of skill. Now, they can simply buy it.

"A novice hacker can stand on the shoulders of someone that's brighter than he was, go out on the Internet and bring these packaged attacks into their own system and employ them," he said.

Bill Gephardt