What Is a RAM Scraping Attack?

A RAM scraping attack is an intrusion into the random access memory (RAM) of a retail sales terminal in order to steal consumer credit card information. This type of cybercrime has plagued retailers and their customers since at least 2008.

RAM scraping is also called a point-of-sale (POS) attack because the target is a terminal used to process retail transactions.

Understanding a RAM Scraping Attack

The first known RAM scraping attack was reported in an alert issued by the credit card company Visa Inc. in October 2008. The company's security team discovered that point-of-sale (POS) terminals used to process customer transactions using its cards had been accessed by hackers. The hackers had been able to obtain unencrypted customer information from the RAM in the terminals.

Key Takeaways

  • A RAM scraping attack targets credit card transaction information stored temporarily in the point-of-sale terminal.
  • It is only one type of malware used to steal consumer information.
  • The notorious Home Depot and Target attacks used RAM scraping malware.

The targets of the earliest attacks were mostly in the hospitality and retail industries, which process high volumes of credit card transactions at a large number of locations. By 2011, investigators were tracking an uptick in the introduction of malware bugs.

Notorious POS Attacks

POS attacks did not gain widespread attention until 2013 and 2014 when hackers infiltrated the networks of the Target and Home Depot retail chains. The personal information of more than 40 million Target customers and 56 million Home Depot customers was stolen in those attacks, which were attributed to the use of a new spyware program known as BlackPOS.

The attacks continue, although RAM scrapers are now being replaced with more advanced types of malware such as screen grabbers and keystroke loggers. 

How RAM Scrapers Work

The plastic credit cards that we all carry contain two distinct sets of information.

  • The first set is embedded in the magnetic stripe and is invisible to the human eye. That stripe contains two tracks of information. The first track contains an alphanumeric sequence based on a standard developed by the International Air Transport Association (IATA). This sequence contains the account number, cardholder’s name, expiration date, and more in a sequence recognizable by any POS machine. The second track uses a shorter but analogous sequence developed by the American Bankers Association (ABA). There is a third track but it is little used.
  • The second piece of information is visible. It's the three- or four-digit code known as the card verification number (CVN) or card security code (CSC). This number adds an extra layer of security if it is not included in the electronic data contained in the magnetic stripe.

Screen grabbers and keystroke loggers are newer ways to steal credit card data.

The POS terminal collects all of the data in that first set, and sometimes the second code as well. The data is then held in the memory of that POS machine until it is periodically purged.

When Data Is Vulnerable

As long as it is in temporary storage on the terminal, that information is vulnerable to RAM scrapers.

Small merchants are a relatively easy target for cybercriminals since they can't devote a lot of resources to elaborate security systems. Larger retailers like Target and Home Depot are far more attractive because of the massive amounts of data they retain at any given time.