What Is a RAM Scraping Attack?
A RAM scraping attack is an intrusion into the random access memory (RAM) of a retail sales terminal in order to steal consumer credit card information. This type of cybercrime has plagued retailers and their customers since at least 2008.
RAM scraping is also called a point-of-sale (POS) attack because the target is a terminal used to process retail transactions.
Understanding a RAM Scraping Attack
The first known RAM scraping attack was reported in an alert issued by the credit card company Visa Inc. in October 2008. The company's security team discovered that point-of-sale (POS) terminals used to process customer transactions using its cards had been accessed by hackers. The hackers had been able to obtain unencrypted customer information from the RAM in the terminals.
- A RAM scraping attack targets credit card transaction information stored temporarily in the point-of-sale terminal.
- It is only one type of malware used to steal consumer information.
- The notorious Home Depot and Target attacks used RAM scraping malware.
- RAM scraping is thwarted by newer credit cards that use an embedded chip rather than a magnetic stripe.
The targets of the earliest attacks were mostly in the hospitality and retail industries, which process high volumes of credit card transactions at a large number of locations. By 2011, investigators were tracking an uptick in the introduction of malware bugs.
Notorious POS Attacks
S attacks did not gain widespread attention until 2013 and 2014 when hackers infiltrated the networks of the Target and Home Depot retail chains. The personal information of more than 40 million Target customers and 56 million Home Depot customers was stolen in those attacks, which were attributed to the use of a new spyware program known as BlackPOS.
The attacks continue, although RAM scrapers are now being replaced with more advanced types of malware such as screen grabbers and keystroke loggers. These are exactly what they sound like. They are malware programs designed to capture personal information when it is displayed or as it is entered and then transmit it to a third party.
How RAM Scrapers Work
The plastic credit cards that we all carry contain two distinct sets of information.
- The first set is embedded in the magnetic stripe and is invisible to the human eye. That stripe contains two tracks of information. The first track contains an alphanumeric sequence based on a standard developed by the International Air Transport Association (IATA). This sequence contains the account number, cardholder’s name, expiration date, and more in a sequence recognizable by any POS machine. The second track uses a shorter but analogous sequence developed by the American Bankers Association (ABA). There is a third track but it is little used.
- The second piece of information is visible. It's the three- or four-digit code known as the card verification number (CVN) or card security code (CSC). This number adds an extra layer of security if it is not included in the electronic data contained in the magnetic stripe.
Screen grabbers and keystroke loggers are newer ways to steal credit card data.
The POS terminal collects all of the data in that first set, and sometimes the second code as well. The data is then held in the memory of that POS machine until it is periodically purged.
When Data Is Vulnerable
As long as it is in temporary storage on the terminal, that information is vulnerable to RAM scrapers.
Small merchants are a relatively easy target for cybercriminals since they can't devote a lot of resources to elaborate security systems. Larger retailers like Target and Home Depot are far more attractive because of the massive amounts of data they retain at any given time.
Avoiding RAM Scraping
Thwarting RAM scraping is mostly the job of the retailer, not the consumer. Luckily, a good deal of progress has been made since the infamous attacks on Home Depot and Target.
Your credit card issuers have by now almost certainly sent you a new card that is inserted into a retailer's card reader rather than swiped along the side of it. The reader uses the chip embedded in the card rather than the older magnetic stripe. The purpose of this technology is to make a POS attack more difficult.
Contactless payment by credit card is considered as safe as "dipping" a card. These are not yet universally accepted by retailers (or enabled by card issuers) but are increasingly an option.
It took a long while for this switch to be fully put in place nationwide because it required every retailer who used the new system to buy new equipment in order to enable it. If you run across a retailer who still uses the old swipe readers, you might consider paying cash instead.