The United States is almost ready to join the rest of the world in the chip-and-pin credit card future. But in the meantime hackers have been stealing numbers left and right. Wired took a deep dive into the software that lets it happen, and the process is both clever and simple.
The programs at work here are called RAM Scrapers. Unlike ATM skimmers, which physically skim a little data off the top as you put your card into a machine, RAM Scrapers poke around inside a system's memory for pretty much the same information. Instead of physical access, hackers just need to get into a target's (or a Target's) network to set this malware to work. It's as easy as finding a careless HVAC guy.
Once they're in, Wired explains, hackers set these nefarious programs — with flashy little names like Dexter, Soraya, ChewBacca and BlackPOS — zip around a system's RAM to find strings of bits and bytes that match up with the general shape of credit card data. Security standards ensure that companies that take credit card payments encrypt them when they travel over public networks, but not necessarily when they travel over the private intranet. And even though point-of-sale devices never actually store credit card numbers, they still wind up floating through RAM somewhere.
Once you nab 'em, it's just a matter of pickup. Wired puts it this way:
The scrapers usually encrypt and store the stolen data somewhere on the victim's network until the attackers can retrieve it remotely. Or they can program their scraper to send the encrypted data automatically over the internet at regular intervals, passing it through various proxy servers before it reaches its final destination.
Of course, the whole process is dead simple to thwart; just require a micro-chip authentication for all sales and suddenly the numbers alone are worthless. We'll get there eventually, but until then, the scrapers will keep on scrapin'. You can read more about these clever little programs over at Wired. [Wired]