
How we made a RAM-scraping-proof POS system
Background :
In 2013, Target (an American retail corporation that operates a chain of department stores and hypermarkets) said that card information of 40 million shoppers who had shopped at one of its retail outlets over the holiday season was compromised. In addition, personal information of 70 million people was also stolen, and any shopper who had come to the stores during the whole year was at risk.
Investigation later showed that the malware used in the attack was a RAM scraper. A RAM scraper is a specific type of malware that targets information held in memory, as opposed to information saved on the hard drive or being transmitted over the network.
This news created panic and concern among retailers in general, since every retailer seemed vulnerable: each has hundreds of customers paying by card in its stores every day.
(News courtesy: PcMag)
Objective :
Enhance application security to make the system RAM-scraping proof. Our client had more than 150 stores across America, and hundreds of customers swiped their cards on its POS systems every day. The system also held customers' personal data such as name, address and social security number. All of this data needed to be secured.
Solution :
- The solution was to ensure that RAM does not persist the customer's card or personal information for long, since the POS tills and card machines could not be disconnected from the internet: they needed authorization from banks and had to sync transactions with the central system.
- The garbage collector was fine-tuned, and after each transaction the finalize method was called to request that the GC clean up the memory.
- A RAM monitor was used to check whether card numbers persisted for more than 1 second, to ensure compliance.
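As an added illustration (not the client's code), here are the two halves of the solution above in C: a monitor check that scans a memory region for Luhn-valid digit runs the way a RAM scraper would, and a transaction that keeps the PAN in a buffer only for the authorization step and scrubs it immediately afterwards. The client's system relied on GC tuning in a managed runtime; in C the scrub has to be explicit, and the test PAN, field layout and buffer size used here are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Luhn check over a run of ASCII digits; returns 1 when the checksum is valid. */
static int luhn_ok(const unsigned char *d, size_t n) {
    int sum = 0, dbl = 0;
    for (size_t i = n; i-- > 0; ) {
        int v = d[i] - '0';
        if (dbl) { v *= 2; if (v > 9) v -= 9; }
        sum += v;
        dbl = !dbl;
    }
    return sum % 10 == 0;
}

/* RAM-monitor check: count digit runs of 13..19 characters that pass Luhn
 * inside an arbitrary memory region (exactly what a scraper searches for). */
size_t count_pans(const unsigned char *mem, size_t len) {
    size_t found = 0, i = 0;
    while (i < len) {
        size_t start = i;
        while (i < len && mem[i] >= '0' && mem[i] <= '9') i++;
        size_t run = i - start;
        if (run >= 13 && run <= 19 && luhn_ok(mem + start, run)) found++;
        if (i == start) i++;            /* non-digit byte: skip it */
    }
    return found;
}

/* Overwrite a buffer through a volatile pointer so the compiler cannot
 * drop the write as a dead store (a plain memset before return often is). */
void scrub(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Simulated transaction: the PAN lives in the buffer only while the
 * authorization step runs, then is scrubbed. Writes the count the monitor
 * sees before scrubbing to *before and returns the count after (goal: 0). */
size_t process_transaction(const char *pan, size_t *before) {
    unsigned char track[64];                 /* constructed: card-read buffer */
    size_t n = strlen(pan) < sizeof track ? strlen(pan) : sizeof track;
    memset(track, 0, sizeof track);
    memcpy(track, pan, n);
    /* ... the authorization request would be built from track here ... */
    if (before) *before = count_pans(track, sizeof track);
    scrub(track, sizeof track);
    return count_pans(track, sizeof track);
}
```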
Outcome :
- The RAM monitor confirmed clean RAM within 1 second of each transaction.
- No card or personal information was seen in RAM.
- System performance did not degrade.
- Our client never encountered a security issue and cleared all government compliance checks.