Saturday, November 8, 2014

Using Throughput Measurements to Detect Data Scraping Attacks

If retailers insist on using out-of-the box operating systems to process card payments in electronic cash registers (ECR) then the least they can do is perform the minor calculations needed to determine that throughput within the ECR meets nominal expectations. Microsoft has provided various functions to monitor processing such as QueryPerformanceCounter (QPC). It is possible to use these functions to determine if there is unusual activity within an ECR.

ECR suppliers can create benchmarks for movement of financial data across their platforms both before and after distribution to customers. Timing begins before reading a port containing external financial data and ends at the point after clearing memory containing financial data just before returning control to a non-financial data processing application. 

A terminate stay resident (TSR) application then can read the measurements on a continual basis and determine if increased processing time indicates a likely data scraping attack. The following rough pseudo code gives an example of this type of countermeasure to a data scraping attack
            Read Timer with highest resolution possible
                        Process Financial Transaction
                        Wipe financial data from application memory and I/O buffers
            Read Timer with highest resolution possible
            Write End timer results – Begin timer results to next position of data store for TSR

The TSR then continually looks at the values in its data store and if the values start increasing consistently beyond a reasonable deviation variable then the TSR performs actions based on its configuration.

This simple method comes from descriptions of data scraping attacks in various media. The presumption that these attacks originate within the ECR ensure that monitoring activity occurs for only one financial transaction at a time. If the data scraping attacks occur further up stream then similar methods of measuring throughput are possible, however the complexity of the approach increases.

The pseudo code mentions the wipe of application memory containing financial data. If applications do not contain this step then this monitoring approach is futile. So please developers and ECR manufacturers, wipe after flushing.

Next Blog: Something pseudo wicked lurks nearby

No comments:

Post a Comment