Skip navigation

In retail, so much depends on today’s modern version of the cash register. Point of sale (POS) systems are the data entry point for making sales and tracking sales, inventory, and, for many merchants, customer relationships. If the POS system goes down, a retailer can’t do business. If a POS system is compromised, even worse things can happen. Which is why I’m writing about POS security a second time this year. This time my focus is on protecting against a particularly prevalent threat: keylogging and screen scraping.


Keyloggers and screen scrapers are two common methods to steal usernames, passwords, and identification and authentication entered by users. A keylogger is software that monitors keystrokes, logging them to a file and sending them off to remote attackers. A screen scraper is an application that collects character-based data from the display output of another program, such as transactional software.


In “Pssst … Have You Truly Secured Your POS?,” I covered how 3rd generation Intel® Core™ processors provide a variety of advanced security technologies to protect transactions at the POS level. I also showed examples of boards from members of the Intel® Intelligent System Alliance that a designer could use to create such POS systems. These same processors and technologies will also play a role here—as well as a solution from McAfee.


Over the past 20 years, POS systems have evolved to collect and use greater amounts of data. Today’s POS systems are often networked computers designed to process sales, check inventory, manage customer loyalty programs, deliver information to employees, and even provide training. Attached to these systems are peripherals such as card readers and pin pads, money drawers, barcode scanners, and sometimes scales for weighing produce.


One piece of interesting reading is the latest Verizon Data Breach Investigations Report. This annual data breach information study is conducted by the Verizon RISK Team, with participation from the U.S. Secret Service and international national cyber security agencies in Australia, Holland, Ireland, and Britain. The study analyzes data breaches to see how they happen, who causes them, why they do it, and how the breaches could be prevented in the future.


For the past two years the retail industry has ranked only second behind hotel and food services in the study as the business most plagued with data breaches. One thing both these industries hold in common is that they use POS system. This makes them prime targets for criminals who exploit POS systems with weak security. Retailers are easy targets with lucrative credit card data. A favorite target is small to medium businesses, particularly franchise owners who lack the IT resources and expertise to mount proper security.


An example I gave in my last post on this topic was a breach of 100 Subway sandwich shops by two Romanian hackers who remotely installed keyloggers to collect all card data keyed in or swiped at the POS. A more recent example is the September 2012 credit card data security breach of the pin pads at 63 Barnes & Noble stores in eight U.S. states. Last year Michaels, the arts and crafts chain reported nearly 100 payment card terminals at stores in 20 states had been tampered with by criminals looking to steal debit and credit card data.


According to the 2012 Verizon Data Breach Investigations Report:

  • When malware was used to exfiltrate data, 98 percent of the time it was paired with keylogging functionality.
  • 91 percent of the studied 276 breaches leveraging stolen credentials also had keyloggers installed.
  • Keylogging, form grabbers (a method for capturing web form data) and spyware rank number one in the top ten threat action types by number of breaches.


How to Protect Against Keyloggers and Screen Scrapers

Obviously, keylogging and screen scrapers are two problems POS customers would love POS designers to solve. The million-dollar question (it could be worth that much to some retailers) is how do you maximize malware protection against these increasingly sophisticated attacks?


Intel takes a comprehensive approach by building tamper-resistant hardware features into 3rd generation Intel® Core™ processor-based devices. These features are further strengthened by adding advanced software protection features from McAfee. This multi-layered approach to security helps prevent malware infections, automates threat protection, protects data from malware, and speeds remediation.


The primary elements in this solution for helping protect again keyloggers and screen scrapers are:

  • Intel® OS Guard. This silicon-based feature inside 3rd generation Intel Core processors provides an important layer of defense against malware. It keeps malicious code from getting outside application memory, preventing it from injecting itself into operating system space or data memory.
  • Intel® Secure Key. Many organizations use encryption to protect data; however, the random numbers used by key encryption algorithms are typically stored in system memory, visible to malware, which can steal those keys and use them to decrypt data before transmitting it back to hackers. Intel Secure Key generates a clean source of random number keys in hardware out of view of malware  to help ensure that encrypted data remains encrypted and indecipherable to hackers.
  • Intel® Identity Protection Technology (Intel® IPT) with Protected Transaction Display. This solution adds another critical layer of hardware-based defense by helping to prevent keystroker logger and screen scraper code from stealing passwords and other credentials when accessing public-key infrastructure (PKI) or one-time password (OTP) services. Intel IPT works by letting users enter credentials on a scrambled pin pad generated by integrated graphics within the processor. Because the pin pad is not exposed to the operating system, it prevents malware from scraping the display or logging keys while authenticating the user.
  • McAfee Deep Defender. Optimized to work with 3rd generation Intel Core processors, this product provides additional stealth malware prevention, and also detection, quarantine, and remediation. It does this by tapping into McAfee DeepSAFE software. Jointly developed by McAfee and Intel, this software utilizes Intel® Virtualization Technology (included with 3rd generation Intel Core processors) to execute between the silicon and OS. This enables McAfee Deep Defender to help identify and stop in real time stealthy kernel mode rootkit attacks which often conceal and launch keylogging applications. Unlike static scans and user-mode protections, McAfee Deep Defender monitors memory operations in real time, stopping unknown, zero-day infections before they have a chance to do damage. If the rootkit has been concealing secondary malware, that malware will be revealed for cleanup by user-level protections like McAfee VirusScan Enterprise.



Figure 1. McAfee DeepSAFE technology provides low-level monitoring to enable rootkit detection and removal. It should be used with anti-virus (AV) software and host-based intrusion prevention systems (HIPS), products also available from McAfee.

Building in Protection Is Easy When You Start with the Right Board

If you’re designing a POS system, the Intel® Intelligent Systems Alliance offers a wide range of boards based on 3rd generation Intel Core processors that team up well with McAfee Deep Defender. A good example comes from MSC Vertriebs GmbH. They make the MSC C6B-7S COM Express* Type 6 module which offers several key features that make it an excellent option for a wide range of POS from mid-to-high level (see Figure 2). First, it can run three independent HD displays with up to 2560x1600 resolution via HDMI and DisplayPort interfaces. This maximizes the amount of options and information that can be displayed at any given time, including driving a display solely for advertising. Second, seamless video streaming on multiple displays in H.264, VC-1, and MPEG2 formats enables integrating surveillance into POS systems or using HD video for infotainment. Third, hardware-based security compliant to the requirements of TCG (Trusted Computing Group) further enhances the security capabilities of this module.



Figure 2. MSC C6B-7S COM Express* Type 6 module.


A big advantage of COM Express modules like this one is that they enable designers to partition host processors from proprietary baseboards, thereby minimizing current and future design risks during the initial phase of development. Separating the CPU-upgradable module from system specific I/O carrier boards safeguards development investments and lowers total cost of ownership. In addition, companies like MSC Vertriebs GmbH can provide services to clients on the carrier board design and development and BIOS customization.


What are thoughts about designing systems to help protect against keylogging and screen scraping? I’d be interested in hearing experiences your retail customers have had.




Solutions in this blog:

Related Topics

McAfee is an Associate member of the Intel® Intelligent Systems Alliance. MSC Vertriebs GmbH is an Affiliate member of the Alliance.

Mark Scantlebury

Roving Reporter (Intel Contractor), Intel® Intelligent Systems Alliance

Associate Editor, Embedded Innovator magazine

In 2012, service providers worldwide continued their aggressive rollout of LTE networks, with 105 operators in 48 countries having launched LTE commercially by the end of October. In total, over 350 network operators have invested or soon will invest in LTE. Overall, LTE is on a faster growth trajectory than any other mobile technology, projected to reach a billion connections in just over seven years (in 2017), whereas GSM took GSM twelve years to reach that milestone.

Driven by the number of subscribers and the exponential increase in video traffic, overall mobile data traffic is projected to grow 500x between 2010 and 2019, so the 25x performance increase provided by LTE compared to 3G is critical to meeting end users’ expectations.

In parallel with the growth in network deployments, however, cut-throat price competition among carriers has resulted in steadily declining ARPU (Average Revenue per User), despite on-going advances in the features and services being delivered to subscribers. This places extreme pressure on service providers both to improve the cost-performance of their networks and also to maximize their resource utilization.

Core network virtualization, which leverages concepts proven in cloud computing, has emerged as a key approach to maximizing network resource utilization and thereby minimizing network OPEX.

Virtualized Core.png

In a virtualized core network, functions that were traditionally implemented in dedicated, stand-alone equipment are now instantiated as virtualized software running on generic hardware platforms. This enables service providers to achieve greater hardware efficiency and flexibility by dynamically allocating network resources to the most appropriate software applications. Network resources are allocated on-the-fly, according to traffic and service demands and with the capability to adapt easily to new traffic profiles as they arise. This provides high scalability and optimum hardware utilization.

The LiquidCore initiative from Nokia-Siemens Networks is an interesting example of this concept.

Core network virtualization provides important business-level benefits for service providers, including:

  • Reduced CAPEX thanks to the use of standard generic hardware platforms;
  • Reduced OPEX through improved resource utilization;
  • Greater network flexibility to dynamically provide network resources where and when needed;
  • Improved ARPU through the accelerated deployment of high-value features and services;
  • Increased subscriber retention;
  • Improved network monetization.

The recently-announced Network Functions Virtualisation initiative was launched by leading service providers and Telecom Equipment Manufacturers (TEMs), with the goal of establishing industry-wide standards around key aspects of core network virtualization. Strong attendance at the group’s initial working meeting, held in France last week, indicates the high importance placed on this topic by companies at all levels of the supply chain.

But there’s a problem. From the perspective of the hardware platforms used for core network virtualization, industry-standard software hypervisors severely constrain the performance of network I/O in virtualized environments, so that virtualized networking equipment delivers only a fraction of the networking performance achieved by physical equipment. This significantly limits the use of virtualization in network-intensive applications such as LTE infrastructure.

Luckily, there’s a solution. At 6WIND, we recognized this hypervisor performance problem and enhanced the 6WINDGate™ software, already widely deployed in physical LTE networking equipment, to deliver significant performance improvements in virtualized environments as well (details here). The 6WINDGate software has now become a key enabler for the virtualization of mobile network functions. We are working with several innovative TEMs on such programs, thereby enabling service providers to achieve the level of networking performance that is critical for virtualizing mobile core functions at an acceptable cost.

All indications are that core network virtualization will become increasingly deployed in LTE infrastructure, as service providers achieve tangible business benefits leverage the concept to maximize the ROI of their networks.

What’s your opinion on the network virtualization trend in LTE? What are the barriers to adoption of this concept? Are there key features and/or services that will accelerate deployments?

(This article was written by Eric Carmès, 6WIND's Founder and CEO, for the Multicore Packet Processing Forum.)


Last July, Nicira’s acquisition by VMware shook (should I say shocked?) the networking industry. It was like a nostalgic retro move back to the good old Internet times. At least now everybody has heard about SDN and OpenFlow, although it’s unlikely that many people except a few visionaries can explain in a few words what SDN and OpenFlow really bring. Network virtualization, simplified network architecture, networking CAPEX and OPEX reduction, Network-as-a Service… all are nice concepts but not so easy to explain and articulate.


In 2012, OpenFlow standardization and education activities remained very strong within the Open Networking Foundation while new concepts like NFV (Network Function Virtualization) emerged to complement the OpenFlow architecture. However, SDN deployments are still very limited and at an early stage. Most of these SDN deployments don’t use OpenFlow. Another piece of technology, the virtual switch, was the subject of interesting discussions as it will likely play a pivotal role in SDN architectures.


Last year, a large number of SDN “me-too” software start-up companies emerged (should we suspect a Nicira effect?) and it’s quite difficult to understand their unique differentiation in the market. All these companies claim they have developed a smarter SDN architecture, typically including an optimized controller. At the same time, incumbent networking players explain that they fully support the SDN initiative… while reusing their existing protocols and promoting their own implementation of a virtual switch. Others say they have been designing and developing SDN-based architectures for years, arguing that SDN and OpenFlow are just marketing buzz.


So, will 2013 be finally the year of SDN? Maybe, but it will require both technical and business clarifications.


OpenFlow has been designed to be simple but is its simplicity compatible with complex network services? Will OpenFlow only address the operation and configuration of Layer2-3 hardware and software switches, or will it go beyond that? How will OpenFlow, the virtual switch, and NFV coexist to provide a complete SDN-based set of network services? Are we sure that the end solution will be based on open standards?


Beyond architecture design clarifications, emerging technologies always need to have a clear business justification to be widely adopted. How much will an OpenFlow architecture cost, including the switches and the controller, compared to a legacy solution? How much cost needs to be added to provide all the required Layer 4-7 services in a SDN-based data center? What about the OPEX savings? The industry is obviously still waiting for compelling business cases.


At 6WIND, we strongly believe SDN is going to transform the network industry and I explained why in a previous post. Having SDN architectures based on hardware Layer 2-3 switches, a high performance software-based data plane optimized for a standard server with a virtual switch as well as a distributed control plane represents a compelling approach to an agile, affordable networking architecture for data centers. It provides a solution for:


2013 will likely tell us if SDN architectures will be based on open standards like OpenFlow or on proprietary architectures. The answer will be driven by business cases with a clear return on investment. 6WIND will contribute to the definition of these business cases, leveraging its high performance 6WINDGate™ data plane solution.

Filter Blog

By date: By tag: