In retail, so much depends on today’s modern version of the cash register. Point of sale (POS) systems are the data entry point for making sales and tracking sales, inventory, and, for many merchants, customer relationships. If the POS system goes down, a retailer can’t do business. If a POS system is compromised, even worse things can happen. Which is why I’m writing about POS security a second time this year. This time my focus is on protecting against a particularly prevalent threat: keylogging and screen scraping.


Keyloggers and screen scrapers are two common methods to steal usernames, passwords, and identification and authentication entered by users. A keylogger is software that monitors keystrokes, logging them to a file and sending them off to remote attackers. A screen scraper is an application that collects character-based data from the display output of another program, such as transactional software.


In “Pssst … Have You Truly Secured Your POS?,” I covered how 3rd generation Intel® Core™ processors provide a variety of advanced security technologies to protect transactions at the POS level. I also showed examples of boards from members of the Intel® Intelligent System Alliance that a designer could use to create such POS systems. These same processors and technologies will also play a role here—as well as a solution from McAfee.


Over the past 20 years, POS systems have evolved to collect and use greater amounts of data. Today’s POS systems are often networked computers designed to process sales, check inventory, manage customer loyalty programs, deliver information to employees, and even provide training. Attached to these systems are peripherals such as card readers and pin pads, money drawers, barcode scanners, and sometimes scales for weighing produce.


One piece of interesting reading is the latest Verizon Data Breach Investigations Report. This annual data breach information study is conducted by the Verizon RISK Team, with participation from the U.S. Secret Service and international national cyber security agencies in Australia, Holland, Ireland, and Britain. The study analyzes data breaches to see how they happen, who causes them, why they do it, and how the breaches could be prevented in the future.


For the past two years the retail industry has ranked only second behind hotel and food services in the study as the business most plagued with data breaches. One thing both these industries hold in common is that they use POS system. This makes them prime targets for criminals who exploit POS systems with weak security. Retailers are easy targets with lucrative credit card data. A favorite target is small to medium businesses, particularly franchise owners who lack the IT resources and expertise to mount proper security.


An example I gave in my last post on this topic was a breach of 100 Subway sandwich shops by two Romanian hackers who remotely installed keyloggers to collect all card data keyed in or swiped at the POS. A more recent example is the September 2012 credit card data security breach of the pin pads at 63 Barnes & Noble stores in eight U.S. states. Last year Michaels, the arts and crafts chain reported nearly 100 payment card terminals at stores in 20 states had been tampered with by criminals looking to steal debit and credit card data.


According to the 2012 Verizon Data Breach Investigations Report:

  • When malware was used to exfiltrate data, 98 percent of the time it was paired with keylogging functionality.
  • 91 percent of the studied 276 breaches leveraging stolen credentials also had keyloggers installed.
  • Keylogging, form grabbers (a method for capturing web form data) and spyware rank number one in the top ten threat action types by number of breaches.


How to Protect Against Keyloggers and Screen Scrapers

Obviously, keylogging and screen scrapers are two problems POS customers would love POS designers to solve. The million-dollar question (it could be worth that much to some retailers) is how do you maximize malware protection against these increasingly sophisticated attacks?


Intel takes a comprehensive approach by building tamper-resistant hardware features into 3rd generation Intel® Core™ processor-based devices. These features are further strengthened by adding advanced software protection features from McAfee. This multi-layered approach to security helps prevent malware infections, automates threat protection, protects data from malware, and speeds remediation.


The primary elements in this solution for helping protect again keyloggers and screen scrapers are:

  • Intel® OS Guard. This silicon-based feature inside 3rd generation Intel Core processors provides an important layer of defense against malware. It keeps malicious code from getting outside application memory, preventing it from injecting itself into operating system space or data memory.
  • Intel® Secure Key. Many organizations use encryption to protect data; however, the random numbers used by key encryption algorithms are typically stored in system memory, visible to malware, which can steal those keys and use them to decrypt data before transmitting it back to hackers. Intel Secure Key generates a clean source of random number keys in hardware out of view of malware  to help ensure that encrypted data remains encrypted and indecipherable to hackers.
  • Intel® Identity Protection Technology (Intel® IPT) with Protected Transaction Display. This solution adds another critical layer of hardware-based defense by helping to prevent keystroker logger and screen scraper code from stealing passwords and other credentials when accessing public-key infrastructure (PKI) or one-time password (OTP) services. Intel IPT works by letting users enter credentials on a scrambled pin pad generated by integrated graphics within the processor. Because the pin pad is not exposed to the operating system, it prevents malware from scraping the display or logging keys while authenticating the user.
  • McAfee Deep Defender. Optimized to work with 3rd generation Intel Core processors, this product provides additional stealth malware prevention, and also detection, quarantine, and remediation. It does this by tapping into McAfee DeepSAFE software. Jointly developed by McAfee and Intel, this software utilizes Intel® Virtualization Technology (included with 3rd generation Intel Core processors) to execute between the silicon and OS. This enables McAfee Deep Defender to help identify and stop in real time stealthy kernel mode rootkit attacks which often conceal and launch keylogging applications. Unlike static scans and user-mode protections, McAfee Deep Defender monitors memory operations in real time, stopping unknown, zero-day infections before they have a chance to do damage. If the rootkit has been concealing secondary malware, that malware will be revealed for cleanup by user-level protections like McAfee VirusScan Enterprise.



Figure 1. McAfee DeepSAFE technology provides low-level monitoring to enable rootkit detection and removal. It should be used with anti-virus (AV) software and host-based intrusion prevention systems (HIPS), products also available from McAfee.

Building in Protection Is Easy When You Start with the Right Board

If you’re designing a POS system, the Intel® Intelligent Systems Alliance offers a wide range of boards based on 3rd generation Intel Core processors that team up well with McAfee Deep Defender. A good example comes from MSC Vertriebs GmbH. They make the MSC C6B-7S COM Express* Type 6 module which offers several key features that make it an excellent option for a wide range of POS from mid-to-high level (see Figure 2). First, it can run three independent HD displays with up to 2560x1600 resolution via HDMI and DisplayPort interfaces. This maximizes the amount of options and information that can be displayed at any given time, including driving a display solely for advertising. Second, seamless video streaming on multiple displays in H.264, VC-1, and MPEG2 formats enables integrating surveillance into POS systems or using HD video for infotainment. Third, hardware-based security compliant to the requirements of TCG (Trusted Computing Group) further enhances the security capabilities of this module.



Figure 2. MSC C6B-7S COM Express* Type 6 module.


A big advantage of COM Express modules like this one is that they enable designers to partition host processors from proprietary baseboards, thereby minimizing current and future design risks during the initial phase of development. Separating the CPU-upgradable module from system specific I/O carrier boards safeguards development investments and lowers total cost of ownership. In addition, companies like MSC Vertriebs GmbH can provide services to clients on the carrier board design and development and BIOS customization.


What are thoughts about designing systems to help protect against keylogging and screen scraping? I’d be interested in hearing experiences your retail customers have had.




Solutions in this blog:

Related Topics

McAfee is an Associate member of the Intel® Intelligent Systems Alliance. MSC Vertriebs GmbH is an Affiliate member of the Alliance.

Mark Scantlebury

Roving Reporter (Intel Contractor), Intel® Intelligent Systems Alliance

Associate Editor, Embedded Innovator magazine