One of the topics that I often get into discussions with customers is pulling data out of volatile memory (RAM). The argument that is usually made related to insecure RAM storage is, “Well, someone would have to get on the machine and know exactly where to look in memory and it would just not be feasible for someone to do.”

My response to this argument is typically something along the lines of “Obscurity is NOT Security.” Obscurity is a poor defense against security problems.

It now appears there is evidence of malware that can grab data in memory to the hacker’s delight. It’s not really rocket science folks; it is actually pretty simple. This technique has legitimate uses in programming, and now that less and less data is being written to disk, the bad guys have modified their techniques to take advantage of volatile memory.

They are doing it by using common debugging software to pull and/or monitor the contents of the running volatile memory. For many merchants, this means that full magnetic stripe data is there for the taking.

Keep in mind, there is not a ton you can do about the majority of POS applications out there. Unless it is receiving the data encrypted, it will probably be in memory un-encrypted or could at least be pieced together while a crypto routine runs. This to me us much more serious than the issue of data sitting in a pagefile. It seems that if you have the ability to distribute the malware, you will get realtime data on a regular basis and won’t be looking through snapshots of a pagefile.

Of course, I suppose you could just as easily hook into the routines that write things to disk and capture it there.

Regardless, it looks like the malware is out there. Be sure you are patching your machines and doing solid egress filtering as most of the malware compromises a machine first, then sends data offsite.

This post originally appeared on