
Iranian finance/tech manager publishes 3,000,000 bank accounts' details and PINs

Cory Doctorow at 11:12 am Fri, Apr 20, 2012


A finance technology manager named Khosrow Zarefarid discovered a critical flaw in Iran's online banking systems. He extracted 1,000 account details (including card numbers and PINs) and emailed them to the CEOs of 22 Iranian banks, along with detailed information about the vulnerability. A year later, nothing had been done. Zarefarid then extracted 3 million accounts' details from the banks' systems and posted them to ircard.blogspot.ca. Many Iranian banks have now frozen their customers' accounts and are only allowing PIN-change transactions at ATMs. Some banks have texted their customers to warn them of the breach. The Central Bank of Iran has published an official notice of the breach, but the notice does not say that the underlying vulnerability has been fixed, or even whether it is being addressed. Zarefarid is said to have left Iran, though his whereabouts are not known, at least not to Emil Protalinski, who wrote about the breach for ZDNet:

It does not appear as if Zarefarid stole money from the accounts; he merely dumped the account details of around 3 million individuals, including card numbers and PINs, on his blog: ircard.blogspot.ca. I found the link via his Facebook account, along with the question “Is your bank card between thease 3000000 cards?”

...Zarefarid previously worked as a manager at a company called Eniak, which operates the Shetab (Interbank Information Transfer Network) system, an electronic banking clearance and automated payments system used in Iran. The company also manufactures and installs point of sale (POS) devices. In other words, Zarefarid worked for a firm that offered services to Iranian banks for accepting electronic payments.

Update: In a post to the ircard blog, Zarefarid clarifies what he has done, and claims he is not a "hacker." (via Khosrow Zarefarid, in the comments)

3 million bank accounts hacked in Iran (via /.)


  • desperado

    Fun times we live in.

  • EH

    HAX!@

  • http://www.facebook.com/flink1 David Flink

    He is now the most wanted man in Iran!

  • mccrum

    Well, thankfully that could never happen here in these United States of America!

    Um, right?

  • Jay Converse

    Christ, what an asshole.

    • Aleknevicus

      Do you mean Mr. Zarefarid or the 22 CEOs who did nothing for over a year?

      • mccrum

          Oh, it’s Friday, why not both!

        • http://disqus.com/Kimmoth/ Kimmo

          I submit the guy who gave up his home in order to see something done about this negligence is patently not an arsehole.

  • http://www.jimdraws.com Thorzdad

    I get that security flaws need to be revealed and fixed, but I really have a big problem in distributing innocent customers’ information like that. The security flaw isn’t their doing. If anything, he should have gotten the information of all the bank executives and IT heads who ignored his discovery and published only those.  Leave the customers out of it.

    • desperado

      Well, what he DID do was guarantee the issue would be dealt with, and in a manner that no customers would lose money from the exploitation of the issue.

      Unfortunately, they can’t get at their own money though.

  • http://twitter.com/Fenrox Fenrox

    haha! That's cool.

  • http://blademccool.myopenid.com/ BladeMcCool

    If only the people of Iran had a value transfer system they could use that was not dependent on centralized institutions, they could avoid the pain of having their personal info compromised. Too bad nobody invented p2p money based on a cryptographically secured public ledger or something like that.

    • http://profiles.google.com/donovan.hill Donovan Hill

       Or simply using hard value metals.

  • andygates

    If that happened here, I’d be storming the doors of my bank, and if it happened in America there’d be a class-action suit the likes of which even God has never seen.

    It’ll be interesting to watch how this plays out.  I expect the banks to paint Zarefarid as a hax villain, to divert all the blame onto his made-up elite skillz, and also to not fix a damn thing. Unless threatened with bottom-line impact or boardroom jail time, corps don’t move.

  • http://profiles.google.com/carboncow robert feller

    I’m sure he’s been executed by now…

  • el dueno

    Another CIA plot?

  • http://twitter.com/zarefarid Khosrow Zarefarid

    I am not hacker
    http://ircard.blogspot.com/2012/04/i-am-not-hacker.html