A finance technology manager named Khosrow Zarefarid discovered a critical flaw in Iran's online banking systems. He extracted 1,000 account details (including card numbers and PINs) and emailed them to the CEOs of 22 Iranian banks along with detailed information about the vulnerability. A year later, nothing had been done. Zarefarid extracted 3 million accounts' details from the bank's systems and posted them to ircard.blogspot.ca. Many Iranian banks have now frozen their customers' accounts and are only allowing PIN-change transactions at ATMs. Some banks have texted their customers to warn them of the breach. The Central Bank of Iran has published an official notice of the breach, but the notice does not say that the underlying vulnerability has been fixed, or even whether it is being addressed. Zarefarid is said to have left Iran, though his whereabouts are not known, at least to Emil Protalinski, who wrote about the breach for ZDNet:
It does not appear as if Zarefarid stole money from the accounts; he merely dumped the account details of around 3 million individuals, including card numbers and PINs, on his blog: ircard.blogspot.ca. I found the link via his Facebook account, along with the question “Is your bank card between thease 3000000 cards?”
...Zarefarid previously worked as a manager at a company called Eniak, which operates the
Shetab (Interbank Information Transfer Network) system, an electronic banking clearance and automated payments system used in Iran. The company also manufactures and installs point of sale (POS) devices. In other words, Zarefarid worked for a firm that offered services to Iranian banks for accepting electronic payments.
Update: In a post to the ircard blog, Zarefarid clarifies what he has done, and claims he is not a "hacker." (via "Khosrow Zarefarid, in the comments)
3 million bank accounts hacked in Iran
The most on-brand name since “Fraud Guarantee.”
The Firefox extensions store removed four plugins from Avast/AVG, including two that are supposed to keep users safe from malicious activity because they appeared to be stealing browser histories and other user data.
In a decision released late Tuesday night, a federal judge ruled that up to 29 million Facebook users whose personal info was stolen in a September 2018 data breach are not entitled to sue Facebook as a group for damages — but the users may be entitled to demand better personal data security at Facebook.
In the early days of the web, everyone wanted a .com domain for their site. As a result, all the good ones got snapped up. But .com no longer has the cachet it once did. In fact, many new businesses and individuals are opting for other top-level domain extensions. One of the most memorable is […]
When the SNES launched back in the early 1990s, it changed gaming forever. One of the innovations was a gamepad with four action buttons — something that has remained a constant on controllers ever since. The 8BitDo SN30 Bluetooth Gamepad brings that iconic design up to date, with Bluetooth connectivity and support for multiple platforms. […]
After a long day at work, cooking a meal from scratch can seem like too much trouble. Unfortunately, the alternative is usually something unhealthy. Enter the Mellow Sous Vide Precision Cooker. This compact water bath uses cutting-edge technology to cook meat and veggies at the perfect temperature for exactly the right amount of time. It […]