3 million bank accounts hacked in Iran

Summary: First, he warned of the security flaw in Iran's banking system. Then he provided them with 1,000 bank account details. When they didn't listen, he hacked 3 million accounts across at least 22 banks.

TOPICS: Banking, Security

Update - Google kills Iranian blog with 3 million hacked bank accounts

After finding a security vulnerability in Iran's banking system, Khosrow Zarefarid wrote a formal report and sent it to the CEOs of all the affected banks across the country. When the banks ignored his findings, he hacked 3 million bank accounts, belonging to at least 22 different banks, to prove his point.

It does not appear as if Zarefarid stole money from the accounts; he merely dumped the account details of around 3 million individuals, including card numbers and PINs, on his blog: ircard.blogspot.ca. I found the link via his Facebook account, along with the question "Is your bank card between thease 3000000 cards?"

At least three Iranian banks (Saderat, Eghtesad Novin, and Saman) have already sent text messages to their clients, warning them to change their debit card PINs, according to Kabir News. Furthermore, the Central Bank of Iran (CBI) issued a statement announcing that millions of ATM cards have been hacked and urged all card holders to change their PINs, especially if they haven't done so in the last few months. The warning was repeated on state TV channels.

Some banks are currently blocking their clients' accounts to be on the safe side, and the CBI has also apologized for the inconvenience this is causing. Furthermore, many ATMs in Iran have stopped dispensing cash and only let customers change their PINs when they put in their debit card.

It's worrying that the CBI statement did not mention anything about improving security. Changing passwords isn't going to solve the root of the problem if the security flaw isn't addressed. Of course, it may even already have been fixed, but it's important to let the public know of your plans and/or progress.

Zarefarid previously worked as a manager at a company called Eniak, which operates the Shetab (Interbank Information Transfer Network) system, an electronic banking clearance and automated payments system used in Iran. The company also manufactures and installs point of sale (POS) devices. In other words, Zarefarid worked for a firm that offered services to Iranian banks for accepting electronic payments.

A year ago (Iran's last calendar year ended on March 19), Zarefarid discovered the security hole and notified all affected banks of its presence. He even provided them with information about the bank accounts of 1,000 customers. When none of them responded, Zarefarid decided to make his findings public.

Zarefarid is reportedly no longer in Iran, though it is unclear when he left. He insists he hacked the accounts to highlight the vulnerability in Iran's banking system. Central bank officials had earlier downplayed the reports, saying the threat was not serious.


Emil Protalinski

  • Wonder what OS the system is running?

    • It doesn't matter

      With the US trade embargo, anything that they don't code themselves is going to be pirated.
    • I see I was flagged

      So I am betting Loverock knows his precious Microsoft is behind this.
    • What were they running for their operating system?

      If you checked you would have seen that Saderat runs Windows Server 2008, Eghtesad Novin runs Windows Server 2003, and Saman runs Apache on Linux.

      Did you have a point, or was it that you just did not know how to check on that?

      Tim Cook
      • Yes, I am proving a point

        Microsoft shouldn't be the OS responsible for thousands of people's account information.
      • Then explain the Linux one

        Linux shouldn't be the OS responsible for thousands of people's account information
        William Farrel
  • He now

    has their full attention.

    You can count on executives and managers to be total airheads.
  • trade

    Maybe they can Trade North Korea a working missile for better working code
    preferred user
  • good job

    This guy showed that banks are too non-flexible and stupid in such serious questions as Information Security. However, his style of doing things with 3 000 000 accounts hacked cannot be named as very polite and legal.
    • troll

      Don't spread fear
  • not bad..

    This is great. Those banks must not care at all.
    I don't believe in bank security systems anymore. Stopped using credit cards as a protest against their careless and respectless attitude. The last thing I trust when it comes to online shopping are Paysafecards and game cards. No one tries to hack them.
  • well that's great but...

    I'm ordering 10,000 bacon sandwiches for Mahmoud Ahmadinejad
  • I am not Hacker.

    Please read my text at:
  • good job

    Sounds like they owe him back pay and a job. This is why hacking, period, is important. It will expose fraudulent governments, banks and companies for the crap they are. What happens next is up to you.
  • I am not hacker (zarefarid blogspot com)

    First of all, I must say that this action is not a hack and is not publishing secure account information of bank cards. The card number (PAN) printed on the card surface, plus the 4-digit PIN1 hidden inside a 14-digit random number, is published here. It cannot pose any danger to accounts. Only card holders are able to recognize their card number and PIN. So my weblog is just to warn card holders. I am warning them that their accounts are in danger. Card numbers must be used with the expiration date and CVV2 plus PIN2 for cardless transactions in our country. And the physical card has track 2 information that is not in my weblog.

    I was Software Manager at E. company. E. was the PSP (Payment Service Provider) of more than 8 different banks. Not only did we not have an HSM device, but the Switch Development Company also did not exclude PIN information from log files. Card holders' secure information was accessible to many people for more than 3 years. Our security problem was a great danger to card holder accounts. I tried to solve the problem by forcing our managers to buy an HSM device and forcing the second company to exclude PIN data. When I noticed they did not want to solve the problem, I left E. I sent 1000 cards' information to different bank CEOs anonymously and warned them there is a great security problem in our banking system. I did not receive a reasonable response. They reported me to the police too. Then I went to the IT deputy of R. Bank and explained all the problems. The IT manager and his deputy were venal. Finally I left the country and began to warn card holders through my weblog. This story happened over about one year.

    I was a manager who decided to solve one great problem in our banking system. This is not a hack. I did not break any law. Any card holder has the right to know what kind of danger is threatening him. This is a philanthropic action.

    I need international help from human rights defender organizations. Our government wants to catch me.

    From your point of view what is the name of my action!?

    (HSM, Hardware Security Module, is for managing keys and encrypting and decrypting PINs)
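
Added example, not part of the article or of any comment above: the last comment attributes the exposure to a payment switch that did not exclude PIN information from its log files. The sketch below is a log scrubber for that failure mode, assuming a `DEnn=value` line layout invented for this example; DE2, DE35 and DE52 are the ISO 8583 data elements for PAN, track 2 and PIN data, and the sample lines are constructed.

```python
import re

# ISO 8583 data elements that must never reach a log in usable form:
# DE2 = PAN, DE35 = track 2, DE52 = PIN data. The "DEnn=value" layout
# is an assumption made for this example, not a real switch's log format.
DROP_FIELDS = {"35", "52"}
FIELD_RE = re.compile(r"\bDE(\d{1,3})=(\S+)")
DIGITS_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scrub_line(line: str) -> str:
    """Redact PIN and track data, and mask PANs, in one log line."""
    def scrub_field(m):
        num, value = m.group(1), m.group(2)
        if num in DROP_FIELDS:
            return f"DE{num}=[REDACTED]"
        if num == "2":
            return f"DE2={mask_pan(value)}"
        return m.group(0)

    line = FIELD_RE.sub(scrub_field, line)
    # Catch PANs that appear outside a labelled field (free-text debug output).
    return DIGITS_RE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_ok(m.group(0)) else m.group(0), line)

# Constructed sample lines; 4111111111111111 is a widely used test PAN.
SAMPLE = [
    "10:00:01 MTI=0200 DE2=4111111111111111 DE3=010000 DE52=1A2B3C4D5E6F7081",
    "10:00:02 debug: retry for card 4111111111111111 stan 000123",
    "10:00:03 MTI=0200 DE11=000124 DE35=4111111111111111=25121010000000000000",
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(scrub_line(raw))
```

Scrubbing belongs at the point where the log record is written, so that PIN data never reaches disk; running a filter like this over existing files only limits what later readers see.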