Google kills Iranian blog with 3 million hacked bank accounts

Summary: An Iranian security researcher recently hacked 3 million accounts across at least 22 banks in the country. Now, Google has taken down the blog on which he posted the account details of his victims.

TOPICS: Google, Banking, Browser

Khosrow Zarefarid, an Iranian security researcher who hacked 3 million bank accounts, has had his blog taken down by Google. Zarefarid did not steal money from the accounts; he merely dumped the account details of around 3 million individuals, including card numbers and PINs, over at ircard.blogspot.ca. I found the link via his Facebook account, along with the question "Is your bank card between these 3000000 cards?" As you can see in the screenshot above, however, the blog is no longer operational.

"This is an important issue that we take seriously," a Google spokesperson said in a statement. "While we don't discuss specific cases, Blogger's content policies prohibit publishing another person's personal and confidential information."

Here is the relevant excerpt from the Blogger Content Policy:

Personal and confidential information: It's not ok to publish another person's personal and confidential information. For example, don't post someone else's credit card numbers, Social Security numbers, unlisted phone numbers and driver's licence numbers. Also, please bear in mind that in most cases, information that is already available elsewhere on the Internet or in public records is not considered to be private or confidential under our policies.

Zarefarid is still, however, allowed to blog on Blogger; it appears Google is comfortable with him doing so as long as he doesn't post stolen data. In fact, Zarefarid has at least two other blogs: irbanks.blogspot.ca (called Banking Problems in Iran, written in Persian) and zarefarid.blogspot.ca (his personal one). On the latter, he posted the following plea:

I know that google is blocking my weblog by a wrong decision. I need to get help from free reporters all around the world. My weblog was for warning of a great threat to accounts of card holders in Iran. Please help me to get my weblog back.

A year ago (Iran's last calendar year ended on March 19), Zarefarid discovered the security hole in question, wrote a formal report, and sent it to the CEOs of all the affected banks across the country. He even provided them with information about the bank accounts of 1,000 customers. When the banks ignored his findings, he hacked 3 million bank accounts, belonging to at least 22 different banks, to prove his point.

Zarefarid previously worked as a manager at a company called Eniak, which operates the Shetab (Interbank Information Transfer Network) system, an electronic banking clearance and automated payments system used in Iran. The company also manufactures and installs point of sale (POS) devices. In other words, Zarefarid worked for a firm that offered services to Iranian banks for accepting electronic payments.

Zarefarid, who is reportedly no longer in Iran, insists he hacked the accounts to highlight the vulnerability in Iran's banking system. Central bank officials had earlier downplayed the reports, saying the threat was not serious.

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Talkback

8 comments
  • Iranian Banks

    No matter how big or small, you have got to take any kind of threat seriously, Iranian banks!!!
    Grayson Peddie
  • Hacked bank accounts

    Banks generally seem to be reluctant to admit to the scale of any problem. No doubt bad for their reputation.
    DAS01
  • its like in the movie!

    sounds like live free or die hard (diehard 4)
    tykazowsky
  • Where the heck did Google get 3 million hacked bank accounts...

    "Google kills Iranian blog with 3 million hacked bank accounts"

    I believe you meant "Iranian blog with 3 million hacked bank accounts is killed by Google."

    Word order actually IS important, even in English..
    TheWerewolf
    • --

      --
      Patanjali
    • Ambiguity...

      @TheWerewolf

      The passive voice is generally considered inferior to the active voice (see The Chicago Manual of Style, 5.115). It certainly is not the key to solving ambiguity. Ambiguity can arise from poor punctuation, bad sentence structure, or other grammatical errors. In this case, I think the conjunction "with" needs to be replaced.

      "Google kills Iranian blog containing 3 million hacked accounts"

      One of my writing mentors told me to avoid the passive voice like the plague.
      HelloTechWorld
  • Google kills Iranian blog with 3 million hacked bank accounts

    @ werewolf,

    You have to admit those bank accounts, in their mass, would make a terrible weapon of massive destruction for attacking a single blog.

    Throw money at it.
    bart001fr@...
  • I am not hacker (zarefarid blogspot com)

    First of all I must say that this action is not a hack and is not publishing secure account information of bank cards. The card number (PAN) printed on the card surface plus the hidden 4-digit PIN1 inside of a 14-digit random number is published here. It cannot have any danger for accounts. Just card holders are able to recognize their card number and PIN. So my weblog is just to warn card holders. I am warning them that their accounts are in danger. Card numbers must be used with expiration date and CVV2 plus PIN2 for cardless transactions in our country. And the physical card has track 2 information that is not in my weblog.

    I was Software Manager at E. company. E. was PSP (Payment Service Provider) of more than 8 different banks. Not only had we no HSM device, but also Switch Development Company did not exclude PIN information from log files. Card holders' secure information was accessible to many people for more than 3 years. Our security problem had great danger to card holder accounts. I tried to solve the problem by forcing our managers to buy an HSM device and to force the second company to exclude PIN data. When I noticed they did not want to solve the problem, I left E. I sent 1000 card information to different bank CEOs anonymously and warned them there is a great security problem in our banking system. I did not receive a reasonable response. They reported me to police too. Then I went to the IT deputy of R. Bank and explained all problems. The IT manager and his deputy were venal. Finally I left the country and began to warn card holders by my weblog. This story happened in about one year.

    I was a manager that decided to solve one great problem in our banking system. This is not a hack. I did not break any law. Any card holder has the right to know what kind of danger is threatening him. This is a philanthropic action.

    I need international help from human rights defender organizations. Our government wants to catch me.

    From your point of view what is the name of my action!?


    (HSM, Hardware Security Module, is for managing keys and encrypting and decrypting the PIN)
    zarefarid