After finding a security vulnerability in Iran's banking system, Khosrow Zarefarid wrote a formal report and sent it to the CEOs of all the affected banks across the country. When the banks ignored his findings, he hacked 3 million bank accounts, belonging to at least 22 different banks, to prove his point.
It does not appear as if Zarefarid stole money from the accounts; he merely dumped the account details of around 3 million individuals, including card numbers and PINs, on his blog: ircard.blogspot.ca. I found the link via his Facebook account, along with the question "Is your bank card between thease 3000000 cards?"
At least three Iranian banks (Saderat, Eghtesad Novin, and Saman) have already sent text messages to their clients, warning them to change their debit card PINs, according to Kabir News. Furthermore, the Central Bank of Iran (CBI) issued a statement announcing that millions of ATM cards have been hacked and urged all card holders to change their PINs, especially if they haven't done so in the last few months. The warning was repeated on state TV channels.
Some banks are currently blocking their clients' accounts to be on the safe side, and the CBI has also apologized for the inconvenience this is causing. Furthermore, many ATMs in Iran have stopped dispensing cash and only let customers change their PINs when they put in their debit card.
It's worrying that the CBI statement did not mention anything about improving security. Changing passwords isn't going to solve the root of the problem if the security flaw isn't addressed. Of course, it may even already have been fixed, but it's important to let the public know of your plans and/or progress.
Zarefarid previously worked as a manager at a company called Eniak, which operates the Shetab (Interbank Information Transfer Network) system, an electronic banking clearance and automated payments system used in Iran. The company also manufactures and installs point of sale (POS) devices. In other words, Zarefarid worked for a firm that offered services to Iranian banks for accepting electronic payments.
A year ago (Iran's last calendar year ended on March 19), Zarefarid discovered the security hole and notified all affected banks of its presence. He even provided them with information about the bank accounts of 1,000 customers. When none of them responded, Zarefarid decided to make his findings public.
Zarefarid is reportedly no longer in Iran, though it is unclear when he left. He insists he hacked the accounts to highlight the vulnerability in Iran's banking system. Central bank officials had earlier downplayed the reports, saying the threat was not serious.