Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacker Posts Details of 3 Million Iranian Bank Accounts

Posted by samzenpus on from the I-warned-you dept.

Jeremiah Cornelius writes "Khosrow Zarefarid warned of a security flaw in Iran's banking system providing affected institutions the details, including 1,000 captured bank accounts. When the affected banks, including the largest state institutions didn't respond, Khosrow hacked 3 million accounts across at least 22 banks. He then dropped these details — including card numbers and PINs — on his blog. Three Iranian banks Saderat, Eghtesad Novin, and Saman have already warned customers to change their debit card PINs. 'Zarefarid is reportedly no longer in Iran, though it is unclear when he left.'"

21 of 145 comments (clear)

  1. "though it is unclear when he left" by Black+Parrot · · Score: 5, Funny

    But not unclear *why* he left.

    --
    Sheesh, evil *and* a jerk. -- Jade
    1. Re:"though it is unclear when he left" by Alex+Belits · · Score: 4, Insightful

      Right, because all enemies of US are related.

      Iran is a rich Muslim theocracy with some attibutes of a Republic. North Korea is a poverty-stricken pseudo-monarchy with attributes of Stalinism. They are about as likely to be on the speaking terms with each other as Henry Kissinger with Alexander Chikatilo.

      --
      Contrary to the popular belief, there indeed is no God.
    2. Re:"though it is unclear when he left" by jamesbrx · · Score: 4, Informative

      Exactly this. Iran and North Korea don't even do that much business together. They might do when necessary, but the two countries are otherwise completely different. It blows my mind how little US people know about rest of the world. Iran does more business and shares thinking more with Russia and CIS countries. North Korea does business and shares thinking with China and Myanmar.

    3. Re:"though it is unclear when he left" by Black+Parrot · · Score: 3, Insightful

      It blows my mind at how little americans know about ... well ... everything they havn't heard on the telly.

      And how much less we know about things we *have* heard on the telly...

      --
      Sheesh, evil *and* a jerk. -- Jade
    4. Re:"though it is unclear when he left" by Sir_Sri · · Score: 5, Informative

      Not really true. Iran and North Korea are very much in the 'enemy of my enemy' stage of life, and they are both quite friendly with russia and to a lesser extent both with china.

      They may not be ideologically aligned to each other, but given their mutual enemy and mutual ally, they're willing to talk to each other. Who do you think is still buying all this iranian oil that is being extracted now that the previous markets can't and won't buy it? China and North korea. Who does North Korea sell missiles and technology to? (The Taepodong series specifically, as well as some shorter range surface to surface missiles), Yemen, Syria, Iran and a few others. The north koreans need currency, the iranians have currency, the north koreans need oil, the iranians have oil, the iranians need missiles to strike Saudi, Iraq and Israel, the north koreans have missiles.

      They are as far apart ideologically as Stalin and Hitler, and yet for years those two managed to get along oddly well, exchanging training and agreeing to carve up poland together. Iran and North Korea may not be all that ideologically compatible, but they have nothing to particularly drive a wedge between them (unlike stalin and hitler). They each have things the other wants, no directly overlapping or conflicting interests and a shared enemy in the united states, who, helpfully, binned them together in an 'axis of evil', and if they weren't playing nice before, that gave them a good kick in the ass to start playing nice with each other.

      They very much are on strong speaking terms and technological exchange, through russia, through china and at sea. They are both under heavy sanctions meaning their selection of possible trade partners is rather limited, and that means they take what they can get. If you think they at least up until recently weren't on very good terms you should pull your head out of the sand. The new North Korea, under Kim Jong Un, and the current state of affairs in Iran, along with the situations in Burma and Pakistan throw into question any future agreements. A Burma out of chinas sphere of influence, and a pakistan not interested in technological exchanges significantly limit their access to resources and cash, and might significantly shake up their desired alliances.

      That said, you're right, in that they have no real long term collaborative goals. At the first opportunity I'm sure both of them would love to do business with someone else. But until a better opportunity comes along you go with the friends your enemies have given you.

    5. Re:"though it is unclear when he left" by sg_oneill · · Score: 3, Interesting

      Reminder that there are still Americans who believe Iran and/or sadam-era Iraq are/where in bed with Al quaida.

      I mean, forget that Sadam was a secular authoritarian who used the fight against islamism as the pretext for his purges (Baath are arabic socialist, and like most socialists dont have a lot of time for theocracy) and Iran are Shiia, whom Al Quaida consider to be heretical.

      Of course the US administration suffer this same sort of blindness as well. The fact that Iraq will fall into the hands of Iran, almost innevitably should have been obvious to anyone who understood the implications of shifting the power balance from the Suni to the Shiia in Iraq.

      Of course when your in the business of *creating* enemies, sometimes you do get to dictate terms. Once you piss off enough people, chances are they might put aside their differences and hang together in mutual defence.

      Honestly if the US gets involved in many more wars I can honestly see a day when a lot of these powers put their heads together to create an Anti-NATO that should scare the hell out of anyone in the west.

      Its best if we just backed the fuck out of there and let nature take its course. When was the last time someone wanted to invade Switzerland?

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    6. Re:"though it is unclear when he left" by Anonymous Coward · · Score: 4, Interesting

      What sort of natural resources does Switzerland have?

      All of these wars are about one thing: resources. Thats it. It has nothing to do with democracy, religion, west vs. whoever, etc. Those are all guises for the boob tube crowd. It is all about, as are all wars, resources.

      Not making this realization is the fundamental flaw in all analyses of these issues. You run off on a tangent about how the stated goals make no sense and we need to this and that, its not working, blah blah blah. However, if you understand the true motivations, it works like a charm. Not only are we destabilizing the region, we are enriching powerful people/corporations by funneling American tax dollars through a war torn state, right back into the pockets of the wealthy. Its a great money laundering scheme for stealing from the people, and it creates a destabilized region where military might is the only "solution" to peace. Which in turn gives access to the resources and keeps them available for the nations with the most powerful military.

    7. Re:"though it is unclear when he left" by Shoten · · Score: 4, Insightful

      And yet, both got the technology to produce weapons-grade uranium from the same Pakistani, A.Q. Khan. Don't assume that differing political systems and ideologies is an absolute block against cooperation. I think it's ridiculous that they'd have this guy in North Korea; Iran isn't exactly a country with a need to offshore their state security apparatus, nor do they have some fanatical devotion to not saying anything that is technically untrue.

      --

      For your security, this post has been encrypted with ROT-13, twice.
    8. Re:"though it is unclear when he left" by Nidi62 · · Score: 3, Informative

      Wars arent fought with ground troops anymore. Whats a machine gun going to do to a Hellfile missile sent from a predator?

      They most certainly are. War for the next 50 years or so (unless things get really bad) will be primarily long term, low intensity conflict like what we've seen in Iraq, Afghanistan, Syria, and Libya (admittedly we got lucky with Libya, as it was relatively short). Conflicts such as these tend to stretch on for years. See the Sri Lankan insurgency that lasted roughly 25 years. Insurgencies are usually fought with small arms; the largest weapons usually available to insurgents are large-caliber machine guns, mortars, and RPGs. Combine this with the fact that most insurgencies cannot afford a large stand-up fight, and you get a lot of hit and run contact. Thompson, the man who pretty much led the British during the counterinsurgency in Malaya back in the 50s (and who pretty much wrote the bible on COIN doctrine; he started it all) realized that you cannot do sweep and destroy methods to defeat an insurgency; you must use sweep and control. To defeat an insurgency, you have to control ground. To control ground, you need group troops. While armed drones are good for patrolling and attacks on vehicles or fixed positions (camps, emplacements, etc), this is very expensive, and in many cases overkill. Most states cannot afford technology such this, and tactically armed troops on the ground usually make much more sense anyway, as even in predator strikes troops still have to go in afterward to look for intelligence.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
  2. Re:What a great guy by deek · · Score: 4, Insightful

    Not quite as much distrust and suspicion as they have regarding "bankers".

  3. Re:What a great guy by Nyder · · Score: 3, Insightful

    And we wonder why the general public has a sense of distrust and suspicion regarding "hackers".

    "When the affected banks, including the largest state institutions didn't respond" is the part that worries me, instead. The hacker in this case was just trying to help and pointed out a REALLY bad security flaw, but since the general public didn't know about it the institutions apparently decided to just ignore it. Publishing all the details was a bad move, that I definitely agree with, but atleast it got the institutions' attention, too bad that this will be spun in the media as the hacker's fault and not the institutions' fault, though.

    hmm, you think it's a bad move. So what you are saying is, if the public doesn't know about it, it's good security? You do realize that if the dude who warned them found it, anyone could of found it. So while the public may not know about it, criminals might. So, in my view, the hacker did good, because the people in charge weren't listening, so it made them listen.

    I don't know what world you live in, but in this world, there isn't only 1 smart person, there is many. When 1 person finds a flaw, you should figure that other people have found the flaw. And someone is going to exploit the flaw to steal something, because that is how the world rolls.

    --
    Be seeing you...
  4. Let a lesson be by cosm · · Score: 3, Informative

    Let a lesson from this be that no matter where you are on the globe managerial types will typically disregard known and reported vulnerabilities until it is too late, generally failing to assess risk properly and address reported findings.

    Karma whoring, dude's blog linked here (yay for in browser translation)

    --
    'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
  5. Re:What a great guy by gstrickler · · Score: 3, Insightful

    I don't know about the OP reasoning, but in my opinion, publishing full details including full card numbers and pin codes was a bad idea. Publish enough to demonstrate that you do in fact have the data, but not enough to make it trivial for someone to use the data. Partial card number, enough that the cardholder can be reasonably certain that's his card and the last 2-3 digits of the pin. It's one thing to go public and embarrass the banks, it's another to expose 3M customers to fraud and abuse by making it easy for the crooks.

    --
    make imaginary.friends COUNT=100 VISIBLE=false
  6. Re:"Zarefarid is reportedly no longer in Iran, tho by jamesbrx · · Score: 4, Interesting

    Interestingly, more than likely this is a joint operation between the United States and Israel. They have tried to get Iran trade embargoed for a long time, and more than likely are pissed off that Iran has developed their own technology to process payments and POS transactions. It is similar to USA's actions with North Korea, just that Iran is even more developed country. Both Israel and USA have been extremely aggressive towards Iran, despite the fact that I see no such aggression coming from them. I just think it's interesting.

  7. What a hack job of reporting! by masouds · · Score: 5, Informative

    Points of fact:
    1) He didn't hack any banks. He was working in a payment processing company that had monopoly in Iran.
    2) The card numbers and pin numbers were kept in clear text in their internal systems
    3) He did complain about it repeatedly to his bosses, who blew him off
    4) He posted the pin numbers and account numbers to a blog. Pin numbers have some digits before and after; They are not quite usable in person. In order to use them online a second pin is required which was not posted.
    5) the Payment processing center's license has been revoked, and all people are in panic trying to change their pin numbers. The only action all ATMs allow is pin change.

    --
    This .sig was intentionaly left blank.
    1. Re:What a hack job of reporting! by olau · · Score: 3, Funny

      True, he should have posted his boss's pin number only.

  8. Re:"Zarefarid is reportedly no longer in Iran, tho by Thanshin · · Score: 3

    ... it is unclear when he left." Yeah...

    I also interpreted that as "it's unclear where they left the corpse" until I remembered he had thousands of numbers/pins.

    It's not so hard to move around when you've got a huge lot of money and know how to use the internet properly.

  9. Re:"Zarefarid is reportedly no longer in Iran, tho by gl4ss · · Score: 3, Interesting

    http://www.nytimes.com/2011/10/12/us/us-accuses-iranians-of-plotting-to-kill-saudi-envoy.html?_r=1&pagewanted=all

    iran plays the game too, although not too well(and they're amateurs - remember the regime doesn't have that long history and when they came to power they pretty much got rid of everyone working with international relations and operations who had any experience - making their plots like bad b-movies like trying to hire zetas or selling guns to some african rebel). mostly iran is pre-occupied with dealing with their domestic dissidents, throwing people to jail for porno and trying to make foreign export ends meet by any means their amateurs can think of and generally just being petty denialists. remember, as far as reports go and one outside the country can figure out most of the bomb attacks within iran have been actually carried out by iranian factions working toward overthrowing their petty government.

    so, historically - what little there is of it - irans current regime has been quite aggressive both internationally and domestically, carrying out murders and attempts at them. what sets them apart from libya is that they're not so poor and they have more people and not just desert.

    pissed off at a POS system? fuck, no, that's not the reason behind this hack, the reason is that it was hackable and they didn't fix it, they had time to fix it - but this guy did wise when he got out of the country because irans government has a history of outright killing guys like him.

    --
    world was created 5 seconds before this post as it is.
  10. Re:Um ... Is This Even An Accurate Story? by Cruorin · · Score: 3, Informative

    http://ircard.blogspot.com/ Click older about ten times, he posted them in plaintext without text wrapping, once you click one of the links. The reason this isn't all over the net is because it is useless to anyone not in Iran.

  11. Re:"Zarefarid is reportedly no longer in Iran, tho by schwit1 · · Score: 4, Insightful

    Let the UN control? The same organization that put Cuba, Egypt, Russia, Saudi Arabia, China and Sudan on its human rights panel?

  12. Re:"Zarefarid is reportedly no longer in Iran, tho by Ihmhi · · Score: 3, Interesting

    Yeah and arming hizbullah, hamas and having their fingers deep in both groups along with previously arming the PLO is 'no aggressive action' right.. Oh wait, let me guess the Jews control both groups.

    Right, it's not like we ever did shit like give the Mujahedin weapons like stinger missiles. We never gave fucking crates full of guns to South American dictators and/or revolutionaries. We never trained people to invade Cuba. We never started something on the order of half a dozen illegal wars in the last 60 years.

    Stop fucking talking like America is a shining beacon of justice and freedom, because we are just as shitty as nearly every other goddamned country in the fucking world. We just have better marketing.

    --
    Random Thoughts From A Diseased Mind (Not For Dummies)