An Iranian man who revealed a vulnerability in a widely used point of sale (POS) system in Iran had his blog confiscated by Google, which cited violations of its Terms of Service.
A Google spokesman acknowledged that the company pulled down the Blogger site that Khosrow Zarefarid, an Iranian IT expert, used to post account details for around three million bank accounts at banks across Iran. The account information was obtained by exploiting a vulnerability in a widely deployed point of sale (POS) system used throughout the country, and its publication came after repeated efforts by Zarefarid to compel banks to fix the problem.
“This is an important issue that we take seriously. While we don’t discuss specific cases, Blogger’s content policies prohibit publishing another person’s personal and confidential information,” the company said in an e-mail statement.
Google’s Terms of Service for the Blogger service specifically prohibit the posting of “personal and confidential information,” which Google says includes credit card numbers, Social Security numbers, unlisted phone numbers, and driver’s license numbers.
Zarefarid first reported the POS vulnerability more than a year ago and claims he wrote a formal report to the CEOs of banks in Iran that use the affected system. “But none of them replied to me. Now I decided to publish the information.” Published reports indicate that Zarefarid provided the banks with a sample of 1,000 customer credentials as proof of the vulnerability long before going public.
His action attracted press attention from around the world, as it shone a light on a seldom reported or understood issue: IT security holes within Iran’s domestic banking system. Within days, however, the blog containing Zarefarid’s research was taken down by Google, prompting the researcher to appeal for help on Tuesday on a new Blogger-hosted blog.
“I know that google is blocking my weblog by a wrong decision. I need to get help from free reporters all around the world. My weblog was for warning of a great threat to accounts of card holders in Iran. Please help me to get my weblog back,” he wrote.
A Google spokesman said the company has a number of tools at its disposal when it identifies blogs that have violated its terms of service. They range from taking down an individual post, to taking down an entire blog, to banning the blog’s author from its hosted blog platform altogether. The fact that Zarefarid continues to have access to the Blogger platform could be an indication that the company is comfortable with him blogging, if not with him posting purloined data on its hosted platform.
In the meantime, Zarefarid continues to post on his new blog, titled “Banking Problems in Iran.” His latest post, on Tuesday, picks up the issue of a lack of security within domestic banking networks, including the failure to implement hardware security modules (HSM), cryptographic hardware that can secure bank-to-bank communications and transactions.