An Iranian national exposed confidential account details for some three million bank accounts in that country, prompting warnings from banking officials.
Khosrow Zare Farid acquired the account information using a vulnerability in a widely deployed Iranian point-of-sale (POS) system used by banks throughout Iran. He disclosed the information after claiming that he had no response to efforts to warn the CEOs of a number of Iranian banks about the flaw.
On Saturday, three of the affected banks, Eghtesad Novin, Saderat, and Saman sent out a mass SMS message advising that their clients update their debit card passwords.
“According to the rumors which are published in virtual world, we ask people to change the password of their debit cards if they have not changed the main password in the previous months,” The Central Bank of the Islamic Republic of Iran (CBI) said in a statement. “This will maximize the security of your accounts and improve the restrictions of illegal usage of debit cards.”
The incident shone a light on hacking activity within Iran, which is best known as the target of the Stuxnet worm. The Iranian government recently went public with plans to sever the country’s connections to popular online services like Gmail and Facebook and create a “clean” domestic alternative to the Internet and World Wide Web.
“Around one year ago I found a critical bug in the system,” said Zare Farid, according to Kabir News. “Then I wrote and sent a formal report to all the CEO of banks in Iran but none of them replied to me. Now I decided to publish the information. Published reports indicate that Zare Farid provided the banks with a sample of 1,000 customer credentials as proof of the vulnerability long before going public.
A Facebook page belonging to Zare Farid lists him as a resident of Tehran, Iran. According to a report from Kabir News, Zare Farid was once the manager of Eniak, a POS manufacturer that operates the Shetab payment network in Iran.