BreachExchange mailing list archives
Iranian Takes Credit For POS Hack That Spills Three Million Bank Accounts
From: Lee J <lee () riskbasedsecurity com>
Date: Sat, 2 Nov 2013 10:10:00 +1100
http://threatpost.com/iranian-takes-credit-pos-hack-spills-three-million-bank-accounts-041712/76448 An Iranian national exposed confidential account details for some three million bank accounts in that country, prompting warnings from banking officials. Khosrow Zare Farid acquired the account information using a vulnerability in a widely deployed Iranian point-of-sale (POS) system used by banks throughout Iran. He disclosed the information after claiming that he had no response to efforts to warn the CEOs of a number of Iranian banks about the flaw. On Saturday, three of the affected banks, Eghtesad Novin, Saderat, and Saman sent out a mass SMS message advising that their clients update their debit card passwords. “According to the rumors which are published in virtual world, we ask people to change the password of their debit cards if they have not changed the main password in the previous months,” The Central Bank of the Islamic Republic of Iran (CBI) said in a statement. “This will maximize the security of your accounts and improve the restrictions of illegal usage of debit cards.” The incident shone a light on hacking activity within Iran, which is best known as thetarget of the Stuxnet worm<http://threatpost.com/report-iran-resorts-rip-and-replace-kill-stuxnet-072211/>. The Iranian government recently went public with plans to sever the country’s connections to popular online services like Gmail and Facebook and create a “clean” domestic alternative to the Internet and World Wide Web<http://news.cnet.com/8301-1023_3-57411577-93/iran-expected-to-permanently-cut-off-internet-by-august> . “Around one year ago I found a critical bug in the system,” said Zare Farid, according to Kabir News. “Then I wrote and sent a formal report to all the CEO of banks in Iran but none of them replied to me. Now I decided to publish the information. Published reports<http://www.zdnet.com/blog/security/3-million-bank-accounts-hacked-in-iran/11577> indicate that Zare Farid provided the banks with a sample of 1,000 customer credentials as proof of the vulnerability long before going public. A Facebook page belonging to Zare Farid lists him as a resident of Tehran, Iran. According to a report<http://kabirnews.com/3000000-debit-cards-hacked-in-iran/1526/> from Kabir News, Zare Farid was once the manager of Eniak, a POS manufacturer that operates the Shetab payment network in Iran.
_______________________________________________ Dataloss Mailing List (dataloss () datalossdb org) Archived at http://seclists.org/dataloss/ Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com Supporters: # OWASP http://www.appsecusa.org # Builders, Breakers and Defenders # Time Square, NYC 20-21 Nov o()xxxx[{::::::::::::::::::::::::::::::::::::::::> Risk Based Security (http://www.riskbasedsecurity.com/) Risk Based Security offers security intelligence, risk management services and customized security solutions. The YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
Current thread:
- Iranian Takes Credit For POS Hack That Spills Three Million Bank Accounts Lee J (Nov 04)