BreachExchange mailing list archives

Iranian Takes Credit For POS Hack That Spills Three Million Bank Accounts


From: Lee J <lee () riskbasedsecurity com>
Date: Sat, 2 Nov 2013 10:10:00 +1100

http://threatpost.com/iranian-takes-credit-pos-hack-spills-three-million-bank-accounts-041712/76448

An Iranian national exposed confidential account details for some three
million bank accounts in that country, prompting warnings from banking
officials.

Khosrow Zare Farid acquired the account information using a vulnerability
in a widely deployed Iranian point-of-sale (POS) system used by banks
throughout Iran. He disclosed the information after claiming that he had no
response to efforts to warn the CEOs of a number of Iranian banks about the
flaw.

On Saturday, three of the affected banks, Eghtesad Novin, Saderat, and
Saman, sent out a mass SMS message advising that their clients update their
debit card passwords.

“According to the rumors which are published in virtual world, we ask
people to change the password of their debit cards if they have not changed
the main password in the previous months,” the Central Bank of the Islamic
Republic of Iran (CBI) said in a statement. “This will maximize the
security of your accounts and improve the restrictions of illegal usage of
debit cards.”

The incident shone a light on hacking activity within Iran, which is best
known as the target of the Stuxnet worm
<http://threatpost.com/report-iran-resorts-rip-and-replace-kill-stuxnet-072211/>.
The Iranian government recently went public with plans to sever the
country’s connections to popular online services like Gmail and Facebook
and create a “clean” domestic alternative to the Internet and World
Wide Web
<http://news.cnet.com/8301-1023_3-57411577-93/iran-expected-to-permanently-cut-off-internet-by-august>.

“Around one year ago I found a critical bug in the system,” said Zare
Farid, according to Kabir News. “Then I wrote and sent a formal report to
all the CEO of banks in Iran but none of them replied to me. Now I decided
to publish the information.” Published reports
<http://www.zdnet.com/blog/security/3-million-bank-accounts-hacked-in-iran/11577>
indicate that Zare Farid provided the banks with a sample of 1,000 customer
credentials as proof of the vulnerability long before going public.

A Facebook page belonging to Zare Farid lists him as a resident of Tehran,
Iran. According to a report
<http://kabirnews.com/3000000-debit-cards-hacked-in-iran/1526/>
from Kabir News, Zare Farid was once the manager of Eniak, a POS manufacturer
that operates the Shetab payment network in Iran.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
