The security of online payment processes has always been a major concern for financial institutions. Even after implementing top security features, a single small flaw in an application can leave it highly vulnerable and easy for cyber criminals to exploit. In the past we have seen how top banking houses like Citi bank were allegedly hacked using OWASP top 10 web threats. According to a news report published at ZDI, Khosrow Zarefarid from Iran hacked almost 3 million bank accounts to make bank authorities take notice of the vulnerabilities. Before this, he had warned of the security flaw in Iran’s banking system and provided them with 1,000 bank account details. He wrote a formal report and sent it to the CEOs of all the affected banks across the country. When the banks ignored his findings, he hacked 3 million bank accounts, belonging to at least 22 different banks, to prove his point.
It seems Khosrow didn’t steal money from the accounts. He merely dumped the account details of around 3 million individuals, including card numbers and PINs, on his blog: ircard.blogspot.ca. After this was reported, Iranian banks such as Saderat, Eghtesad Novin, and Saman sent text messages to their clients, warning them to change their debit card PINs. Furthermore, the Central Bank of Iran (CBI) issued a statement announcing that millions of ATM cards had been hacked and urged all card holders to change their PINs, especially if they hadn’t done so in the last few months. The warning was repeated on state TV channels. The Central Bank of Iran’s statement did not mention anything about improving security. It is somewhat annoying that, rather than the security issues being fixed, users are told to change their PINs.
Zarefarid previously worked as a manager at a company called Eniak, which operates the Shetab (Interbank Information Transfer Network) system, an electronic banking clearance and automated payments system used in Iran. The company also manufactures and installs point of sale (POS) devices. In other words, Zarefarid worked for a firm that offered services to Iranian banks for accepting electronic payments. At the time the hack was uncovered, he was reported to be outside Iran. To give your organization and applications a secure foundation, contact us today for our Pentest++ service.