An Iranian security researcher recently hacked 3 million accounts across at least 22 banks in the country. Now, Google has taken down the blog on which he posted the account details of his victims.
Khosrow Zarefarid, an Iranian security researcher who hacked 3 million bank accounts, has had his blog taken down by Google. Zarefarid did not steal money from the accounts; he merely dumped the account details of around 3 million individuals, including card numbers and PINs, at ircard.blogspot.ca. I found the link via his Facebook account, along with the question “Is your bank card between these 3000000 cards?” As you can see in the screenshot above, however, the blog is no longer operational.
“This is an important issue that we take seriously,” a Google spokesperson said in a statement. “While we don’t discuss specific cases, Blogger’s content policies prohibit publishing another person’s personal and confidential information.”
Here is the relevant excerpt from the Blogger Content Policy:
Personal and confidential information: It’s not ok to publish another person’s personal and confidential information. For example, don’t post someone else’s credit card numbers, Social Security numbers, unlisted phone numbers and driver’s licence numbers. Also, please bear in mind that in most cases, information that is already available elsewhere on the Internet or in public records is not considered to be private or confidential under our policies.
Zarefarid is still, however, allowed to blog on Blogger; it appears Google is comfortable with him doing so as long as he doesn’t post stolen data. In fact, Zarefarid has at least two other blogs: irbanks.blogspot.ca (called Banking Problems in Iran, written in Persian) and zarefarid.blogspot.ca (his personal one). On the latter, he posted the following plea:
I know that google is blocking my weblog by a wrong decision. I need to get help from free reporters all around the world. My weblog was for warning of a great threat to accounts of card holders in Iran. Please help me to get my weblog back.
A year ago (Iran’s last calendar year ended on March 19), Zarefarid discovered the security hole in question, wrote a formal report, and sent it to the CEOs of all the affected banks across the country. He even provided them with information about the bank accounts of 1,000 customers. When the banks ignored his findings, he hacked 3 million bank accounts, belonging to at least 22 different banks, to prove his point.
Zarefarid previously worked as a manager at a company called Eniak, which operates the Shetab (Interbank Information Transfer Network) system, an electronic banking clearance and automated payments system used in Iran. The company also manufactures and installs point of sale (POS) devices. In other words, Zarefarid worked for a firm that offered services to Iranian banks for accepting electronic payments.
Zarefarid, who is reportedly no longer in Iran, insists he hacked the accounts to highlight the vulnerability in Iran’s banking system. Central bank officials had earlier downplayed the reports, saying the threat was not serious.