The story that I desire to report seems the plot of a movie, Khosrow Zarefarid an Iranian software manager after finding security vulnerability in Iran’s banking system tried to inform the management of the affected banks preparing a detailed report. As usually the bank’s manager ignored the alert so the Iranian expert decided to demonstrate the risk related to the discovered vulnerability, passing from theory to the action.
He hacked 3 million bank accounts, belonging to at least 22 different banks, to support his study. Admirable Zarefarid’s intellectual honesty that is limited to hacking systems not stealing anything from the accounts, he has just exploited the vulnerability retrieving account details of around 3 million individuals, including card numbers and related PINs.
Zarefarid has worked at Eniak company which operates with the Interbank Information Transfer Network System (Shetab), an electronic banking clearance and automated payments system used in Iran. The Eniak is leader in Iran for providing payment systems, a crucial sector in the banking world, within it’s activities there are also manufactoring and the installation of point of sales for the Iranian banking.
What is really seriuos that in occasion of him first alert the expert provided details on the security flaw and also on 1000 bank account, but he was ignored, for this reason Zarefarid decided to make public the events.
Of course the scenario is changed requesting the response of the banks, some Iranian banks such as Saderat, Eghtesad Novin have already started an informative campaign to inform their clients of the hack, inviing them to change their card PINs. Other banks have preferred to block their customers’s accounts to avoid any kind of problem, meanwhile the Central Bank of Iran (CBI) issued a statement announcing that millions of ATM cards have been hacked and inviting all card holders to change their PINs as soon as possible. The warning was repeated on state TV channels. Iran’s Central Bank has announced that the electronic information of 3 million customers of 10 Iranian banks have been compromised.
Other precautionary measure taken by some banks is the block of many ATMs for dispensing cash.
What is really incredible of the event is the behaviour of the Central Bank of Iran is its position on the vulnerability discovered, it has confirmed that the threat is not serious and hasn’t provided any information regarding its fix, let’s remind in fact that the change of the PIN is a temporary solution for exposed accounts, but the hack could happen again is the right solution is not applied.
More details can be found on the expert’s personal blog inside the post “Are your bank card Between 3000000 these cards?”
As usual let’s make some reflections on the event, the vulnerability discovery raises serious questions about the security level of the bank infrastructure. According to Iran expert almost all of the banks are vulnerable to the hack demonstrated. Think for a moment what could happen if the same vulnerability was over in the wrong hands, be they cyber criminals, groups of hackers hired by foreign hostile governments or groups of hacktivists. The banking sector is a vital component of the infrastructure of a country, it is considered in every most meticulous cyber strategies as critical Infrastructure. Blockade of the banking system, hacking of payment systems on a large scale can be a catastrophe for any country, incalculable losses in terms of direct damage caused by theft of money and indirect damage related to the image of the company. The is also another worrysome aspect, a country attacked on its financial institution fails in the panic creating the right environment for other cyber and military operations, that is a typical cyber war scenario.
Obviously knowing the real answer to the incident of Iranian institutions is impossible, but judging by their focus on cyber warfare is expected kidnapped a government response for the resolution of the problem, even before the banking institutions. In a scenario like that of warfare the synergies between the sectors of a country and the strong commitment of the central government are preconditions for the implementation of a suitable and efficient cyber strategy.