Iranian Bank Accounts Hacked: A Cyber Warfare Hypothesis

Tuesday, April 17, 2012

Plagiarist Paganini


(Translated from the original Italian)

The story I want to report on seems like it could be the plot of a movie. Khosrow Zarefarid, an Iranian software manager, found security vulnerabilities in Iran's banking system and tried to inform the management of the affected banks by preparing a detailed report.

As usual the bank's managers ignored the alert, so the Iranian expert decided to demonstrate the risk related to the discovered vulnerability, moving from theory to action.

He hacked 3 million bank accounts belonging to at least 22 different banks to support his study. Zarefarid's intellectual honesty is admirable, as he limited his actions to hacking systems, without stealing anything from the accounts. He simply exploited the vulnerability by retrieving account details of around 3 million individuals, including card numbers and related PINs.

Zarefarid works at Eniak, which operates the Interbank Information Transfer Network System (Shetab), an electronic banking clearance and automated payments system used in Iran. Eniak is a leader in providing payment systems in Iran for point of sale, a crucial sector in the banking world and also manufacturing.

What is really serious is that with his first alert, the expert provided details on the security flaw and also on 1000 bank accounts, but he was ignored, and for this reason Zarefarid decided to make the vulnerability public.

Of course, the scenario is different for the banks. Some, such as Saderat and Eghtesad Novin, have already started a campaign to alert their clients of the hack, inviting them to change their card PINs. Other banks have decided to block their customers' accounts to avoid any kind of problems.

Meanwhile, the Central Bank of Iran (CBI) issued a statement announcing that millions of ATM cards have been hacked and urged all card holders to change their PINs as soon as possible. The warning was repeated on state TV channels. Iran's Central Bank also announced that the electronic information of 3 million customers of 10 Iranian banks has been compromised.

Other precautionary measures taken by some banks included blocking many ATMs from dispensing cash.

What is really incredible about the event is the position taken by the Central Bank of Iran once the vulnerability was discovered, as it confirmed that the threat is not serious and hasn't provided any information regarding a fix. Let's remember that changing the PIN is a temporary solution for exposed accounts, but the hack could still happen again if the right solution is not applied.

More details can be found on the expert's personal blog inside the post "Are your bank card Between 3000000 these cards?"

Let's reflect on the event, as the vulnerability discovery raises serious questions about the security level of the banking infrastructure. According to Iranian experts, almost all of the banks are vulnerable to the hack demonstrated.

Think for a moment what could happen if the same vulnerability were in the wrong hands, be they cyber criminals, groups of hackers hired by hostile foreign governments, or groups of hacktivists.

The banking sector is a vital component of the infrastructure of a country, and every meticulous cyber strategy considers it critical infrastructure. A blockade of the banking system or hacking of payment systems on a large scale can be a catastrophe for any country, with incalculable losses in terms of direct damage caused by the theft of money and indirect damage related to the image of the companies involved.

There is also another worrisome aspect: A country could be attacked so that its financial institutions fail, creating a panic that produces the right environment for other cyber and military operations, which is a typical cyberwar scenario.

Obviously, knowing the real story of the incident at these Iranian institutions is impossible, but judging by their focus on cyber warfare, it can be expected that there will be a government response for the resolution of the problem, even before one is issued by the banking institutions.

In a scenario like that of cyber warfare, the synergies between different sectors of a country and the strong commitment of the central government are preconditions for the implementation of a suitable and efficient cyber strategy.

Cross-posted from Security Affairs
