In a new post on his blog, Khosrow Zarefarid, the Iranian software manager who obtained and published 3 million card accounts, has explained the motivation and the history behind his actions. He is not a hacker, he claims. He didn't do it for personal profit, and did not release enough information to compromise the card holders. "It can not to have any danger for accounts," he writes. He merely published enough data so that the "card holders are able to recognize their card number and PIN."
He explains, "Card numbers must be used with expiration date and CVV2 plus PIN2 for cardless transactions in our country. And physical card have track 2 information that is not in my weblog."
All of this was a last resort. As a software manager for Eniac, an Iranian payment service provider for a number of different banks, he was aware that "Not only we had not HSM [hardware security module] device," but furthermore, the "Switch Development Company did not exclude PIN information from log files." He spent a year trying to solve this problem, firstly by attempting to get Eniac to install an HSM and for the PINs to be removed from the logs. When he failed, he left Eniac.
He then anonymously sent 1000 card examples to the banks' CEOs - but the only response from them was to report him to the police. Finally, he writes, "I went to IT deputy of Refah Bank and explained all problems. IT manager and his deputy were venal." Only then did he leave the country and publish the card details. "This is not a Hack," he writes. "This is a philanthropy action." What would you call it? he asks.
We would call it 'whistleblowing'. His problem is that while most governments publicly support whistleblowing, they don't want it in their own back yard. Now "our government wants to catch me," he adds. He is appealing for help from international human rights organizations.
One thing is clear - this was genuine whistleblowing. Infosecurity has been talking to Zarefarid. We asked him to expand on his use of the word 'venal'. We asked him to comment on the planned Iranian walled internet, the so-called 'halal intranet'. He flatly refused. To Zarefarid, this is purely a security issue.