Zarefarid was the Software Department Manager at Eniac Tech from September 2007 to March 2011. Eniac Tech designed and installed POS systems, and operated the SHETAB payment network, the interbank card switch that was introduced in 2002.
"Around one year ago I found a critical bug in the system. Then I wrote and sent a formal report to all the CEO of banks in Iran but none of them replied to me. Now I decided to publish the information. Governments tried to catch me by Iran Cyber Army but they failed," he told Kabir News. To be precise, Zarefarid obtained the debit card details of 3,000,000 or so Iranians from ten separate banks and published them on his blog – where they are, this morning, still visible.
The blog makes it clear that Zarefarid was not merely concerned about the security flaw; he was equally concerned with the management of Eniac Tech, “improper management company owned by two brothers, Mr. Nasser Hjazyan (CEO) and rare Hjazyan (Business Manager) wallowing in furnishing your property and assets across borders...” (Google translations). But he also makes it clear that he has no feud with the company itself. “ENIAC company is in the interest of all my efforts. Banking colleagues who were in contact with me are fully aware of this point,” he blogs.
The Eniac website is currently unavailable, displaying simply: “This account has been suspended. Either the domain has been overused, or the reseller ran out of resources.” Google’s cache, however, shows that it was still available on 14 April.
Zarefarid has had to leave Iran and is appealing for support. Meanwhile, the Iranian Central Bank advised people to change their debit card passwords. Kabir News reported that it posted an ‘important’ declaration on its website: “According to the rumors which are published in virtual world, We ask people to change the password of their debit cards if they have not changed the main password in the previous months. This will maximize the security of your accounts and improve the restrictions of illegal usage of debit cards. Some banks have changed or block their customers accounts because of this action, so we are sorry about what has happened for these customers.”