
Saudi Arabian Hackers Leak Credit Card Details of 400,000 Israeli Citizens - Ohadr
http://pastebay.com/150288
======
yuvadam
I just gave a talk last week at 28C3 [1,2] about how all the personal details
of Israeli citizens are up for grabs for anyone inclined enough to get them.

I'm ashamed to see that we've learned nothing in the past 10 years.

[1] - <http://www.youtube.com/watch?v=ow7cvZOzp6w>

[2] - <http://speakerdeck.com/u/yuvadm/p/28c3-data-mining-the-israeli-population-census>

EDIT: Israeli media now claims that 400K is an exaggerated number, and the
actual number of leaked CC is much smaller.

EDIT2: I'm gonna go ahead and publish a mirror list [3] for the leaked data
and for affected accounts by email [4]. I might be affected and I prefer to
know if I am ASAP, even if this means the data leaks more, which it will
anyway.

[3] - <http://pastebay.com/186092>

[4] - <http://pastebin.com/EnY7E0Hw>

~~~
maayank
What's the password of the rar inside the rar? The page referenced in the
"readme" file is unavailable.

~~~
runn1ng
At least the file, hosted on hacked sites, called israeli.rar, is without a
password.

~~~
maayank
I downloaded one of the files yuvadam posted (not sure if it's the same one
there now - the post was edited) and it had a password-protected rar in a rar.

------
waffle_ss
I have a very hard time resolving how this type of attack could fall under the
umbrella of Anonymous. Saudis specifically attacking Israel implies a
nationalistic attitude, given their history. They also affiliate their hacker
group with Wahhabism, which is a strict branch of Islam that most would brand
as fundamentalist (and sometimes extreme).

I can't really see the ideals of Anonymous coexisting with nationalism and
religious fundamentalism.

~~~
pjscott
It's inspired by the Anonymous style: find someone you dislike, attack their
computers somehow (e.g. private information theft, DDoS, web site defacing),
and brag about it online. The ideals are very different, but the method is
pretty similar.

~~~
noduerme
The difference being that the people involved wouldn't be aware there was oil
under their feet if our country hadn't invented the market for it, told them
it was there and given them the equipment to drill it. Left to their own
devices, the only thing they'd be hacking right now would be the back end of a
camel. What do you think the chances are that their brute force method wasn't
one of a million snippets written by someone in the west? Or in Israel, for
that matter? How about the computers they used to get on the network they
benefit from, but didn't create? Reckon the intel chips were made in Israel?

After all the petty bullshit, Saudis like to party too. The problem is their
government and society is repressive as hell, and they're so scared to
confront it, they have to go into this whole make-believe world where they act
as heroes by attacking Israeli servers. It's pretty funny. I'm sure Israelis
will recover. The Saudis on the other hand still live in a medieval hellhole
where women can't drive a car... and this really doesn't do much to change
anything. Their time and energy would be better spent trying to bring
civilization to their own wasteland.

[Edit] I should add, the fact that if you did this in your own country, you'd
probably have your hands cut off, is a powerful motivation to go after
somebody with more liberal values.

~~~
agilo
Ironic how despite all this, the American government finds it fit to support
this repressive regime, while demonizing countries like Syria where citizens
(or at least women) enjoy greater freedoms. One could say it all depends on
your stance vis-a-vis Israel. The fact of the matter is that countries like
Saudi Arabia, Jordan, Yemen, old Egypt, North Korea etc. have normalized or at
least neutral relations with Israel (despite the hypocritical rhetoric to
appease the masses), and hence are supported or allowed to have their way
(even their bombs).

I think this hacking incident is a mere accident, and the ruling Saudis will
be quick to repress it and assure Israel none of this will happen again.

~~~
berntb
>>demonizing countries like Syria

How can you "demonize" that type of brutal regime? What _more_ can you say
about them? That Assad eats children?

>>One could say it all depends on your stance vis-a-vis Israel.

>>the ruling Saudis will be quick to repress it and assure Israel none of this
will happen again

Sigh, so Saudi Arabia is pro Israel? :-)

<http://en.wikipedia.org/wiki/Antisemitism_in_the_Arab_world#Saudi_Arabia>

This is a model of what happens there without conspiracy theories:

Saudi Arabia is _needed_ as an ally by the US. It is called "realpolitik" --
all countries, including democracies, use it and lie about it. (The difference
with democracies is that they do support human rights, as long as it doesn't
cost too much.)

North Korea sells/sold nuclear tech to Syria/Iran; are you really claiming
they have "neutral" relations with Israel?

And so on... please don't write this kind of thing on HN.

~~~
rbanffy
I would say this whole thread took a wrong turn with noduerme's deeply rude,
ignorant, arrogant an plain racist post. We would all have gained something
had it never existed.

~~~
ThaddeusQuay2
"We would all have gained something had it never existed."

Fuck off, Mr. Wannabe Censor. Progress requires unfettered conversation of all
types, not just the ones of which you approve.

"... noduerme's deeply rude, ignorant, arrogant an[d] plain racist post."

It was none of those things. What he said is basically correct, and it
reminded me of 2005's Syriana, in which there was a conversation between Matt
Damon as Bryan Woodman, an energy analyst, and Alexander Siddig as Prince
Nasir Al-Subaai, successor to the Emir.

NASIR: An ancestor of mine owned this bird's [falcon's] ancestor before Christ
was born. Six more North Field blocks will be available for development. We
would like to offer your firm the right to represent them.

WOODMAN: If I were your economic advisor I'd tell you it's not the dumbest
thing you've ever done, but it'll probably be the dumbest thing you do today.
Probably. But why would you need an economic advisor? Twenty years ago you had
the highest GNP in the world and now you're tied with Paraguay. Your second
biggest export is second-hand goods. Followed by dates on which you lose five
cents a pound. You want to know what the business world thinks of you. They
think a hundred years ago you were chopping each other's heads off in the
desert and that's exactly where you'll be in another hundred. So, yes, on
behalf of my firm, I accept your money.

<http://en.wikipedia.org/wiki/Syriana>

I included the first sentence, about the falcon, because it shows that Nasir
is proud of his people having been around for a long time, but that apparent
plus is effectively countered by Woodman's observation about their primitive
nature, and how the oil money is really the only thing keeping them from
regressing. Sure, the film is fictional, but there is a lot of truth to be
found in it.

~~~
rbanffy
> Fuck off, Mr. Wannabe Censor

I'm not one who wants to impose restraint on others. I merely suggest a little
bit of tact makes dialog possible. Or, more important, that its lack may make
dialog impossible.

> Progress requires unfettered conversation of all types, not just the ones of
> which you approve.

It also requires the conversation itself, which may be rendered unproductive
by the kind of comment made upstream.

> it reminded me of 2005's Syriana, in which there was a conversation between
> Matt Damon as Bryan Woodman, an energy analyst, and Alexander Siddig as
> Prince Nasir Al-Subaai

Is all your knowledge in Middle East affairs derived from a movie?

------
Ohadr
Anonymous just declared that they are not responsible for this:

<https://twitter.com/anonyops/status/153969476277248000>

"We have no love for Israeli gov't but targeting 1000s for being Israeli?
Sorry, you are not #Anonymous pastebay.com/148920"

~~~
runn1ng
Heh. I like how Anonymous keep on repeating how they are "decentralized" and
the only thing really needed to join is to call yourself Anonymous - and at
the same time keep on telling through semi-official twitter accounts, how this
Wahhabi attack or that Stratfor attack was not official Anonymous and blah
blah blah.

Hypocrisy on hypocrisy.

~~~
pdeuchler
I would argue that the purpose of allowing anyone to call themselves
"Anonymous" places the group's identity on their actions, not who they say
they are. It's kind of the whole point of calling themselves "Anonymous" and
leads right into the "we are legion" bit. There is no individual, only the
movement.

However, by performing actions that are contrary to the Anonymous ideology the
Saudi attackers distanced themselves farther from Anonymous than any name
could.

~~~
jonhendry
But what is "Anonymous' ideology" if anyone is part of Anonymous?

Maybe Anonymous should have chosen a different name. Other groups could then
remain anonymous, without being assumed to be Anonymous.

~~~
runn1ng
Well, actually, Anonymous didn't really choose the name - it was a joke made on
default "Anonymous" username on 4chan. And it really grew somehow organically
into this point.

That's what I don't like about people saying "You are not true Anonymous".
First hackers under the name "Anonymous" posted other people's MySpace passwords
on 4chan and put blinking lights on epilepsy website. And the whole
Scientology movement was first meant as a joke, as a reaction to the leaked
Tom Cruise video.

Really, people calling other people "not true Anonymous" are hypocritical. I
think.

------
asjd
This is the IP of the hacker: 188.75.86.66 (It's possible this is a bounce
server, but geo locating it suggests against this.)

I know because I was involved in cleaning up one of the hacks. (I have to stay
anonymous, but my main account has more than 7000 karma.)

In the one I dealt with they did not copy stored cards (because they
couldn't), but rather added extra code that would email a copy of the details
to the hacker as the order was placed.

(So even with PCI compliance credit card numbers can still be stolen.)

~~~
3pt14159
Right now, right this second, edit this post. Get rid of the karma count and
remove the rest of what you posted besides the IP of the hacker. Word
frequency analysis + knowledge of your karma count will easily identify you.

------
krembo
My CC was in the list that the hackers published. Just canceled it...

Does anyone have good arguments against leaving the files where they are now
and not deleting them from pastebin/megaupload/...? Since the beast is already
out of its cage, there is no point in chasing it. It is even better to let
the public d/l the file and try to find themselves if their card and other
details like emails, passwords were stolen.

~~~
darklajid
Do you have any idea where your card was leaked from? Can you share what card
provider you used? I was already paranoid about credit cards before I came,
now it's really affecting my blood pressure..

(nice username btw, learned the word here..)

~~~
krembo
I'm not sure if they stole it directly from the sites (coupon site in my case)
or from the clearance company. In any case it seems that the site that stores
the details broke the law by storing the CVV (not to mention that passwords
were not encrypted..)

~~~
ceejayoz
Broke the law, or broke the PCI standards?

~~~
krembo
I think in IL meeting the PCI standards is a must for clearance companies.

------
darklajid
I have an Israeli credit card. I'd have liked to understand where this was
leaked from. And - well - make sure that mine is not among them.

Unfortunately (or fortunately?) the file isn't available any more.

~~~
Ohadr
I also have three of them...

I think once that file was online even for a few minutes, the card numbers
mentioned in it are not safe anymore. It will be leaked again.

If it's not some kind of provocation (files with false data) then this is a
pretty big crisis. I'm going to have to monitor my credit card logs closely in
the next few weeks...

~~~
krembo
Since I found my CC details over there I assume this is not false data. Can we
call it a cyber terror attack?

~~~
HotKFreshSwag
I would call it black hat hacking, hacktivism or sabotage. I wouldn't call it
a terror attack unless you feel terror when you realize you have to call your
credit card provider.

Let's save the word terror for things that terrify people like say bodily harm
or death.

------
hack_edu
Curious to see how the general consensus of Anonymous falls in line with this.
Let's not forget the long history of black hats in Israel.

------
theunixbeard
Interesting. I wonder, have there been other examples of religiously-motivated
hacks on this scale?

~~~
nostromo
Religious or political? I suppose in the Middle East the two are conflated.

------
usaar333
When I went to Israel a few years back I could not believe my eyes when I
noticed that my entire CC number was printed on every receipt.

I don't imagine online CC security being much better..

~~~
eliben
That was mostly fixed, AFAIK. Now only the last 4 digits are printed on
receipts.

------
vsviridov
I thought Anonymous were against corrupt politicians et al, and not just
general populace :(

------
teyc
Don't VISA et al require some kind of PCI compliance for storing credit card
details?

~~~
jacquesm
PCI compliance is worth as much as the party that signs off on you being
compliant, in most cases that is you.

Audits are few and far between, lots of places have shoddy security but claim
they are Fort Knox.

PCI compliancy is quite meaningless unless the people that implement it take
their job seriously. That's very frequently not the case, it is just seen as a
small obstacle in the way of doing business.

~~~
teyc
Thanks. Odd that VISA would let the third party auditors get away with it,
until they don't... which I'd hope so in this case.

Related: <http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants>

~~~
rdtsc
It is mostly to cover their behinds not really to protect your data. When it
comes to litigation they basically want to point to a piece of paper with your
signature on it and say "see they agreed to be compliant" it is not our fault,
we did all we could.

~~~
teyc
I saw an Australian company offering tokenising solutions for credit card
transactions. Glancing briefly, they talked about replacing credit card number
with "tokens" that can be stored on the customer's premises, while the actual
card numbers are securely stored on theirs. To me it seems to be a sensible
approach to reducing the attack surface or auditable surface. Is this what
Stripe does?

~~~
rdtsc
Visa has the "visa verify" and it is a web service that basically asks extra
security questions during authorization. That works online only. Relies on the
merchant to provide the extra security.

Another thing is temporary one-use credit card numbers. My Discover card has
that feature. Of course then it also relies on me to assess the risk of a
merchant and go through the steps of getting that number.

------
desireco42
Just because it is easy, it doesn't mean you should do it. Stealing from ordinary
people, even from a nation that you feel so much hostility to, is still wrong.

------
samstave
Faction warfare.

EDIT: I got downvoted, without a reply. So, explain how doing this sort of
thing is not faction warfare?

The details of Israeli credit is leaked by anons from the house of Saud. This
is clearly a faction issue. It is not likely government sponsored (though
likely condoned) and as a religious rift exists between Jews and Muslims, the
word faction applies perfectly.

Jews, Muslims, Christians; all factions within religious zealotry.

~~~
jonhendry
I think the term is 'sectarian'.

~~~
samstave
A sectarian word for factions.

Tomato Potato

\--- Sectarian:

of, relating to, or characteristic of a sect or sectarian

limited in character or scope

\---

Faction

a party or group (as within a government) that is often contentious or self-
seeking : clique

party spirit especially when marked by dissension

\---

You would be a fool to claim that sectarian skirmishes are not also political,
given the widespread theocratic nature of governments under both Muslim and
Jewish rule.

In this case - this is an attack, while premised on the appearance of
religion, is actually a theocratic/political-religious attack.

------
saljam
I find it odd they call themselves “Wahhabis.” For starters, that term isn't
something a “Wahhabi” would call himself. I've never been able to trace when
it was first used. However, it's often used by western scholars to refer to
“the Saudi guys” when classifying Muslims.

Does anyone know more about this group?

------
gokhan
> We have posted this message in pastebin, but it seems they have deleted the
> file.

That Stratfor dump with 75.000 card details is still on Pastebin. Why was this one
deleted and the other is still there? (I believe both should be deleted.)

------
pm90
Attacking the general (innocent) populace for the faults of their
government/military? That's the definition of terrorism... and not activism.

~~~
rdtsc
> Attacking the general (innocent) populace for the faults of their
> government/military?

Generally agree but with one exception -- in places where the government claims
it represents the people and most people agree with that. Then everyone who
votes basically shares the guilt of what the government does.

~~~
dvirsky
Most democracies I know are usually divided between conservatives of some sort
and liberals of some sort, who agree on nothing, and usually just over 50% of
the voters if not less, agree with their government's policies.

I totally disagree with the Israeli gov's policies and often protest them.
Guess what? My personal info was inside those files (deprecated credit card
and email though).

Attacking citizens of democracies because they are inseparable from their
government and responsible for its actions, is a common argument for
terrorism, btw.

~~~
rdtsc
Democracies (or just "advertised" democracies) can't have it both ways. They
get to tell the world about their superior system of government where citizens
have a say in how their government runs (sometimes they even invade others to
impose this "superior" system on them). And that's great. But then there is
the other side of the coin when the said govt. screws up, then citizens should
man up and take responsibility. I am responsible for US invading Iraq and
Afghanistan. If I am in those countries and I would be afraid for my safety
(and rightly so). I didn't vote for it, and I don't think realistically people
have the power and the voice in most advertised democracies. But then, one can
argue, they are also responsible for now changing the system (and therefore the
99% Occupy stuff is happening all over, it is not about economy it is about
who has the power, control and responsibility).

------
shn
Too much fuss for something you cannot verify. a) Are they really valid
identities? 100% of them? b) How do you know that these were done by Saudis?

------
billpg
I've set up a site to check if your card was on the list. Just go to my site
and type in your card number...

------
kingkilr
Stay classy...

------
noduerme
From what I can see, the real Anonymous at least has the balls to go after
their _own_ government. Sure it's easy to hate on Israel, and these douchebags
will no doubt get some props from fellow haters for their little hack, but if
they had a pair of testicles between the lot of 'em, they'd start leaking info
on the dictatorship they live in, rather than stealing credit cards from the
democracy next door.

