Slashdot Mirror
Indian Call Center Employees Hack US Bank Accounts
The Ascended One writes "Call center employees working for an Indian software company, MSource, supposedly used confidential client information to transfer client funds to themselves. The alleged perpetrators used the personal information of four NY-based clients to transfer ~$350,000 (Rs. 1.5 crores) in their names, a large sum in Indian currency. They were caught after the victims alerted the bank officials in the US, who then traced the crime to the Indian city of Pune. While the name of the bank has not been revealed, the article indicates that the bank in question is Citibank."
I'm a system administrator and most of my customers are in the UK. So when I'm investigating an incident on our servers, and the logs show some activity from Brazil, it makes my job a lot easier.
It doesn't matter where people are located. What matters is that you have trustworthy people handling your business. And, you know what? Untrustworthy people are everywhere.
I, for one, do not buy into this Lou Dobbs racist/nationalist claptrap that says that we can't trust foreigners. I'm one of the biggest foreigners around, if you consider all the places I have to travel to that I'm not actually a citizen of.
Hey, bad people are in India. And in the U.S. And in Europe. And in Asia. Oh my god! They are everywhere!
Luckily, the bad people are outnumbered by the good. I can just take a look at my lists and figure that one out.
I know this could happen to anyone given a lax state of security.
But it's surely much tougher to vet people who have access to your systems when their whole culture is different (nevermind the fact that they're half the world away)
A lot more care needs to be taken when outsourcing internationally, otherwise the savings made will end up being spent on PR & the like after a cock up.
When I take credit card info over the phone I could do just the same.
The only slight difference is that it's worth more over there.
So I find it odd that this is considered different.
A blog I run for the wealth
Well, it's not so much a case of us-versus-them, but a matter of accountability and proesecuting them. An earlier poster made the case that this makes it somehow easier to track, but I think this is an absolute load of claptrap
Remind me again, exactly how many people are there in India? So how exactly does the fact that you know it originated from India help you? Or say Brazil, China, etc - all of these places, though poor, are in fact heavily populated, densely packed, and often the authorities are loathe to co-operate with foreign officials (honestly - whose side do you think the Indian police force/bureacrats are on?)
Outsourcing critical infrastructure, and potentially dangerous data that can bite you back later is a recipe for disaster.
I'm Australian, and recently there was a furor over Boeing's court victory allowing them to discriminate against Australian workers, and select only US citizens - a lot of Australian's were mad, but I myself thought that Boeing had a perfectly logical argument.
You can call me a racist (fyi, I'm chinese - and the US's witch-hunting of Chinese "spies" irks me, but hey, it's another one on a growing pile of 'em...lol), so what the heck...
Victor Hooi
So they should start aborting outsourcing attempts because the US doesn't have data privacy laws?
Rather than phoning up your banks and finding out where your information is ending up, which can be a tedious process, shouldn't you be phoning up your congress representatives and asking them to enact laws which provide for your privacy?
I just have to say that this is a bigger problem than a simple "I told you so".
When you outsource certain operations you are giving people who have no connection with your customers their private information. Banking account numbers? Some people still don't use online banking because it scares them and we don't see this as a huge liability?
Really, what if a few thousand credit card and bank account numbers got into the hands of suspected terrorists? If they made a one time shot at getting items to fence or cash withdraws (wire transfers) and split, they suddenly have resources that was taken right from the American people.
I'm by no means saying that you should be suspect of *any* foreign person or enterprise. I'm thinking of the type of people who *might* get their hands on my/our information. What good is it to give to the people like EPIC when we give our information to people we can't necessarily track down? Can anyone guarantee that we will be able to bring someone to justice, under our laws (and equally for their benefit the Constitution)? I've worked on the phone making sales, and the problem we had was we were banned from taking credit cards because a few people screwed it up for everyone.
Of course, if someone wants the information they can get it. It just makes me wonder why we give our sensitive information to a foreigner when we need parts for our Dell (and by extension everyone else I don't care to list).
Get your Unix fortune now!
I don't think it's racist per se to point out that the scammers were Indian - because they were, and that's not going to change - but it would be racist to extrapolate from that that Indians in general can't be trusted because of the actions of one or two people.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
I only hope this news flashes through the industry and gets in the heads of CEOs and PHBs everywhere who then start aborting outsourcing attempts.
I'm not sure Indians are any more likely to jot down card numbers that thier minimum-wage US counterparts. Except, of course, that an Indian phone jockey makes a better wage (by local standards), arguably giving them less reason to committ such fraud.
It's annoying when you can't understand what someone says on the phone, sure, but I don't think they're any more likely to be criminals than thier western counterparts.
Michael
"Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
The alleged perpetrators used the personal information of four NY-based clients to transfer ~$350,000 (Rs. 1.5 crores) in their names, a large sum in Indian currency.
I would have thought $350,000 is a large sum in ANY currency.
Brother, can you spare $350K?
www.eissq.com/BandP.html Ball and Plate System. Amuse your friends. Crush your enemies.
This brings into issue all the medical, supposidly confidental, data that gets sent to India for transscribing. I hope companies from around the world take a look at the amount of personal information they are sending to around the world with out thought of who might be watching it.
Because I choose to?
It's not important that the scammers were Indian, it is important that employees of an outsourced company were perpetrators of a crime.
I also happen to have my own startup which has an offshore branch - personally, I'd be scared if personal client information were to be misused.
The one reason I did post the Indian part is because I'm hoping that this would get a lot of publicity, and Indian offices would smarten up to such acts by their employees. If you hear about one, you can be assured that there are many more that you don't.
Offshoring and outsourcing is a big thing for India and Indian companies need to take that seriously. If an employee is able to garner significant personal information of clients, then they aren't doing a good job of it.
The only way for them to get that message if this were to get publicity - and business of the said company were to suffer a significant loss for people to send a strong message that they need to do something about this sort of thing.
Bad publicity affects business, and money speaks strongest.
Security is a 'system', and altering or extending a system, can open it to risk that were not originally envisaged when it was established. Adding a new site, adding additional computer systems, new network(s), new operative etc all can alter the security threat mix.
Extending a secure system to a new country, a new language group, a new multi-cultural mix, will also expose the system to a new mix of threats. Ths issue of extending such a system to a different continent, particularly if the operatives there are working at the higher(est) levels, entails exposing the system to all the differences between the new location and the old.
Whether the staff are physically in India or hold Indian state passports is incidental. The significant factors are, a) how close or removed they are from the cultural assumptions of the systems designers, b) how exposed they are to personal weakness, c) how exposed they are to external influence. These are sometimes referred to as Antipathy, Jealousy, Poverty, and Corruption. Placing a call centre in Dehli, Amritsar or Goa would vary the mix, as would placing it in Belfast, Glasgow or Ipswitch.
The plural of anecdote is not evidence.
Looks like a slow day for Slashot if this type of stories get posted =)
According to the police, Thomas, who worked in the callcentre for six months before quitting the job in December 2004, had the secret pincodes of the customers' e-mail IDs, which were used to transfer money. In January, he roped in his friends and transferred money from four accounts of the bank's New York-based customers into their own accounts, opened under fictitious names.The story doesn't even have enough info to classify it as social engineering. People used confidential information to transfet funds. Ok, they used the Internet to do the transfer. Ok, they got PINs from customer emails. What's in there to learn? Where are the "news for nerds" here?
http://www.automatiq.se
You misunderstood, Im not saying they're any different from non-outsourced workers, im just saying i HOPE that people in charge get a knee-jerk reaction to stop outsourcing so that jobs can go back home, in fact in many cases, outsourced people work harder and are more loyal! - thats the whole problem!! who wants to compete with hard-working, loyal and cheap employees? we want our jobs to stay at home.
This comment does not represent the views or opinions of the user.
However, outsourcing to people in less developed parts of the world means that much smaller (and presumably more "readily available") sums of money can provide them with a very good living still & make committing fraud worthwhile in the firstplace.
There are no intended racial overtones in these comments, just observations, and quite frankly it's the mega-corporations I laugh at now that they will start to get their "just desserts" for messing up the economies and lives of so many people for the sake of a few bucks.
Let's face it, if you're a Citibank (if that's who it is) customer that got ripped off by this, you'll get your money back anyway because it's obviously a security issue with the bank themselves, not the customer's fault.
I say good luck to the Indian call centre workers - they're being used as the 21st century equivalent of sweatshop labourers anyway so they should grab what they can before they demand too high wages and they themselves get dumped by the corporations like a lot of the rest of us have.
[INSERT LOUD SCORNING "HA! HA!" HERE]
Gentoo Linux - another day, another USE flag.
What no one's pointed out is that the much maligned Indian police swung into action rather quickly and all accused have been arrested. But no, we're trying to highlight some other facts here. All's well that ends well? And these guys got caught because, let's face it, they were too naive to think they could get away with it. It's darn stupid, never mind the nationality. I doubt we would have seen this story around here if someone sitting in California would have done such a thing. In which case the amount in question would have been much higher as well - while an "evil greedy" Indian is happy a few hundred thousand dollars, I'm sure the American "evil greedy" counterpart would be talking in millions of USD. Reason FOR outsourcing #65241 A "greedy evil" Indian steals less money than their "greedy evil" American counterparts.
What connection do local call centres have with a banks customers that people who live further don't? ...
it's cheaper than giving it to a `fellow American`. I should have thought that were obvious.
A Ha, and you've discovered my complaint. We get paid a lot more, we have less motivation to steal. We depend on that job, we have built a life around it. The paychecks are okay, so the risk to benefit ratio tells me not to steal from customers. On top of that, they are fellow countrymen.
However, in India it is a different story (don't flame, just an example).
The Indian worker is getting paid a fraction of what you've just spent. I sure hope there was no contempt in your voice - contempt breeds contempt. The tech looks at his check and sees a nice amount of money but he sees another option. Really, if he loses this job there will be another American company who will come around (best part is, they don't talk to each other). We've created the economic situation where it makes sense to work for a few weeks and rip a few hundred people off. An organized effort could be dangerous.
No matter... bring the work home and solve the whole problem that way.
Get your Unix fortune now!
Ok I have an abbey account and I recently needed to contact them regarding some information I required so I called them. A woman answered the phone and she was noticebly indian her accent was way to heavy anyway I conclude my business with her (only having to repeat myself a couple of times.
I then did some checking aparently the credit card division had been sold to an american company who then outsourced the call centre to india. I had not been told about this by my bank. So without my express written permision they had exported my personal information to america who then exported it to india.
So are they in breach of the eu data protection act or not ?
I am pretty sure that the dataprotection act states that the data cannot be exported to a country that does not have a data protection act (ala india) but america does have one so that's okay however I don't think americas data protection type act has any such conditions in it so technically they haven't broken it.
I expected slashdot to at least notice this!
It is time to not berate the concept of Outsourcing. We created the Internet, the Communications Network and now we reap the benefits. We Have decided to find the cheapest and best ways to maximize profits That is the Capitalist Model. Criminal activity has and shall always be a part of doing business. You create organizations like the SEC to monitor and police. But when society (The Seasoned Capitalist) clamours for Small Government then be prepared to face the consequences. Unfortunately when we get to taste our own recipes we dont necessarily like it. It has always been the case the last 500 years, that Europe and the US have been able to dictate terms to the rest of the world and when they dont anticipate how things are going to play out they quietly change or withdraw. Unfortunately for them The next 100 years are going to be tumutous as 2 plus billions in China and India shall be in a position to dictate terms we may not like and may have to either retract or create the myth of how Bad "THEY" are. Lets see if we as a society can play by the rules we created but now dont like.
Right, he means piracy.
The other posts are talking about copyright infringement, an act which has been mislabeled by the RIAA et al as "piracy" in order to make it sound horrible.
All HAIL OUTSOURCING. Just imagine this: I live in a POOR country, grew up without clothes on my back, had nothing all my life, still have nothing. A western company comes along. They still pay me $hit (because the reason they're in my country is to save money in the 1st place). I can buy bread, but I am still poor. This bank opens up their customer's accounts to me A battle in now brewing inside of my head: Do I stay a poor slave, or take a chance at the HIGH life. My good side (If I have one) is saying: No, don't do it.....it's wrong.
But the gravity is much stronger on the other side. I've been poor and unfed all my life......living in a place where being in jail could mean I get fed at least daily.....WHAT DO I HAVE TO LOSE?!?!?! Welcome to the beginning of the END
The phaomnneil pweor of the hmuan mnid. Fcuknig amzanig eh!
Whatever you tink about Lou Dobbs, it's very irresponsible to just dismiss him as a racist.
Even "nationalist" is nonsense, he's merely pointing out one of the problems with unresitriced and unbalanced "unfair" trade. Now, you could argue this is a good thing, and we could point out the problems and have a discussion. But by labeling him a racist, the only thing you're trying to do is to "shut down" any arguments by coming up with ridiculous ad hominem attacks.
I'm an immigrant to this country, and I'm not a fan of outsourcing. I'm all for other immigrants from all over the world to continue coming here and contributing their talents to our local economies, but there is a problem when now people don't even want to become US residents, because they jobs are being drained away from here. We're about to face a serious crisis, when our technological workforce is being decimated by these companies. And there's nothing racist in pointing that out, nothing.
As for security, I don't think most if any people here are saying that a particular nationality is less trustworthy. But you'd be a fool if you don't recognize that some of the safety mechanism we enjoy in this country, are not as robust or even exist in other parts of the less developed world. As we deal with the poorest of nations, with our sensitive data, we have to be *extremely* careful. Already, there have been incidents of bribing by local crime syndicates in some of these countries to obtain data to steal identities. Can that happen in the US? Of course! But the question is, where is it more likely, and what are the protections we need to employ in these situations.
There's a rich discussion to be had on this topic, but please, try to come up with something better than "they're racist".
- sigs are for wimps.
Slashdot makes me sad sometimes.
All the outsourcing arguments aside:
With my work experience I can say that I it's so scary, that it makes me want to switch to cash and money orders for everything.
NOTE: I have access to 1 million new SSNs a month.
Consider some of my offshore counter-parts that US law inforcement would have a hard time prosecuting. Someone could sell that data for $250k or, then buy themselves protection from US authorities in a state that doesn't extradite.
This, the Choicepoint, and Lexus Nexus scandals are only the beginning. I'm certain that there are incidents that haven't ever, no will ever even be known. There isn't a law, other than in CA, that forces companies to disclose that there was theft.
This proves that the trouble with outsourcing a call center is with confidential information. Another major problem is pissing off your customers/clients because they can't understand the customer service agents strong accent. I've read several major publications all claiming the above two reasons for not outsourcing their customer service to another country.
There are new laws in the US for privacy. These laws are forcing financial institutions and health insurance companies to better secure their customer/client data. I work in an enterprise environment where we are currently implementing major security changes across all systems just because of the privacy laws. Here's a list of only some of the changes:
1. All users who have access to customer confidential data are completely logged with a full audit log. i.e. you just query a client and only read the data, it's logged. You query a client you shouldn't need to query and a red flag goes up. All transactions are logged and audited. Customer service reps have FULL ACCESS to all client data and transaction history. This need to be protected as much as possible.
2. All users who do not 'need' access to the client data have been removed from access. This includes programmers who once had access to production systems and live customer data. If a production problem occurs, the user has to contact their manager and request a special temporary user ID that is set to expire in 24 hours. This temporary id is issued to the user and reset. When the programmer or engineer is done with the user id, it's returned and reset. If the id is not returned, it's reset automatically within 24 hours or less. These special temp ID's have extra security and logging is more aggressive.
3. All access to client accounts, even access via clients themselves is logged.
4. All call center calls are recorded and archived for long term storage. Clients are told they are on a recorded line three different ways, once the automated voice system tells the user that all calls are recorded, the agent answers the phone and tells the client they are on a recorded line, and three there is a beep now and then to remind the client. Also they are recorded while on hold (just because it's easier then trying to stop recording). I would love to hear what people say when they think they are on hold and no longer being recorded! Call center manager frequently listen in on their service agent calls and review recordings daily.
5. There are departments such as special investigations and some legal departments that end up researching and reviewing logs when necessary. i.e. constantly looking for fraud or assisting the SEC, FBI, or police in an investigation.
Now, you outsource a customer call center to India and you let them access your client data. They need full access just like your local staff did. Trying to secure that data becomes much more difficult then if you are doing it here. Situations like what happened to Citibank are just one possibility. Another one, would be if the Indian Companies network is breached or their servers hijacked? Who really knows, because it's no longer on your network, how do you control the security? Obviously, you can't just host the servers in the US and provide the Indians a secure uplink, the cost is prohibitive and the speed is not great enough. You would have to put the servers in India. Imagine a 1,000 call center reps hitting the servers 24/7 with queries, you can't just pipe that to the US over a leased line!
Outsourcing customer data access to another country opens up major security questions as well as customer relations. I called 411 (information for local telco) and ended up talking to an Indian who couldn't get the name of the restaurant right even though I spelled it for him (Alpha Tango Foxtrot, etc) and kept giving me the wrong number. I gave up and went to the Internet to get the phone number! Try calling Circuit City sometime! I love how they answer the phone with a thick Indian accent but say their name is Chris or Richard! What a hoot, aliases to make them sound American!
While this is just a bunch of individuals being unscrupulous in their handling of other people's money, just wait...
Wait until some unscrupulous coder hand your outsources CVS source tree over to a company in a former Soviet State.
Sure, you have "legal contracts" to prevent that. But once your course is out there, no amount of legal action (even if you do manage to find the people responsible, and manage to get them into a sympathetic jurisdiction) will get your IP back under your control.
Some things are not outsourced, ever, no matter the cost advantage. Some things that should not ever have been outsourced, already have been, because the bean-counters had no sense of the pain to which they could be subject as a result.
Give it time. The access methods to the customer data of major financial and insurance agencies, as well as the sources of major retail packages, are quite likely to be floating around as we speak. And even if they don't get disseminated, they're worth a king's ransom, and such ransom will be due in due time.
The REAL jabber has the user id: 13196
What you do today will cost you a day of your life
Seriously, someone calls you and says they are from your financial institution and need info??? Yeah, right.
In the case of Discover, it was legit. Call me crazy, but its a precaution and extra 15 minutes of trouble I'm willing to take.
Come play Moral Decay!
Habib is what is called a "hatchet man". He is brought in to give people the hatchet, to chop or cull them out of the business. In the end, when the hatchet man has cut enough people, he himself is given the hatchet. Unfortuantely for the American workforce, hatchet men move from company to company, being used like a freelance assassin with a seriously overdriven work ethic, wiping out hordes of workers. Habib is the ultimate expression of the mercenary consultant. In a way, we are all guilty of creating people like him.
[You have a stable society when some nut guns down a schoolyard and the law doesn't change.]
It's too easy to scapegoat Indian call center workers and saying "I told you so". There have to be far more instances of this taking place stateside in the past. I'm sure banks went into overdrive to spin the media coverage on them. Now, we'll probably see a littany of op-eds from morons at the NY Times eluding to how Indian workers can't be trusted.
This is a CITIBANK(unnamed bank) problem, not an outsourcing or Indian workforce problem. Citibank is just too big for it's britches and someone in Citibank's NJ HQ probably got a cut of this scam. Bet you'll see it come out in the investigation months from now, and how other banks are investigating stateside workers who are setting up these scams with workers abroad.
The only difference between what you just described and the western world is in the methods used.
People ask me for money every day as I travel to and from work. A few times a week some company will cold call me and attempt to part me from my money. My inbox is full of spam and phishing emails trying to get me to give away my money - knowingly or otherwise. There are probably people working in the call centers of my bank selling my details to criminals.
I live in New York, one of the richest cities in the world.
---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"