Slashdot Mirror
Indian Call Center Employees Hack US Bank Accounts
The Ascended One writes "Call center employees working for an Indian software company, MSource, supposedly used confidential client information to transfer client funds to themselves. The alleged perpetrators used the personal information of four NY-based clients to transfer ~$350,000 (Rs. 1.5 crores) in their names, a large sum in Indian currency. They were caught after the victims alerted the bank officials in the US, who then traced the crime to the Indian city of Pune. While the name of the bank has not been revealed, the article indicates that the bank in question is Citibank."
I'm a system administrator and most of my customers are in the UK. So when I'm investigating an incident on our servers, and the logs show some activity from Brazil, it makes my job a lot easier.
It doesn't matter where people are located. What matters is that you have trustworthy people handling your business. And, you know what? Untrustworthy people are everywhere.
I, for one, do not buy into this Lou Dobbs racist/nationalist claptrap that says that we can't trust foreigners. I'm one of the biggest foreigners around, if you consider all the places I have to travel to that I'm not actually a citizen of.
Hey, bad people are in India. And in the U.S. And in Europe. And in Asia. Oh my god! They are everywhere!
Luckily, the bad people are outnumbered by the good. I can just take a look at my lists and figure that one out.
When I take credit card info over the phone I could do just the same.
The only slight difference is that it's worth more over there.
So I find it odd that this is considered different.
A blog I run for the wealth
So they should start aborting outsourcing attempts because the US doesn't have data privacy laws?
Rather than phoning up your banks and finding out where your information is ending up, which can be a tedious process, shouldn't you be phoning up your congress representatives and asking them to enact laws which provide for your privacy?
I just have to say that this is a bigger problem than a simple "I told you so".
When you outsource certain operations you are giving people who have no connection with your customers their private information. Banking account numbers? Some people still don't use online banking because it scares them and we don't see this as a huge liability?
Really, what if a few thousand credit card and bank account numbers got into the hands of suspected terrorists? If they made a one time shot at getting items to fence or cash withdraws (wire transfers) and split, they suddenly have resources that was taken right from the American people.
I'm by no means saying that you should be suspect of *any* foreign person or enterprise. I'm thinking of the type of people who *might* get their hands on my/our information. What good is it to give to the people like EPIC when we give our information to people we can't necessarily track down? Can anyone guarantee that we will be able to bring someone to justice, under our laws (and equally for their benefit the Constitution)? I've worked on the phone making sales, and the problem we had was we were banned from taking credit cards because a few people screwed it up for everyone.
Of course, if someone wants the information they can get it. It just makes me wonder why we give our sensitive information to a foreigner when we need parts for our Dell (and by extension everyone else I don't care to list).
Get your Unix fortune now!
I don't think it's racist per se to point out that the scammers were Indian - because they were, and that's not going to change - but it would be racist to extrapolate from that that Indians in general can't be trusted because of the actions of one or two people.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
I only hope this news flashes through the industry and gets in the heads of CEOs and PHBs everywhere who then start aborting outsourcing attempts.
I'm not sure Indians are any more likely to jot down card numbers that thier minimum-wage US counterparts. Except, of course, that an Indian phone jockey makes a better wage (by local standards), arguably giving them less reason to committ such fraud.
It's annoying when you can't understand what someone says on the phone, sure, but I don't think they're any more likely to be criminals than thier western counterparts.
Michael
"Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
The alleged perpetrators used the personal information of four NY-based clients to transfer ~$350,000 (Rs. 1.5 crores) in their names, a large sum in Indian currency.
I would have thought $350,000 is a large sum in ANY currency.
Brother, can you spare $350K?
www.eissq.com/BandP.html Ball and Plate System. Amuse your friends. Crush your enemies.
Security is a 'system', and altering or extending a system, can open it to risk that were not originally envisaged when it was established. Adding a new site, adding additional computer systems, new network(s), new operative etc all can alter the security threat mix.
Extending a secure system to a new country, a new language group, a new multi-cultural mix, will also expose the system to a new mix of threats. Ths issue of extending such a system to a different continent, particularly if the operatives there are working at the higher(est) levels, entails exposing the system to all the differences between the new location and the old.
Whether the staff are physically in India or hold Indian state passports is incidental. The significant factors are, a) how close or removed they are from the cultural assumptions of the systems designers, b) how exposed they are to personal weakness, c) how exposed they are to external influence. These are sometimes referred to as Antipathy, Jealousy, Poverty, and Corruption. Placing a call centre in Dehli, Amritsar or Goa would vary the mix, as would placing it in Belfast, Glasgow or Ipswitch.
The plural of anecdote is not evidence.
Looks like a slow day for Slashot if this type of stories get posted =)
According to the police, Thomas, who worked in the callcentre for six months before quitting the job in December 2004, had the secret pincodes of the customers' e-mail IDs, which were used to transfer money. In January, he roped in his friends and transferred money from four accounts of the bank's New York-based customers into their own accounts, opened under fictitious names.The story doesn't even have enough info to classify it as social engineering. People used confidential information to transfet funds. Ok, they used the Internet to do the transfer. Ok, they got PINs from customer emails. What's in there to learn? Where are the "news for nerds" here?
http://www.automatiq.se
However, outsourcing to people in less developed parts of the world means that much smaller (and presumably more "readily available") sums of money can provide them with a very good living still & make committing fraud worthwhile in the firstplace.
There are no intended racial overtones in these comments, just observations, and quite frankly it's the mega-corporations I laugh at now that they will start to get their "just desserts" for messing up the economies and lives of so many people for the sake of a few bucks.
Let's face it, if you're a Citibank (if that's who it is) customer that got ripped off by this, you'll get your money back anyway because it's obviously a security issue with the bank themselves, not the customer's fault.
I say good luck to the Indian call centre workers - they're being used as the 21st century equivalent of sweatshop labourers anyway so they should grab what they can before they demand too high wages and they themselves get dumped by the corporations like a lot of the rest of us have.
[INSERT LOUD SCORNING "HA! HA!" HERE]
Gentoo Linux - another day, another USE flag.
What connection do local call centres have with a banks customers that people who live further don't? ...
it's cheaper than giving it to a `fellow American`. I should have thought that were obvious.
A Ha, and you've discovered my complaint. We get paid a lot more, we have less motivation to steal. We depend on that job, we have built a life around it. The paychecks are okay, so the risk to benefit ratio tells me not to steal from customers. On top of that, they are fellow countrymen.
However, in India it is a different story (don't flame, just an example).
The Indian worker is getting paid a fraction of what you've just spent. I sure hope there was no contempt in your voice - contempt breeds contempt. The tech looks at his check and sees a nice amount of money but he sees another option. Really, if he loses this job there will be another American company who will come around (best part is, they don't talk to each other). We've created the economic situation where it makes sense to work for a few weeks and rip a few hundred people off. An organized effort could be dangerous.
No matter... bring the work home and solve the whole problem that way.
Get your Unix fortune now!
"This brings into issue all the medical, supposidly confidental, data that gets sent to India for transscribing. I hope companies from around the world take a look at the amount of personal information they are sending to around the world with out thought of who might be watching it.
Corporations as a whole do not care at all about the personal data that they send anywhere; the data is simply a commodity. To companies that are used to dealing with large amounts of commodities (including personal information), the loss or compromise of a certain percentage of the commodity is tolerated and expected. For corporations it is cheaper to pay for the loss than it is to prevent the loss.
Ok I have an abbey account and I recently needed to contact them regarding some information I required so I called them. A woman answered the phone and she was noticebly indian her accent was way to heavy anyway I conclude my business with her (only having to repeat myself a couple of times.
I then did some checking aparently the credit card division had been sold to an american company who then outsourced the call centre to india. I had not been told about this by my bank. So without my express written permision they had exported my personal information to america who then exported it to india.
So are they in breach of the eu data protection act or not ?
I am pretty sure that the dataprotection act states that the data cannot be exported to a country that does not have a data protection act (ala india) but america does have one so that's okay however I don't think americas data protection type act has any such conditions in it so technically they haven't broken it.
Whatever you tink about Lou Dobbs, it's very irresponsible to just dismiss him as a racist.
Even "nationalist" is nonsense, he's merely pointing out one of the problems with unresitriced and unbalanced "unfair" trade. Now, you could argue this is a good thing, and we could point out the problems and have a discussion. But by labeling him a racist, the only thing you're trying to do is to "shut down" any arguments by coming up with ridiculous ad hominem attacks.
I'm an immigrant to this country, and I'm not a fan of outsourcing. I'm all for other immigrants from all over the world to continue coming here and contributing their talents to our local economies, but there is a problem when now people don't even want to become US residents, because they jobs are being drained away from here. We're about to face a serious crisis, when our technological workforce is being decimated by these companies. And there's nothing racist in pointing that out, nothing.
As for security, I don't think most if any people here are saying that a particular nationality is less trustworthy. But you'd be a fool if you don't recognize that some of the safety mechanism we enjoy in this country, are not as robust or even exist in other parts of the less developed world. As we deal with the poorest of nations, with our sensitive data, we have to be *extremely* careful. Already, there have been incidents of bribing by local crime syndicates in some of these countries to obtain data to steal identities. Can that happen in the US? Of course! But the question is, where is it more likely, and what are the protections we need to employ in these situations.
There's a rich discussion to be had on this topic, but please, try to come up with something better than "they're racist".
- sigs are for wimps.