Indian Call Center Employees Hack US Bank Accounts
The Ascended One writes "Call center employees working for an Indian software company, MSource, supposedly used confidential client information to transfer client funds to themselves. The alleged perpetrators used the personal information of four NY-based clients to transfer ~$350,000 (Rs. 1.5 crores) in their names, a large sum in Indian currency. They were caught after the victims alerted the bank officials in the US, who then traced the crime to the Indian city of Pune. While the name of the bank has not been revealed, the article indicates that the bank in question is Citibank."
I wonder if this can be called hacking, looks more like a combination of poor process and security management on the part of Citi (if it is indeed Citi). Companies in the US should be wary of the extent of employee churn that happens in BPO firms in India. I'm in India, and I often get to hear of ex-employees stealing databases when they leave...
Citicards, the credit card division of Citibank, got a new CIO several months ago: Mitchell Habib. He came from GE Medical. Before leaving there, he outsourced about 75% of their IT staff to India. He's currently doing the same at Citi. I worked there as a contractor. Two other contractors on the team and I were unable to get our contracts renewed because it came down from on high that all new contracts had to go through TCS, Tata Consulting Services. They are the Indian outsourcing company that he used in the past. I recently went back to visit some friends and met my replacement. A nice young Indian guy making a third to a quarter of what I made there.
From what I understand, the standard rate for calculating your budget for contract work went from $70/hr to $22/hr. Of course, I believe they charge around $40/hr for their workers in the states.
Can't compete with that.
Here are some links about Mitchell Habib and TCS:
http://www.rediff.com/money/2003/apr/03tcs.htm?zc
http://www.tcs.com/0_media_room/releases/200204ap
-- Jason
I once called a creditor of mine and was obviously routed to an overseas call center. The gentleman on the other end of the phone, after asking me my issue, asked me my social security number. I was hesitant to give it away to a guy in India making $.50 an hour but figured I was being paranoid. I gave him the number and he said please hold. The next thing I knew he put me on hold and I was transferred to another service representative (in the US) who also asked for my social security number. Well, needless to say, I let them have it, basically: "Why would they ask me for my social security number to transfer me?" I started checking my credit report and stopped doing business with the bank. Nothing came of it and I was being paranoid, but the reality is this sort of thing can happen anywhere. At a restaurant you give the server your card. Most servers make low wages and they take your card off to the back room usually.
I work in InfoSec and did a consulting project for a company that sells software (for clearing checks) to a lot of major banks. I was amazed how insecure banks really are! However, the banks rely on their ability to audit all transactions more than secure policies and procedures. So to sum up, it is easy to steal from banks; it is hard not to get caught.
Sanity is the trademark of a weak mind. -- Mark Harrold
Piracy in the UK:
Unlimited fine and 10 years in prison.
Vote rigging in the UK:
Unlimited fine and 2 years in prison...
e.g.
http://news.bbc.co.uk/1/hi/england/west_midlands/
Government of the people, by corporate executives, for corporate profits.
I find this odd. Many jobs that I have tried to get they will not give you if you have bad credit because you are a potential security risk. But now those same companies outsource to some of the poorest countries. How is this not a security risk?
That's exactly the problem though. If you are willing to work for $22/hr, you need to get a job with TCS first, and then get sent to Citi. Now it's a lot like going to work for a staffing firm based in the US, who has a contract with another company in the US...
How easy is it for you to get a job with TCS if you are already based in America? Not very easy. Plus if a company like USAA and Citibank have given exclusive contracts to TCS, then it makes it extremely hard for local recruiting agencies and talent to get the job. How come every company that has a contract with TCS ends up having 20-30 new Indian contractors? Something needs to be done about these exclusive contracts, and TCS needs to be told to first look for local talent. I know lots of people who have lowered their rates, just to compete with the Indians, but these exclusive contracts to companies who naturally are averse to experienced local candidates (can't exploit them as well) need to be changed.
PS: I am an Indian immigrant myself, I moved here when I was 13. And, I am competing for my job with classmates I had in India. I'm not racist or a bigot. I haven't lost my job to an outsourcing firm etc, but that's because I rarely work for large firms that can afford outsourcing in the first place.
Having recently returned from India, one of the biggest things I found was that almost everyone was trying to find a way to part you from your money. Strangely enough, the only place that this wasn't true was in the area near Pakistan (the desert) where the only industry is tourism and the most important need is water.
Leading up to our trip, everyone told us to watch out for pick-pockets. We did not find this to be common. Of course, there were countless people who are willing to tell you anything, including flat-out lies, to take your money.
Basically he hooked up a T1/T3 analyzer to one of their main trunks and started showing how you can split out and split in datastreams to check things like per-channel BER and stuff. Then he hooked up a datacom analyzer to one of the split out channels that had modem traffic on it (which you could see on the T1/T3 analyzer). One of the useful features of the datacom box was a modem which would dump the decoded modem traffic on a phone channel into ASCII and pump it onto the datacom's screen. So they started watching the data traffic in real time.
Pretty quickly it became apparent that he had picked up an ATM transaction. It also became apparent that the entire transaction, including account numbers, names, PINs and transaction commands, was being transmitted 100% in cleartext ASCII over modem! The Wells Fargo IT manager saw this too and, wait for it, he kicked out the HP Sales Rep and AE, yelling and screaming how he never wanted to see any HP test equipment enter a Wells Fargo facility ever again or hear that HP was talking to Wells Fargo IT employees about telecom or datacom products ever again.
Gee, security through obscurity. Needless to say, probably (?) most banks are using at least SSL or SSH by now, but for a measly $20K (in 1990 dollars, far cheaper today) in off-the-shelf equipment you could trivially do a man-in-the-middle replay attack just by putting some cones down and wearing a hardhat and hooking up to one of those telephone boxes outside the bank! And what audit trail other than your word would some poor slob have against an "obvious secure" ATM transaction? None really.
This is absolutely true, unfortunately.