Indian Call Center Employees Hack US Bank Accounts
The Ascended One writes "Call center employees working for an Indian software company, MSource, supposedly used confidential client information to transfer client funds to themselves. The alleged perpetrators used the personal information of four NY-based clients to transfer ~$350,000 (Rs. 1.5 crores) in their names, a large sum in Indian currency. They were caught after the victims alerted the bank officials in the US, who then traced the crime to the Indian city of Pune. While the name of the bank has not been revealed, the article indicates that the bank in question is Citibank."
I'm a system administrator and most of my customers are in the UK. So when I'm investigating an incident on our servers, and the logs show some activity from Brazil, it makes my job a lot easier.
We are sorry to inform you, but your account information has fallen into the hands of employees at an Indian Call center we do work with. Unfortunately, your account may be compromised.
To protect your account, please log into our panel using the link below to change your username and password:
http://www.citibank.com/
Thank you for choosing Citi.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
It doesn't matter where people are located. What matters is that you have trustworthy people handling your business. And, you know what? Untrustworthy people are everywhere.
I, for one, do not buy into this Lou Dobbs racist/nationalist claptrap that says that we can't trust foreigners. I'm one of the biggest foreigners around, if you consider all the places I have to travel to that I'm not actually a citizen of.
Hey, bad people are in India. And in the U.S. And in Europe. And in Asia. Oh my god! They are everywhere!
Luckily, the bad people are outnumbered by the good. I can just take a look at my lists and figure that one out.
I wonder if this can be called hacking, looks more like a combination of poor process and security management on the part of Citi (if it is indeed Citi). Companies in the US should be wary of the extent of employee churn that happens in BPO firms in India. I'm in India, and I often get to hear of ex-employees stealing databases when they leave...
I know this could happen to anyone given a lax state of security.
But it's surely much tougher to vet people who have access to your systems when their whole culture is different (never mind the fact that they're half the world away).
A lot more care needs to be taken when outsourcing internationally, otherwise the savings made will end up being spent on PR & the like after a cock up.
If the TPS reports had had the correct coversheet on them, none of this would have happened!
I only hope this news flashes through the industry and gets in the heads of CEOs and PHBs everywhere who then start aborting outsourcing attempts.
If you're in Europe, fear not, the data protection act bars your personal information from leaving the EU (I think?)... unless it's going to the CIA so they can have you extradited without trial... Either way, if you're worried, call up your bank and demand to know where they send your data, it's public information by law.
This comment does not represent the views or opinions of the user.
When I take credit card info over the phone I could do just the same.
The only slight difference is that it's worth more over there.
So I find it odd that this is considered different.
A blog I run for the wealth
Well, it's not so much a case of us-versus-them, but a matter of accountability and prosecuting them. An earlier poster made the case that this makes it somehow easier to track, but I think this is an absolute load of claptrap.
Remind me again, exactly how many people are there in India? So how exactly does the fact that you know it originated from India help you? Or say Brazil, China, etc - all of these places, though poor, are in fact heavily populated, densely packed, and often the authorities are loath to co-operate with foreign officials (honestly - whose side do you think the Indian police force/bureaucrats are on?)
Outsourcing critical infrastructure, and potentially dangerous data that can bite you back later is a recipe for disaster.
I'm Australian, and recently there was a furor over Boeing's court victory allowing them to discriminate against Australian workers, and select only US citizens - a lot of Australians were mad, but I myself thought that Boeing had a perfectly logical argument.
You can call me a racist (fyi, I'm Chinese - and the US's witch-hunting of Chinese "spies" irks me, but hey, it's another one on a growing pile of 'em...lol), so what the heck...
Victor Hooi
What is it with Indians counting numbers? Even when typing large amounts in numericals, they seem to put commas in unusual places. Could someone explain the system, please?
Citicards, the Credit card division of Citibank, got a new CIO several months ago. Mitchell Habib. He came from GE Medical. Before leaving there, he outsourced about 75% of their IT staff to India. He's currently doing the same at Citi. I worked there as a contractor. Two other contractors on the team and I were unable to get our contracts renewed because it came down from on high that all new contracts had to go thru TCS, Tata Consulting Services. They are the Indian outsourcing company that he used in the past. I recently went back to visit some friends and met my replacement. A nice young Indian guy making a third to a quarter of what I made there.
From what I understand, the standard rate for calculating your budget for contract work went from $70/hr to $22/hr. Of course, I believe they charge around $40/hr for their workers in the states.
Can't compete with that.
Here are some links about Mitchell Habib and TCS:
http://www.rediff.com/money/2003/apr/03tcs.htm?zc
http://www.tcs.com/0_media_room/releases/200204ap
-- Jason
I just have to say that this is a bigger problem than a simple "I told you so".
When you outsource certain operations you are giving people who have no connection with your customers their private information. Banking account numbers? Some people still don't use online banking because it scares them and we don't see this as a huge liability?
Really, what if a few thousand credit card and bank account numbers got into the hands of suspected terrorists? If they made a one time shot at getting items to fence or cash withdrawals (wire transfers) and split, they suddenly have resources that were taken right from the American people.
I'm by no means saying that you should be suspect of *any* foreign person or enterprise. I'm thinking of the type of people who *might* get their hands on my/our information. What good is it to give to the people like EPIC when we give our information to people we can't necessarily track down? Can anyone guarantee that we will be able to bring someone to justice, under our laws (and equally for their benefit the Constitution)? I've worked on the phone making sales, and the problem we had was we were banned from taking credit cards because a few people screwed it up for everyone.
Of course, if someone wants the information they can get it. It just makes me wonder why we give our sensitive information to a foreigner when we need parts for our Dell (and by extension everyone else I don't care to list).
Get your Unix fortune now!
I don't think it's racist per se to point out that the scammers were Indian - because they were, and that's not going to change - but it would be racist to extrapolate from that that Indians in general can't be trusted because of the actions of one or two people.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
The alleged perpetrators used the personal information of four NY-based clients to transfer ~$350,000 (Rs. 1.5 crores) in their names, a large sum in Indian currency.
I would have thought $350,000 is a large sum in ANY currency.
Brother, can you spare $350K?
www.eissq.com/BandP.html Ball and Plate System. Amuse your friends. Crush your enemies.
I once called a creditor of mine and was obviously routed to an overseas call center. The gentleman on the other end of the phone after asking me my issue asked me my social security number. I was hesitant to give it away to a guy in India making $.50 an hour but figured I was being paranoid. I gave him the number and he said please hold. The next thing I knew he put me on hold and I was transferred to another service representative (in the US) who also asked for my social security number. Well needless to say I let them have it basically "Why would they ask me for my social security number to transfer me?" I started checking my credit report and stopped doing business with the bank. Nothing came of it and I was being paranoid but the reality is this sort of thing can happen anywhere. At a restaurant you give the server your card. Most servers make low wages and they take your card off to the back room usually.
I really should update my account details in Citibank, as per the email that I got awhile ago.
They said my monies will be stoeled if I don't
This brings into issue all the medical, supposedly confidential, data that gets sent to India for transcribing. I hope companies from around the world take a look at the amount of personal information they are sending around the world without thought of who might be watching it.
Security is a 'system', and altering or extending a system can open it to risks that were not originally envisaged when it was established. Adding a new site, adding additional computer systems, new network(s), new operative etc all can alter the security threat mix.
Extending a secure system to a new country, a new language group, a new multi-cultural mix, will also expose the system to a new mix of threats. The issue of extending such a system to a different continent, particularly if the operatives there are working at the higher(est) levels, entails exposing the system to all the differences between the new location and the old.
Whether the staff are physically in India or hold Indian state passports is incidental. The significant factors are, a) how close or removed they are from the cultural assumptions of the systems designers, b) how exposed they are to personal weakness, c) how exposed they are to external influence. These are sometimes referred to as Antipathy, Jealousy, Poverty, and Corruption. Placing a call centre in Delhi, Amritsar or Goa would vary the mix, as would placing it in Belfast, Glasgow or Ipswich.
The plural of anecdote is not evidence.
Looks like a slow day for Slashdot if this type of story gets posted =)
According to the police, Thomas, who worked in the callcentre for six months before quitting the job in December 2004, had the secret pincodes of the customers' e-mail IDs, which were used to transfer money. In January, he roped in his friends and transferred money from four accounts of the bank's New York-based customers into their own accounts, opened under fictitious names.
The story doesn't even have enough info to classify it as social engineering. People used confidential information to transfer funds. Ok, they used the Internet to do the transfer. Ok, they got PINs from customer emails. What's in there to learn? Where are the "news for nerds" here?
http://www.automatiq.se
'Ivan Samuel Thomas' doesn't sound like an Indian name... but that could just be my racist background showing (?).
deus does not exist but if he does
Piracy in the UK:
Unlimited fine and 10 years in prison.
Vote rigging in the UK:
Unlimited fine and 2 years in prison...
e.g.
http://news.bbc.co.uk/1/hi/england/west_midlands/
Government of the people, by corporate executives, for corporate profits.
I own a company in Europe and part of one in ****.
I ordered products from the **** company and transferred the money to them from Citibank by telephone banking.
I had a call back from Citibank, an 'anti-money laundering' call to check the purpose of the money transfer requesting the telephone number of the **** company to receive the money.
A day later the ***** company receives a call asking for wholesale pricing information from an Indian company that competes with me to the FINANCIAL CONTROLLER'S telephone number, not the usual secretary's number.
How did they get that number?
Some background on Citibank's unresolved history of association with serious fraud:
here
and
here
Anyone else see the irony with the Citibank advertisement smacked right in the middle of the story? Even if the story doesn't identify them, bad publicity is still publicity.
Truth is realized, not told...
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
blakespot
-- Heisenberg may have slept here.
iPod Hacks.com
However, outsourcing to people in less developed parts of the world means that much smaller (and presumably more "readily available") sums of money can provide them with a very good living still & make committing fraud worthwhile in the first place.
There are no intended racial overtones in these comments, just observations, and quite frankly it's the mega-corporations I laugh at now that they will start to get their "just desserts" for messing up the economies and lives of so many people for the sake of a few bucks.
Let's face it, if you're a Citibank (if that's who it is) customer that got ripped off by this, you'll get your money back anyway because it's obviously a security issue with the bank themselves, not the customer's fault.
I say good luck to the Indian call centre workers - they're being used as the 21st century equivalent of sweatshop labourers anyway so they should grab what they can before they demand too high wages and they themselves get dumped by the corporations like a lot of the rest of us have.
[INSERT LOUD SCORNING "HA! HA!" HERE]
Gentoo Linux - another day, another USE flag.
With this event, something much more serious has taken place. We have begun to outsource criminal activity. Oh the horror. What about the children of the criminals in the US? Where will they get their crack money?
This is very serious. We need to act now to prevent tossing away the lives of those in the US who have worked sometimes for their entire lives committing crime. While it might be possible for an engineer or call center employee to be retrained for a new job, we have lots of experience that says we are not very good at retraining our criminals. After all, there are only so many CEO positions available in the US.
--- Liberty in our Lifetime
What no one's pointed out is that the much maligned Indian police swung into action rather quickly and all accused have been arrested. But no, we're trying to highlight some other facts here. All's well that ends well? And these guys got caught because, let's face it, they were too naive to think they could get away with it. It's darn stupid, never mind the nationality. I doubt we would have seen this story around here if someone sitting in California would have done such a thing. In which case the amount in question would have been much higher as well - while an "evil greedy" Indian is happy with a few hundred thousand dollars, I'm sure the American "evil greedy" counterpart would be talking in millions of USD. Reason FOR outsourcing #65241: A "greedy evil" Indian steals less money than their "greedy evil" American counterparts.
I have an Indian guy in my office, and I got him to make a list of several very offensive curses in his native language. If I suspect I'm on the line with someone in India that is faking a name and accent, I play along for a bit and then say something on the list (I have no idea what they mean). A lot of times the American accent breaks down and I hear some yelling but it appears to be an effective litmus test. An American on the line just says "huh? cell phone going out?"
What connection do local call centres have with a bank's customers that people who live further don't? ...
it's cheaper than giving it to a `fellow American`. I should have thought that were obvious.
A Ha, and you've discovered my complaint. We get paid a lot more, we have less motivation to steal. We depend on that job, we have built a life around it. The paychecks are okay, so the risk to benefit ratio tells me not to steal from customers. On top of that, they are fellow countrymen.
However, in India it is a different story (don't flame, just an example).
The Indian worker is getting paid a fraction of what you've just spent. I sure hope there was no contempt in your voice - contempt breeds contempt. The tech looks at his check and sees a nice amount of money but he sees another option. Really, if he loses this job there will be another American company who will come around (best part is, they don't talk to each other). We've created the economic situation where it makes sense to work for a few weeks and rip a few hundred people off. An organized effort could be dangerous.
No matter... bring the work home and solve the whole problem that way.
Get your Unix fortune now!
That's exactly the problem though. If you are willing to work for $22/hr, you need to get a job with TCS first, and then get sent to Citi. Now it's a lot like going to work for a staffing firm based in the US, who has a contract with another company in the US...
How easy is it for you to get a job with TCS if you are already based in America? Not very easy. Plus if a company like USAA and Citibank have given exclusive contracts to TCS, then it makes it extremely hard for local recruiting agencies and talent to get the job. How come every company that has a contract with TCS ends up having 20-30 new Indian contractors? Something needs to be done about these exclusive contracts, and TCS needs to be told to first look for local talent. I know lots of people who have lowered their rates, just to compete with the Indians, but these exclusive contracts to companies who naturally are averse to experienced local candidates (can't exploit them as well), need to be changed.
PS: I am an Indian immigrant myself, I moved here when I was 13. And, I am competing for my job with classmates I had in India. I'm not racist or a bigot. I haven't lost my job to an outsourcing firm etc, but that's because I rarely work for large firms that can afford outsourcing in the first place.
Having recently returned from India, one of the biggest things I found was that almost everyone was trying to find a way to part you with your money. Strangely enough, the only place that this wasn't true was in the area near Pakistan (the desert) where the only industry is tourism and the most important need is water.
Leading up to our trip, everyone told us to watch out for pick-pockets. We did not find this to be common. Of course, there were countless people who are willing to tell you anything, including flat-out lies, to take your money.
Now they're outsourcing our crimes!
I expected slashdot to at least notice this!
"Then the New York Times article, titled "We're From Bangalore (But We're Not Allowed To Tell You)" revealed all. Indian call centers now had to acquire American accents and generic Anglo names..."
From http://www.corpwatch.org/article.php?id=10048
Before you design for reuse, make sure to design it for use.
Having recently returned from India, one of the biggest things I found was that almost everyone was trying to find a way to part you with your money...Of course, there were countless people who are willing to tell you anything, including flat-out lies, to take your money.
You sure that was India, and not Washington DC?
It is tax season in the US.
H&R Block outsources much of its tax prep.
Same deal. The work is being done, with your personal information, a hemisphere away, by people who are not bound by our laws.
All HAIL OUTSOURCING. Just imagine this: I live in a POOR country, grew up without clothes on my back, had nothing all my life, still have nothing. A western company comes along. They still pay me $hit (because the reason they're in my country is to save money in the 1st place). I can buy bread, but I am still poor. This bank opens up their customers' accounts to me. A battle is now brewing inside of my head: Do I stay a poor slave, or take a chance at the HIGH life. My good side (If I have one) is saying: No, don't do it.....it's wrong.
But the gravity is much stronger on the other side. I've been poor and unfed all my life......living in a place where being in jail could mean I get fed at least daily.....WHAT DO I HAVE TO LOSE?!?!?! Welcome to the beginning of the END
The phaomnneil pweor of the hmuan mnid. Fcuknig amzanig eh!
Whatever you think about Lou Dobbs, it's very irresponsible to just dismiss him as a racist.
Even "nationalist" is nonsense, he's merely pointing out one of the problems with unrestricted and unbalanced "unfair" trade. Now, you could argue this is a good thing, and we could point out the problems and have a discussion. But by labeling him a racist, the only thing you're trying to do is to "shut down" any arguments by coming up with ridiculous ad hominem attacks.
I'm an immigrant to this country, and I'm not a fan of outsourcing. I'm all for other immigrants from all over the world to continue coming here and contributing their talents to our local economies, but there is a problem when now people don't even want to become US residents, because the jobs are being drained away from here. We're about to face a serious crisis, when our technological workforce is being decimated by these companies. And there's nothing racist in pointing that out, nothing.
As for security, I don't think most if any people here are saying that a particular nationality is less trustworthy. But you'd be a fool if you don't recognize that some of the safety mechanisms we enjoy in this country are not as robust or don't even exist in other parts of the less developed world. As we deal with the poorest of nations, with our sensitive data, we have to be *extremely* careful. Already, there have been incidents of bribing by local crime syndicates in some of these countries to obtain data to steal identities. Can that happen in the US? Of course! But the question is, where is it more likely, and what are the protections we need to employ in these situations.
There's a rich discussion to be had on this topic, but please, try to come up with something better than "they're racist".
- sigs are for wimps.
All the outsourcing arguments aside:
With my work experience I can say that it's so scary, that it makes me want to switch to cash and money orders for everything.
NOTE: I have access to 1 million new SSNs a month.
Consider some of my offshore counterparts that US law enforcement would have a hard time prosecuting. Someone could sell that data for $250k or, then buy themselves protection from US authorities in a state that doesn't extradite.
This, the ChoicePoint, and LexisNexis scandals are only the beginning. I'm certain that there are incidents that haven't ever, nor will ever even be known. There isn't a law, other than in CA, that forces companies to disclose that there was theft.
This proves that the trouble with outsourcing a call center is with confidential information. Another major problem is pissing off your customers/clients because they can't understand the customer service agent's strong accent. I've read several major publications all claiming the above two reasons for not outsourcing their customer service to another country.
There are new laws in the US for privacy. These laws are forcing financial institutions and health insurance companies to better secure their customer/client data. I work in an enterprise environment where we are currently implementing major security changes across all systems just because of the privacy laws. Here's a list of only some of the changes:
1. All users who have access to customer confidential data are completely logged with a full audit log. i.e. you just query a client and only read the data, it's logged. You query a client you shouldn't need to query and a red flag goes up. All transactions are logged and audited. Customer service reps have FULL ACCESS to all client data and transaction history. This needs to be protected as much as possible.
2. All users who do not 'need' access to the client data have been removed from access. This includes programmers who once had access to production systems and live customer data. If a production problem occurs, the user has to contact their manager and request a special temporary user ID that is set to expire in 24 hours. This temporary ID is issued to the user and reset. When the programmer or engineer is done with the user ID, it's returned and reset. If the ID is not returned, it's reset automatically within 24 hours or less. These special temp IDs have extra security and logging is more aggressive.
3. All access to client accounts, even access via clients themselves is logged.
4. All call center calls are recorded and archived for long term storage. Clients are told they are on a recorded line three different ways: once the automated voice system tells the user that all calls are recorded, the agent answers the phone and tells the client they are on a recorded line, and three there is a beep now and then to remind the client. Also they are recorded while on hold (just because it's easier than trying to stop recording). I would love to hear what people say when they think they are on hold and no longer being recorded! Call center managers frequently listen in on their service agent calls and review recordings daily.
5. There are departments such as special investigations and some legal departments that end up researching and reviewing logs when necessary. i.e. constantly looking for fraud or assisting the SEC, FBI, or police in an investigation.
Now, you outsource a customer call center to India and you let them access your client data. They need full access just like your local staff did. Trying to secure that data becomes much more difficult than if you are doing it here. Situations like what happened to Citibank are just one possibility. Another one, would be if the Indian company's network is breached or their servers hijacked? Who really knows, because it's no longer on your network, how do you control the security? Obviously, you can't just host the servers in the US and provide the Indians a secure uplink, the cost is prohibitive and the speed is not great enough. You would have to put the servers in India. Imagine 1,000 call center reps hitting the servers 24/7 with queries, you can't just pipe that to the US over a leased line!
Outsourcing customer data access to another country opens up major security questions as well as customer relations. I called 411 (information for local telco) and ended up talking to an Indian who couldn't get the name of the restaurant right even though I spelled it for him (Alpha Tango Foxtrot, etc) and kept giving me the wrong number. I gave up and went to the Internet to get the phone number! Try calling Circuit City sometime! I love how they answer the phone with a thick Indian accent but say their name is Chris or Richard! What a hoot, aliases to make them sound American!
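An added example (not part of the comment above and not any bank's real system) of the audit review that points 1 and 2 of that comment describe: flag a rep's lookup of a client with no recorded call to justify it, and flag any use of a temporary ID outside its 24-hour issuance. The record fields, the `tmp-` naming scheme, the 30-minute call window and all sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

TEMP_ID_LIFETIME = timedelta(hours=24)  # from the comment: temp IDs reset within 24 hours
CALL_WINDOW = timedelta(minutes=30)     # assumption: lookups near a recorded call are expected
TEMP_PREFIX = "tmp-"                    # assumption: naming scheme for temporary IDs


@dataclass(frozen=True)
class Access:            # one audit-log row; reads are logged as well as writes
    when: datetime
    user: str
    client: str
    action: str


@dataclass(frozen=True)
class Call:              # one recorded call between an agent and a client
    start: datetime
    end: datetime
    agent: str
    client: str


@dataclass(frozen=True)
class TempGrant:         # one issuance of a temporary production ID
    temp_id: str
    issued: datetime
    returned: Optional[datetime] = None


def grant_active(grant, when):
    """True while the grant is issued, not yet returned, and under 24 hours old."""
    expiry = grant.issued + TEMP_ID_LIFETIME
    if grant.returned is not None:
        expiry = min(expiry, grant.returned)
    return grant.issued <= when < expiry


def review(accesses, calls, grants):
    """Return (access, reason) pairs that a reviewer should look at, oldest first."""
    calls_by_pair = defaultdict(list)
    for call in calls:
        calls_by_pair[(call.agent, call.client)].append(call)
    grants_by_id = defaultdict(list)
    for grant in grants:
        grants_by_id[grant.temp_id].append(grant)

    flags = []
    for acc in sorted(accesses, key=lambda a: a.when):
        if acc.user.startswith(TEMP_PREFIX):
            # The same temp ID is reissued after each reset, so check every issuance.
            if not any(grant_active(g, acc.when) for g in grants_by_id[acc.user]):
                flags.append((acc, "TEMP_ID_NOT_ACTIVE"))
            continue
        near_call = any(
            c.start - CALL_WINDOW <= acc.when <= c.end + CALL_WINDOW
            for c in calls_by_pair[(acc.user, acc.client)]
        )
        if not near_call:
            flags.append((acc, "NO_MATCHING_CALL"))
    return flags


def t(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample data (not from any real system).
CALLS = [Call(t("2005-04-04 14:00"), t("2005-04-04 14:12"), "rep017", "C-1001")]
GRANTS = [
    TempGrant("tmp-01", t("2005-04-04 15:00"), returned=t("2005-04-04 18:00")),
    TempGrant("tmp-02", t("2005-04-05 09:00")),          # never handed back
]
ACCESSES = [
    Access(t("2005-04-04 14:03"), "rep017", "C-1001", "read"),   # during the call
    Access(t("2005-04-04 14:20"), "rep017", "C-2002", "read"),   # no call with this client
    Access(t("2005-04-04 23:50"), "rep017", "C-1001", "read"),   # hours after the call
    Access(t("2005-04-04 16:00"), "tmp-01", "C-3003", "write"),  # inside the grant
    Access(t("2005-04-04 19:00"), "tmp-01", "C-3003", "read"),   # after the ID was returned
    Access(t("2005-04-06 10:00"), "tmp-02", "C-4004", "read"),   # past the 24-hour limit
]

if __name__ == "__main__":
    for acc, reason in review(ACCESSES, CALLS, GRANTS):
        print(acc.when, acc.user, acc.client, acc.action, reason)
```

Read-only lookups are flagged the same way as writes, which is the point of logging reads in the first place: the review depends on the access log being complete and on call records being kept somewhere the reps cannot edit.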
While this is just a bunch of individuals being unscrupulous in their handling of other people's money, just wait...
Wait until some unscrupulous coder hands your outsourced CVS source tree over to a company in a former Soviet State.
Sure, you have "legal contracts" to prevent that. But once your source is out there, no amount of legal action (even if you do manage to find the people responsible, and manage to get them into a sympathetic jurisdiction) will get your IP back under your control.
Some things are not outsourced, ever, no matter the cost advantage. Some things that should not ever have been outsourced, already have been, because the bean-counters had no sense of the pain to which they could be subject as a result.
Give it time. The access methods to the customer data of major financial and insurance agencies, as well as the sources of major retail packages, are quite likely to be floating around as we speak. And even if they don't get disseminated, they're worth a king's ransom, and such ransom will be due in due time.
The REAL jabber has the user id: 13196
What you do today will cost you a day of your life
"Do I stay a poor slave, or take a chance at the HIGH life. My good side (If I have one) is saying: No, don't do it.....it's wrong. But the gravity is much stronger on the other side. I've been poor and unfed all my life......living in a place where being in jail could mean I get fed at least daily....."
Do you even know what you are talking about? Call center workers are not 'poor slaves'... they make more money than the average Indian, and have better working conditions. Heck, please do get out of your well and learn more about the world around you.
"When the only tool you own is a hammer, every problem begins to resemble a nail." - Abraham Maslow (1908-1970)
Did anyone notice the mastermind's name was Ivan Samuel Thomas? I don't know any Indian guys named Ivan, Samuel, or Thomas. What's up with that? Are we exporting our criminals too?
It's too easy to scapegoat Indian call center workers and say "I told you so". There have to be far more instances of this taking place stateside in the past. I'm sure banks went into overdrive to spin the media coverage on them. Now, we'll probably see a litany of op-eds from morons at the NY Times alluding to how Indian workers can't be trusted.
This is a CITIBANK (unnamed bank) problem, not an outsourcing or Indian workforce problem. Citibank is just too big for its britches and someone in Citibank's NJ HQ probably got a cut of this scam. Bet you'll see it come out in the investigation months from now, and how other banks are investigating stateside workers who are setting up these scams with workers abroad.
There are liberals in congress? I see democrats but no liberals.