Indian Call Center Employees Hack US Bank Accounts
The Ascended One writes "Call center employees working for an Indian software company, MSource, supposedly used confidential client information to transfer client funds to themselves. The alleged perpetrators used the personal information of four NY-based clients to transfer ~$350,000 (Rs. 1.5 crores) in their names, a large sum in Indian currency. They were caught after the victims alerted the bank officials in the US, who then traced the crime to the Indian city of Pune. While the name of the bank has not been revealed, the article indicates that the bank in question is Citibank."
I'm a system administrator and most of my customers are in the UK. So when I'm investigating an incident on our servers, and the logs show some activity from Brazil, it makes my job a lot easier.
We are sorry to inform you, but your account information has fallen into the hands of employees at an Indian Call center we do work with. Unfortunately, your account may be compromised.
To protect your account, please log into our panel using the link below to change your username and password:
http://www.citibank.com/
Thank you for choosing Citi.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
It doesn't matter where people are located. What matters is that you have trustworthy people handling your business. And, you know what? Untrustworthy people are everywhere.
I, for one, do not buy into this Lou Dobbs racist/nationalist claptrap that says that we can't trust foreigners. I'm one of the biggest foreigners around, if you consider all the places I have to travel to that I'm not actually a citizen of.
Hey, bad people are in India. And in the U.S. And in Europe. And in Asia. Oh my god! They are everywhere!
Luckily, the bad people are outnumbered by the good. I can just take a look at my lists and figure that one out.
I wonder if this can be called hacking, looks more like a combination of poor process and security management on the part of Citi (if it is indeed Citi). Companies in the US should be wary of the extent of employee churn that happens in BPO firms in India. I'm in India, and I often get to hear of ex-employees stealing databases when they leave...
If the TPS reports had had the correct coversheet on them, none of this would have happened!
When I take credit card info over the phone I could do just the same.
The only slight difference is that it's worth more over there.
So I find it odd that this is considered different.
A blog I run for the wealth
So they should start aborting outsourcing attempts because the US doesn't have data privacy laws?
Rather than phoning up your banks and finding out where your information is ending up, which can be a tedious process, shouldn't you be phoning up your congress representatives and asking them to enact laws which provide for your privacy?
Citicards, the Credit card division of Citibank, got a new CIO several months ago. Mitchell Habib. He came from GE Medical. Before leaving there, he outsourced about 75% of their IT staff to India. He's currently doing the same at Citi. I worked there as a contractor. Two other contractors on the team and I were unable to get our contracts renewed because it came down from on high that all new contracts had to go thru TCS, Tata Consulting Services. They are the Indian outsourcing company that he used in the past. I recently went back to visit some friends and met my replacement. A nice young Indian guy making a third to a quarter of what I made there.
From what I understand, the standard rate for calculating your budget for contract work went from $70/hr to $22/hr. Of course, I believe they charge around $40/hr for their workers in the states.
Can't compete with that.
Here are some links about Mitchell Habib and TCS:
http://www.rediff.com/money/2003/apr/03tcs.htm?zc
http://www.tcs.com/0_media_room/releases/200204ap
-- Jason
I just have to say that this is a bigger problem than a simple "I told you so".
When you outsource certain operations you are giving people who have no connection with your customers their private information. Banking account numbers? Some people still don't use online banking because it scares them and we don't see this as a huge liability?
Really, what if a few thousand credit card and bank account numbers got into the hands of suspected terrorists? If they made a one time shot at getting items to fence or cash withdrawals (wire transfers) and split, they suddenly have resources that were taken right from the American people.
I'm by no means saying that you should be suspect of *any* foreign person or enterprise. I'm thinking of the type of people who *might* get their hands on my/our information. What good is it to give to the people like EPIC when we give our information to people we can't necessarily track down? Can anyone guarantee that we will be able to bring someone to justice, under our laws (and equally for their benefit the Constitution)? I've worked on the phone making sales, and the problem we had was we were banned from taking credit cards because a few people screwed it up for everyone.
Of course, if someone wants the information they can get it. It just makes me wonder why we give our sensitive information to a foreigner when we need parts for our Dell (and by extension everyone else I don't care to list).
Get your Unix fortune now!
I don't think it's racist per se to point out that the scammers were Indian - because they were, and that's not going to change - but it would be racist to extrapolate from that that Indians in general can't be trusted because of the actions of one or two people.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
I only hope this news flashes through the industry and gets in the heads of CEOs and PHBs everywhere who then start aborting outsourcing attempts.
I'm not sure Indians are any more likely to jot down card numbers than their minimum-wage US counterparts. Except, of course, that an Indian phone jockey makes a better wage (by local standards), arguably giving them less reason to commit such fraud.
It's annoying when you can't understand what someone says on the phone, sure, but I don't think they're any more likely to be criminals than their western counterparts.
Michael
"Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
The alleged perpetrators used the personal information of four NY-based clients to transfer ~$350,000 (Rs. 1.5 crores) in their names, a large sum in Indian currency.
I would have thought $350,000 is a large sum in ANY currency.
Brother, can you spare $350K?
www.eissq.com/BandP.html Ball and Plate System. Amuse your friends. Crush your enemies.
It's just a different way of grouping of decimal places. In India it's common to have them group two decimal places instead of three. Get a better description here: http://www.answers.com/topic/indian-numbering-system
Globalisation is however making Indians, albeit reluctantly, shift to the million/billion system, but it'll take time...
I once called a creditor of mine and was obviously routed to an overseas call center. The gentleman on the other end of the phone, after asking me my issue, asked me my social security number. I was hesitant to give it away to a guy in India making $.50 an hour but figured I was being paranoid. I gave him the number and he said please hold. The next thing I knew he put me on hold and I was transferred to another service representative (in the US) who also asked for my social security number. Well, needless to say, I let them have it, basically "Why would they ask me for my social security number to transfer me?" I started checking my credit report and stopped doing business with the bank. Nothing came of it and I was being paranoid, but the reality is this sort of thing can happen anywhere. At a restaurant you give the server your card. Most servers make low wages and they take your card off to the back room usually.
I really should update my account details in Citibank, as per the email that I got awhile ago.
They said my monies will be stoeled if I don't
Security is a 'system', and altering or extending a system can open it to risks that were not originally envisaged when it was established. Adding a new site, adding additional computer systems, new network(s), new operatives etc. all can alter the security threat mix.
Extending a secure system to a new country, a new language group, a new multi-cultural mix, will also expose the system to a new mix of threats. The issue of extending such a system to a different continent, particularly if the operatives there are working at the higher(est) levels, entails exposing the system to all the differences between the new location and the old.
Whether the staff are physically in India or hold Indian state passports is incidental. The significant factors are, a) how close or removed they are from the cultural assumptions of the systems designers, b) how exposed they are to personal weakness, c) how exposed they are to external influence. These are sometimes referred to as Antipathy, Jealousy, Poverty, and Corruption. Placing a call centre in Delhi, Amritsar or Goa would vary the mix, as would placing it in Belfast, Glasgow or Ipswich.
The plural of anecdote is not evidence.
Looks like a slow day for Slashdot if this type of story gets posted =)
According to the police, Thomas, who worked in the callcentre for six months before quitting the job in December 2004, had the secret pincodes of the customers' e-mail IDs, which were used to transfer money. In January, he roped in his friends and transferred money from four accounts of the bank's New York-based customers into their own accounts, opened under fictitious names.
The story doesn't even have enough info to classify it as social engineering. People used confidential information to transfer funds. Ok, they used the Internet to do the transfer. Ok, they got PINs from customer emails. What's in there to learn? Where are the "news for nerds" here?
http://www.automatiq.se
The system is the, afaik, British/European.
The Least significant 3 digits are grouped together, then it is in groups of two digits each.
For example, 3000000 in American notation is: 3,000,000 [3 million] and in the Indian system is 30,00,000 [30 lakhs].
Also, the commonly used powers of 10 include:
1 lakh - 1/10th of a million
and
1 crore - 10 millions.
Piracy in the UK:
Unlimited fine and 10 years in prison.
Vote rigging in the UK:
Unlimited fine and 2 years in prison...
e.g.
http://news.bbc.co.uk/1/hi/england/west_midlands/
Government of the people, by corporate executives, for corporate profits.
I own a company in Europe and part of one in ****.
I ordered products from the **** company and transferred the money to them from Citibank by telephone banking.
I had a call back from Citibank, an 'anti-money laundering' call to check the purpose of the money transfer requesting the telephone number of the **** company to receive the money.
A day later the ***** company receives a call asking for wholesale pricing information from an Indian company that competes with me to the FINANCIAL CONTROLLER'S telephone number, not the usual secretary's number.
How did they get that number?
Some background on Citibank's unresolved history of association with serious fraud:
here
and
here
However, outsourcing to people in less developed parts of the world means that much smaller (and presumably more "readily available") sums of money can provide them with a very good living still & make committing fraud worthwhile in the first place.
There are no intended racial overtones in these comments, just observations, and quite frankly it's the mega-corporations I laugh at now that they will start to get their "just desserts" for messing up the economies and lives of so many people for the sake of a few bucks.
Let's face it, if you're a Citibank (if that's who it is) customer that got ripped off by this, you'll get your money back anyway because it's obviously a security issue with the bank themselves, not the customer's fault.
I say good luck to the Indian call centre workers - they're being used as the 21st century equivalent of sweatshop labourers anyway so they should grab what they can before they demand too high wages and they themselves get dumped by the corporations like a lot of the rest of us have.
[INSERT LOUD SCORNING "HA! HA!" HERE]
Gentoo Linux - another day, another USE flag.
With this event, something much more serious has taken place. We have begun to outsource criminal activity. Oh the horror. What about the children of the criminals in the US? Where will they get their crack money?
This is very serious. We need to act now to prevent tossing away the lives of those in the US who have worked sometimes for their entire lives committing crime. While it might be possible for an engineer or call center employee to be retrained for a new job, we have lots of experience that says we are not very good at retraining our criminals. After all, there are only so many CEO positions available in the US.
--- Liberty in our Lifetime
I have an Indian guy in my office, and I got him to make a list of several very offensive curses in his native language. If I suspect I'm on the line with someone in India that is faking a name and accent, I play along for a bit and then say something on the list (I have no idea what they mean). A lot of times the American accent breaks down and I hear some yelling but it appears to be an effective litmus test. An American on the line just says "huh? cell phone going out?"
What connection do local call centres have with a bank's customers that people who live further don't? ...
it's cheaper than giving it to a `fellow American`. I should have thought that were obvious.
A Ha, and you've discovered my complaint. We get paid a lot more, we have less motivation to steal. We depend on that job, we have built a life around it. The paychecks are okay, so the risk to benefit ratio tells me not to steal from customers. On top of that, they are fellow countrymen.
However, in India it is a different story (don't flame, just an example).
The Indian worker is getting paid a fraction of what you've just spent. I sure hope there was no contempt in your voice - contempt breeds contempt. The tech looks at his check and sees a nice amount of money but he sees another option. Really, if he loses this job there will be another American company who will come around (best part is, they don't talk to each other). We've created the economic situation where it makes sense to work for a few weeks and rip a few hundred people off. An organized effort could be dangerous.
No matter... bring the work home and solve the whole problem that way.
Get your Unix fortune now!
"This brings into issue all the medical, supposedly confidential, data that gets sent to India for transcribing. I hope companies from around the world take a look at the amount of personal information they are sending around the world without thought of who might be watching it."
Corporations as a whole do not care at all about the personal data that they send anywhere; the data is simply a commodity. To companies that are used to dealing with large amounts of commodities (including personal information), the loss or compromise of a certain percentage of the commodity is tolerated and expected. For corporations it is cheaper to pay for the loss than it is to prevent the loss.
That's exactly the problem though. If you are willing to work for $22/hr, you need to get a job with TCS first, and then get sent to Citi. Now it's a lot like going to work for a staffing firm based in the US, who has a contract with another company in the US...
How easy is it for you to get a job with TCS if you are already based in America? Not very easy. Plus if companies like USAA and Citibank have given exclusive contracts to TCS, then it makes it extremely hard for local recruiting agencies and talent to get the job. How come every company that has a contract with TCS ends up having 20-30 new Indian contractors? Something needs to be done about these exclusive contracts, and TCS needs to be told to first look for local talent. I know lots of people who have lowered their rates, just to compete with the Indians, but these exclusive contracts to companies who are naturally averse to experienced local candidates (can't exploit them as well) need to be changed.
PS: I am an Indian immigrant myself, I moved here when I was 13. And, I am competing for my job with classmates I had in India. I'm not racist or a bigot. I haven't lost my job to an outsourcing firm etc, but that's because I rarely work for large firms that can afford outsourcing in the first place.
Having recently returned from India, one of the biggest things I found was that almost everyone was trying to find a way to part you with your money. Strangely enough, the only place that this wasn't true was in the area near Pakistan (the desert) where the only industry is tourism and the most important need is water.
Leading up to our trip, everyone told us to watch out for pick-pockets. We did not find this to be common. Of course, there were countless people who are willing to tell you anything, including flat-out lies, to take your money.
Ok, I have an Abbey account and I recently needed to contact them regarding some information I required, so I called them. A woman answered the phone and she was noticeably Indian, her accent was way too heavy. Anyway, I concluded my business with her (only having to repeat myself a couple of times).
I then did some checking. Apparently the credit card division had been sold to an American company who then outsourced the call centre to India. I had not been told about this by my bank. So without my express written permission they had exported my personal information to America, who then exported it to India.
So are they in breach of the EU Data Protection Act or not?
I am pretty sure that the Data Protection Act states that the data cannot be exported to a country that does not have a data protection act (a la India), but America does have one so that's okay. However, I don't think America's data protection type act has any such conditions in it, so technically they haven't broken it.
Now they're outsourcing our crimes!
Whatever you think about Lou Dobbs, it's very irresponsible to just dismiss him as a racist.
Even "nationalist" is nonsense, he's merely pointing out one of the problems with unrestricted and unbalanced "unfair" trade. Now, you could argue this is a good thing, and we could point out the problems and have a discussion. But by labeling him a racist, the only thing you're trying to do is to "shut down" any arguments by coming up with ridiculous ad hominem attacks.
I'm an immigrant to this country, and I'm not a fan of outsourcing. I'm all for other immigrants from all over the world to continue coming here and contributing their talents to our local economies, but there is a problem when now people don't even want to become US residents, because the jobs are being drained away from here. We're about to face a serious crisis, when our technological workforce is being decimated by these companies. And there's nothing racist in pointing that out, nothing.
As for security, I don't think most if any people here are saying that a particular nationality is less trustworthy. But you'd be a fool if you don't recognize that some of the safety mechanisms we enjoy in this country are not as robust, or don't even exist, in other parts of the less developed world. As we deal with the poorest of nations, with our sensitive data, we have to be *extremely* careful. Already, there have been incidents of bribing by local crime syndicates in some of these countries to obtain data to steal identities. Can that happen in the US? Of course! But the question is, where is it more likely, and what are the protections we need to employ in these situations.
There's a rich discussion to be had on this topic, but please, try to come up with something better than "they're racist".
- sigs are for wimps.