Call Center Operator and His Cousin Steal $645,000 From UK Water Supplier (bleepingcomputer.com)
An anonymous reader writes: "An unnamed UK-based regional water supply company lost over $645,000 in a sophisticated scam that involved social engineering, an inside man, and international bank transfers," reports BleepingComputer. According to a recently disclosed report, one of the water supplier's call center operators was taking screenshots of customer details and sending this data to his cousin in the UK. This person would trick other call center operators into resetting the passwords for those accounts, add his bank account info to the account, and request a refund for previous transactions. Their operation was discovered after customers, usually small-to-medium businesses, discovered they couldn't access their accounts anymore, and also reported new bank account details. A search of the CRM logs revealed that only one call center operator had accessed those profiles, although he never initiated or approved refunds. When questioned, the arrogant employee signed an affidavit allowing investigators to search his home PC, thinking they would never discover anything, since he had already wiped his hard drive. They did because he forgot to delete his shadow volume copies, where investigators discovered copies of emails sent to his cousin in the UK. These emails contained the screenshots of his work PC with SMB client data. In the end, the call center employee ended up helping authorities secure a conviction for his cousin.
Never do a job you can't do by yourself and have to do more than once.
Today on the family channel, the heartwarming story of a call center operator who engineers a complicated scam and then rats out the relative who helped him. Brought to you by your friends at Hallmark. Don't forget Mother's Day!
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Let me guess... call center... corruption... India?
From the article (because the summary sounds insane -> if MS has found a way to keep Shadow Volume copies of files after a full disk wipe, the Pentagon needs to know about this), it sounds like he was running something akin to selective cleaning (i.e. CCleaner). The OS and other applications remained, while personal data was removed.
Bill Gates once said: $640K ought to be enough for anybody.
But this guy took $645K.
3 pass secure erase that shit.
Outsource to India, while betraying local citizens out of a job? That's treason, and I have no sympathy for a "water company". Go fuck yourselves the same way you fuck over your own citizens.
And no system, human or technical, realised that new bank details were being entered for multiple accounts that all then requested refunds? I would hazard that some of those accounts might even have been the same.
But your system didn't detect a pattern of "change bank details", "request refund", etc.
That said, I would question why screenshots were possible - if indeed we are talking about proper screenshots rather than just taking a photo with his phone (which would presumably attract a bit more attention).
If he did this from the work PC, you have serious failings - he's sending emails from work (presumably on an unblocked personal account) with screenshots of personal data.
If he's holding his phone up to the screen and clicking on a regular basis? That's just as bad.
The next question I have is why is the agent allowed to see the details, rather than just get prompted for security details? Why is there a page where they just see everything, rather than go through the same set of questions on the system that they would need to ask the customer? And if the answers aren't on display in front of him, but he has to type them in and let the system authorise whatever it is he's doing (e.g. I imagine changing bank details requires at least customer, account numbers, etc.), then a screenshot is basically useless.
Least privilege principle. The agent doesn't need the other information on the customer unless he's specifically asked for it - in which case the request is recorded and you'd be able to see "Oh, Employee A requested Customer X, Customer Y and Customer Z's account numbers on all three occasions that those bank details were changed and then the customer complained."
If I ran a call-centre, I would literally have PCs with encrypted data over serial consoles (no general purpose operating system access at all). There's no need for even a GUI. And every phone call would go through a list of options for the operative. They would see no information, but be prompted for the user details that they have to prompt for anyway. The system would prompt, the operative would relay the prompt and answer, the system would decide whether to grant access to the next FUNCTION (not just a screen full of customer data). Every keypress recorded in tandem with the call they're dealing with (storage is dirt cheap for such things, hell most schools record every phone call nowadays, let alone a call centre dealing with millions of pounds of product/service sales).
If you need to check, say, the customer's email to let them know which one they used to sign up, you request it. The system returns a masked copy. If in doubt, you just request a change of email for the customer to ensure the one they want to use is the one that's entered in the system. If there's no change (i.e. you entered the same email as the system already has), the system can know that what you were asking is much less suspicious.
If a function is risky (changing bank details), there's still no way for the operative to screenshot, and it might even need the mythical, never-present "supervisor" to press a button on his computer to authorise a change too. If your boss has to know you're doing it, authorise it and/or be in cahoots with it, then you're much less likely to even try.
Anything really complex that does require the full customer record (like what? I can't imagine)? Done in a recorded full-access session available only on the supervisor's authorisation and kept rare deliberately.
This also automatically fulfills your data protection requirements as none of the people or computers have access to any information that's not required for their job. Literally, their job requires no more information than the system ever gives them.
You then have the need (which is present anyway) to ban pen, paper, smartphones, etc. while working.
And no minimum-wage prat can steal your customer database, spam every customer email, pull off stuff like this anywhere near as easily, disrupt the syste
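The function-level model sketched in the comment above (no record on screen, the system chooses the prompts, masked answers on request, supervisor approval for risky functions, every action logged) as a small worked example. This is added example code, not anything from the article or the water company's CRM; the customer record, the operator and supervisor names and the choice of prompts are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed customer record; every value here is invented for this example.
CUSTOMER_RECORDS = {
    "cust101": {"email": "owner@example.test", "postcode": "AB1 2CD",
                "account_no": "12345678", "bank": "GB11XXXX1234"},
}


def mask_email(addr):
    """Return a masked copy so the operator can confirm, but not copy, the address."""
    local, _, domain = addr.partition("@")
    if len(local) < 2:
        return f"*@{domain}"
    return f"{local[0]}***{local[-1]}@{domain}"


@dataclass
class Approval:
    """A supervisor's one-shot authorisation for a risky function on one customer."""
    supervisor: str
    customer: str
    function: str


class CallCentreSession:
    """The operator never receives the customer record. Each FUNCTION is granted
    separately, only after the caller answered the prompts the system chose, and
    every attempt (granted or denied) is appended to a shared audit trail."""

    PROMPTS = ("postcode", "account_no")      # the system decides what is asked

    def __init__(self, operator, customer_id, audit, approvals):
        self.operator = operator
        self.customer_id = customer_id
        self.audit = audit            # shared list: (operator, customer, function, outcome)
        self.approvals = approvals    # shared list of pending supervisor approvals
        self.verified = False

    def _log(self, function, outcome):
        self.audit.append((self.operator, self.customer_id, function, outcome))

    def verify_caller(self, answers):
        """Operator relays the prompts and types the answers; only pass/fail comes back."""
        record = CUSTOMER_RECORDS.get(self.customer_id, {})
        self.verified = all(answers.get(k) == record.get(k) for k in self.PROMPTS)
        self._log("verify_caller", "ok" if self.verified else "failed")
        return self.verified

    def request_email(self):
        """Low-risk function: allowed once verified, but only a masked copy is returned."""
        if not self.verified:
            self._log("request_email", "denied:unverified")
            raise PermissionError("caller not verified")
        self._log("request_email", "ok")
        return mask_email(CUSTOMER_RECORDS[self.customer_id]["email"])

    def change_bank_details(self, new_bank):
        """Risky function: needs a verified caller AND a supervisor approval, consumed on use."""
        if not self.verified:
            self._log("change_bank_details", "denied:unverified")
            raise PermissionError("caller not verified")
        approval = next((a for a in self.approvals
                         if a.customer == self.customer_id
                         and a.function == "change_bank_details"), None)
        if approval is None:
            self._log("change_bank_details", "denied:no_supervisor")
            raise PermissionError("supervisor approval required")
        self.approvals.remove(approval)                 # one approval, one change
        CUSTOMER_RECORDS[self.customer_id]["bank"] = new_bank
        self._log("change_bank_details", f"ok:approved_by={approval.supervisor}")
        return True


if __name__ == "__main__":
    audit, approvals = [], []
    s = CallCentreSession("opA", "cust101", audit, approvals)
    s.verify_caller({"postcode": "AB1 2CD", "account_no": "12345678"})
    print(s.request_email())                           # masked, e.g. o***r@example.test
    approvals.append(Approval("sup1", "cust101", "change_bank_details"))
    s.change_bank_details("GB99XXXX0001")
    for line in audit:
        print(line)
```

Because the audit list is shared across sessions, the denied attempts are recorded alongside the granted ones, which is exactly the trail that lets someone later ask which operator touched which customers before the bank details changed.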
Nice
Please report in the currency stolen, and then the conversion afterward, as in the original article.
GBP £500,000 was stolen, equivalent to around USD $645,000, CAD $885,000, AUD $876,000, CUC $646,000, or EUR 595,000.
Please try to remember that there are a lot of people who read this site who are not from USA, so even the use of $ is ambiguous in an international community.
Don't use Windows and expect to get away with it.
On a long enough timeline, the survival rate for everyone drops to zero.
So you change the password and change the bank account, got it. What I can't understand is why would a water company give you a refund? Are they pre-paying for water? Usually you pay for the water that was used. Maybe a difference in the UK?
Their "job" is to generate traffic and ad impressions. By trolling people who care, they accomplish the mission of their job quite well.
In short, editors, get off your ass and do your fucking jobs or get the fuck out.
The words from an idiot.
Hmm... let me guess. Indians? Pakistanis? Say it ain't so!
Isn't 'diversity' wonderful. We can't have white people simply having their own countries, can we.
The people running the call center are equally if not more at fault than the person who was stealing the account information.
I worked at a large hosting company that has in house support. Cell phones are NOT allowed in the call center. In fact you can't even have a pen or pencil there. They use 8 x 10 white boards for immediate notes and those never leave the area. Access to external email is blocked. I don't know the rest of the security procedures but I have no doubt their internal email was screened as well.
What they did was illegal, immoral, and just plain wrong. Overall it was a decently well thought out plan but there were inevitable points that would lead back to the source. The kicker was the CRM system tracking. If the guy had been more security aware on his home computer they probably wouldn't have had enough evidence to convict him of anything.
A timely reminder of how far people will go to find ways around security measures.
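The two detection questions raised in this thread, why no system noticed the "change bank details, then request refund" pattern across several accounts, and how the CRM logs pointed at the one operator who had viewed those profiles without making any change, as an added example run over a constructed audit log. This is illustration code written for this page, not the water company's system or anything from the article; the log format, operator and customer identifiers, account strings and time windows are all invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CRM audit log: timestamp, operator, action, customer, detail.
# None of these identifiers or values come from the article.
SAMPLE_LOG = """\
2016-03-01T09:02 opA view_profile        cust101 -
2016-03-01T09:03 opA view_profile        cust102 -
2016-03-01T09:05 opA view_profile        cust103 -
2016-03-01T10:00 opB view_profile        cust555 -
2016-03-02T14:10 opC password_reset      cust101 -
2016-03-02T14:12 opC bank_details_change cust101 acct=GB99XXXX0001
2016-03-02T14:15 opC refund_request      cust101 amount=12000
2016-03-03T11:40 opD password_reset      cust102 -
2016-03-03T11:44 opD bank_details_change cust102 acct=GB99XXXX0001
2016-03-03T11:50 opD refund_request      cust102 amount=9500
2016-03-04T16:00 opB bank_details_change cust555 acct=GB11XXXX7777
2016-03-20T10:00 opE refund_request      cust555 amount=300
"""


def parse_log(text):
    """Parse the whitespace-separated log into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, operator, action, customer, detail = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M"),
                       "operator": operator, "action": action,
                       "customer": customer, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def find_takeover_sequences(events, window=timedelta(days=2)):
    """Customers where password_reset -> bank_details_change -> refund_request
    all happen, in that order, within `window`. Returns {customer: reset time}."""
    by_customer = defaultdict(list)
    for e in events:
        by_customer[e["customer"]].append(e)
    flagged = {}
    for cust, evs in by_customer.items():
        for i, start in enumerate(evs):
            if start["action"] != "password_reset":
                continue
            bank_changed = False
            for later in evs[i + 1:]:
                if later["ts"] - start["ts"] > window:
                    break
                if later["action"] == "bank_details_change":
                    bank_changed = True
                elif later["action"] == "refund_request" and bank_changed:
                    flagged[cust] = start["ts"]
                    break
    return flagged


def find_shared_payout_accounts(events):
    """Destination accounts attached to more than one customer: a strong signal
    on its own, independent of who performed the changes."""
    owners = defaultdict(set)
    for e in events:
        if e["action"] == "bank_details_change" and e["detail"].startswith("acct="):
            owners[e["detail"][len("acct="):]].add(e["customer"])
    return {acct: sorted(custs) for acct, custs in owners.items() if len(custs) > 1}


def find_common_prior_viewers(events, takeovers, lookback=timedelta(days=7)):
    """Operators who viewed EVERY flagged customer's profile shortly before that
    customer's takeover began, even though they made none of the changes."""
    viewer_sets = []
    for cust, start in takeovers.items():
        viewer_sets.append({e["operator"] for e in events
                            if e["customer"] == cust and e["action"] == "view_profile"
                            and start - lookback <= e["ts"] < start})
    return set.intersection(*viewer_sets) if viewer_sets else set()


def investigate(text):
    events = parse_log(text)
    takeovers = find_takeover_sequences(events)
    return {"takeovers": takeovers,
            "shared_accounts": find_shared_payout_accounts(events),
            "common_viewers": find_common_prior_viewers(events, takeovers)}


if __name__ == "__main__":
    for key, value in investigate(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed log the first rule flags two customers, the second rule sees the same destination account attached to both, and the third rule narrows the prior viewers down to a single operator who never touched a password, bank detail or refund himself; the unrelated bank change on the third customer is left alone because no reset preceded it and the refund came weeks later.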
You should take your intelligent and insightful comments to Reddit. Oh, we will manage on our own without you. However, you'll be much more appreciated at Reddit. You should go there.
How's life in the hypocrite lane?