Call Center Operator and His Cousin Steal $645,000 From UK Water Supplier (bleepingcomputer.com)
An anonymous reader writes: "An unnamed UK-based regional water supply company lost over $645,000 in a sophisticated scam that involved social engineering, an inside man, and international bank transfers," reports BleepingComputer. According to a recently disclosed report, one of the water supplier's call center operators was taking screenshots of customer details and sending this data to his cousin in the UK. This person would trick other call center operators to reset the passwords for those accounts, add his bank account info to the account, and request a refund for previous transactions. Their operation was discovered after customers, usually small-to-medium businesses, discovered they couldn't access their accounts anymore, and also reported new bank account details. A search of the CRM logs revealed that only one call center operator had accessed those profiles, although he never initiated or approved refunds. When questioned, the arrogant employee signed an affidavit allowing investigators to search his home PC, thinking they would never discover anything, since he had already wiped his hard drive. They did because he forgot to delete his shadow volume copies, where investigators discovered copies of emails sent to his cousin in the UK. These emails contained the screenshots of his work PC with SMB client data. In the end, the call center employee ended up helping authorities secure a conviction for his cousin.
Let me guess... call center... corruption... India?
how every single one just kept on doing the same thing over and over thinking if it works once or twice, it'll surely work 200 times...
That is selection bias. You only know about those dumb enough to get caught.
And no system, human or technical, realised that new bank details were being entered for multiple accounts that all then requested refunds? I would hazard that some of those accounts might even have been the same.
But your system didn't detect a pattern of "change bank details", "request refund", etc.
That said, I would question why screenshots were possible - if indeed we are talking about proper screenshots rather than just taking a photo with his phone (which would presumably attract a bit more attention).
If he did this from the work PC, you have serious failings - he's sending emails from work (presumably on an unblocked personal account) with screenshots of personal data.
If he's holding his phone up to the screen and clicking on a regular basis? That's just as bad.
The next question I have is why is the agent allowed to see the details, rather than just get prompted for security details? Why is there a page where they just see everything, rather than go through the same set of questions on the system that they would need to ask the customer? And if the answers aren't on display in front of him, but he has to type them in and let the system authorise whatever it is he's doing (e.g. I imagine changing bank details requires at least customer, account numbers, etc.), then a screenshot is basically useless.
Least privilege principle. The agent doesn't need the other information on the customer unless he's specifically asked for it - in which case the request is recorded and you'd be able to see "Oh, Employee A requested Customer X, Customer Y and Customer Z's account numbers on all three occasions that those bank details were changed and then the customer complained."
If I ran a call-centre, I would literally have PCs with encrypted data over serial consoles (no general purpose operating system access at all). There's no need for even a GUI. And every phone call would go through a list of options for the operative. They would see no information, but be prompted for the user details that they have to prompt for anyway. The system would prompt, the operative would relay the prompt and answer, the system would decide whether to grant access to the next FUNCTION (not just a screen full of customer data). Every keypress recorded in tandem with the call they're dealing with (storage is dirt cheap for such things, hell most schools record every phone call nowadays, let alone a call centre dealing with millions of pounds of product/service sales).
If you need to check, say, the customer's email to let them know what one they used to sign up, you request it. The system returns a masked copy. If in doubt, you just request a change of email for the customer to ensure the one they want to use is the one that's entered in the system. If there's no change (i.e. you entered the same email as the system already has), the system can know that what you were asking is much less suspicious.
If a function is risky (changing bank details), there's still no way for the operative to screenshot, and it might even need the mythical, never-present "supervisor" to press a button on his computer to authorise a change too. If your boss has to know you're doing it, authorise it and/or be in cahoots with it, then you're much less likely to even try.
Anything really complex that does require the full customer record (like what? I can't imagine)? Done in a recorded full-access session available only on the supervisor's authorisation and kept rare deliberately.
This also automatically fulfills your data protection requirements as none of the people or computers have access to any information that's not required for their job. Literally, their job requires no more information than the system ever gives them.
You then have the need (which is present anyway) to ban pen, paper, smartphones, etc. while working.
And no minimum-wage prat can steal your customer database, spam every customer email, pull off stuff like this anywhere near as easily, disrupt the syste
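The pattern the comments above say nobody detected ("change bank details", then "request refund", with the same payee reused across several customers, and one operator touching all the affected profiles) is cheap to check over CRM audit logs. The following is an added example, not code from the article or the water company; the events, customer ids, operator ids and payee strings are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CRM audit events (not from the article): (timestamp, customer, operator, action, detail)
EVENTS = [
    ("2016-03-01 09:12", "C1001", "op_17", "PASSWORD_RESET", ""),
    ("2016-03-01 09:20", "C1001", "op_17", "BANK_DETAILS_CHANGED", "GB-SORT-112233-ACC-90001"),
    ("2016-03-02 10:05", "C1001", "op_22", "REFUND_REQUESTED", "1200.00"),
    ("2016-03-03 14:40", "C1002", "op_09", "BANK_DETAILS_CHANGED", "GB-SORT-112233-ACC-90001"),
    ("2016-03-04 11:15", "C1002", "op_17", "REFUND_REQUESTED", "980.00"),
    ("2016-03-10 16:00", "C1003", "op_31", "BANK_DETAILS_CHANGED", "GB-SORT-556677-ACC-12345"),
    ("2016-04-20 09:00", "C1003", "op_31", "REFUND_REQUESTED", "45.00"),  # 41 days later: not flagged
]

def parse(events):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), c, o, a, d) for ts, c, o, a, d in events]

def refunds_after_bank_change(events, window_days=7):
    """Customers where a refund was requested within window_days of a bank-detail change -> new payee."""
    last_change = {}
    flagged = {}
    for ts, cust, op, action, detail in sorted(parse(events)):
        if action == "BANK_DETAILS_CHANGED":
            last_change[cust] = (ts, detail)
        elif action == "REFUND_REQUESTED" and cust in last_change:
            changed_at, payee = last_change[cust]
            if ts - changed_at <= timedelta(days=window_days):
                flagged[cust] = payee
    return flagged

def shared_payees(events):
    """New bank accounts that were attached to more than one customer account."""
    by_payee = defaultdict(set)
    for _, cust, _, action, detail in parse(events):
        if action == "BANK_DETAILS_CHANGED":
            by_payee[detail].add(cust)
    return {p: sorted(c) for p, c in by_payee.items() if len(c) > 1}

def operators_across(events, customers):
    """How many of the given (flagged) customers each operator touched: the CRM-log check from the article."""
    seen = defaultdict(set)
    for _, cust, op, _, _ in parse(events):
        if cust in customers:
            seen[op].add(cust)
    return {op: len(c) for op, c in seen.items()}
```

Run on a real CRM export, the first two functions produce the alert the commenter asks for; the third is the investigative step, narrowing the flagged profiles to the one operator common to all of them.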
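The least-privilege design sketched in the comment above (the agent never sees the record, relays prompts and answers, gets masked values on explicit request, needs a supervisor for risky functions, and every request is logged against the call) can be expressed as a small broker. This is an added example, not the commenter's or any vendor's code; the customer record, hashing scheme, field names and the supervisor-approval token format are assumptions made for illustration.

```python
import hmac
from hashlib import sha256

# Constructed customer record (not from the article). Security answers are stored only as salted hashes,
# so the broker can verify what the caller says without ever displaying the stored value to the agent.
def _h(value, salt="demo-salt"):  # demo salt; a real system would use a per-record random salt
    return sha256((salt + value.strip().lower()).encode()).hexdigest()

CUSTOMERS = {
    "C1001": {"email": "finance@acme-plumbing.example", "postcode_h": _h("SW1A 1AA"), "dob_h": _h("1970-01-01")},
}

def mask_email(addr):
    user, _, domain = addr.partition("@")
    return user[0] + "***@" + domain

class AgentSession:
    """One call handled by one agent: every data request and risky function is recorded against the call."""
    def __init__(self, agent_id, call_id, audit):
        self.agent_id, self.call_id, self.audit = agent_id, call_id, audit
        self.verified = None

    def verify(self, customer_id, postcode, dob):
        rec = CUSTOMERS.get(customer_id)
        ok = rec is not None and hmac.compare_digest(rec["postcode_h"], _h(postcode)) \
            and hmac.compare_digest(rec["dob_h"], _h(dob))
        self.audit.append((self.call_id, self.agent_id, customer_id, "VERIFY", ok))
        self.verified = customer_id if ok else None
        return ok

    def request_field(self, field):
        """Agents never get the full record; each field is requested explicitly, masked, and logged."""
        if not self.verified:
            raise PermissionError("customer not verified on this call")
        self.audit.append((self.call_id, self.agent_id, self.verified, "REQUEST_" + field.upper(), True))
        if field == "email":
            return mask_email(CUSTOMERS[self.verified]["email"])
        raise PermissionError("field not available to agents: " + field)

    def change_bank_details(self, new_account, supervisor_approval):
        """A risky function: requires a verified customer and a supervisor's approval bound to this call."""
        allowed = bool(self.verified) and supervisor_approval == ("APPROVE", self.call_id)
        self.audit.append((self.call_id, self.agent_id, self.verified, "CHANGE_BANK_DETAILS", allowed))
        return allowed

def customers_requested_by(audit, agent_id):
    """The review the commenter describes: which customers' data did this agent pull, and on which calls."""
    return sorted({(call, cust) for call, agent, cust, action, ok in audit
                   if agent == agent_id and action.startswith("REQUEST_")})
```

Because the screen only ever carries a masked value and the stored answers exist only as hashes, a screenshot of the agent's display yields nothing a cousin could use to pass verification on a later call.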
don't use windows and expect to get away with it.
On a long enough timeline, the survival rate for everyone drops to zero.