Slashdot Mirror


Call Center Operator and His Cousin Steal $645,000 From UK Water Supplier (bleepingcomputer.com)

An anonymous reader writes: "An unnamed UK-based regional water supply company lost over $645,000 in a sophisticated scam that involved social engineering, an inside man, and international bank transfers," reports BleepingComputer. According to a recently disclosed report, one of the water supplier's call center operators was taking screenshots of customer details and sending this data to his cousin in the UK. This person would trick other call center operators into resetting the passwords for those accounts, add his bank account info to the account, and request a refund for previous transactions. Their operation was discovered after customers, usually small-to-medium businesses, discovered they couldn't access their accounts anymore, and also reported new bank account details. A search of the CRM logs revealed that only one call center operator had accessed those profiles, albeit he never initiated or approved refunds. When questioned, the arrogant employee signed an affidavit allowing investigators to search his home PC, thinking they would never discover anything, since he had already wiped his hard drive. They did because he forgot to delete his shadow volume copies, where investigators discovered copies of emails sent to his cousin in the UK. These emails contained the screenshots of his work PC with SMB client data. In the end, the call center employee ended up helping authorities secure a conviction for his cousin.

18 of 97 comments

  1. Today on the family channel: by roc97007 · · Score: 4, Funny

    Today on the family channel, the heartwarming story of a call center operator who engineers a complicated scam and then rats out the relative who helped him. Brought to you by your friends at Hallmark. Don't forget mother's day!

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    1. Re:Today on the family channel: by ShanghaiBill · · Score: 4, Funny

      How could his cousin possibly know that a lying scamming thief would also be dishonest?

    2. Re: Today on the family channel: by I'm+New+Around+Here · · Score: 3, Funny

      Why? Did "Family Channel" not imply enough gayness?

      --
      If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
  2. Re: Fucking turncoat! by 0xdeaddead · · Score: 4, Interesting

    I worked right beside a fraud department for a major credit card company.. it never ceases to amaze me how ingenious the scammers were, how the first few times were completely missed by all the fraud detection, and how every single one just kept on doing the same thing over and over thinking if it works once or twice, it'll surely work 200 times...

  3. Where? by Anonymous Coward · · Score: 4, Insightful

    Let me guess... call center... corruption... India?

    1. Re:Where? by Anonymous Coward · · Score: 5, Informative

      From the article:
      "the law firm investigating the data breach then decided to research how the accounts were managed internally. This led investigators to a call center in Mumbai, India, where the water supply company had outsourced its customer support operations."

  4. Not exactly 'wiping' the hard drive by DivineKnight · · Score: 2

    From the article (because the summary sounds insane -> if MS has found a way to keep Shadow Volume copies of files after a full disk wipe, the Pentagon needs to know about this), it sounds like he was running something akin to selective cleaning (i.e. CCleaner). The OS and other applications remained, while personal data was removed.

    1. Re:Not exactly 'wiping' the hard drive by Anonymous Coward · · Score: 2, Funny

      If you steal near $700k you can afford a pound of thermite

      So your theory is that he rejected using thermite because of the cost?

    2. Re:Not exactly 'wiping' the hard drive by msauve · · Score: 5, Funny

      It was "wiping, like with a cloth or something."

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    3. Re:Not exactly 'wiping' the hard drive by jabuzz · · Score: 2

      Must have been, because if he had booted from a Linux USB drive and followed this procedure

      https://www.thomas-krenn.com/e...

      There is not a cat in hell's chance of recovering any data. If that is too complicated then for 9 USD just buy a copy of Parted Magic that has a GUI to do it all easily for you.

      If you are extra paranoid then write some zeros all over the drive first. If you are majorly paranoid write zeros all over the drive, issue a secure erase then smash the drive up into pieces and do a fresh install onto a new hard drive.

      Anyone ever questions why you replaced the drive just say it developed bad sectors so you purchased a new one. Or alternatively say you upgraded from a HDD to an SSD, or even you upgraded to a bigger drive. For bonus points buy the replacement drive before you commit the nefarious act.

    4. Re: Not exactly 'wiping' the hard drive by Entrope · · Score: 2

      Wiping his computer, like with a cloth?

  5. Re: Fucking turncoat! by ShanghaiBill · · Score: 5, Insightful

    how every single one just kept on doing the same thing over and over thinking if it works once or twice, it'll surely work 200 times...

    That is selection bias. You only know about those dumb enough to get caught.

  6. Bloke got greedy. by Anonymous Coward · · Score: 2, Funny

    Bill Gates once said: $640K ought to be enough for anybody.

    But this guy took $645K.

  7. Re: Fucking turncoat! by hcs_$reboot · · Score: 2

    The problem is all the other "clever" ones we will never hear about, and who will never be caught.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  8. Sigh. by ledow · · Score: 4, Insightful

    And no system, human or technical, realised that new bank details were being entered for multiple accounts that all then requested refunds? I would hazard that some of those accounts might even have been the same.

    But your system didn't detect a pattern of "change bank details", "request refund", etc.

    That said, I would question why screenshots were possible - if indeed we are talking about proper screenshots rather than just taking a photo with his phone (which would presumably attract a bit more attention).

    If he did this from the work PC, you have serious failings - he's sending emails from work (presumably on an unblocked personal account) with screenshots of personal data.

    If he's holding his phone up to the screen and clicking on a regular basis? That's just as bad.

    The next question I have is why is the agent allowed to see the details, rather than just get prompted for security details? Why is there a page where they just see everything, rather than go through the same set of questions on the system that they would need to ask the customer? And if the answers aren't on display in front of him, but he has to type them in and let the system authorise whatever it is he's doing (e.g. I imagine changing bank details requires at least customer, account numbers, etc.), then a screenshot is basically useless.

    Least privilege principle. The agent doesn't need the other information on the customer unless he's specifically asked for it - in which case the request is recorded and you'd be able to see "Oh, Employee A requested Customer X, Customer Y and Customer Z's account numbers on all three occasions that those bank details were changed and then the customer complained."

    If I ran a call-centre, I would literally have PCs with encrypted data over serial consoles (no general purpose operating system access at all). There's no need for even a GUI. And every phone call would go through a list of options for the operative. They would see no information, but be prompted for the user details that they have to prompt for anyway. The system would prompt, the operative would relay the prompt and answer, the system would decide whether to grant access to the next FUNCTION (not just a screen full of customer data). Every keypress recorded in tandem with the call they're dealing with (storage is dirt cheap for such things, hell most schools record every phone call nowadays, let alone a call centre dealing with millions of pounds of product/service sales)

    If you need to check, say, the customer's email to let them know what one they used to sign up, you request it. The system returns a masked copy. If in doubt, you just request a change of email for the customer to ensure the one they want to use is the one that's entered in the system. If there's no change (i.e. you entered the same email as the system already has), the system can know that what you were asking is much less suspicious.

    If a function is risky (changing bank details), there's still no way for the operative to screenshot, and it might even need the mythical, never-present "supervisor" to press a button on his computer to authorise a change too. If your boss has to know you're doing it, authorise it and/or be in cahoots with it, then you're much less likely to even try.

    Anything really complex that does require the full customer record (like what? I can't imagine)? Done in a recorded full-access session available only on the supervisor's authorisation and kept rare deliberately.

    This also automatically fulfills your data protection requirements as none of the people or computers have access to any information that's not required for their job. Literally, their job requires no more information than the system ever gives them.

    You then have the need (which is present anyway) to ban pen, paper, smartphones, etc. while working.

    And no minimum-wage prat can steal your customer database, spam every customer email, pull off stuff like this anywhere near as easily, disrupt the syste
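
The pattern this comment describes (bank details changed, then a refund requested) together with the CRM-log search from the summary, as an added example that is not part of the thread: it flags accounts showing that sequence inside a time window and lists the operators who viewed every flagged profile beforehand. The log layout, action names, operator ids and account ids are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample CRM audit events: (time, operator, account, action).
# Operator ids, account ids and action names are assumptions for this example.
EVENTS = [
    ("2017-03-01T09:02", "op_a", "ACC-100", "view_profile"),
    ("2017-03-01T09:10", "op_b", "ACC-200", "view_profile"),
    ("2017-03-02T10:00", "op_a", "ACC-300", "view_profile"),
    ("2017-03-02T10:20", "op_b", "ACC-300", "view_profile"),
    ("2017-03-03T11:00", "op_c", "ACC-100", "bank_details_changed"),
    ("2017-03-03T11:30", "op_d", "ACC-100", "refund_requested"),
    ("2017-03-04T14:00", "op_b", "ACC-200", "refund_requested"),  # no bank change
    ("2017-03-06T15:00", "op_e", "ACC-300", "bank_details_changed"),
    ("2017-03-07T09:00", "op_c", "ACC-300", "refund_requested"),
    ("2017-03-08T09:00", "op_d", "ACC-400", "bank_details_changed"),
    ("2017-06-01T09:00", "op_d", "ACC-400", "refund_requested"),  # outside window
]

def parse(events):
    """Return the events in time order with parsed timestamps."""
    return sorted((datetime.fromisoformat(t), op, acct, act) for t, op, acct, act in events)

def flag_accounts(events, window=timedelta(days=7)):
    """Map account -> time of a bank-detail change followed by a refund within `window`."""
    changed, flagged = {}, {}
    for ts, _op, acct, action in parse(events):
        if action == "bank_details_changed":
            changed[acct] = ts
        elif action == "refund_requested" and acct in changed:
            if ts - changed[acct] <= window:
                flagged.setdefault(acct, changed[acct])
    return flagged

def prior_viewers(events, flagged):
    """Count, per operator, the flagged accounts they viewed before the change."""
    seen = set()
    for ts, op, acct, action in parse(events):
        if action == "view_profile" and acct in flagged and ts < flagged[acct]:
            seen.add((op, acct))
    return Counter(op for op, _acct in seen)

def common_viewers(events, window=timedelta(days=7)):
    """Operators who viewed every flagged account before its bank details changed."""
    flagged = flag_accounts(events, window)
    counts = prior_viewers(events, flagged)
    return sorted(op for op, n in counts.items() if flagged and n == len(flagged))
```

On the sample data the operators who made the changes and refunds differ per account, while one operator appears as a prior viewer of every flagged profile, which is the correlation the investigators' CRM search relied on.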

  9. valuable lesson learned by sad_ · · Score: 4, Insightful

    don't use windows and expect to get away with it.

    --
    On a long enough timeline, the survival rate for everyone drops to zero.
  10. Re: Fucking turncoat! by houghi · · Score: 5, Interesting

    Many years ago I talked with somebody who did control at a large supermarket in Europe. She told me that the way they caught people stealing from the till was because they always took the same amount.
    Sure it can happen that you have a short in your till, but if it is always the same amount, they will become suspicious and it will get you fired.
    If you take a 20 bill each day, it will soon be clear you did so.

    One person did it the smart way and was fired because he told cow orkers:
    Taking different amounts each time and even sometimes had too much in the till, although obviously more in his favor than in his disadvantage. Also he never took one bill as most would do, but also took some coins. This person was looked upon as sloppy, not dishonest.

    --
    Don't fight for your country, if your country does not fight for you.
  11. So.... by BitztreamNotARealNam · · Score: 2

    How's life in the hypocrite lane?