Indian Call Center Employees Hack US Bank Accounts 550
The Ascended One writes "Call center employees working for an Indian software company, MSource, supposedly used confidential client information to transfer client funds to themselves. The alleged perpetrators used the personal information of four NY-based clients to transfer ~$350,000 (Rs. 1.5 crores) in their names, a large sum in Indian currency. They were caught after the victims alerted the bank officials in the US, who then traced the crime to the Indian city of Pune. While the name of the bank has not been revealed, the article indicates that the bank in question is Citibank."
Easier to track (Score:5, Insightful)
I'm a system administrator and most of my customers are in the UK. So when I'm investigating an incident on our servers, and the logs show some activity from Brazil, it makes my job a lot easier.
Indian, Native American, Ukrainian, Nigerian (Score:4, Insightful)
I, for one, do not buy into this Lou Dobbs racist/nationalist claptrap that says that we can't trust foreigners. I'm one of the biggest foreigners around, if you consider all the places I have to travel to that I'm not actually a citizen of.
Hey, bad people are in India. And in the U.S. And in Europe. And in Asia. Oh my god! They are everywhere!
Luckily, the bad people are outnumbered by the good. I can just take a look at my lists and figure that one out.
International Outsourcing (Score:2, Insightful)
But it's surely much tougher to vet people who have access to your systems when their whole culture is different (nevermind the fact that they're half the world away)
A lot more care needs to be taken when outsourcing internationally, otherwise the savings made will end up being spent on PR & the like after a cock up.
Comment removed (Score:1, Insightful)
Odd that this article is here (Score:5, Insightful)
The only slight difference is that it's worth more over there.
So I find it odd that this is considered different.
Us versus Them (Score:2, Insightful)
Well, it's not so much a case of us-versus-them, but a matter of accountability and proesecuting them. An earlier poster made the case that this makes it somehow easier to track, but I think this is an absolute load of claptrap
Remind me again, exactly how many people are there in India? So how exactly does the fact that you know it originated from India help you? Or say Brazil, China, etc - all of these places, though poor, are in fact heavily populated, densely packed, and often the authorities are loathe to co-operate with foreign officials (honestly - whose side do you think the Indian police force/bureacrats are on?)
Outsourcing critical infrastructure, and potentially dangerous data that can bite you back later is a recipe for disaster.
I'm Australian, and recently there was a furor over Boeing's court victory allowing them to discriminate against Australian workers, and select only US citizens - a lot of Australian's were mad, but I myself thought that Boeing had a perfectly logical argument.
You can call me a racist (fyi, I'm chinese - and the US's witch-hunting of Chinese "spies" irks me, but hey, it's another one on a growing pile of 'em...lol), so what the heck...
Victor Hooi
Re:Not to be a troll but.. (Score:4, Insightful)
Rather than phoning up your banks and finding out where your information is ending up, which can be a tedious process, shouldn't you be phoning up your congress representatives and asking them to enact laws which provide for your privacy?
Re:Indian, Native American, Ukrainian, Nigerian (Score:5, Insightful)
The current relentless drive to reduce employee costs to a minimum does not help in that respect, in any country. From what I understand, Indians are currently happy with their current wages (and often very odd working hours). But what will happen when the squeeze from even cheaper Chinese workers is on?
It's not that simple... (Score:5, Insightful)
When you outsource certain operations you are giving people who have no connection with your customers their private information. Banking account numbers? Some people still don't use online banking because it scares them and we don't see this as a huge liability?
Really, what if a few thousand credit card and bank account numbers got into the hands of suspected terrorists? If they made a one time shot at getting items to fence or cash withdraws (wire transfers) and split, they suddenly have resources that was taken right from the American people.
I'm by no means saying that you should be suspect of *any* foreign person or enterprise. I'm thinking of the type of people who *might* get their hands on my/our information. What good is it to give to the people like EPIC [epic.org] when we give our information to people we can't necessarily track down? Can anyone guarantee that we will be able to bring someone to justice, under our laws (and equally for their benefit the Constitution)? I've worked on the phone making sales, and the problem we had was we were banned from taking credit cards because a few people screwed it up for everyone.
Of course, if someone wants the information they can get it. It just makes me wonder why we give our sensitive information to a foreigner when we need parts for our Dell (and by extension everyone else I don't care to list).
Re:Begin the racist rants (Score:5, Insightful)
Re:Indian, Native American, Ukrainian, Nigerian (Score:5, Insightful)
Re:Not to be a troll but.. (Score:4, Insightful)
I'm not sure Indians are any more likely to jot down card numbers that thier minimum-wage US counterparts. Except, of course, that an Indian phone jockey makes a better wage (by local standards), arguably giving them less reason to committ such fraud.
It's annoying when you can't understand what someone says on the phone, sure, but I don't think they're any more likely to be criminals than thier western counterparts.
Michael
It's all relative... (Score:5, Insightful)
I would have thought $350,000 is a large sum in ANY currency.
Brother, can you spare $350K?
Sigh.... (Score:3, Insightful)
Re:Easier to track (Score:4, Insightful)
Re:Begin the racist rants (Score:1, Insightful)
It's not important that the scammers were Indian, it is important that employees of an outsourced company were perpetrators of a crime.
I also happen to have my own startup which has an offshore branch - personally, I'd be scared if personal client information were to be misused.
The one reason I did post the Indian part is because I'm hoping that this would get a lot of publicity, and Indian offices would smarten up to such acts by their employees. If you hear about one, you can be assured that there are many more that you don't.
Offshoring and outsourcing is a big thing for India and Indian companies need to take that seriously. If an employee is able to garner significant personal information of clients, then they aren't doing a good job of it.
The only way for them to get that message if this were to get publicity - and business of the said company were to suffer a significant loss for people to send a strong message that they need to do something about this sort of thing.
Bad publicity affects business, and money speaks strongest.
Re:Indian, Native American, Ukrainian, Nigerian (Score:2, Insightful)
Luckily, the bad people are outnumbered by the good.
might i add:
Luckily the the smart bad people are outnumbered by the dumb bad people. 8)
Re:Easier to track (Score:5, Insightful)
Don't forget music piracy!
But security threats are multi-faceted (Score:3, Insightful)
Security is a 'system', and altering or extending a system, can open it to risk that were not originally envisaged when it was established. Adding a new site, adding additional computer systems, new network(s), new operative etc all can alter the security threat mix.
Extending a secure system to a new country, a new language group, a new multi-cultural mix, will also expose the system to a new mix of threats. Ths issue of extending such a system to a different continent, particularly if the operatives there are working at the higher(est) levels, entails exposing the system to all the differences between the new location and the old.
Whether the staff are physically in India or hold Indian state passports is incidental. The significant factors are, a) how close or removed they are from the cultural assumptions of the systems designers, b) how exposed they are to personal weakness, c) how exposed they are to external influence. These are sometimes referred to as Antipathy, Jealousy, Poverty, and Corruption. Placing a call centre in Dehli, Amritsar or Goa would vary the mix, as would placing it in Belfast, Glasgow or Ipswitch.
What's the news??? (Score:3, Insightful)
Looks like a slow day for Slashot if this type of stories get posted =)
According to the police, Thomas, who worked in the callcentre for six months before quitting the job in December 2004, had the secret pincodes of the customers' e-mail IDs, which were used to transfer money. In January, he roped in his friends and transferred money from four accounts of the bank's New York-based customers into their own accounts, opened under fictitious names.The story doesn't even have enough info to classify it as social engineering. People used confidential information to transfet funds. Ok, they used the Internet to do the transfer. Ok, they got PINs from customer emails. What's in there to learn? Where are the "news for nerds" here?
Re:Not to be a troll but.. (Score:3, Insightful)
Re:Indian, Native American, Ukrainian, Nigerian (Score:4, Insightful)
Re:Indian, Native American, Ukrainian, Nigerian (Score:5, Insightful)
A second contributing factor is the culture of greed that dominates in the modern world. Wealth without labor is the new goal. One of the most elequent discussions of this I have seen was by harvey pekar, in an issue of American Splendor (sorry, don't remember what issue). But we have a culture (which we are aggresively exporting) which places more importance on the possession of wealth than on honesty, integrity, or a strong work ethic.
I'm hoping that this is actually changing, that the Bernard Ebbers, the Dick Cheneys, the Kenneth Lays and Darrel McBride's become outcasts and pariahs, shunned and hated enough by society at large that people feel a strong enough social pressure to mitigate their greediest instincts.
Re:It's not that simple... (Score:3, Insightful)
I know you say 'I'm by no means saying you should be suspect of *any* foreign person..' - but really you don't mean it. You wouldn't have made such a post in the first place if you didn't really mean it.
At the end of the day we are a global economy.. our card numbers and personal bits of information have been flying all over the globe for years now. Quite frankly I trust the people working in the indian call centres as much as I trust the person working down the high street in my own city bank.. i've worked with a number of consultants from India on coding projects here in the UK and have found them to be nothing but exceptionally dedicated, meticulous and hard working.
Just because they are foreign, it doesn't automatically make them a potential terrorist for christs sake.
Comment removed (Score:5, Insightful)
Re:It's not that simple... (Score:5, Insightful)
I for one am glad of the security I can place in trusting my fellow national. Ever since foreigners started bombing federal buildings, sending bombs to universities, sniping people randomly in Washington, and god knows what else, it's good to know that we can draw a clear line between "us" and "them"
Re:Easier to track (Score:1, Insightful)
I'm pretty confident that Citibank will survive without your allowance money.
What no one's pointed out. (Score:2, Insightful)
Nail on the head! (Score:5, Insightful)
it's cheaper than giving it to a `fellow American`. I should have thought that were obvious.
A Ha, and you've discovered my complaint. We get paid a lot more, we have less motivation to steal. We depend on that job, we have built a life around it. The paychecks are okay, so the risk to benefit ratio tells me not to steal from customers. On top of that, they are fellow countrymen.
However, in India it is a different story (don't flame, just an example).
The Indian worker is getting paid a fraction of what you've just spent. I sure hope there was no contempt in your voice - contempt breeds contempt. The tech looks at his check and sees a nice amount of money but he sees another option. Really, if he loses this job there will be another American company who will come around (best part is, they don't talk to each other). We've created the economic situation where it makes sense to work for a few weeks and rip a few hundred people off. An organized effort could be dangerous.
No matter... bring the work home and solve the whole problem that way.
Re:Sigh.... (Score:5, Insightful)
Corporations as a whole do not care at all about the personal data that they send anywhere; the data is simply a commodity. To companies that are used to dealing with large amounts of commodities (including personal information), the loss or compromise of a certain percentage of the commodity is tolerated and expected. For corporations it is cheaper to pay for the loss than it is to prevent the loss.
Re:Not to be a troll but.. (Score:3, Insightful)
I then did some checking aparently the credit card division had been sold to an american company who then outsourced the call centre to india. I had not been told about this by my bank. So without my express written permision they had exported my personal information to america who then exported it to india.
So are they in breach of the eu data protection act or not ?
I am pretty sure that the dataprotection act states that the data cannot be exported to a country that does not have a data protection act (ala india) but america does have one so that's okay however I don't think americas data protection type act has any such conditions in it so technically they haven't broken it.
Re:It's not that simple... (Score:5, Insightful)
if you DON'T outsource- aren't you still giving people who have no connection with your customers their private information?
C'mon, it doesn't matter if the call center is in bangalore or in tampa bay, what matters is the legal hoops required to get it back/make reparations...
remember the afghanni woman who had been hired as a medical transcriptionist but not paid for her work? and threatened to make US citizens medical records public? she wasn't breaking any afghanni law, and she had NO OTHER RECOURSE for recompse for her labors.. (and good for her) the only real bonuses to outsourcing can be mitigated by differing laws, and the ability to 'seek damages' internationally...
These kinds of (employee, white collar) thefts occur.
The fact that it was overseas should not make it
HACK? (Score:2, Insightful)
I expected slashdot to at least notice this!
Outsourcing Of America.. (Score:1, Insightful)
Re:Easier to track (Score:5, Insightful)
take it a couple of steps further. Since $1 USD
goes so much further in India, instead of just
off-shore out-sourcing the "worker-bee" jobs there,
we really should be moving the corporate officers
and board of directors jobs there.
Just think, instead of a "Bernie Ebbers" who cooks
the books to the tune of $11 Billion USD in order
to keep that quarterly profit/quarterly bonus pyramid
scheme going at MCI/WorldCom, or a "Fiorina" that
has to be bribed $45 Million USD to leave HP,
the major shareholders could be looking at an
immediate 80% cut in pay and bonuses to their
corporate leadership by moving those jobs off-shore.
It isn't as if these US corporations wouldn't
directly benefit from hiring the top 1% of
Indian corporate officers, instead of the ethically
challenged USA-trained MBAs that we have now.
Re:Nail on the head! (Score:5, Insightful)
And here is the fallacy in your argument.
That indian tech may be getting a fraction of what YOU make per year. But, he is getting MANY TIMES as much as as the average Indian worker. Wealth is RELATIVE to your PEERS. Read any news story on outsourced workers and you see that they have some of the best living and working conditions in their country. Some even better than a lot of American workers.
And who says that Indian guy doesn't depend on his job? Why couldn't he have built a life around it? Just because they make fewer "American" dollars than you do, doesn't mean they're poor or any less deserving of what they have.
Everything is cheaper over there. The cost of living is way lower. This is why companies move their business there. They can pay him half what you make, and he still makes 3x as much as the next INDIAN worker.
Stop making the same WRONG argument that less american $$ = less skilled or less dedicated to one's job.
There was more contempt in your post than in its parent. You could do the SAME crime working as a first level hell-desk worker in the states. But I guess that would be okay because you "brought that work home."
Re:Or interfering with the democratic process (Score:3, Insightful)
The other posts are talking about copyright infringement, an act which has been mislabeled by the RIAA et al as "piracy" in order to make it sound horrible.
Re:Easier to track (Score:5, Insightful)
So when your logs show activity in Brazil, how is this easier then if your logs show activity in Maine?
Re:It's not that simple... (Score:1, Insightful)
The real issue here is the danger of outsourcing functions which require personally identifiable information and other sensitive data.
I mean let's face it. Embezzling is not a new thing and it happens more often from within than from outside.
And on that note, I found some "Insightful" stuff about those "GODDAMNED FOREIGN TERRORISTessesssess":
Ted Kaczynski
aka The Unabomber
Born May 22, 1942, Chicago, IL.
Timothy McVeigh
aka The Oklahoma Bomber
Born April 23, 1968, Lockport, NY
John Allen Williams
aka John Allen Muhammad
aka The Washington Sniper
Born December 31, 1960, New Orleans, LA
Re:Just a matter of time (Score:2, Insightful)
But the gravity is much stronger on the other side. I've been poor and unfed all my life......living in a place where being in jail could mean I get fed at least daily.....WHAT DO I HAVE TO LOSE?!?!?! Welcome to the beginning of the END
Dobbs racist? Please stop irrational accusations (Score:5, Insightful)
Even "nationalist" is nonsense, he's merely pointing out one of the problems with unresitriced and unbalanced "unfair" trade. Now, you could argue this is a good thing, and we could point out the problems and have a discussion. But by labeling him a racist, the only thing you're trying to do is to "shut down" any arguments by coming up with ridiculous ad hominem attacks.
I'm an immigrant to this country, and I'm not a fan of outsourcing. I'm all for other immigrants from all over the world to continue coming here and contributing their talents to our local economies, but there is a problem when now people don't even want to become US residents, because they jobs are being drained away from here. We're about to face a serious crisis, when our technological workforce is being decimated by these companies. And there's nothing racist in pointing that out, nothing.
As for security, I don't think most if any people here are saying that a particular nationality is less trustworthy. But you'd be a fool if you don't recognize that some of the safety mechanism we enjoy in this country, are not as robust or even exist in other parts of the less developed world. As we deal with the poorest of nations, with our sensitive data, we have to be *extremely* careful. Already, there have been incidents of bribing by local crime syndicates in some of these countries to obtain data to steal identities. Can that happen in the US? Of course! But the question is, where is it more likely, and what are the protections we need to employ in these situations.
There's a rich discussion to be had on this topic, but please, try to come up with something better than "they're racist".
Re:Nail on the head! (Score:5, Insightful)
And here's the fallacy in your argument - that same difference in pay scale/cost of living means that the $350K US that they made off with was worth a whole heck of a lot more to them than it would be to you.
Would I risk something like this for 10 years' salary? Nope.
Would I risk something like this for 50 years' salary? I'd like to think no, but I've never been tempted like this...
Would I risk something like this for for more money than I could otherwise reasonably expect to earn in my lifetime? Maybe. Imagine yourself in a situation where a few minutes effort would net you $10 million of someone else's money. Can you be sure that you wouldn't consider that at all tempting?
I'm not sure where these guys ended up on that scale, but I suspect that you're still talking about enough money to live comfortably for 20-30 years. The cynical part of me says that their real problem was that they didn't steal enough. If it had been a few hundred million, then they wouldn't be thieves, just international market speculators...
Re:No one listened to us, but... (Score:1, Insightful)
I you people only knew... (Score:3, Insightful)
With my work experience I can say that I it's so scary, that it makes me want to switch to cash and money orders for everything.
NOTE: I have access to 1 million new SSNs a month.
Consider some of my offshore counter-parts that US law inforcement would have a hard time prosecuting. Someone could sell that data for $250k or, then buy themselves protection from US authorities in a state that doesn't extradite.
This, the Choicepoint, and Lexus Nexus scandals are only the beginning. I'm certain that there are incidents that haven't ever, no will ever even be known. There isn't a law, other than in CA, that forces companies to disclose that there was theft.
Trouble with Outsourcing Call Centers (Score:3, Insightful)
There are new laws in the US for privacy. These laws are forcing financial institutions and health insurance companies to better secure their customer/client data. I work in an enterprise environment where we are currently implementing major security changes across all systems just because of the privacy laws. Here's a list of only some of the changes:
1. All users who have access to customer confidential data are completely logged with a full audit log. i.e. you just query a client and only read the data, it's logged. You query a client you shouldn't need to query and a red flag goes up. All transactions are logged and audited. Customer service reps have FULL ACCESS to all client data and transaction history. This need to be protected as much as possible.
2. All users who do not 'need' access to the client data have been removed from access. This includes programmers who once had access to production systems and live customer data. If a production problem occurs, the user has to contact their manager and request a special temporary user ID that is set to expire in 24 hours. This temporary id is issued to the user and reset. When the programmer or engineer is done with the user id, it's returned and reset. If the id is not returned, it's reset automatically within 24 hours or less. These special temp ID's have extra security and logging is more aggressive.
3. All access to client accounts, even access via clients themselves is logged.
4. All call center calls are recorded and archived for long term storage. Clients are told they are on a recorded line three different ways, once the automated voice system tells the user that all calls are recorded, the agent answers the phone and tells the client they are on a recorded line, and three there is a beep now and then to remind the client. Also they are recorded while on hold (just because it's easier then trying to stop recording). I would love to hear what people say when they think they are on hold and no longer being recorded! Call center manager frequently listen in on their service agent calls and review recordings daily.
5. There are departments such as special investigations and some legal departments that end up researching and reviewing logs when necessary. i.e. constantly looking for fraud or assisting the SEC, FBI, or police in an investigation.
Now, you outsource a customer call center to India and you let them access your client data. They need full access just like your local staff did. Trying to secure that data becomes much more difficult then if you are doing it here. Situations like what happened to Citibank are just one possibility. Another one, would be if the Indian Companies network is breached or their servers hijacked? Who really knows, because it's no longer on your network, how do you control the security? Obviously, you can't just host the servers in the US and provide the Indians a secure uplink, the cost is prohibitive and the speed is not great enough. You would have to put the servers in India. Imagine a 1,000 call center reps hitting the servers 24/7 with queries, you can't just pipe that to the US over a leased line!
Outsourcing customer data access to another country opens up major security questions as well as customer relations. I called 411 (information for local telco) and ended up talking to an Indian who couldn't get the name of the restaurant right even though I spelled it for him (Alpha Tango Foxtrot, etc) and kept giving me the wrong number. I gave up and went to the Internet to get the phone number! Try calling Circuit City sometime! I love how they answer the phone with a thick Indian accent but say their name is Chris or Richard! What a hoot, aliases to make them sound American!
Tip of the iceberg (Score:2, Insightful)
Wait until some unscrupulous coder hand your outsources CVS source tree over to a company in a former Soviet State.
Sure, you have "legal contracts" to prevent that. But once your course is out there, no amount of legal action (even if you do manage to find the people responsible, and manage to get them into a sympathetic jurisdiction) will get your IP back under your control.
Some things are not outsourced, ever, no matter the cost advantage. Some things that should not ever have been outsourced, already have been, because the bean-counters had no sense of the pain to which they could be subject as a result.
Give it time. The access methods to the customer data of major financial and insurance agencies, as well as the sources of major retail packages, are quite likely to be floating around as we speak. And even if they don't get disseminated, they're worth a king's ransom, and such ransom will be due in due time.
Re:Well that explains a lot (Score:3, Insightful)
Seriously, someone calls you and says they are from your financial institution and need info??? Yeah, right.
In the case of Discover, it was legit. Call me crazy, but its a precaution and extra 15 minutes of trouble I'm willing to take.
Re:Easier to track (Score:3, Insightful)
Re:It's not that simple... (Score:5, Insightful)
Yes, because Jefferson, Franklin, Hamilton, et al set off carts full of blasting powder in front of crowded Offices of the Crown, randomly killing people, and this is how the US won the war of independence.
Not that killing children in daycare is a good thing. But why were people in a federal building hiding behind children anyway? They know wackos attack federal people from time to time
WTF are you talking about? Name one attack on a Federal building prior to (or after!) McVeigh. They weren't "hiding behind children" because they had no idea there was anyone to hide from.
Bet some government wonk was dumb enough to beleive that nobody would ever think of attacking them with children as a flesh shield.
Bet it never occured to anyone that some dumbass would think it worthwhile to set off a bomb in front of a building full of boring, miscellaneous government drones smack dab in the middle of Dullsville. Really, what kind of tard do you have to be to pick such a stupid target? If he wanted a symbolic hit against the FBI or BATF, he should have picked a FBI or BATF field office, instead of a building with mostly Social Security and postal service workers.
McVeigh did some fucked up shit, but I still cannot help but feel some respect for having the balls to do what he did.
I have trouble respecting mental midgets with delusions of grandeur simply because they fancy themselves super-patriots. A man walking down the street randomly cutting of people's heads while shouting "no taxation without representation" is no patriot in my book either. I might agree with the premise McVeigh started from, but I'd have to give him a big fat zero for his chosen conclusion. Fuck McVeigh. Fuck him twice. He was a typical macho failed-to-get-into-Ranger-school-so-he-left-the-Ar my dumbfuck that gave other Desert Storm vets like me a bad name for a long time.
If more Americans had the nuts to take their government to task for oppressive things they have done to this great country, things wouldn't be as shitty and corp-controlled as they are.
Yes, but blowing one another up is not going to get the feds off our back. I guarantee that no amount of purely symbolic random bombing is going result in anything more than further oppression.
But here I am posting anonymously because I am afraid of what the government might do to me for speaking outside of the "official truth".
Talk about delusions of grandeur. The government doesn't care about some guy on a message board spouting off about patriotism. Really, you sound like an actual tin-foil hatter who thinks the government is trying to read his thoughts. The flaw in that line of reasoning is the presumption that the feds even give a fuck about a a nobody like you (or me, for that matter). They don't care about people like us! Get over yourself!
Re:Citibank Outsourcing (Score:3, Insightful)
Re:Nail on the head! (Score:5, Insightful)
Scapegoating Indian workers/outsourcing too easy (Score:3, Insightful)
This is a CITIBANK(unnamed bank) problem, not an outsourcing or Indian workforce problem. Citibank is just too big for it's britches and someone in Citibank's NJ HQ probably got a cut of this scam. Bet you'll see it come out in the investigation months from now, and how other banks are investigating stateside workers who are setting up these scams with workers abroad.
Re:It doesn't supprise me... (Score:1, Insightful)
Re:It doesn't supprise me... (Score:3, Insightful)
I live in New York, one of the richest cities in the world.
Re:Easier to track (Score:1, Insightful)