
Indian Call Center Employees Hack US Bank Accounts

Posted by CowboyNeal
from the easy-money dept.
The Ascended One writes "Call center employees working for an Indian software company, MSource, supposedly used confidential client information to transfer client funds to themselves. The alleged perpetrators used the personal information of four NY-based clients to transfer ~$350,000 (Rs. 1.5 crores) in their names, a large sum in Indian currency. They were caught after the victims alerted the bank officials in the US, who then traced the crime to the Indian city of Pune. While the name of the bank has not been revealed, the article indicates that the bank in question is Citibank."
  • not hacking (Score:5, Interesting)

    by romit_icarus (613431) on Friday April 08, 2005 @05:56AM (#12174252) Journal
    I wonder if this can be called hacking, looks more like a combination of poor process and security management on the part of Citi (if it is indeed Citi). Companies in the US should be wary of the extent of employee churn that happens in BPO firms in India. I'm in India, and I often get to hear of ex-employees stealing databases when they leave...
  • by t_allardyce (48447) on Friday April 08, 2005 @06:00AM (#12174273) Journal
    I only hope this news flashes through the industry and gets in the heads of CEOs and PHBs everywhere who then start aborting outsourcing attempts.

    If you're in Europe, fear not, the data protection act bars your personal information from leaving the EU (I think?).. unless it's going to the CIA so they can have you extradited without trial.. Either way, if you're worried, call up your bank and demand to know where they send your data, it's public information by law.
  • Citibank Outsourcing (Score:5, Interesting)

    by Coward the Anonymous (584745) on Friday April 08, 2005 @06:12AM (#12174309)
    Citicards, the Credit card division of Citibank, got a new CIO several months ago. Mitchell Habib. He came from GE Medical. Before leaving there, he outsourced about 75% of their IT staff to India. He's currently doing the same at Citi. I worked there as a contractor. Two other contractors on the team and I were unable to get our contracts renewed because it came down from on high that all new contracts had to go thru TCS, Tata Consulting Services. They are the Indian outsourcing company that he used in the past. I recently went back to visit some friends and met my replacement. A nice young Indian guy making a third to a quarter of what I made there.

    From what I understand, the standard rate for calculating your budget for contract work went from $70/hr to $22/hr. Of course, I believe they charge around $40/hr for their workers in the states.

    Can't compete with that.

    Here are some links about Mitchell Habib and TCS:

    http://www.rediff.com/money/2003/apr/03tcs.htm?zcc=rl [rediff.com]

    http://www.tcs.com/0_media_room/releases/200204apr/20020411_ge_medical.htm [tcs.com]
  • by neckdeepinspecialsau (756133) on Friday April 08, 2005 @06:20AM (#12174345) Homepage
    I once called a creditor of mine and was obviously routed to an overseas call center. The gentleman on the other end of the phone after asking me my issue asked me my social security number. I was hesitant to give it away to a guy in India making $.50 an hour but figured I was being paranoid. I gave him the number and he said please hold. The next thing I knew he put me on hold and I was transferred to another service representative (in the US) who also asked for my social security number. Well needless to say I let them have it basically "Why would they ask me for my social security number to transfer me?" I started checking my credit report and stopped doing business with the bank. Nothing came of it and I was being paranoid but the reality is this sort of thing can happen anywhere. At a restaurant you give the server your card. Most servers make low wages and they take your card off to the back room usually.
  • Re:Easier to track (Score:5, Interesting)

    by TTL0 (546351) on Friday April 08, 2005 @06:49AM (#12174430)
    I work in InfoSec and did a consulting project for a company that sells software (for clearing checks) to a lot of major banks. I was amazed how insecure banks really are! However, the banks rely on their ability to audit all transactions more than secure policies and procedures. So to sum up, it is easy to steal from banks; it is hard not to get caught.
  • by Moderation abuser (184013) on Friday April 08, 2005 @06:58AM (#12174454)
    Piracy in the UK:

    Unlimited fine and 10 years in prison.

    Vote rigging in the UK:

    Unlimited fine and 2 years in prison...

    e.g.
    http://news.bbc.co.uk/1/hi/england/west_midlands/4406575.stm [bbc.co.uk]

  • by Anonymous Coward on Friday April 08, 2005 @07:21AM (#12174539)
    "If money was transferred illegitimately from a US customer to somewhere in the US, it would be much harder to figure out what was going on than if it was being sent to India."

    Right. Because it's so much easier for the FBI to trace money in India than in the U.S. Do you even think things through a *little* before you post?

    That ranks up there with the stupidest things I've read in about 3 weeks.
  • by mAineAc (580334) <.moc.liamtoh. .ta. ._____cAeniAm.> on Friday April 08, 2005 @07:44AM (#12174620) Homepage
    Because it's cheaper than giving it to a `fellow American`. I should have thought that were obvious.

    I find this odd. Many jobs that I have tried to get they will not give you if you have bad credit because you are a potential security risk. But now those same companies outsource to some of the poorest countries. How is this not a security risk?

  • by DarkHelmet (120004) * <mark@nOspam.seventhcycle.net> on Friday April 08, 2005 @07:52AM (#12174654) Homepage
    Okay, to add to the prank, I just created a fake-phishing site:

    http://64.182.120.114/citibank/ [64.182.120.114]

    Try putting in any bogus information into the username / password field.. You'll be redirected (via javascript, nothing posts), to a page with big yellow lettering saying "YOU MORON!"

    I thought the "Protect yourself from identity theft" blurb on the page was classic.

    This will all be part of a new site I'm going to make called:

    http://www.hahathatswhatyouget.com [hahathatswhatyouget.com]

    I just got the site, so it'll take a little bit for DNS to resolve :)

    Feel free to try and fool people with this URL. I'll try submitting the link to slashdot in a few days for shits and giggles.

  • That's exactly the problem though. If you are willing to work for $22/hr. You need to get a job with TCS first, and then get sent to Citi. Now it's a lot like going to work for a staffing firm based in the US, who has a contract with another company in the US...

    How easy is it for you to get a job with TCS if you are already based in America? Not very easy. Plus if a company like USAA and Citibank have given exclusive contracts to TCS, then it makes it extremely hard for local recruiting agencies and talent to get the job. How come every company that has a contract with TCS ends up having 20-30 new Indian contractors? Something needs to be done about these exclusive contracts, and TCS needs to be told to first look for local talent. I know lots of people who have lowered their rates, just to compete with the Indians, but these exclusive contracts to companies who naturally are averted to experienced local candidates (can't exploit them as well), needs to be changed.

    PS: I am an Indian immigrant myself, I moved here when I was 13. And, I am competing for my job with classmates I had in India. I'm not racist or a bigot. I haven't lost my job to an outsourcing firm etc, but that's because I rarely work for large firms that can afford outsourcing in the first place.
  • by Anonymous Coward on Friday April 08, 2005 @08:00AM (#12174686)
    Having recently returned from India, one of the biggest things I found was that almost everyone was trying to find a way to part you with your money. Strangely enough, the only place that this wasn't true was in the area near Pakistan (the desert) where the only industry is tourism and the most important need is water.

    Leading up to our trip, everyone told us to watch out for pick-pockets. We did not find this to be common. Of course, there were countless people who are willing to tell you anything, including flat-out lies, to take your money.
  • by Threni (635302) on Friday April 08, 2005 @08:33AM (#12174840)
    > You should care. The costs investigating the theft to try and return the money
    > to you, and the possible subsequent loss to the bank if they never recover (but
    > refunded to you) are built into your bank fees, interest rates, etc. Less theft
    > = lower costs for banks = lower costs for consumers.

    I don't know the details of how banks work in the US but I'm in the UK. I get paid into my current account (think you lot call it a `checking account`). It pays 0.2% interest or something - pretty useless. But the account is free, and I get a debit card with which I can withdraw money from a hole in the wall (ATM) machine, or use it to buy stuff on the net or in shops. I don't get charged for this (the shop does). I have two credit cards, also free (as I don't borrow on them) - one mastercard, one visa - which I use online/over the phone, as you get better protection, free insurance etc. Every month or so I move any money from my current account that doesn't need to be there to pay credit card bills, standing orders etc, into a high interest online account (these average 4.5% to 5.5% in the UK. I think you get something crappy like 2% in the US).

    So, were my bank to lose money (from my account) as a result of fraud, I probably wouldn't even know about it as I wouldn't be the first/only person to suffer, so chances are it'll be discovered and corrected before I know about it. And were I to notice it, I'd demand the bank sort it out, which I have every faith they would. I'd not lose any interest, and I'd never be out of pocket such that I couldn't buy any food (always a good idea to have some cash at home in case the networks all go down or whatever).

    Sure, some people haven't figured out how little interest they get in a current account and lose a fair bit of money each year by leaving it all there - their problem. Some people need to borrow money - their problem. Some people choose to pay for their account, or credit cards - their problem. At the end of the day, the banks make so much money from mortgage owners, taking 4 or whatever days to process cheques (`checks` in the US) that the money they lose from credit card (or whatever) fraud is negligible. Plus, they have insurance against that too! This is partly why `chip and pin` has taken so long to get sorted in the UK - they could have done it years ago (as they did in France, Denmark, New Zealand etc) but it's not until fraud loses them hundreds of millions rather than just tens of millions that it's worth undertaking such a large project.

  • by MoeDrippins (769977) on Friday April 08, 2005 @08:36AM (#12174852)
    "Then the New York Times article, titled "We're From Bangalore (But We're Not Allowed To Tell You)" revealed all. Indian call centers now had to acquire American accents and generic Anglo names..."

    From http://www.corpwatch.org/article.php?id=10048 [corpwatch.org]
  • by Anonymous Coward on Friday April 08, 2005 @09:09AM (#12175067)

    ...it came down from on high that all new contracts had to go thru TCS, Tata Consulting Services.

    These "preferred vendor" arrangements are admittedly a major pain in the neck for consultants. Pretty much all of them are nothing more than glorified paper pushing middlemen. For operating a repetitive, easily automated process that should cost at most $10 USD per payroll cycle, they want a 5-30% cut. Fortunately, they seem to only infest the larger companies for now. However, they still represent a threat to everyone who wants to leverage the services delivery business model of open source.

    Standing as a monopoly or oligopoly gateway to these larger companies, you flat out don't pass through until you pay their toll. These preferred vendors represent a huge frictional cost to the adoption of open source-based services.

    The larger companies use these middlemen however, because it is more efficient from their point of view to outsource the processes to deal with contractors. Make it even more efficient to do it another way, and these companies will switch to that method. Or technology. So that means stuff that geeks consider very boring, like HR-XML standardization efforts, are actually quite important to make it very easy to operate e-procurement systems which reduce the frictional costs of dealing with business entities.

    I suspect that the vast majority of Slashdotters are 9-to-5'ers rather than contractors, however. So I'm probably just wasting my breath trying to convince anyone here that making it easy to set up contracts and new business relationships would vastly improve their standard of living by enabling them to more easily go into business for themselves.

  • by Anonymous Coward on Friday April 08, 2005 @11:29AM (#12176441)
    --Yes, you know something is wrong, and Brazil is where it happened... so you just call up the local UK police, and tell them to go to Brazil and arrest somebody, right?

    The problem here is not with the particular nationality of anyone involved, but the concept: many Indian employees are paid well compared to local rates, they also know that they are only paid a fraction of what they know the former US workers were. Additionally, (it is my understanding that) many of the Indians are essentially hired on a temp/contract employment basis. If you know that you are getting paid a pittance from a rich foreign company and you can reasonably expect that you will eventually be cut loose anyway, then what would motivate you NOT to steal? Certainly not gratitude towards your employer, or the assumption of a permanent position.

    -Additionally, outsourcing companies in India are already getting bit hard by work leaving for places that are even cheaper.

    So to speak: the Indian is not dumb, they may see that the gravy train is coming through town, but it ain't stopping for long. And thus the temptation to get what one can while the getting's good.... Most would not commit such crimes of course--but if just 1/10 of one percent do, the costs to the affected companies would be huge. They might even have to cut back on their CEO severance benefits....

    (somehow I feel no sympathy for companies that get screwed this way, this was all a very predictable risk that reasonable people would have seen coming)
  • by Anonymous Coward on Friday April 08, 2005 @11:37AM (#12176534)
    Sad, but the losses that the banks incur will most likely be written off.

    Banking is a coddled industry of insiders.
    They have been negligent in doing proper security.

    And yet they get to rule us all.
  • Re:Easier to track (Score:3, Interesting)

    by Anonymous Coward on Friday April 08, 2005 @02:25PM (#12178510)
    So true. Back in the early 1990s I worked for HP Test & Measurement (which made test equipment that is now known as Agilent). My fellow AE who specialized in telecom/datacom test equipment came back from a pre-sales demo at Wells Fargo Bank at their main IT center in San Francisco. Apparently HP wasn't going to get any business from them anytime soon: the demo didn't go well. My buddy thought he was showing them something that could help them debug and harden their Automated Teller Machine network.

    Basically he hooked up a T1/T3 analyzer to one of their main trunks and started showing how you can split out and split in datastreams to check things like per-channel BER and stuff. Then he hooked up a datacom analyzer to one of the split out channels that had modem traffic on it (which you could see on the T1/T3 analyzer). One of the useful features of the datacom box was a modem which would dump the decoded modem traffic on a phone channel into ascii and pump it onto the datacom's screen. So they started watching the data traffic in real time.

    Pretty quickly it became apparent that he had picked up an ATM transaction. It also became apparent that the entire transaction including account numbers, names, pins and transaction commands were being transmitted 100% in cleartext ascii over modem! The Wells Fargo IT manager saw this too and, wait for it, he kicked out the HP Sales Rep and AE yelling and screaming how he never wanted to see any HP test equipment enter a Wells Fargo facility ever again or hear that HP was talking to Wells Fargo IT employees about telecom or datacom products ever again.

    Gee, security through obscurity. Needless to say, probably (?) most banks are using at least SSL or SSH by now, but for a measly $20K (in 1990 dollars, far cheaper today) in off-the-shelf equipment you could trivially do a man-in-the-middle replay attack just by putting some cones down and wearing a hardhat and hooking up to one of those telephone boxes outside the bank! And what audit trail other than your word would some poor slob have against an "obvious secure" ATM transaction? None really.

    This is absolutely true, unfortunately.

  • Re:Nail on the head! (Score:3, Interesting)

    by pipingguy (566974) on Friday April 08, 2005 @07:53PM (#12182346) Homepage

    Would I risk something like this for more money than I could otherwise reasonably expect to earn in my lifetime? Maybe. Imagine yourself in a situation where a few minutes effort would net you $10 million of someone else's money. Can you be sure that you wouldn't consider that at all tempting?

    That reminded me of a Twilight Zone(?) episode where the following dialog takes place (stolen from a website):

    "...a dark stranger brings a box to a man's door, promising wealth if he only presses a button on the top. As he is about to do just that, the dark stranger says, "if you press the button, someone you don't know will die."

    The man debates it for a while, and then presses the dark stranger's button. The dark stranger hands the man his reward, and turns to leave, box in hand. As he leaves the man asks, "Where is the box headed now?"

    The dark stranger replies, "Oh, I'm just taking it to someone you don't know."
  • by Anonymous Coward on Friday April 08, 2005 @09:06PM (#12183025)
    Take a hike pal. American Capitalism did exactly the same things to 3rd world Latin American countries if not worse than what Lou Dobbs describes as happening to "Americans" (Read aging white urban professional crowd). His incessant rant about illegal aliens is pathetic. Illegal aliens (mostly Mexicans) are everywhere. They do all menial work. Instead of crediting them for doing these jobs, he is trying to make them untouchables. He never presents the other side of the coin and he is a journalist. I don't see why the person who called him a racist should!

    If you are willing to lick shoes to immigrate to America and others are not, that's your problem. (You wearing an American flag for a t-shirt doesn't change the fact that you jumped through hoops to achieve immigrant status and everyone knows it.) Whether you like it or not, outsourcing will stay, because that's the way capitalism works. If you don't like it, go back to where you came from - you might find a job. Your opinion doesn't matter unless you are ultra rich.

    Finally: Welcome to America. Land of Opportunity. And Lou Dobbs is a pretty pathetic attempt at covering up racism.
