Shostack + Friends Blog Archive


Workers Steal PINs, Cash

BANGALORE, India — Former employees of a call center in Pune, India, were arrested this week on charges of defrauding four Citibank account holders in New York, to the tune of $300,000, a police official said.

The three former employees of Mphasis BPO, the business process outsourcing operation of Bangalore software and services company Mphasis BFL Group, are charged with collecting and misusing account information from customers they dealt with as part of their work at the call center, according to Sanjay Jadhav, chief of the cybercrime cell of the Pune police.

The threat of data theft and misuse is no higher in India than in other countries, including the U.S., according to the National Association of Software and Service Companies in Delhi. The organization maintains that Indian outsourcing companies have adequate security systems in place.

I expect to see this spun as an outsourcing problem, but it’s not. The problem is that a worker was allowed to see the PIN and the account number that goes with it. It used to be that banks used (or at least pretended to use) a one-off serial number on the paper you wrote your PIN on; the PIN was entered elsewhere, and the serial number was then discarded, so nobody handling the account record ever saw the PIN beside it. Now, for efficiency, that may have been abandoned. Odds are very good that Citi will eat the loss, now that those responsible have been arrested. But what if they hadn’t been? Did Citi insist that “only you know your PIN”?

(Quotes from ComputerWorld.)
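The separation described above, as an added illustration (not Citi’s, Mphasis’s, or the post’s own code): the PIN lives only in a PIN service keyed by a one-off serial, the account system holds only the serial, and the call-centre view shows neither. The lockout limit, the HSM assumption and the sample account data are constructed for the example.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3  # constructed limit: a worker holding a serial cannot guess a 4-digit PIN at leisure


class PinService:
    """Holds only (serial -> HMAC(PIN)) and never sees an account number. The key is
    assumed to live in an HSM in a real deployment; it never leaves this service."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._verifiers = {}  # serial -> HMAC-SHA256 of the PIN
        self._failures = {}   # serial -> consecutive wrong guesses
    def _mac(self, pin):
        return hmac.new(self._key, pin.encode(), hashlib.sha256).digest()
    def capture(self, pin):
        """Take the PIN once; hand back a fresh one-off serial that stands in for it."""
        serial = secrets.token_hex(8)
        self._verifiers[serial] = self._mac(pin)
        self._failures[serial] = 0
        return serial
    def verify(self, serial, pin):
        """Answer yes/no only, and lock the serial after MAX_ATTEMPTS wrong guesses."""
        expected = self._verifiers.get(serial)
        if expected is None or self._failures[serial] >= MAX_ATTEMPTS:
            return False
        if hmac.compare_digest(expected, self._mac(pin)):
            self._failures[serial] = 0
            return True
        self._failures[serial] += 1
        return False


class AccountSystem:
    """The call-centre side: account data plus the serial, never the PIN itself."""
    def __init__(self, pin_service):
        self._pins = pin_service
        self._accounts = {}  # account_no -> {"holder": ..., "serial": ...}
    def enrol(self, account_no, holder, pin):
        serial = self._pins.capture(pin)  # the PIN goes straight to the PIN service
        self._accounts[account_no] = {"holder": holder, "serial": serial}
    def authenticate(self, account_no, pin):
        rec = self._accounts.get(account_no)
        return rec is not None and self._pins.verify(rec["serial"], pin)
    def worker_view(self, account_no):
        """What a call-centre worker is shown: no PIN and not even the serial."""
        return {"account_no": account_no, "holder": self._accounts[account_no]["holder"]}
```

Even a worker who reads the account table gets only a serial, and the PIN service will refuse to answer for it after three wrong guesses.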

2 comments on "Workers Steal PINs, Cash"

  • Iang says:

    Yes it is almost certainly going to be spun as an outsourcing problem, but it isn’t for two reasons: firstly if it was an outsourcing problem, then bringing it back to the US would mean more work for US crooks, which would be an odd policy.
    Secondly, splitting data across countries and placing the data in countries where the people themselves are more distanced and disinterested is a reasonable governance technique. Balanced against that is that when these people do start to steal the data, it may be much harder to figure out how it is happening.
    What is surprising is how little outsourcing has been breached for data theft. Most insider theft is traced back to the center, not to the outsourced peripheries. Would make for a good research project!

  • Mr. Anonymous says:

    My employer uses MPhasis for outsourcing. Matter of fact, most of the development in my office is going there, including all our stuff for our billing systems.
    I’ve been complaining for several years that we should not have access to passwords, ssns, credit card info etc as easily as we do. No one listens, of course.
    And no, it is not an outsourcing problem. As ticked off as I am at outsourcing at the moment, I have to admit this is a different issue. But we’re definitely opening things up where not only do we have this info so easily available, but who has access to it is spread literally across the globe.
    I could seriously run a query on a production box here and get several thousand CC numbers, with all related info, and it would be untraceable, no logging at all. Not only that, but I can retrieve a list of usernames and passwords that can be used to do anything in the system and have the transaction logged under anyone I choose.
    After a year of this gaping security hole, The Powers That Be finally allowed us to place all this behind a password. The username and password to access it, however, are the same across the dozens of systems we maintain.
    I do not work for a small company, but one that prides itself on “security.” But when these issues are brought up we’re met with blank looks; the problem, I’m told, is outsiders getting in, not insiders doing bad things. So this problem is not going away, and will get worse as more and more people have access to the code that will let them see where the security issues are.
