
Saturday, May 21, 2005

CBI on Citigroup Mphasis credit card hacking

This one got away

R.K. Raghavan (source : The Hindu Business Line, 02 May 2005)

Yes, security was breached in the recent incident of fraud at an Indian BPO operation. Which means losing no time to arm ourselves effectively. This is how we can go about it.

A CALL centre in Pune looking after Citigroup customer relations was recently vandalised. Managed by MphasiS BFL, this centre was, by all accounts, an efficient outfit with more than a reasonable accent on security.

Suddenly, at least four Citigroup customers based in the US found that their accounts had been tampered with, and substantial sums of money (totalling about $350,000) transferred to accounts in and around Pune. On a complaint from Citigroup officials in India, the Pune Police sprang into action and did some smart field enquiries that established the involvement of a few former employees of the call centre. Investigation revealed that this gang had won the confidence of the customers victimised and secured their Personal Identification Numbers (PIN) with which they were able to access their accounts online and achieve their criminal objective.

Those who are familiar with security regulations in vogue in well-run call centres would know that employees are searched when they enter and exit the premises. They are not allowed to take even a scrap of paper, not to speak of any implement to copy or record any material. These restrictions are nothing new or special, and are taken for granted by the firm that outsources the job.

Also, telephonic conversations with customers from within centres are monitored at random. You may therefore rightly ask the question: How did the Pune group execute their diabolical plan? (If 'diabolical' is a strong expression, I use it deliberately because the damage caused to our image as a secure IT vendor is inestimable.)

I am told that most, if not all the members of the gang, had memorised the crucial numbers, walked thereafter into cyber cafes where they accessed the page relating to each account in Citibank's Web site, opened new e-mail IDs replacing the ones originally given by the customers, and thereafter transferred funds. It is as simple as that.

What do you make of the Pune episode? Was it a case of poor physical security? I don't think so, unless investigation, as it progresses, reveals any collusion between the security guards posted at the centre and the former employees who have now been arrested.

Possibly, it was a case of system vulnerability. Some banks have switched over to double authentication. This may tighten up access and prevent intrusion. Some banks can think of an enhancement to transaction processing by which a customer is notified of unusual transfer of funds. This will be something akin to the practice of a few banks providing for an SMS notification to customers whenever an ATM transaction is made.

Whether these would have helped in Pune is a moot question, because once you win over a customer and persuade him to submit himself to you without reservation, there is precious little the best of brains in cyber security can do.
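As an added illustration, not part of the column or of any bank's system: a simple rule that combines the two enhancements mentioned above, flagging a transfer to a never-used payee made within 72 hours of a contact e-mail change (the pattern described earlier, where the e-mail ID was swapped before funds were moved) and alerting the address that was on file before the change as well as the new one. The event format, account identifiers and addresses are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed event format (an assumption for this example, not any real bank's log).
@dataclass
class Event:
    ts: datetime
    kind: str           # "email_change" or "transfer"
    detail: str         # new e-mail address, or destination account
    amount: float = 0.0

WINDOW = timedelta(hours=72)

def flag_transfers(events, known_payees, contact_email, window=WINDOW):
    """Return (event, reasons, notify_addresses) for each suspicious transfer.

    A transfer is suspicious when it goes to a payee never used before AND the
    contact e-mail was changed within `window` beforehand.  Alerts go to the
    address that was in force before each recent change as well as the current
    one, so that swapping the e-mail ID does not silence the real customer."""
    payees = set(known_payees)
    current_email = contact_email
    email_history = []          # (ts, old_address, new_address)
    flagged = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "email_change":
            email_history.append((ev.ts, current_email, ev.detail))
            current_email = ev.detail
        elif ev.kind == "transfer":
            reasons = []
            if ev.detail not in payees:
                reasons.append("new payee")
            recent = [h for h in email_history if ev.ts - h[0] <= window]
            if recent:
                reasons.append("e-mail changed in last 72h")
            if len(reasons) == 2:
                notify = {current_email} | {old for _, old, _ in recent if old}
                flagged.append((ev, reasons, sorted(notify)))
            payees.add(ev.detail)   # a completed transfer makes the payee "known"
    return flagged

def run_sample():
    """Constructed account history: one routine payment, an e-mail swap, a large
    transfer to a new account the next day, and a later transfer outside the window."""
    events = [
        Event(datetime(2005, 3, 1, 9), "transfer", "LANDLORD-ACCT", 900.0),
        Event(datetime(2005, 4, 1, 10), "email_change", "new-id@example.com"),
        Event(datetime(2005, 4, 2, 9), "transfer", "PUNE-ACCT-01", 120000.0),
        Event(datetime(2005, 5, 1, 9), "transfer", "PUNE-ACCT-02", 50.0),
    ]
    return flag_transfers(events, {"LANDLORD-ACCT"}, "customer@example.com")
```

Only the 2 April transfer is flagged: the routine payment goes to a known payee, and the May transfer, though to a new payee, is a month past the e-mail change.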

Was it a case of poor background check? I am not very sure whether any such check was done at all by the company that runs the centre. It is for them to tell the customers on their own as to what they had done in this regard. My preliminary information does not reveal that any of those now in custody had a criminal record. Only if they had any, a check would have yielded valuable information, provided the checking agency had the resources.

My own impression of most of the private agencies who claim to be experts in background checks and who fleece their customers (sometimes as much as Rs 5,000 for each candidate checked) is very poor. Many organisations wanting an employee's past data have unfortunately nothing else to fall back on. However, the Pune incident does reinforce the need for more rigorous checks by all IT companies, especially those in the BPO business.

Some police forces respond to requests for a record check from private companies. Many don't. It is for the Union Home Ministry (MHA) and the IT Ministry to appeal to State governments to be helpful in this regard. This need not be a free service. The police can levy a substantial fee. The National Crime Records Bureau (NCRB) under the MHA does this in a limited way in respect of stolen cars. There is a case for it to expand its database by talking to the State Police through the MHA.

Nasscom is said to be building a database of IT employees. Once this becomes ready, it should help raise the quality of background checks. Additionally, Nasscom has the clout to establish a partnership between IT companies, the IT Ministry in Delhi and State Police forces that would handle the nuances of background checks, at least for IT company recruitment. All the three have a huge stake in preserving our reputation as a security-conscious IT nation.

In the final analysis, what we are discussing here is a case of so-called 'social engineering'. This would mean that there is something beyond the well-oiled systems that we have to take care of. Clients of outsourcing financial institutions would do well to step up customer education. It is not as if they are not already doing this. In this instance Citibank would like to study how they could not instil a stronger sense of security in customer minds. Their findings would be useful to others who would also want to plug loopholes in their drill to sensitise customers.

It is easy to dismiss Pune as one of those incidents that happen regularly in many countries in the developed West. The difference is that these countries can afford to be indifferent because of their own wealth and their stringent and swift criminal justice system that ensures quick punishment of the guilty. India cannot afford to be indifferent or complacent. We are the envy of the rest of the world. We should not allow our advantage to slip from our hands purely because of the dishonesty of a few individuals. Let us study Pune in its entirety and take immediate remedial action.

(The author is a former CBI Director and currently Security Adviser to TCS Ltd.)

2 Comments:

Anonymous said...

Hey... Interesting post on broadband phone service VoIP. By the way, I just found this resource where you can post your own articles on broadband phone service VoIP, if you have something you want to share with the world. Besides, at the same time you'll get a link back to your own site on anything concerning broadband phone service VoIP, or whatever else you'd like... why don't you check it out for yourself now...

2:09 AM  
Anonymous said...

Hey, I noticed your site is about spoofed SMS. I found somewhere, if you're in the UK, that allows you to send spoofed SMS!

Send a TXT "EN SPOOFING 07712345678 Hi i really fancy you" to 69911; "Hi i really fancy you" is sent to 07712345678 and the user gets a standard reply.

Change 07712345678 to the number you want to send to!

The spoofed SMS costs £1.50 per msg but it's really good!

I hope you enjoy this :) I did, so pass on the word!

Remember, it's UK only.

4:20 PM  
