another example of the Credit Card industry's deceptive advertising targeting children
cartoon of the month

Tuesday, July 05, 2005

Sarbajit Roy, NDTV's sting on Dr. Bajaj

So the truth is out, "Sarbajit Roy is a former hacker for the Government", or so says NDTV. Its comforting to know that we have a free and vibrant media in India, bold enuff to take spycams into the office of India's top cyber investigator Dr. K.K.Bajaj and get to see him blathering away that he has no powers to investigate cyber crime in India, or data theft either. Mind boggling stuff! "Sarbajit"

BPO fraud: Was it a sting or a set up?
Priyam Bhasin

Monday, July 4, 2005 (Gurgaon):

Ten days after the British tabloid Sun claimed its reporter had bought confidential details of British customers from an Indian call centre employee, it's not yet clear who is investigating the BPO fraud.

No formal complaint has been lodged yet though the Prime Minister has said cyber laws in the country need to be strengthened.

But in another twist, a former hacker with the government says it's very easy to get credit details of UK bank customers in India.

Reacting to charges that the Indian BPOs have poor securtiy standards, the industry has fought back saying business is booming only because they have the confidence of their clients.

"There's more security here than in many places in the west," said Pramod Bhasin, global head, Gecis.

"Clients who outsource ensure security standards. They are very good here," said Dr Balakrishnan, head, Supercomputing, IISc.

Data source

Then where did Karan Bahree get the data from?

Sarbajit Roy, a former hacker with the government, says it's not difficult to get credit details of UK bank customers in India.

Roy says these are given by banks themselves to small call centres to chase defaulting customers, which find their way to the markets in the form of CDs.

Perhaps, Bahree could have just bought one of these CDs to sell to Harvey.

So Roy, who has raised this issue with the RBI, has filed an application with the government asking Bahree to appear and reveal where the data came from.

Police investigations into the matter have been far from revealing. More than a week after the story broke, the Haryana police say they are yet to make a breakthrough. A formal police complaint has still not been registered.

In fact, it's not even clear who is investigating the case.

The IT Act says that the certifying authority of the government's IT department is fully empowered to investigate IT thefts.

But the controller of certifying authorities refused to comment saying it's not his job.

The delay means that the trail of crucial electronic evidence will turn cold and the truth may never be out.

Was it a security lapse?

So what was the sting operation trying to expose. Security lapses or just hit at the thriving BPO business?

Security experts and companies themselves see in this whole controversy an attempt to hit at the credibility of India's BPO industry and tarnish its image.

"I agree it's a set up," Dr Balakrishnan said.

"It's not about security, it's about outsourcing. You are at more risk if you use your credit card in a shop," said Bhasin.

But the Bahree case has had some positive fallout. The industry is strengthening systems just so that this one-off incident does not have any long term impact.

Agencies are being appointed to check the background of employees and the government is planning to tighten the IT Act to minimise data theft to make sure that their security standards are internationally recognised.
Business News
Trackback: Sarbajit Roy cyber hacker

Sarbajit Roy, The Insider

The Insider
PRAGYA SINGH (Indian Express Newsline)

Posted online: Sunday, July 03, 2005 at 0000 hours IST

IN the last few days Karan Bahree has become the face, though a reluctant one, of the outsourcing industry. It’s a face that reflects the troubled industry that makes $13 billion a year.

Last Thursday, British tabloid The Sun declared it had Bahree on camera, exchanging British banks’ private information for Rs 3.4 lakh. The Sun says he got the information from call centres in Delhi.

Since then, Bahree has vanished, but the call centres haven’t rested. The papers flash his pictures, the tabloids feast on him and every self-respecting blog underwrites India’s IT industry.

Even Prime Minister Manmohan Singh has stepped in: On Wednesday, he wanted to know how the culprits are being booked and the alleged security loopholes in call centres plugged. These call centres, flagships for India’s equally well-to-do software exports, are taking a lot of the flack.

Bahree, still only 24, emerged briefly in a letter to his employers. In it he said he took the money, gave the CD to Sun’s reporters but says he doesn’t know what was on it. In fact, it wasn’t his CD at all, he claims; it belonged to an acquaintance, with whom he split the booty.

A vortex of allegations has spawned, turning Bahree into a foolish boy, the law enforcement into spectators, The Sun into an evil avenger for ‘Benedict Arnold CEOs’. And call centres, which say Indian security is world class, into victims of racism or of vested interests. BPOs know trouble when they see it, and after dealing with the US, they sense a need to lie low.

In the ruckus, Bahree, a public-school boy brought up in Delhi, turned his cellphone off. Neighbours at his parent’s Dilshad Garden home say they haven’t spotted him for a while. Even his father won’t say where he is.

The evasion may seem ridiculously easy, considering the storm Bahree has raised. But this hide-and-seek could, in fact, be Karan’s life’s work: At Infinity e-Search, a small Gurgaon-based web design firm (not call centre) he was on probation for

Rs 10,000 a month. It fired him without notice on Tuesday, not convinced by his desperate letter. On weekends, Bahree’s closest ally was a gentleman who runs a PCO next door to his home.

In all this, where does a CD wielding 1,000 bank customer’s names, passwords and PIN numbers fit in? The closest anyone has got to an answer is: Palika Bazaar, Nehru Place and Janak Puri.

In one of these buzzing marketplaces, frothing with everything from the contraband to the unusual, someone picked up the troublesome CD and Bahree handed it to the sleuths from The Sun. This much is indicated by a public interest litigation (PIL) filed before the Delhi government on June 28.

The PIL follows up on an eight-month-old legal battle against illegal call centres that allegedly compromise the outsourcing industry. It is the only formal complaint in the Bahree case.

It could be—though that does not excuse Bahree’s role—that he thought he was pulling a fast one on his UK ‘clients,’ by peddling a relatively easy to find CD for big money. If that was the case, then The Sun missed the bigger story.



Re: The Insider

1) As the sole complainant in this matter, my "PIL" (actually its my interim application in the sole "hacking" complaint under IT ACT filed in Delhi till date) simply requests Oliver Harvey and Bahree to help the ongoing investigations into "theft" of banking data which is ongoing for 14 months now. Forensic analysis of the CD in Harvey's possession will lead India's cyber cops to a mother-lode of hacked data (estimated to be over 1.2 million accounts Indian credit card accounts of British Banks) which RBI and the Indian Govt have known about for almost 14 months now and had tried to sweep under the carpet.

2) Its therefore hilarious to see Dr. K.K.Bajaj (Deputy Controller of Certifying Authorities and Director CERT-IN and India's Top Cyber Investigator under section 28 of the IT ACT) caught on hidden spycams by NDTV blathering away that "data theft" does not fall within his investigative powers.

3) As a small newspaper(?) in Delhi says "Let there be Light" shed on this matter and especially why the Cyber Regulatory Tribunal has not been constituted till date thereby bottlenecking all cyber prosecutions in the country. Once again Dr. Bajaj - has a lot to answer for.

Posted by: sarbajit roy, India, 04-07-2005 at 0930 hours IST

Trackback: Sarbajit Roy Insider