Oh, Those Perils of Outsourcing!
The Times of India reports that call-center employees of MSource, a financial services outsourcing arm of MphasiS, ripped off about $350,000 from Citibank account holders:
They allegedly transferred a total of Rs 1.5 crore (US $3.5 lakh) from a multinational bank into their own accounts, opened under fictitious names. The money was used to splurge on luxuries like cars and mobile phones.
Twelve people, including the alleged mastermind, have been arrested. The police are trying to determine the extent of the scam and whether the accused committed such crimes earlier...
...Asked to divulge the name of the bank, the accounts of which have been hacked into, Dayal said he could not reveal names of the company’s clients as they had signed a non-disclosure agreement. But, according to sources, the bank is Citibank.
According to the police, Thomas, who worked in the callcentre for six months before quitting the job in December 2004, had the secret pincodes of the customers’ e-mail IDs, which were used to transfer money. In January, he roped in his friends and transferred money from four accounts of the bank’s New York-based customers into their own accounts, opened under fictitious names.
The money was transferred to the accounts on February 22, March 23 and March 31. The amount was later withdrawn by cheques drawn in their (accused’s) names or on the names of other people. The customers, from whose accounts the money had been withdrawn, alerted the bank officials in the US, after which the crime was traced to Pune...
In other words, it appears from this report that Citibank's security operation never detected the fraud: the account-holders apparently were the outer edge of the security perimeter. If this holds true, it's potentially a bigger story than trusting outsourced BPO vendors with key corporate secrets.
Forrester Research is predicting that this incident, in combination with incredibly high attrition rates, will serve to dampen the market for BPO outsourcing by as much as 30%.
A couple of take-aways:
1) MphasiS' Pune centre was both BS-7799 security-certified and CMM Level 5-certified. Certifications are no panacea.
2) Citibank needs to examine whether its account-holders detected the fraud before the bank itself did... and, if so, how its security organization dropped the ball.
Times of India: BPO staffers hack bank A/Cs, steal Rs 1.5 cr