India-Based Call Centers Seek Better Background-Check System

April 29, 2005

India's technology firms are creating a centralized employee information depository, with employment, education and even credit histories, for conducting employee background checks.

The issue of background checks for Indian technology job candidates arose this month after 12 people were arrested for allegedly defrauding four Citibank account holders in New York of more than $300,000. Three of those arrested were former call center employees of Mphasis BFL Group in Mumbai.

This depository, to be launched as a pilot over the next two months by the Delhi-based National Association of Software and Service Companies (Nasscom), India's major technology trade group, is designed to fix a problem in the developing country: a lack of centralized personal data.

In the U.S., employers can use so-called data brokers, including two that recently reported security breaches -- ChoicePoint Inc. and Lexis-Nexis Group -- to get background information on job candidates. But India doesn't have centralized, national databases.

In fact, it wasn't until last year that a national credit-reporting agency, the Credit Information Bureau of India Ltd., was formed to gather data on Indian citizens.

Without access to that type of data, Subbu Venkataraman, a vice president at Sierra Atlantic Inc., a Fremont, Calif.-based provider of offshore IT services, depends on former employers and third-party firms to check the references of Indian job candidates.

Once someone applies for a job at a Sierra Atlantic Indian facility, the company checks his qualifications with previous employers, said Venkataraman in an interview from India.

A third-party reference-checking firm is also used, and job candidates may be asked to provide paper documents, such as credit card bills and bank records, to help verify their credit histories, he said.

Sierra Atlantic's process is "an India solution for an India problem. It seems to be working fine," said Venkataraman.

Safeguards in Place

As envisioned, the Nasscom program would allow technology workers to voluntarily register in the database, said Nasscom Vice President Sunil Mehta. The registry will be administered by a third party that will hire a professional reference-checking company to conduct background checks, he said.

Jeroen Tas, vice chairman of Mphasis, said the theft of data from his firm may be the result of someone getting customers' phone numbers and calling them outside of Mphasis facilities to gain personal identification numbers for account access. "Clearly, it is important that we keep reminding everybody that they shouldn't give out PINs," he said.

Mphasis doesn't allow its business process outsourcing employees to bring in any media that can be used to copy files, and calls are monitored, Tas said.

Background checks don't necessarily weed out problems, said Bruce Schneier, chief technology officer at Counterpane Internet Security Inc. in Mountain View, Calif. "Sure, they'll find known criminals," he said, "but they won't find people with no criminal records who might steal money when the opportunity arises."

Reference checks didn't turn up any problems with the arrested employees, Tas said.

It may be up to employers to sort out best practices in dealing with offshore firms. The Financial Services Technology Consortium was developing offshore standards over issues such as the handling of live data.

But it dropped the project because member financial services firms worried that any best-practice book could be used by federal authorities to develop more-stringent regulations, said Jim Salters, director of technology initiatives for the FSTC.

© 2005 Computerworld.
© 2005 CRM Daily.

This one got away

R.K. Raghavan

Yes, security was breached in the recent incident of fraud at an Indian BPO operation. Which means losing no time to arm ourselves effectively. This is how we can go about it.


A CALL centre in Pune looking after Citigroup customer relations was recently vandalised. Managed by MphasiS BFL, this centre was, by all accounts, an efficient outfit with more than a reasonable accent on security.

Suddenly, at least four Citigroup customers based in the US found that their accounts had been tampered with, and substantial sums of money (totalling about $350,000) transferred to accounts in and around Pune. On a complaint from Citigroup officials in India, the Pune Police sprang into action and did some smart field enquiries that established the involvement of a few former employees of the call centre. Investigation revealed that this gang had won the confidence of the customers victimised and secured their Personal Identification Numbers (PIN) with which they were able to access their accounts online and achieve their criminal objective.

Those who are familiar with security regulations in vogue in well-run call centres would know that employees are searched when they enter and exit the premises. They are not allowed to take even a scrap of paper, not to speak of any implement to copy or record any material. These restrictions are nothing new or special, and are taken for granted by the firm that outsources the job.

Also, telephonic conversations with customers from within centres are monitored at random. You may therefore rightly ask the question: How did the Pune group execute their diabolical plan? (If `diabolical' is a strong expression, I use it deliberately because the damage caused to our image as a secure IT vendor is inestimable.)

I am told that most, if not all the members of the gang, had memorised the crucial numbers, walked thereafter into cyber cafes where they accessed the page relating to each account in Citibank's Web site, opened new e-mail IDs replacing the ones originally given by the customers, and thereafter transferred funds. It is as simple as that.

What do you make of the Pune episode? Was it a case of poor physical security? I don't think so, unless investigation, as it progresses, reveals any collusion between the security guards posted at the centre and the former employees who have now been arrested.

Possibly, it was a case of system vulnerability. Some banks have switched over to double authentication. This may tighten up access and prevent intrusion. Some banks can think of an enhancement to transaction processing by which a customer is notified of unusual transfer of funds. This will be something akin to the practice of a few banks providing for an SMS notification to customers whenever an ATM transaction is made.

Whether these would have helped in Pune is a moot question, because once you win over a customer and persuade him to submit himself to you without reservation, there is precious little the best of brains in cyber security can do.

Was it a case of poor background check? I am not very sure whether any such check was done at all by the company that runs the centre. It is for them to tell the customers on their own as to what they had done in this regard. My preliminary information does not reveal that any of those now in custody had a criminal record. Only if they had any, a check would have yielded valuable information, provided the checking agency had the resources.

My own impression of most of the private agencies who claim to be experts in background checks and who fleece their customers (sometimes as much as Rs 5,000 for each candidate checked) is very poor. Many organisations wanting an employee's past data have unfortunately nothing else to fall back on. However, the Pune incident does reinforce the need for more rigorous checks by all IT companies, especially those in the BPO business.

Some police forces respond to requests for a record check from private companies. Many don't. It is for the Union Home Ministry (MHA) and the IT Ministry to appeal to State governments to be helpful in this regard. This need not be a free service. The police can levy a substantial fee. The National Crime Records Bureau (NCRB) under the MHA does this in a limited way in respect of stolen cars. There is a case for it to expand its database by talking to the State Police through the MHA.

Nasscom is said to be building a database of IT employees. Once this becomes ready, it should help raise the quality of background checks. Additionally, Nasscom has the clout to establish a partnership between IT companies, the IT Ministry in Delhi and State Police forces that would handle the nuances of background checks, at least for IT company recruitment. All the three have a huge stake in preserving our reputation as a security-conscious IT nation.

In the final analysis, what we are discussing here is a case of so-called `social engineering'. This would mean that there is something beyond the well-oiled systems that we have to take care of. Clients of outsourcing financial institutions would do well to step up customer education. It is not as if they are not already doing this. In this instance Citibank would like to study how they could not instil a stronger sense of security in customer minds. Their findings would be useful to others who would also want to plug loopholes in their drill to sensitise customers.

It is easy to dismiss Pune as one of those incidents that happen regularly in many countries in the developed West. The difference is that these countries can afford to be indifferent because of their own wealth and their stringent and swift criminal justice system that ensures quick punishment of the guilty. India cannot afford to be indifferent or complacent. We are the envy of the rest of the world. We should not allow our advantage to slip from our hands purely because of the dishonesty of a few individuals. Let us study Pune in its entirety and take immediate remedial action.

(The author is a former CBI Director and currently Security Adviser to TCS Ltd.)

Financial Daily from THE HINDU group of publications

Monday, May 02, 2005
