Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
United Kingdom Crime Privacy Security The Almighty Buck Technology

Call Center Operator and His Cousin Steal $645,000 From UK Water Supplier (bleepingcomputer.com) 97

An anonymous reader writes: "An unnamed UK-based regional water supply company lost over $645,000 in a sophisticated scam that involved social engineering, an inside man, and international bank transfers," reports BleepingComputer. According to a recently disclosed report, one of the water supplier's call center operators was taking screenshots of customer details and sending this data to his cousin in the UK. This person would trick other call center operators to reset the passwords for those accounts, add his bank account info to the account, and request a refund for previous transactions. Their operation was discovered after customers, usually small-to-medium businesses, discovered they couldn't access their accounts anymore, and also reported new bank account details. A search of the CRM logs revealed that only one call center operator had accessed those profiles, albeit he never initiated or approved refunds. When questioned, the arrogant employee signed an affidavit allowing investigators to search his home PC, thinking they would never discover anything, since he already wiped his hard drive. They did because he forgot to delete his shadow volume copies, where investigators discovered copies of emails sent to his cousin in the UK. These emails contained the screenshots of his work PC with SMB client data. In the end, the call center employee ended up helping authorities secure a conviction for his cousin.
This discussion has been archived. No new comments can be posted.

Call Center Operator and His Cousin Steal $645,000 From UK Water Supplier

Comments Filter:
  • by Anonymous Coward

    Never do a job you can't do by yourself and have to do more than once.

    • by 0xdeaddead ( 797696 ) on Wednesday May 10, 2017 @08:51PM (#54397411) Homepage Journal

      I worked right besides a fraud department for a major credit card company.. it never ceases to amaze me how ingenious the scammers we're, how the first few times were completely missed by all the fraud detection, and how every single one just kept on doing the same thing over and over thinking if it works once or twice, it'll surely work 200 times...

      • by ShanghaiBill ( 739463 ) on Wednesday May 10, 2017 @09:05PM (#54397479)

        how every single one just kept on doing the same thing over and over thinking if it works once or twice, it'll surely work 200 times...

        That is selection bias. You only know about those dumb enough to get caught.

        • by Anonymous Coward

          Funny how we rarely hear about companies making police reports over this scale of theft, and how the shareholders don't seem to care about it and don't try to hold the C*O's responsible.

          (If it happens as often as you imply, then we'd definitely know about it.)

        • Comment removed (Score:5, Interesting)

          by account_deleted ( 4530225 ) on Thursday May 11, 2017 @06:39AM (#54398745)
          Comment removed based on user account deletion
      • Those uningenious scammers weren't so clever after all.
        • The problem is all the other "clever" ones we will never hear about, and who will never be caught.
          • search his home PC, thinking they would never discover anything, since he already wiped his hard drive. They did because he forgot to delete his shadow volume copies,

            This one was not too bright....

  • by roc97007 ( 608802 ) on Wednesday May 10, 2017 @08:37PM (#54397363) Journal

    Today on the family channel, the heartwarming story of a call center operator who engineers a complicated scam and then rats out the relative who helped him. Brought to you by your friends at Hallmark. Don't forget mother's day!

  • Where? (Score:4, Insightful)

    by Anonymous Coward on Wednesday May 10, 2017 @08:53PM (#54397419)

    Let me guess... call center... corruption... India?

    • Re:Where? (Score:5, Informative)

      by Anonymous Coward on Wednesday May 10, 2017 @10:42PM (#54397767)

      From the article:
      "the law firm investigating the data breach then decided to research how the accounts were managed internally. This led investigators to a call center in Mumbai, India, where the water supply company had outsourced its customer support operations."

      • Re: (Score:1, Flamebait)

        by Hognoxious ( 631665 )

        There was no mention of the call centre's location in TFS, though. Because social justice.

        • The summary did mention "his cousin in the UK", which implied a non-UK call center, so the location was pretty obvious.

          • by Anonymous Coward

            No it wasn't. I was trying to figure out why they kept mentioning "in the UK". Just name the stupid country.

          • There are 200 and a bit countries in the world that aren't the UK. I wouldn't call a half a percent chance ''obvious''.

            In any case, it's shitty journalism. If you're writing a news article don't write it like a detective story.

            • There are 200 and a bit countries in the world that aren't the UK. I wouldn't call a half a percent chance ''obvious''.

              It is obvious, because (from the UK) every time I call a service company I am answered by a person with an Indian accent; it might s starts as a strange-sounding pseudo-British accent but it always lapses into a heavy Indian one as the conversation goes on (and gets more heated, because I have little patience with these bastards). Of course, they could be Indians anywhere in the World, like the USA, or Tunbridge Wells, but then you would expect a proportionate sprinkling of other accents too; but no, it's

        • There was no mention of the call centre's location in TFS, though. Because social justice.

          More like, because it would be redundant. If you're in the UK and you're dealing with an overseas call centre, it's an odds-on bet it will be in India.

          And in any case, what's the difference? An Indian scammer is no different than a Russia or American one.

      • This led investigators to a call center in Mumbai, India, where the water supply company had outsourced its customer support operations.

        The saddest part of all this is that the water supply company only lost $645,000 (which it will probably pass on to its customers) rather than going out of business entirely.

  • by DivineKnight ( 3763507 ) on Wednesday May 10, 2017 @08:55PM (#54397429)

    From the article (because the summary sounds insane -> if MS has found a way to keep Shadow Volume copies of files after a full disk wipe, the Pentagon needs to know about this), it sounds like he was running something akin to selective cleaning (i.e. CC Cleaner). The OS and other applications remained, while personal data was removed.

    • by guruevi ( 827432 )

      If you steal near $700k you can afford a pound of thermite not just for the hard drive but for the entire computer -or- someone that actually knows what they're doing and some 'shush' money.

      • Re: (Score:2, Funny)

        by Anonymous Coward

        If you steal near $700k you can afford a pound of thermite

        So your theory is that he rejected using thermite because of the cost?

    • Yes, TFA says "after wiping his hard drive" but it sounds like like he deleted his browser cache.
      • by Anonymous Coward

        No, the summery says the drive was wiped. The article says he used data wiping software. RTFA.

    • by msauve ( 701917 ) on Wednesday May 10, 2017 @10:30PM (#54397723)
      It was "wiping, like with a cloth or something."
      • Re: (Score:1, Flamebait)

        by Hognoxious ( 631665 )

        Which is ironic, because most Indians can't even wipe their arses.

        • by Megol ( 3135005 )

          I take that you think so by your experience licking the asses of a lot of Indians? Maybe you shouldn't frequent scat-fetish clubs in India...

    • From the article (because the summary sounds insane -> if MS has found a way to keep Shadow Volume copies of files after a full disk wipe,

      I'm assuming that the 'full disk wipe' was really just deleting the folder and the recycle bin.

      • by jabuzz ( 182671 )

        Must have been, because if he had booted from a Linux USB drive and followed this procedure

        https://www.thomas-krenn.com/e... [thomas-krenn.com]

        There is not a cat in hells chance of recovering any data. If that is too complicated then for 9 USD just buy a copy of Parted Magic that has as GUI to do it all easily for you.

        If you are extra paranoid then write some zero's all over the drive first. If you are majorly paranoid write zero's all over the drive, issue a secure erase then smash the drive up into pieces and do a fresh ins

        • If we could only get smarter people to turn to crime!

          • We do, those are ones who never get caught
            Or if really smart you don't even know about it,
            And in the case of criminal genius, they get public endorsement of their crimes every four years...
    • Wiping his computer, like with a cloth?

  • by Anonymous Coward

    Bill Gates once said: $640K ought to be enough for anybody.

    But this guy took $645K.

  • Sigh. (Score:5, Insightful)

    by ledow ( 319597 ) on Thursday May 11, 2017 @02:54AM (#54398249) Homepage

    And no system, human or technical, realised that new bank details were being entered for multiple accounts that all then requested refunds? I would hazard that some of those accounts might even have been the same.

    But your system didn't detect a pattern of "change bank details", "request refund", etc.

    That said, I would question why screenshots were possible - if indeed we are talking about proper screenshots rather than just taking a photo with his phone (which would presumably attract a bit more attention).

    If he did this from the work PC, you have serious failings - he's sending emails from work (presumably on an unblocked personal account) with screenshots of personal data.

    If he's holding his phone up to the screen and clicking on a regular basis? That's just as bad.

    The next question I have is why is the agent allowed to see the details, rather than just get prompted for security details? Why is there a page where they just see everything, rather than go through the same set of questions on the system that they would need to ask the customer? And if the answers aren't on display in front of him, but he has to type them in and let the system authorise whatever it is he's doing (e.g. I imagine changing bank details requires at least customer, account numbers, etc.), then a screenshot is basically useless.

    Least privilege principle. The agent doesn't need the other information on the customer unless he's specifically asked for it - in which case the request is recorded and you'd be able to see "Oh, Employee A requested Customer X, Customer Y and Customer Z's account numbers on all three occasions that those bank details were changed and then the customer complained."

    If I ran a call-centre, I would literally have PC's with encrypted data over serial consoles (no general purpose operating system access at all). There's no need for even a GUI. And every phone call would go through a list of options for the operative. They would see no information, but be prompted for the user details that they have to prompt for anyway. The system would prompt, the operative would relay the prompt and answer, the system would decide whether to grant access to the next FUNCTION (not just a screen full of customer data). Every keypress recorded in tandem with the call they're dealing with (storage is dirt cheap for such things, hell most schools record every phone call nowadays, let alone a call centre dealing with millions of pounds of product/service sales)

    If you need to check, say, the customer's email to let them know what one they used to sign up, you request it. The system returns a masked copy. If in doubt, you just request a change of email for the customer to ensure the one they want to use is the one that's entered in the system. If there's no change (i.e. you entered the same email as the system already has), the system can know that what you were asking is much less suspicious.

    If a function is risky (changing bank details), there's still no way for the operative to screenshot, and it might even need the mythical, never-present "supervisor" to press a button on his computer to authorise a change too. If your boss has to know you're doing it, authorise it and/or be in cahoots with it, then you're much less likely to even try.

    Anything really complex that does require the full customer record (like what? I can't imagine)? Done in a recorded full-access session available only on the superviser's authorisation and kept rare deliberately.

    This also automatically fulfills your data protection requirements as none of the people or computers have access to any information that's not required for their job. Literally, their job requires no more information than the system ever gives them.

    You then have the need (which is present anyway) to ban pen, paper, smartphones, etc. while working.

    And no minimum-wage prat can steal your customer database, spam every customer email, pull off stuff like this anywhere near as easily, disrupt the syste

  • by sad_ ( 7868 ) on Thursday May 11, 2017 @05:44AM (#54398649) Homepage

    don't use windows and expect to get away with it.

  • So you change the password and change the bank account, got it. What I can't understand is why would a water company give you a refund? Are they pre-paying for water? Usually you pay for the water that was used. Maybe a difference in the UK?
    • by Tomahawk ( 1343 )

      Likely these customers are paying the same amount every bill, precalculated based on past usage and payments. If the estimates were wrong, typically the company will adjust the monthly payments downwards for the next year. If that is the case, the customer's account would be in credit due to overpayment, and they should be able to request this money back again.

      Certainly electricity companies here (in Ireland, just next door to UK) do that. And if you switch supplier, the old supplier will refund any over

    • So you change the password and change the bank account, got it. What I can't understand is why would a water company give you a refund? Are they pre-paying for water? Usually you pay for the water that was used. Maybe a difference in the UK?

      Most people in the UK don't have metered water supplies. We may not own half the World any more, but one thing we're rich in is water. It's a bit different from living in Australia or California.

      Energy/water companies here love to over-charge you by taking a ridiculously large monthly direct debit, then generously reducing it after a year or so once you've built up a hefty credit balance. I'm actually impressed this company has a refund facility at all.

  • by Anonymous Coward

    Hmm... let me guess. Indians? Pakistanis? Say it ain't so!

    Isn't 'diversity' wonderful. We can't have white people simply having their own countries, can we.

    • by Megol ( 3135005 )

      White? Pigment-deficient pinkies more like it. And I wonder what you refer to as "white people" given that racists tend to exclude all others than themselves when using that "term".

  • The people running the call center are equally if not more at fault than the person who was stealing the account information.

    I worked at a large hosting company that has in house support. Cell phones are NOT allowed in the call center. In fact you can't even have a pen or pencil there. They use 8 x 10 white boards for immediate notes and those never leave the area. Access to external email is blocked. I don't know the rest of the security procedures but I have no doubt their internal email was screened as w

    • by Wulf2k ( 4703573 )

      The people running the call center provided exactly what was requested, the bare minimum at the lowest cost.

C for yourself.

Working...