Call Center Operator and His Cousin Steal $645,000 From UK Water Supplier (bleepingcomputer.com) 97
An anonymous reader writes: "An unnamed UK-based regional water supply company lost over $645,000 in a sophisticated scam that involved social engineering, an inside man, and international bank transfers," reports BleepingComputer. According to a recently disclosed report, one of the water supplier's call center operators was taking screenshots of customer details and sending this data to his cousin in the UK. This person would trick other call center operators to reset the passwords for those accounts, add his bank account info to the account, and request a refund for previous transactions. Their operation was discovered after customers, usually small-to-medium businesses, discovered they couldn't access their accounts anymore, and also reported new bank account details. A search of the CRM logs revealed that only one call center operator had accessed those profiles, albeit he never initiated or approved refunds. When questioned, the arrogant employee signed an affidavit allowing investigators to search his home PC, thinking they would never discover anything, since he already wiped his hard drive. They did because he forgot to delete his shadow volume copies, where investigators discovered copies of emails sent to his cousin in the UK. These emails contained the screenshots of his work PC with SMB client data. In the end, the call center employee ended up helping authorities secure a conviction for his cousin.
Fucking turncoat! (Score:1)
Never do a job you can't do by yourself and have to do more than once.
Re: Fucking turncoat! (Score:5, Interesting)
I worked right besides a fraud department for a major credit card company.. it never ceases to amaze me how ingenious the scammers we're, how the first few times were completely missed by all the fraud detection, and how every single one just kept on doing the same thing over and over thinking if it works once or twice, it'll surely work 200 times...
Re: Fucking turncoat! (Score:5, Insightful)
how every single one just kept on doing the same thing over and over thinking if it works once or twice, it'll surely work 200 times...
That is selection bias. You only know about those dumb enough to get caught.
Re: (Score:1)
Funny how we rarely hear about companies making police reports over this scale of theft, and how the shareholders don't seem to care about it and don't try to hold the C*O's responsible.
(If it happens as often as you imply, then we'd definitely know about it.)
Comment removed (Score:5, Interesting)
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
search his home PC, thinking they would never discover anything, since he already wiped his hard drive. They did because he forgot to delete his shadow volume copies,
This one was not too bright....
Today on the family channel: (Score:5, Funny)
Today on the family channel, the heartwarming story of a call center operator who engineers a complicated scam and then rats out the relative who helped him. Brought to you by your friends at Hallmark. Don't forget mother's day!
Re:Today on the family channel: (Score:5, Funny)
How could his cousin possibly know that a lying scamming thief would also be dishonest?
Re: (Score:2)
What, seriously? Well crap you got me. My secret is out. I haven't watched regular TV in years.
Re: Today on the family channel: (Score:4, Funny)
Why? Did "Family Channel" not imply enough gayness?
Where? (Score:4, Insightful)
Let me guess... call center... corruption... India?
Re:Where? (Score:5, Informative)
From the article:
"the law firm investigating the data breach then decided to research how the accounts were managed internally. This led investigators to a call center in Mumbai, India, where the water supply company had outsourced its customer support operations."
Re: (Score:1, Flamebait)
There was no mention of the call centre's location in TFS, though. Because social justice.
Re: (Score:2, Funny)
The fucking SUMMARY, you boong.
Re: Where? (Score:2)
The summary did mention "his cousin in the UK", which implied a non-UK call center, so the location was pretty obvious.
Re: (Score:1)
No it wasn't. I was trying to figure out why they kept mentioning "in the UK". Just name the stupid country.
Re: Where? (Score:1)
Lots of white people used to move to India. Of course, they treated the Indians quite a bit different, back then.
They're not moving there now, because India is a shithole. Race probably doesn't have anything to do with it. Probably...
Re: (Score:2)
If there is any problem(s) it/they are probably caused by the massive amount of people there, more people means one can't know all people around oneself - creating a society with mostly anonymous individuals free to lie, exaggerate, spout racist crap and generally making the place miserable. These anonymous filth like to infiltrate discussions caus... Oh, you are one of them. Should have guessed.
Re: (Score:2)
There are 200 and a bit countries in the world that aren't the UK. I wouldn't call a half a percent chance ''obvious''.
In any case, it's shitty journalism. If you're writing a news article don't write it like a detective story.
Re: (Score:2, Funny)
There's plenty in Ireland, so go and feck yerself. I doubt you could even point to Ireland if you were standing on it, you fat cunt.
Re: (Score:2)
There's plenty [of call centres] in Ireland, so go and feck yerself.
From the UK I have never been answered by a call centre operator with an Irish accent. Maybe they serve the USA.
Re: Where? (Score:1)
Many UK companies have Irish call centres. Out of all the call centres in India, the Philippines, Hungary etc which I've phoned, the person I found hardest to understand was from my car insurers in Northern Ireland. He had such a thick accent that even after asking him to repeat something three times, I still wasn't always sure what he said. I did wonder if the call was as frustrating and embarrassing for him as it was for me.
Re: (Score:2)
There are 200 and a bit countries in the world that aren't the UK. I wouldn't call a half a percent chance ''obvious''.
It is obvious, because (from the UK) every time I call a service company I am answered by a person with an Indian accent; it might s starts as a strange-sounding pseudo-British accent but it always lapses into a heavy Indian one as the conversation goes on (and gets more heated, because I have little patience with these bastards). Of course, they could be Indians anywhere in the World, like the USA, or Tunbridge Wells, but then you would expect a proportionate sprinkling of other accents too; but no, it's
Re: (Score:2)
There was no mention of the call centre's location in TFS, though. Because social justice.
More like, because it would be redundant. If you're in the UK and you're dealing with an overseas call centre, it's an odds-on bet it will be in India.
And in any case, what's the difference? An Indian scammer is no different than a Russia or American one.
Re: (Score:2)
And in any case, what's the difference? An Indian scammer is no different than a Russia or American one.
Wrong. The Indian scammer will be far more polite. And will ask you to do the needful.
The Indian scammer calls you "Sir", a hangover I suppose from the Raj. As in "Sir! I am calling from WIndows. Your computer has a virus SIR!"
Re: (Score:2)
This led investigators to a call center in Mumbai, India, where the water supply company had outsourced its customer support operations.
The saddest part of all this is that the water supply company only lost $645,000 (which it will probably pass on to its customers) rather than going out of business entirely.
Re: (Score:2)
The saddest part is that you have access to the Internet.
Re: (Score:2)
Don't worry, there are plenty of con artists in the UK.
Certainly, and there are plenty of Indians. They have taken it to a new level.
This [metro.co.uk] is the very first Google result I found. They even tried to bribe the jury.
Not exactly 'wiping' the hard drive (Score:3)
From the article (because the summary sounds insane -> if MS has found a way to keep Shadow Volume copies of files after a full disk wipe, the Pentagon needs to know about this), it sounds like he was running something akin to selective cleaning (i.e. CC Cleaner). The OS and other applications remained, while personal data was removed.
Re: (Score:2)
If you steal near $700k you can afford a pound of thermite not just for the hard drive but for the entire computer -or- someone that actually knows what they're doing and some 'shush' money.
Re: (Score:2, Funny)
So your theory is that he rejected using thermite because of the cost?
Re: (Score:2)
Well it couldn't possibly be because it might burn half the street down.
Re: (Score:2)
Re: (Score:1)
No, the summery says the drive was wiped. The article says he used data wiping software. RTFA.
Re: (Score:1)
"summery"? No, it's still spring here.
Re: (Score:1)
Now he can sue the software company for the $700k back Clever!
Re: (Score:2)
Re:Not exactly 'wiping' the hard drive (Score:5, Funny)
Re: (Score:1, Flamebait)
Which is ironic, because most Indians can't even wipe their arses.
Re: (Score:2)
I take that you think so by your experience licking the asses of a lot of Indians? Maybe you shouldn't frequent scat-fetish clubs in India...
Re: (Score:2)
They aren't very good at jokes, either. At least not intentional ones.
Re: (Score:2)
From the article (because the summary sounds insane -> if MS has found a way to keep Shadow Volume copies of files after a full disk wipe,
I'm assuming that the 'full disk wipe' was really just deleting the folder and the recycle bin.
Re: (Score:3)
Must have been, because if he had booted from a Linux USB drive and followed this procedure
https://www.thomas-krenn.com/e... [thomas-krenn.com]
There is not a cat in hells chance of recovering any data. If that is too complicated then for 9 USD just buy a copy of Parted Magic that has as GUI to do it all easily for you.
If you are extra paranoid then write some zero's all over the drive first. If you are majorly paranoid write zero's all over the drive, issue a secure erase then smash the drive up into pieces and do a fresh ins
Re: (Score:1)
If we could only get smarter people to turn to crime!
Re: (Score:2)
Or if really smart you don't even know about it,
And in the case of criminal genius, they get public endorsement of their crimes every four years...
Re: Not exactly 'wiping' the hard drive (Score:3)
Wiping his computer, like with a cloth?
Bloke got greedy. (Score:2, Funny)
Bill Gates once said: $640K ought to be enough for anybody.
But this guy took $645K.
Re: (Score:2)
This wasn't theft, it's copyright infringeme....
Oh, wait.
Re: (Score:2)
Too right mate. It's why we voted for Brexit!
Re: (Score:2)
Too right mate. It's why we voted for Brexit!
I thought it was about not having straight bananas?
Sigh. (Score:5, Insightful)
And no system, human or technical, realised that new bank details were being entered for multiple accounts that all then requested refunds? I would hazard that some of those accounts might even have been the same.
But your system didn't detect a pattern of "change bank details", "request refund", etc.
That said, I would question why screenshots were possible - if indeed we are talking about proper screenshots rather than just taking a photo with his phone (which would presumably attract a bit more attention).
If he did this from the work PC, you have serious failings - he's sending emails from work (presumably on an unblocked personal account) with screenshots of personal data.
If he's holding his phone up to the screen and clicking on a regular basis? That's just as bad.
The next question I have is why is the agent allowed to see the details, rather than just get prompted for security details? Why is there a page where they just see everything, rather than go through the same set of questions on the system that they would need to ask the customer? And if the answers aren't on display in front of him, but he has to type them in and let the system authorise whatever it is he's doing (e.g. I imagine changing bank details requires at least customer, account numbers, etc.), then a screenshot is basically useless.
Least privilege principle. The agent doesn't need the other information on the customer unless he's specifically asked for it - in which case the request is recorded and you'd be able to see "Oh, Employee A requested Customer X, Customer Y and Customer Z's account numbers on all three occasions that those bank details were changed and then the customer complained."
If I ran a call-centre, I would literally have PC's with encrypted data over serial consoles (no general purpose operating system access at all). There's no need for even a GUI. And every phone call would go through a list of options for the operative. They would see no information, but be prompted for the user details that they have to prompt for anyway. The system would prompt, the operative would relay the prompt and answer, the system would decide whether to grant access to the next FUNCTION (not just a screen full of customer data). Every keypress recorded in tandem with the call they're dealing with (storage is dirt cheap for such things, hell most schools record every phone call nowadays, let alone a call centre dealing with millions of pounds of product/service sales)
If you need to check, say, the customer's email to let them know what one they used to sign up, you request it. The system returns a masked copy. If in doubt, you just request a change of email for the customer to ensure the one they want to use is the one that's entered in the system. If there's no change (i.e. you entered the same email as the system already has), the system can know that what you were asking is much less suspicious.
If a function is risky (changing bank details), there's still no way for the operative to screenshot, and it might even need the mythical, never-present "supervisor" to press a button on his computer to authorise a change too. If your boss has to know you're doing it, authorise it and/or be in cahoots with it, then you're much less likely to even try.
Anything really complex that does require the full customer record (like what? I can't imagine)? Done in a recorded full-access session available only on the superviser's authorisation and kept rare deliberately.
This also automatically fulfills your data protection requirements as none of the people or computers have access to any information that's not required for their job. Literally, their job requires no more information than the system ever gives them.
You then have the need (which is present anyway) to ban pen, paper, smartphones, etc. while working.
And no minimum-wage prat can steal your customer database, spam every customer email, pull off stuff like this anywhere near as easily, disrupt the syste
Re: (Score:1)
Their "job" is to generate traffic and ad impressions. By trolling people who care, they accomplish the mission of their job quite well.
Re: (Score:1)
In short, editors, get off your ass and do your fucking jobs or get the fuck out.
The words from and idiot. [slashdot.org]
Re: Didn't 'wipe' the drive. (Score:1)
You should take your intelligent and insightful comments to Reddit. Oh, we will manage on our own without you. However, you'll be much more appreciated at Reddit. You should go there.
So.... (Score:2)
valuable lesson learned (Score:5, Insightful)
don't use windows and expect to get away with it.
Refund for What? (Score:1)
Re: (Score:2)
Likely these customers are paying the same amount every bill, precalculated based on past usage and payments. If the estimates were wrong, typically the company will adjust the monthly payments downwards for the next year. If that is the case, the customer's account would be in credit due to overpayment, and they should be able to request this money back again.
Certainly electricity companies here (in Ireland, just next door to UK) do that. And if you switch supplier, the old supplier will refund any over
Re: (Score:2)
So you change the password and change the bank account, got it. What I can't understand is why would a water company give you a refund? Are they pre-paying for water? Usually you pay for the water that was used. Maybe a difference in the UK?
Most people in the UK don't have metered water supplies. We may not own half the World any more, but one thing we're rich in is water. It's a bit different from living in Australia or California.
Energy/water companies here love to over-charge you by taking a ridiculously large monthly direct debit, then generously reducing it after a year or so once you've built up a hefty credit balance. I'm actually impressed this company has a refund facility at all.
"his cousin in the UK" (Score:1)
Hmm... let me guess. Indians? Pakistanis? Say it ain't so!
Isn't 'diversity' wonderful. We can't have white people simply having their own countries, can we.
Re: (Score:2)
White? Pigment-deficient pinkies more like it. And I wonder what you refer to as "white people" given that racists tend to exclude all others than themselves when using that "term".
Very very sloppy (Score:1)
The people running the call center are equally if not more at fault than the person who was stealing the account information.
I worked at a large hosting company that has in house support. Cell phones are NOT allowed in the call center. In fact you can't even have a pen or pencil there. They use 8 x 10 white boards for immediate notes and those never leave the area. Access to external email is blocked. I don't know the rest of the security procedures but I have no doubt their internal email was screened as w
Re: (Score:1)
The people running the call center provided exactly what was requested, the bare minimum at the lowest cost.