Saturday, July 08, 2006

BPO Fraud - Future of security in financial institutions

It was the morning of 27th June, 2006. I was poring over the morning newspapers. All the newspapers carried the same headlines about the HSBC fraud involving a BPO employee who had reportedly leaked customer bank account details to a third party. Not to mention the siphoning of money from HSBC customer accounts that eventually had to happen once the anti-social elements got their hands on private information. As I was picking up the bits and pieces of the story, several points registered in my brain.


This was the second security-related fraud that saw the light of day in the BPO industry in India. The first had been the MPhasis related scam that had struck the then fledgling BPO industry in the early years of the new millennium. Though doubts had arisen then about the continued viability of the BPO industry in India, the other factors that had initially driven outsourcing to India were all too compelling for companies to even think of searching for immediate alternatives in terms of new centers, lower costs, higher security, English speaking resources, etc. However, this time around the fallout of incidents like these could turn out more disastrous for 2 reasons.
  • One, companies are already on the lookout for new BPO incubation centers to fend off rising employee costs in India, which is past the incubation stage and has become a voracious resource consumer too. They are readily discovering such centers in Latin America, South East Asia, South Africa, etc.
  • Two, the very concept of maintaining data privy to the customer at offshore locations has been dealt a death blow. As highlighted in both cases, BPO employees who had access to such data at offshore centers were the ones who played the devil. Housing of data in the customer's home country would mean that BPO operations would shrivel up in terms of the host of services that they are currently in a position to offer the customer. The end result would be that of the customer being tossed back and forth between call centers in his country and offshore centers located elsewhere depending on his service requirements.
It really is an unenviable position that the BPO centers are in currently. They are caught between the devil and the deep sea. At one end you have the customers, who have got used to low service charges and high quality services. Shifting offshore operations back would mean incurring all the high costs back at home that the financial institutions can ill afford. Not doing so would raise a big question mark in the customer's mind about the security of his/her data. Treading the middle path would be walking the razor's edge.

Two days later, when my mind was still receptive to any new developments in relation to the BPO fraud that had been unearthed, I received a thick packet via courier from HSBC. The packet contained a small plastic tab with an LCD screen and a single button. The accompanying letter said that HSBC was issuing this device as an additional security fence to be crossed while accessing our HSBC accounts online. The device generated a 6 digit code at random, based on an internal algorithm, every time I pressed the button. This code was to be submitted along with my account details and password every time I accessed my online HSBC account. I was perplexed as to how the six digit code could be authenticated when the plastic device in my hand never communicated with the HSBC systems. My only close guess was that the six digit code was being generated with a strong tie-up to the current date and time, and that the HSBC systems used the same algorithm to validate the code so generated. Quite ingenious, I would say, because what HSBC has done is remove part of the customer account access details completely from their system and place it in the next safest place: the customer himself. This would render any of the information passed on to outsiders by dishonest BPO employees almost useless unless they also have my code generating device with them. A perfect example of how technology can harass you or be harnessed to work for you. A perfect example also of how each scandal drives the paranoid being within us to erect one more security barrier around our data. Either way you take it, there is no denying that the technology vortex is dragging us deeper and deeper with every passing day.
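The guess above matches how time-synchronized one-time-password tokens generally work. The sketch below is an added example, not part of the original post and not HSBC's actual algorithm (which the post does not describe): it uses the public RFC 6238 TOTP scheme as a stand-in, and the shared secret, 30-second step and clock-drift window are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (RFC 6238 default; assumed, not from the post)
DIGITS = 6   # the post describes a 6 digit code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def token_code(secret: bytes, now: int) -> str:
    """What the device displays: HOTP with the counter set to the time step."""
    return hotp(secret, now // STEP)


def server_verify(secret: bytes, submitted: str, now: int,
                  last_step: int = -1, drift: int = 1):
    """Return the accepted time step, or None if the code is rejected.

    The server shares only the secret with the device, never a connection.
    It recomputes codes for +/- `drift` steps around its own clock and
    refuses any step <= last_step so an observed code cannot be replayed.
    """
    current = now // STEP
    for step in range(current - drift, current + drift + 1):
        if step <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, step), submitted):
            return step
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC test secret, constructed sample
    code = token_code(secret, 59)
    print("device shows:", code)
    print("accepted at step:", server_verify(secret, code, 75))
    print("replay result:", server_verify(secret, code, 75, last_step=1))
```

Account number and password alone fail `server_verify`, which is why details leaked from a back office are not sufficient to log in.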




9 comments:

Concerned Citizen said...

How safe is online trading you reckon? Would like your comments.

Vijay said...

Online Trading is just as safe as trading at your local neighbourhood. In other words online trading is just as safe as you would let it be. I say this because just as you take certain precautions while shopping at your favorite mall, you need to take similar precautions while trading online. I list some of the key ones here, though Googling for this might help you in detail.

1. Always use your credit card. Never your debit card.
2. Do not go on punching away your credit card number at all websites. Be selective and restrict your activity to a few trusted ones where your experience has been good. Just like you stick to a few good shops in real life.
3. Use the latest browser version if you are using Internet Explorer along with the latest patches. If you are the adventurous kind, try out Firefox or Opera. They are less susceptible to hacker attacks.
4. Before you go in for a financial transaction on the web, verify that the page is secured. In all browsers you can verify this by noticing that the "http" prefix for the site address has changed to "https" ( 's' meaning 'secure' ). Alternatively, look out for a pad lock symbol that appears at the bottom right hand corner of IE and in the address bar in case you use Firefox.
5. Be aware of phishing. Phishing is the concept wherein you are redirected to a website similar in appearance to your intended website, which induces you to share your card details. One way is to keep an eye on the website name in the address bar before you divulge your card information. The other way is to install Google toolbar in your browser, which warns you in case you are being redirected to a different website. IE version 7 has an inbuilt phishing detector.
6. In case you are still nervous, get in touch with people who have shopped at a website and seek their advice.
7. Never store your card details on the computer you use for surfing the Internet. If that is inevitable, install a good quality firewall. WIN XP comes with a default one. Good alternatives are offered by Symantec, ZoneAlarm, etc.
8. Avoid financial transactions on public computers like cyber cafes, offices, etc.

I think I have covered the essential ones. Do remember again that online transactions are just as safe as handing over your credit card to the local merchant down the street as long as you stick to the golden rules of security. Your security rests with you. Technology can only help.

Happy shopping !!!

Broke said...

Hi!

Nice detailed answer :)

Buddy, I have been working in the IT industry for the past 7 yrs. I did all the possible checks I could; however, when hard luck has to hit you, it hits hard, and I was down by 25K. Someone hacked my online share trading account and sold off my shares. Funny, but it happened.

1. I transact only using my laptop
2. Laptop is used 99% only by me, 1% is my family or at times my tech guy, which I ensure happens in front of me, and even that guy is trustworthy.

The only person I could think of was portal owner/employee/data manager/etc

Ecommerce Motto - life is uncertain and ecommerce will add spice to it :)

Cheers
Broke

Vijay said...

That's tough luck...but I still stand by my point that 99% of the time it happens because of some compromise in security somewhere..sometime. After all, security is only to enhance the chances of not falling prey to fraudsters and cannot be expected to offer 100% foolproof protection.

curious said...

Broke,
I didn't understand how somebody can get money by selling your shares online...The money will go to the linked bank account, right?? Did the person hack your bank a/c too?

Anonymous said...

Could I find out more about the regulatory changes in India or abroad that have come about in response to the frauds committed in the BPO sector?

Vijay said...

I have not observed government induced regulatory changes in India yet, though we might be driving towards them in case the Western countries start applying pressure on the government.

Verne said...

Definitely the recent events are a cause of concern to us who have been using internet banking. These stray incidents should not be a cause of great worry. Because these hackers can in no way escape, as they would have to leave a digital signature everywhere they meddled around. Though it’s a sure threat to security, the customers like me have no choice. Can I retreat back from internet banking? Or can I stop investing through internet banking from a foreign nation? What I feel is that these security lapse issues should ring a warning bell to the banks to step up security measures.
