Schneier on Security
A blog covering security and security technology.
June 24, 2005
Indian Call Center Sells Personal Information
There was yet another incident in which a call center staffer was caught selling personal data. The data consisted of the banking details of British customers, and it was sold by people at an outsourced call center in India.
I predict a spate of essays warning us of the security risks of offshore outsourcing. That's stupid; this has almost nothing to do with offshoring. It's no different from the Lembo case, and that happened in the safe and secure United States.
There are security risks to outsourcing, and there are security risks to offshore outsourcing. But the risk illustrated in this story is the risk of malicious insiders, and that is mostly independent of outsourcing. Lousy wages, lack of ownership, a poor work environment, and so on can all increase the risk of malicious insiders, but that's true regardless of who owns the call center or in what currency the salary is paid. Yes, it's harder to prosecute across national boundaries, but the deterrence here is more contractual than criminal.
The problem here is people, not corporate or national boundaries.
Posted on June 24, 2005 at 9:35 AM
There is one difference. It's to do with the legal system. If there are differences in legal systems, you may not be able to get redress in the other country - and vice versa.
Be a bit careful with articles from the Sun newspaper; they tend to be a bit on the sensational side and light on facts (it's what sells to the "Chav" market in the UK).
Apart from that, I am not overly surprised that an Indian call center worker is happy to sell the details. I am surprised that it is for 5 USD a name, though (I suspect you could get it for a lot, lot less if you shopped around).
The average income in large parts of India is 1 USD a day, rising to 600 USD a month at the professional levels, so the price is quite high.
If you are wondering about the passport details, in the UK you pretty much have to allow the bank to photocopy your passport if you want to open an account. Also several other things like a photo driver's licence, utility bills and council tax bills, all of which they photocopy. Basically everything you would need to commit identity theft.
It is also an interesting case, in that it is not clear the individual involved has actually broken any criminal law in India. They are not necessarily a British citizen, and the incident did not occur within the UK's borders, so British law probably does not cover it and extradition is unlikely.
For that matter, I suspect that the Data Protection Act and the European Safe Harbour rules do not apply either. At the end of the day I guess no prosecution will result, nor any other (meaningful) action be taken.
I would like to be wrong (as I could be one of those whose details have been sold).
What was not mentioned was that several unions involved with banking in the UK have been warning about "offshoring" jobs for just this reason and were told that they were scaremongering.
On another, not unrelated, note: I have had problems with several UK banks trying to force me to have Chip and PIN and debit cards, which I have refused.
All I want is a cheque book and an ATM card and nothing else, which I have had for many years without problem. In one case (the Halifax) they have cancelled my ATM card and refused to issue a new cheque book, so they have effectively stopped me getting at my money, as they will not replace the existing ATM card and will not let me draw the money out without it.
If you believe the massive advertising campaign then you would think Chip and PIN is really safe. Unfortunately the reality is that Chip and PIN has seen an increase in card fraud, not a decrease, so why would anybody in their right mind want one?
I suspect that the banks love it because it effectively removes all the consumer protection (SET again). So the banks' problem resolution boils down to "We've got your money; sue us to get it back."
There is more incentive for an Indian to do this because their politicians are more corrupt and their need is greater.
"I predict a spate of essays warning us of the security risks of offshore outsourcing. That's stupid; this has almost nothing to do with offshoring."
I agree, but I still feel safer "onshore"; it's just a question of how much safer and what benefits will be given up.
Nick, good point.
Here's another difference: in the U.S., there are accepted standards for employment. A typical call-center worker will be vetted through a standardized background-check process, a drug-screen, and so forth.
Can a firm that offshores consumer data describe the vetting processes of their offshore firm? And the reliability of those doing the vetting?
IMO, it is far riskier to pipe sensitive and valuable data offshore than it is to keep it onshore, all other factors being equal.
"Lousy wages, lack of ownership, a poor work environment, and so on can all increase the risk of malicious insiders"
Where are the wages lousier, ownership more questionable, and the work environment worse than in offshore outsourcing? There are no American or European labor laws and no reasonable minimum wage. To top it off, people leave their homes to live near the outsourced jobs. This would tend to make the living conditions and work environment less than ideal.
That, combined with the legal issues of prosecuting the perp, causes a greater concern with offshore outsourcing. I don't think it's just FUD.
Because there is an inherent suspicion of "the other", Indian call centers have to go to greater lengths than US call centers to demonstrate the security of their processes. For example, some of them search employees to make sure they have no pencil or paper; and the workstations have no floppy drive or USB ports.
I think the key to offshore call centers is vetting the company.
What we have here is a lot of people commenting about conditions in India with no first-hand knowledge. Conditions in India - especially for people working in call centres - are actually quite good. People do not live as well as they do in the US, but they live quite well by Indian standards. The $1 a day to $500 a month range is about right, but it isn't a problem when the cost of living is as low as it is. Yes, if someone earning $100 a month (which is a good estimate for a low-level call centre worker) wanted to live in Manhattan, they could definitely not afford it. In most parts of India, however, they're doing better than most.
The problem with discussing outsourcing in the U.S. (and I live in the US too) is that people take it personally; it is their jobs that are going abroad. This is normal. But you don't want to fall into the trap of comparing wages and quality of living in India to that in the US. There is no easy way to equate them. People with outsourced jobs in India do pretty well in Indian terms.
As to the question law and order, this will not be an issue in this particular case. The people responsible have been identified and will be made an example of. India has spent too much effort on its image as the best place for outsourcing to have it ruined by one misbehaving employee.
P.S. I've lived in India for 15 years of my life; in case you're wondering why you should listen to me :)
I'm sorry if in my above post I came across as saying that Indians live well in general. This is not the case - I was trying to make the point that people working in call centres actually do quite well by Indian standards.
And another thing to notice here, most importantly, is the scare tactic by the media. Initially it was reported by the Sun (which, from what I understand, is considered a tabloid in the UK). They reported it as this "one random guy" who "could potentially" sell about 2,000 identities a month.
Then it was reported by The Register as this "IT guy" who "could potentially" sell up to 200,000 identities a month. After that it was turned by the BBC into the "IT Expert" who could sell about 200,000 identities.
The error is 9,900%. We don't trust election polls that have a +/-10% error; what kind of faith can I have in these people?
Interestingly, that same day when the Sun reported it, legislators in the UK were having problems with another offshoring deal involving some of their family tree data.
I'll agree the problem here is indeed people, not national or corporate boundaries. If you look at the issue in that light, you'll progress towards a real long term solution. Regardless of who's doing your call center support (in-house, outsourced, or internationally outsourced), if you're responsible for making sure the process is working securely, you should be looking at the human part of the process.
In that light, it's true that in some ways it's easier to control the people while they're in-house (well, usually, depending upon whether or not they're unionized, whether you're operating in an at-will employment state, etc.). That is, if you have the ability to control the negative consequences for people who violate your procedures, you can tailor the negative consequences to modify the behavior of a larger number of the workers.
However, you may actually have more control over the people in an outsourced environment than in an in-house one. If you're outsourcing to a dictatorship and you give the dictator a regular supply of large quantities of money, it's conceivable that you could have the power of life and death over your workforce -> that's a pretty strong negative consequence!
I don't advocate the above as a business practice; there are other (hopefully obvious) drawbacks to such an arrangement.
If your in-house call center employees are unionized and it is difficult to fire one of them on mere suspicion of corporate misdeeds, you have less control over the negative consequences for them than you do if you can dismiss one immediately.
Of course, there's a tradeoff here too -> a workforce with better job security is probably going to be a more content workforce and therefore a more stable and secure workforce. You need carrots and sticks, not necessarily the tastiest carrot or the biggest stick!
I could be (often am) wrong, but this sort of situation cries out for the same kinds of insurance solutions that have served the private sector for decades. Individual Fidelity Bonds can be purchased by workers to provide employers with an assurance that valuable items (or data) that they work with (or around) are protected against theft. Likewise, employers can purchase blanket bonds to insure against dishonesty by their employees. Such arrangements would seem to be ideal, so long as insurers, employers and workers are in agreement as to the value of raw and filtered data. If you can quantify the economic value of a passport number, a postal address, or an ATM PIN, you have a mechanism by which risk can be bought, sold and managed in an efficient fashion. Unfortunately, there are perverse incentives for all three parties to discount these estimates.
It would therefore seem that until statutory penalties or (more likely) damages in the tort system materialize, these bad actors will continue to behave as if the problem is restricted to embarrassment and tarnished corporate image. There are very real costs to the corporations in terms of fraud and eroding confidence in the integrity of financial services firms, but these numbers continue to be concealed from the public and -- more importantly -- from investors. Thus I don't hold out much hope of meaningful inside-out reform, at least not here in the U.S.
The only problem I really see with outsourcing itself is that in a lot of places we can not do background checks.
I used to work as a security analyst for a large financial institution; basically, if you have a bank account, your money touches their systems at some point. They have around 5 bases of operation in India, and one of the big things I could not figure out is how we were in compliance with our own policies, because we could not do background checks on anyone in India -- and these people were not just desktop support; they also had superuser/admin access on a lot of our core systems.
However, agreed overall that the problem itself is not outsourcing, but that is one major problem with it.
The EU has laws saying that a lot of financial and personal data cannot be databased outside EU countries precisely so any criminal will face European law if caught. It's a damn good idea, IMHO.
@ JollyRoger: Seems to me that that's only "a damn good idea" if it's the case that the justice system in any EU country, at least when it comes to prosecuting data thieves, is better than the justice systems in all non-EU countries; is that the case?
The standard of living for those working in call centers in India may be higher than most, but it's still not as high as that of the Westerners whose data they're charged with protecting, right? And aren't most of the call center employees' family and friends still earning much lower wages? And the response is to "make an example" of the individuals involved?
Do you really think this is an environment that is going to make the employees feel a sense of responsibility for the data they're protecting? Personally, I'm not comfortable.
If a call center worker in India makes a good living compared to the other employment options, I would think that most are inclined not to do anything to jeopardize their job. Contrast that with call center workers in the US or Europe; are their wages enough to afford them a good life when measured against the cost of living? If anything, call center workers in the US or Europe might be more tempted to make a quick buck.
I can see how, from an information security point of view, you can say that outsourcing does not increase the risk of information disclosure. I think this is totally wrong from a systems POV, however.
All systems boil down to people and motives. If information has a monetary value (which it does), people will be more likely to abuse it in direct relation to the price of the information versus their current income. Which means that one invisible value a higher-paid employee has is that they are less likely to sell information, simply because their price would be too high, raising the cost of acquiring the information. Also, Congress might fight information theft with more laws, but as Congress has no way to criminalize activities in foreign countries, it will be unable to affect this phenomenon effectively.
I would think the free market could handle this, however, if the true cost of information disclosure were paid by the offending parties and not by third parties. For example, if companies losing personal data had to pay each person potentially impacted a reasonable compensation (say, $10K per person) and had to carry liability insurance for that purpose, market processes would ensure that information disclosure costs were correctly assessed by the relevant companies. Instead of me (or you) trying to generalize over whether call centers in India are safer or less safe than call centers in Alabama, corporate executives with relevant information about the specifics of the options would make reasonable decisions - because they would have to pay the consequences for unreasonable decisions.
@Kevin Davidson & Devan
How do you search somebody's mind?
Ever heard of a photographic memory? You can train yourself (fairly easily) to be able to remember half a page of data.
A lot of Indian call center workers are selected for their ability to remember information. The reason for this is that they can sound more convincing on the phone if they can make comments about the weather, football, politics etc. Often they are expected into work an hour before they start in order that they can read news stories faxed across.
So on the assumption they can also remember 3 people's details a day, or 15 USD/day, that's 315 USD a month, which is, as Devan pointed out, a lot of disposable income in India.
Ask yourself how willing you would be to quadruple your income (after tax) for what is effectively a low-risk venture?
It is also much easier in India for them to hide unaccounted-for income in the extended-family banking systems that are very common in that part of the world. Even in the unlikely event that things do get rough, they can also fairly easily disappear, again through the use of the extended family, so actually getting a legal scalp via civil or criminal action is not going to be an effective deterrent.
As for vetting a company and its procedures, it's not much good. How much vetting is involved with the CIA and FBI and their employees?
You still had (amongst many others) Aldrich Ames and Robert Hanssen making money on confidential information.
No matter what the prospective punishment, there will always be people who will trade information for money. They are even more likely to do it where the prospective gain is significant and the potential risks are low.
India is an almost ideal place, based on people's expectations, lack of governmental control, low cost of living etc., for this sort of thing to happen.
You have to ask yourself what kind of risk analysis the UK companies did before they outsourced people's data.
The point a lot of you are missing is the price differential.
5000 USD is almost a year's income, and it's tax free. With their cost of living (in India), just how many of these little transactions do you need to retire in comfort? In the West, 5000 USD is, relatively speaking, an inexpensive investment, especially considering the commodity involved. I think it would cost you significantly more to do it here in the US or UK.
The threat is greater for exactly the same reason that the work was sent there in the first place; it's cheaper!
I am surprised to know we have sooo many experts about everything in India. I just have one question to ask: how many of you ever saw India? Do you know something, writing all this BS about India just because one person does something wrong? Do you think this is fair?
You people are offending the entire tech population in India by all this. Do one thing, please: go to any damn search engine and type US +fraud and see how many results you find. I got 31,800,000, and if you do the same thing for India +fraud you will get 1,900,000 results, a difference of 30,000,000.
Doesn't that mean something???
And believe me, there has to be some reason why India is getting so much outsourcing; jobs are getting Bangalored?
When crimes do happen with Indians in the US we never say the US is bad; we blame it on situations..!!
Plz.. grow up..!!!!
No country is doing charity work by providing BPO work to India. People here have proven time and again that we are the best in the IT and BPO sector.
This is not the first time questions have been asked about our honesty; all I want to say is... the market is open; come, compete with us instead of backbiting.
At the end there's always one winner.
Wherever there is a chance of making easy money, it will be made, be it any part of the world. No reason whatsoever to blame a country for a fraud. I wonder if countries where people are making a lot of money do not commit frauds! In fact there are more frauds than ever. So is it because of the morals of the people in countries like the US, who live comfortably, make enough money and still commit fraud? Now compare that with someone who might have faced economic problems and commits fraud. I think the latter is more pardonable.
All said and done, if you really are concerned about the safety of data, you can't do anything about it; live with it. You can't beat India in the war for skilled workers and a talented workforce!! Forget about beating; people from the US and UK can't even come close!
So instead of making a hue and cry over this one-off incident, let's find what best can be done.
PS: Did anyone speak about the party who bought the said data? I am sure it must have been someone from the UK; what happened to him is nowhere to be seen.
Please don't waste your useful time blaming Indians; if you think that they are frauds, then prove it.
It doesn't make any sense sitting there doing nothing and just blaming others (especially Indians).
Now, instead of wasting your time posting comments, GET BACK TO YOUR WORK!!!!
(Learn something from hard working Indians)
It never fails. A comedian mentions a city, and people cheer; Bruce mentions a country, and sooner or later a game of "my geopolitical entity can beat up your geopolitical entity" breaks out. As we say here in the U.S., don't make me stop this car.
Total 26 posts and no moderator was there when everybody was talking about POOR INDIANS..
You know something??
Ok, leave it... (I mean it's censored)
How do you go from clearly and accurately identifying the problems: "Lousy wages, lack of ownership, a poor work environment, and so on..." to concluding that "the problem is the people, not the company"?
From my point of view, it *is* the company and its practices that create the situation in which the people feel they need to and want to steal.
I read some of these comments with interest. I can't help but give my two cents, as they say here in the US. Where there is greed there will be problems like this, no matter the country, the financial situation of a person or things like that. Look at Enron, Tyco, WorldCom and many others. These companies and the lives of thousands of people working for them were ruined by those very well-paid executives (paid more than they deserved). It was sheer GREED and the opportunity to take advantage of one's position and situation.
I don't think there is a clear answer or a solution to this kind of problem here or anywhere else. The thing companies can do is to have processes in place that minimize such incidents and have clear and definite consequences.
I am an American training call center employees in India. I live here and love it!
Our employees are not allowed cell phones, notepaper or cameras on the floor, to ensure that private data is not removed from the center. I cannot fight photographic memory. I am most impressed by our Indian call center employees. I have been in collections for 25 years and I have never worked with people as dedicated, ambitious, hard working and caring about their jobs. The American personnel I have worked with and trained suffer by comparison. I agree with Bruce that it does not matter where you are located as far as data loss is concerned; it is the person who does it, not their nationality. There are 350,000 call center employees in India, doing jobs that most people in the US do not want to do. If you compare the incidence of fraud, you will find that the prevalence of these incidents is higher in the US than here. Our employees treasure their jobs, the prestige, family support and earnings, which put them in the top 5% of the economy, and they are loath to jeopardize them. The hysteria associated with these reports has more to do with prejudice and less to do with factual reporting. I am proud to work with my employees and I appreciate their work ethic and honesty.
I hate to disagree with the usually on-the-mark Bruce, but there is a difference: one major reason for offshoring is that it's a lot less expensive for corporations to hire intelligent employees. This also means that it's a lot less expensive for criminals to bribe intelligent employees.
This doesn't mean that offshoring/outsourcing shouldn't be done. It just underscores the need for strict call center security.
I personally find it hard to understand why we Indians bother about the West. I mean, I am writing (typing, rather) this from a country where people attach the utmost importance to their own culture and language skills (Japan). Can't the Indians start doing that? That is, try to display their economic/human resources/tech might via their own language? They would never face such humiliation from the Western people, because the Western people are simply too arrogant and dumb to be able to learn an Asian language.
The fact is that if 1 Indian does something wrong, the whole of India and the 'bloody Indians' become (or maybe are?) uncivilized, incompetent scum, not worthy of your trust, whereas if the West or the Westerners commit something seriously wrong, it is never mentioned at all. Our part of the world is referred to as the 'third world' in the West, but tell me something: how is the West any different from a third-world country? The West amassed its wealth over centuries by plunder, conquest and the loot of Africa, India, South America, the Americas. It was responsible for the 'slave trade' and 'white supremacy'. The West is responsible for waging wars at will in the name of humanity, justice and peace; people who have been and are regularly harassed by Westerners in the West are rarely given coverage. And they have the guts to call Indians/South Asians incompetent, useless, filthy?
Huh, who cares about such people? Also, who cares about Indians who tolerate this shit just for money? Come on guys, where's your pride?
I know all this is digressing from the main topic, but sorry guys, I just can't tolerate this racist shit anymore. But then what to do with 'White' people; they are experts at racism, brashness, rudeness, foul language (amongst a few good things as well... like heavy metal and some innovative pornos).
I remember an American calling me 'dirty' and not wanting to shake hands. I recently saw this 'watersports' clip on the net where a 'white' guy was pissing and coming on another 'white' girl's face; now you guys decide, would you like to shake hands with such a person? HAHA
I hereby agree to all the terms & conditions and wanna continue.
I'm an American who has spent a lot of time in India over the past few years. As I cannot find employment in the USA anymore, I am wondering if it is possible for an American to "follow the jobs" and come to India to work in a call center?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.