Some employees of Indian CRM outsourcer Mphasis tricked Citibank customers into revealing their PINs and passwords, and then stole their money.
Obviously, this could happen to any firm – indeed, it’s far more common in the UK or US where any dodgy geezer off the street can walk into a call centre job starting tomorrow, rather than in India where it’s a sought-after (albeit still hated by the people who do it) graduate position.
However, the reason for Mphasis’s Company of the Day status is that instead of following Western-style business PR bullshit and lying that people who fall for phishing scams aren’t morons, it described the victims as "gullible and careless". Rock on!
Oooh I dunno. This wasn’t your ordinary phishing scam; these were call-centre employees with proper accreditation. I think that realising that the bank employee shouldn’t be asking for your full PIN expects more of a knowledge of challenge-response security protocols than it’s reasonable to expect from the plain man.
(I’d also disagree that working in a CC is all that sought-after a position for Indian graduates. It doesn’t pay all that well by local standards. It’s more of a fallback for graduates between proper jobs, plus an urban magnet for people with qualifications from more rural areas. It’s "sought after" in the same way that a job flipping burgers is sought after in an economy with 9.5% unemployment and lousy benefits. I love people like this guy from Norwich Union who say things like "Let’s take a scenario where there was no call centre industry in India. What would these people be doing?", as if ten years ago Mumbai was full of English-speaking graduates sitting around on their arses saying "I hope someone builds a call centre soon or we’ll starve".
Looking at the quoted salary of $2100 and assuming 250 working days per year and a rupee/$ of 43.6 , call centre work pays 366 rupees a day. That’s 4.5x as much as "well digging", 9x as much as "Herds-keeping", 7.1x as much as "sweeping" and 3.2x as much as "masonry". The average urban wage is likely to be at least twice the average rural wage, so it doesn’t look to me as if CC workers are all that high up on the food chain. There was a TV programme about a CC worker on the box a couple of weeks ago, and he lived in a shared room in a dodgy apartment block, which seems about right; they’re doing better than shack-dwellers, but certainly aren’t living what you or I would call a middle class lifestyle. Hence, my guess is that the Indian call centre industry gets roughly the level of professionalism and honesty it is prepared to pay for.
…exactly like every other call centre industry. However, British call centre workers are among the worst-paid workers, while Indian call centre workers are among the best-paid (even though they’re still badly-paid). I’d contend this is likely to have an impact on their relative propensity to steal and scam.
I’d agree to some extent re the scam; I was more impressed by the Indians’ chutzpah than anything else. Although given the sheer repetition by banks of the message "do not reveal your PIN to anyone, even if they say they work for us", I think the plain man *should* have worked this one out by now.
I’m not sure that Indian CC workers are all that well-off relative to urban Indians. All these multiples are compared to agricultural workers ‘cos that’s all the Indian govt. publishes on the web. You would have thought that something like the efficiency wage argument goes through, but I wish I could find some numbers.
For what it’s worth, the income tax bands for India are:
zero: 0-50K rupees
10%: 50-60K rupees
20%: 60-150k rupees
30%: >150k rupees
Assuming yer call centre employees are on c100k rupees, they look to me to be more or less in the middle of the tax system; it’s a bit better than I’d expected but I wouldn’t say that they were among the best paid given that we’re talking about college graduates here. I dunno. Maybe this scam is a sign that the relative desirability of a CC job is eroding?
They don’t (as usual) say what sorts of PINs these were. It’s not obvious to me that call-center employees ought to be able to manufacture ATM cards from users’ account details, but perhaps they mean PINs for a CitiBank website?
(If it were cashcards, there are lots of technical ways the fraud could be prevented, for instance — assuming CitiBank’s stuff uses DES + offset like old ATM cards here — randomising PIN offsets so that you need to copy the card itself rather than just generate a new one with the right account details on it is an obvious choice.)
Having just been playing phone ping-pong with my bank (over a returned item of mail no less) I have to agree that it’s actually rather hard to know what sort of details banks *aren’t* meant to ask for. After all, if they can ask for date of birth, mother’s maiden name etc. etc. then why not ask for a PIN: the rest is by definition enough to get through the security screening. I’m not sure I would have recalled, if asked for my PIN, whether I was meant to give it or not.
Furthermore, I then set-up telephone banking (so that when I next called back, as they’d told me I had to, due to a computer glitch, I could be spared the interrogation) I gave a password and "PIN" number to a human. Presumably she could have copied down this information and then impersonated me at a later date. Perhaps I should change my PIN using the electronic system…?
–Matt