While the anti-outsourcing lobby and a stronger H-1B regime have already put a dampener on Indian outsourcing, the latest revelations show that the $45 mn cyber heist that happened in December 2012 and February 2013 has an Indian connection as well. The systems of two companies with an Indian presence, ElectraCard and EnStage, were hacked in this heist, which made the siphoning possible.
When 8 suspects were charged in New York recently for the daring $45 mn cyber heist, in which the gang of 9 (the leader allegedly murdered by the rest of the gang) hacked into computer systems and withdrew large sums of money, $5 mn in December 2012 and $45 mn in February 2013, it sent shock waves across the world.
According to a report in Wired, "The gang first struck on December 22 when hackers targeted a credit card processor in India that handled transactions for prepaid MasterCard debit cards issued to customers of the National Bank of Ras Al-Khaimah PSC, or RAKBANK, in the United Arab Emirates. They handed off the stolen data for five accounts to cashers in 20 countries who withdrew $5 mn in cash in more than 4,500 ATM withdrawals."
The same gang struck again in February 2013, but this time it was huge: they stole $40 mn. The card processor this time was EnStage, based out of the US with operations in India, which handled transactions for Bank of Muscat in Oman. The Wired report on the second attack says, "They (gang) handed off data for just 12 prepaid card accounts to cashers in 24 countries who, within 10 hours, made off with about $40 mn in a coordinated operation involving 36,000 ATM withdrawals."
These 2 coordinated attacks were made possible after the gang hacked into the Indian card processors: Pune-based ElectraCard Services and EnStage Inc (Cupertino-based, with operations in India). The gang withdrew large sums from ATMs by increasing the balances and withdrawal limits for MasterCard prepaid debit cards. While one is yet to hear from EnStage, ElectraCard Services said in a statement that the hacking seems to have happened outside its premises. But that is not being taken as a convincing reply, going by a recent report in the Economic Times, which says ElectraCard has lost the Payment Card Industry's security certification. Without this standard, its security credibility is compromised.
This clearly shows that regulators will push for tighter controls for card processors, and it will be extremely difficult for both the banks and their third-party processors to comply.
Will it impact Indian BPO?
At this moment, the details are slowly emerging. As we look at the fallout of this whole event, probably the most worrying trend right now is the likely impact it will have on the Indian outsourcing industry, mainly the BPO.
Since these attacks have an Indian connection, there is a strong likelihood of outsourcers getting into security due diligence of their service providers' security controls and processes.
So clearly it's a wake-up call for Indian financial back-end transaction processing, since this heist is so big and the modus operandi, using prepaid cards, very novel.
The incident casts a shadow on some of the key elements: trust, credibility, and data integrity. All 3 of these elements have been compromised in this instance. Moreover, one is yet to hear specifically from both the card processors on how this attack happened and whether any internal help (from employees) was rendered for the hackers to get at confidential card details.
Experts say that this sophisticated attack might not have happened without inside sources, and once those details become evident, they will expose lots of process and trust flaws in the card processors' setups. Equally, the bank management will also come under scrutiny, and some analysts point out that investigators might also be looking at angles like connivance between bank employees and card processors, in which case it would be a well-managed, planned scam.
Prima facie, it's a blot on India's financial BPOs, and more banks will revisit their back-office outsourcing contracts and might add newer, stringent clauses aimed at insulating them from such attacks. Overcautious ones might well move some of the very sensitive information processing back to onsite captive centers, and that means loss of business for the BPO. But that's an unlikely scenario, because this event cannot be used as a milestone; it is rather an aberration and must not be used for anti-outsourcing rhetoric. At the same time, the Indian BPO industry must voluntarily come forward and fix any data breach loopholes, and must undertake huge confidence-building measures.