The easiest cybersecurity flaw: trust your call center contractors as if they were your own

In the narrow alleys of Bellandur I was awakened by the steps of people outside and the chit chat and hustle of the start of the day in India. Before sunrise, it’s usually real quiet and you can hear the cars going fast at the closest highway and the occasional noise of cars nearby. But as the sun rises the noise increases as it does the amount of people on the streets.

My buddy Srinavasan and I ate some of his moms food and off we went to work that sunny day in Bengaluru. The dust and the heat mix together in such a way that we were already sweating bullets right after leaving his house. When we got to the company, the air conditioning was a great relief.

Entering that day wasn’t hard and though we had planned and practiced for it, we didn’t have to do much. With the high turnover of workers at India’s call centers it wasn’t hard to pretend I was a new client/customer looking to supervise operations that day in a few minutes of introductions and some hand shaking I was going around the isles listening on calls with the help desk workers.

The call center at the Bellandur slum. Calm at sunrise.
The call center at the Bellandur slum. Calm at sunrise.

Indian call centers were at the epicenter of the “outsourcing”  movement of the late 90’s, early 2000s. Moving call center jobs out of the United States and into India was the most prominent example of the “outsourcing / downsizing” movement.  If Trump was running in those years, he would be pretending to want to protect those jobs and I can imagine him saying/tweeting: “Call center jobs, I will tell you, are the heart and soul of the American working class economy.”

Our call goal that day was to collect as many credit cards as we could and that same night, we would have someone back in the US using those cards numbers for purchases across the country. Being in an official data center that is hired by US companies to support and take orders from americans across the globe would be the perfect setting. Each credit card number would be a juicy and valid source of purchases and happiness created overall. And our plan was pulled with mastery.

Customer service for tech companies Is such a perfect business model for them that some corporate parks at this region of Bengaluru have buildings with floors and floors of people in cubicles wearing headsets attached to computer screens. The only business model possible it seems. The business seemed to be going so well that this one at the Bellandur slum was at a smaller setting and apparently, an extension of the fancier ones just across the Outer Ring. The main office was fancier and located on the corporate park and seemed like the place to receive the customers, supervisors of the companies that hired them. Cameras video streamed the well dressed workers on the clean office of this help desk company hired by the biggest cybersecurity company of the US. The real magic happened across the road.

The two call centers: the expansion one on the slum, and the original one on the corporate business parks of the Outer Ring Road.
The two call centers: the expansion one on the slum, and the original one on the corporate business parks of the Outer Ring Road.

This expansion plan was thought of by the CEO himself. A savvy business men with some experience as a support director in America. He had returned to India to open his own business and make himself rich by hiring and training his fellow people who accepted median wages in order to get trained, get experience and certifications on the most prominent softwares on the market. Go ahead, you name it, we have certified personel: SAP, Salesforce, Oracle JD Edwards, any other business software used in the all size companies of the western world.

Now, back to the expansion plan. Business was going so well that every quarter he needed more people. That would not be a problem as there is no shortage of skilled tech workers in India. This recent cyber sec skills shortage is probably just a myth. If it wasn’t for the irony of this article, hiring cyber warriors from a foreign to fight for yours is probably the best definition of globalization in 2017: cyber shortage in the US creates army of info sec workers in India, fighting for America.

Ok, back again to the expansion plan. That corporate park was way expensive and contracting extra office space in that building wasn’t in the plans for that year. The hiring company would never know where the extra workers were. On the plan shown during the business meeting, an empty floor of that building was presented as the spot for the expansion, but the CEO’s plan was way better. Across the Outer Ring Road, in the slum where he grew up he knew a lot of people. They looked at him as a good person, an example of Indian entrepreneurship and fortune that technology could bring to not so well off Indians. And renting the extra office space on top of his cousins construction material shop in Bellandur was a great idea. Cheap, affordable, simple but comfortable accomodations for about 50 extra workers. No RFID access cards, just an open see through glass door with the companys logo at your eye level.

Having oversaw the adaptation himself, the place was ready to bring in workers after 15 days of painting the walls, installing the cubicles, buying and installing the computers and the phone lines. Ding, ding, ding, sounded the sound of money in his head. Brilliant. Customer service at it’s finest. We should always solve the customers problem.

His only oversight was the security, and he trusted the workers that were in that office to comply with that. See, workers in the main office in the business park had badges and had to clock in like that, just by swiping it. Not at this one. And his turnover was so big that it was hard to keep track of who worked there and who didn’t and it was like that I worked that day for free, for the contractor of the largest cybersecurity company in the US, taking orders of antivirus license purchases and managed to steal 50 valid credit card numbers ready to be used. To the cyber security company, I gotta say, it’s not your software, it’s not the weakest link, it’s not the newest virus that is the most dangerous. It’s your greed and your share holders interests that keep you from being secure. Cyber security pioneer my ass!

Ps.: This is a fictional tale.

Just a regular computer user. I write for regular users like me. When we grow up we are taught basic security tips like how to cross the street. But we are not taught how to take care of ourselves online.