ATM heist: India's IT sector in unwelcome spotlight

MUMBAI/BANGALORE Sat May 18, 2013 4:37pm IST

The EnStage Inc. Office is seen in Bangalore May 12, 2013. REUTERS/Stringer

The EnStage Inc. Office is seen in Bangalore May 12, 2013.

Credit: Reuters/Stringer

Related Topics

Stocks

   
Priyanka Gandhi Vadra, daughter of Congress party chief Sonia Gandhi, adjusts her flower garlands as she campaigns for her mother during an election meeting at Rae Bareli in Uttar Pradesh April 22, 2014. REUTERS/Pawan Kumar

Election 2014

More than 814 million people — a number larger than the population of Europe — are eligible to vote in the world’s biggest democratic exercise.  Full Coverage 

MUMBAI/BANGALORE (Reuters) - A breach of security at two payment card processing companies in India that led to heists at cash machines around the world has reopened questions on the risks of outsourcing sensitive financial services to the Asian nation.

Global banks that ship work to be processed in India, either in-house or to big IT services vendors, were already under pressure to step up oversight of back-office functions after a series of scandals last year.

Last week, U.S. prosecutors said a global criminal gang stole $45 million from two Middle Eastern banks by breaking into the two card processing companies based in India and raising the balances and withdrawal limits.

"India is exposed in two ways: The threat that the same theft could happen in India and the fact that the outsourcing industry will also get affected," said Arpinder Singh, partner and national director for fraud investigation and dispute services at consultancy Ernst & Young.

The episode is reopening debate on banks sending work requiring a high degree of confidentiality to offshore locations.

"It is the weakest link," said Shane Shook, an expert with U.S. cyber-security firm Cylance Inc who has helped financial firms conduct investigations into some major cyber crimes.

"I think the lesson is they need to pull back on what they've outsourced. When you're giving a third party, the outsourced entity, the ability to access credit limits or cash limits of the consumers you're managing the finances for, you're giving up control that is your fundamental responsibility."

India's $108 billion IT services industry is the world's favoured destination for outsourcing. Over 40 percent of exports by the industry are support services for the global financial sector, ranging from investment bank back-office functions to research, risk-management and processing of insurance claims.

Lured by a tech-savvy English-speaking population and wages that can be one-fifth those in the West, more than three-quarters of global banks have a direct or third-party offshore presence in India.

Indian IT firms, led by outsourcers such as Tata Consultancy Services (TCS.NS) and Infosys (INFY.NS), argue that security breaches are rare.

"I think if you look at the nature of the work we do and how much we do, we've actually had very very few incidents," said Som Mittal, president of the National Association of Software and Services Companies, the industry lobby.

UNDERCURRENT OF HOSTILITY

Still, any perception that data may be less safe in India is unwelcome for an industry that faces an undercurrent of hostility for taking away jobs in the West, home to most of its clients.

"The threat (to security) is for real, that's for sure," said Parag Deodhar, chief risk officer at Bharti AXA General Insurance, the local joint venture of France's AXA (AXAF.PA).

"When people don't take it seriously, it doesn't help. People still take information security quite lightly, and they don't address the weakest link, which is the people aspect."

There has been no suggestion that anyone employed at the two card processing firms, ElectraCard Services and EnStage, is involved.

EnStage, incorporated in California but with operations based in Bangalore, handled card payments for Bank of Muscat of Oman, sources have said. Bank of Muscat lost $40 million in a coordinated heist on February 19.

ElectraCard Services, based in Pune, processed prepaid travel cards for National Bank of Ras Al Khaimah PSC (RAKBANK), according to sources. RAKBANK suffered a $5 million coordinated heist at ATMs around the world on December 21 last year, the U.S. indictment said.

Several industry watchers have said payment card fraud is a global problem and is not unique to India.

Two previous cases of hacking into processors of pre-paid debit cards occurred at RBS WorldPay and Fidelity National Information Services Inc (FIS.N), both in the United States. The amounts involved however were less than the losses suffered by the Middle East banks.

The U.S. Federal Bureau of Investigation has said many cases of cyber-crime involving credit cards and bank fraud never get publicised.

"The notion that this will affect outsourcing to India is wrong. There is no relation. There have been bigger frauds at BPOs in the United States," Ravi Sundaram, ElectraCard's head of strategy and corporate services, told Reuters on Monday.

Nevertheless the breach comes after a series of other events that have tarnished the IT industry in India.

Last year, the New York state banking regulator accused London-based Standard Chartered (STAN.L) of hiding $250 billion in transactions with Iran and not giving proper oversight to its back office operation in Chennai, India.

That had followed a backlash in Britain after customers of Royal Bank of Scotland (RBS.L) and its Natwest unit were left locked out of their accounts for a week due to an inexperienced IT operator in Hyderabad, media reports said.

A U.S. Senate probe last year criticising anti-money laundering controls at HSBC (HSBA.L) identified deficiencies in work done by its "offshore reviewers" in India, according to media reports.

While plenty of global companies are moving more functions to India, either to outsourcers or wholly-owned "captive" operations, some are moving work back home.

Costs, however, remain an over-riding factor.

"Most banks in U.S. are trying to cut costs because of recession. So they will try to outsource, not just to India but to any other country or any other company," said Nishanth Chandran, co-founder and CEO of E-Billing Solutions, a Chennai-based company that helps merchants process payments.

"For banks, it is completely a balance between security and costs."

(Additional reporting by Aradhana Aravindan in Bangalore, Kaustubh Kulkarni in Pune and Jim Finkle in Boston; Writing by Tony Munroe; Editing by Raju Gopalakrishnan)

FILED UNDER:
Comments (0)
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.

  • Most Popular
  • Most Shared

REUTERS SHOWCASE

Election 2014

Election 2014

Kashmiris wary as Modi challenges for power.  Full Article 

Facebook's Performance

Facebook's Performance

Facebook Q1 revenue grows 72 percent on rising mobile ads.  Full Article 

Earnings Season

Earnings Season

Bharti Infratel Q4 net profit jumps 64 percent.  Full Article 

Monsoon Forecast

Monsoon Forecast

South Asia monsoon seen below-average to average in 2014 - WMO.  Full Article 

Solar Dispute

Solar Dispute

Green groups urge U.S. to drop solar trade case against India.  Full Article 

Oil Imports

Oil Imports

India to make May-July oil payments to Iran - sources.  Full Article 

Rice Exports

Rice Exports

India may cede top rice exporter spot under Southeast Asian price onslaught.  Full Article 

Reuters India Mobile

Reuters India Mobile

Get the latest news on the go. Visit Reuters India on your mobile device.  Full Coverage