
5/6/2010 Hacking at WIPRO


WIPRO Embezzlement.. An IS Perspective

The Rs 20 crore embezzlement incident at WIPRO reflects how a CMM level 5
Company with ISO 27001 audit certification and other accolades can go
wrong in implementing an effective Information Security practice. This is not the
time to gloat over the failure of a fellow IS manager but time to introspect on why
the security breach occurred and where the controls failed.

What has happened today at WIPRO may very well happen in any other
organization as well. In Banking, we say that "Where there is money, there will
be fraud". Now that some of the IT companies hold cash on hand and in Bank
worth thousands of crores, they are as vulnerable to financial frauds as any
Bank. This incident should first of all make IT companies understand that
"Money Management Skills" are part of running a large IT company.

The incident marks not only a failure of the WIPRO IS system but also the
failure of its Statutory Auditors, HR Department, the Bankers, Whistle Blowing
policy etc.

As a part of the exercise to derive some lessons out of the incident, let's
explore the incident further based on the published information about the
occurrence of the fraud.

Some of the facts that have come to the fore are that

1. A total of US $ 4 million was transferred from the WIPRO
Bank account to the personal accounts of one of the employees
and his relatives.

2. The transfers occurred over a period of 3 years in amounts
ranging from Rs 1 lakh to Rs 1.2 crore!

3. The employee was a chartered accountant who worked in a
department called "Controllership" responsible for authorizing
payments and maintaining the accounts of the Company.

4. According to the CFO of the Company, only one person was
involved in the fraud and he had stolen a password of another
person to commit the fraud.

5. A sum of US $ 2 million has since been recovered, and the employee
suspended. The Controllership division has been disbanded.
The Company says it will introduce job rotation in the finance department.
The internal investigation is over. Some external assistance from
auditors is also being sought.

naavi.org/…/edit_feb_19_2010_wipro_e… 1/4

While the Company maintains that they have suspended the erring employee
but not filed a Police complaint, there is a rumour that the employee has
committed suicide. His body was reportedly found near the railway track at K
R Puram. He was supposed to be a CA topper and was being groomed for
more responsibilities. Is it only a suicide, or was somebody else involved in the
crime who made it appear so? Only an investigation by the Police would reveal that.
The fact that no Police complaint was filed opens up some questions in this
regard.

From the IS perspective one can clearly see the failures on the following fronts:

1. Use of Passwords for authorization instead of the legally
mandated digital signatures, and using the same password for a
long time.

2. Not assessing the Cyber Offendo mania risk of the employees.

3. Not implementing the IS from the Techno Legal and
Behavioural Science perspective.

4. Not filing a formal complaint with the Police.

Let me elaborate on these aspects.

Non use of Digital Signatures:

Apparently Wipro's Bankers were making transfers of funds from the
Company's Bank account to individual accounts based on password based
instructions. It is strange that individual transactions of up to Rs 1.2 crore have
been permitted based on password based authentication. It is not clear if
the same password had been used all through the three years or if the
password was changed but stolen each time. If the same password was being
used, it would appear that the IS Policy was not being implemented and
auditors of all kinds had ignored the same.

We are all aware that ITA 2000 prescribed Digital Signatures as a means of
authentication of electronic documents and despite RBI repeatedly advising
Banks to use digital signatures or assume legal risk for non usage, Banks
continue to use passwords as means of authentication which is not supported
by Indian law.

Moreover, the Bank seems not to have noticed that money of large value was being
transferred by a single individual to other personal accounts. The possibility of
these being viewed as suspicious transactions, either because of usual Banking
prudence or because of AML regulations, was very high.
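The monitoring gap described above, as an added illustration that is not from the article or from any bank's actual system: a small Python review of a constructed payment ledger applying maker-checker, single-transaction, cumulative and repeat-beneficiary rules. The record format and the rupee thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample ledger (not from the article): one user id both instructs
# and approves repeated transfers from the corporate account to personal accounts.
LEDGER = [
    {"date": date(2007, 5, 3),  "initiator": "u_ca", "approver": "u_ca",
     "beneficiary": "PERS-01", "beneficiary_type": "personal", "amount_inr": 100_000},
    {"date": date(2008, 1, 14), "initiator": "u_ca", "approver": "u_ca",
     "beneficiary": "PERS-02", "beneficiary_type": "personal", "amount_inr": 4_500_000},
    {"date": date(2009, 8, 21), "initiator": "u_ca", "approver": "u_ca",
     "beneficiary": "PERS-01", "beneficiary_type": "personal", "amount_inr": 12_000_000},
    {"date": date(2009, 9, 2),  "initiator": "u_ap", "approver": "u_fin",
     "beneficiary": "VEND-77", "beneficiary_type": "vendor", "amount_inr": 2_000_000},
    {"date": date(2010, 1, 6),  "initiator": "u_ca", "approver": "u_ca",
     "beneficiary": "PERS-01", "beneficiary_type": "personal", "amount_inr": 200_000},
]

# Assumed policy thresholds (not from the article).
SINGLE_TXN_LIMIT_INR = 1_000_000            # 10 lakh: above this, a personal payee needs review
PERSONAL_CUMULATIVE_LIMIT_INR = 10_000_000  # 1 crore: lifetime total per initiator to personal payees
PERSONAL_REPEAT_LIMIT = 2                   # a 3rd payment to the same personal account is reviewed


def review_ledger(ledger):
    """Return (rule, initiator, detail) alerts a bank or internal audit should raise."""
    alerts = []
    cumulative_personal = defaultdict(int)   # initiator -> total sent to personal accounts
    payments_to = defaultdict(int)           # personal beneficiary -> number of payments
    for t in sorted(ledger, key=lambda x: x["date"]):
        who = t["initiator"]
        # Maker-checker: whoever instructs a payment must not also approve it.
        if who == t["approver"]:
            alerts.append(("self_approved", who, t["date"].isoformat()))
        if t["beneficiary_type"] != "personal":
            continue
        # Large single transfer from a corporate account to a personal account.
        if t["amount_inr"] > SINGLE_TXN_LIMIT_INR:
            alerts.append(("large_to_personal", who, t["amount_inr"]))
        cumulative_personal[who] += t["amount_inr"]
        payments_to[t["beneficiary"]] += 1
        if cumulative_personal[who] > PERSONAL_CUMULATIVE_LIMIT_INR:
            alerts.append(("personal_cumulative", who, cumulative_personal[who]))
        if payments_to[t["beneficiary"]] > PERSONAL_REPEAT_LIMIT:
            alerts.append(("repeat_personal_beneficiary", who, t["beneficiary"]))
    return alerts


def flagged_initiators(ledger):
    """Distinct user ids that triggered at least one alert."""
    return sorted({a[1] for a in review_ledger(ledger)})
```

Running `review_ledger(LEDGER)` flags every entry by `u_ca` while the vendor payment with a separate approver passes, which is the pattern a bank's AML or prudence checks should have surfaced.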

It would not be surprising if WIPRO invokes the "Legal Risk for Banks"
under RBI's Internet Banking policy and contends that the loss should be
borne by the Bank.

WIPRO being a supplier of many e-Governance products such as e-Tendering
systems which are PKI enabled, it is strange that it has not been using a PKI
based system for financial transactions of the magnitude of even Rs 1.2 crores.
There are no words to describe the callous attitude of the Company in this
regard. It seriously undermines the expertise of the Company in the financial and
information security domain.

Refer to the article "When Banks in India don't use Digital Signatures, ..It would be a
Clause 49 Non Compliance" for more on the compliance requirements of
Banks regarding use of digital signatures.

Assessing Cyber Offendo Mania Risk

In my earlier article Compulsive Cyber Offence Syndrome, I had
discussed a special kind of Information Security Risk which I termed
Compulsive Cyber Offence Syndrome (Cyber Offendo Mania), a
psychological disorder in IT workers to commit technology crimes under the
notion of either anonymity or technology intoxication. When powers were
entrusted to an employee to withdraw up to Rs 1.2 crores on the technology
platform, the risk had to be recognized. Remember that even if the subject
employee was not a fraudulent person, somebody else could have hijacked his
sessions or accessed the password, like this person himself did, and
transferred the money to a Nigerian Account!

Every organization is therefore recommended to have in place suitable
Behavioural Science assessments of their key employees to identify their
propensity to cross the proverbial yellow line. I agree that this is a developing
idea and the author may be one of the first to suggest such an assessment test.
But WIPRO being a market leader and a company which had earlier seen a
terrorist message emanate from one of its employees could have been
reasonably expected to take such innovative security measures when such
thoughts emerge.

Non Implementation of the Information Security from the perspective
of Techno Legal and Behavioural Science Approach:

I refer to another of my earlier articles, Three Dimensional IT Security Model
backed by the Theory of IS Motivation Based on a Behavioural Science
Approach (Also see Theory of IS Motivation Clarified), where I had explained
the concept that Information Security implementation is motivated by certain
Behavioural Science aspects such as Awareness, Acceptance and Inspiration
besides the technical and legal aspects. Under this approach it was
recommended that all employees be put through a programme for creating a
Cyber Ethics culture through training, ethical declaration and creation of
champions to promote the idea internally. WIPRO may review its HR systems
to understand if there were shortcomings in this respect.

Non Filing of Police Complaint

When a major fraud of this nature has occurred and it has all the potential of
snowballing into a major scam, the Company's decision not to bring the
commission of the Cognizable offence to the knowledge of law
enforcement is strange and gives room to many speculative doubts. Add to this
the rumour that the accused employee is no longer alive and was found dead under
mysterious circumstances, as per some comments found at
http://economictimes.indiatimes.com/opinions/5582173.cms#top0
and it appears that things may be more than what meets the eye.

It also raises doubts as to whether this was part of a larger scam of
misappropriation of the company's money, whether the internal audit committee
was negligent, whether the Statutory Auditors were negligent, etc.

After the way the Satyam Scam surfaced, there is no way one can discount a
similar scam in any other company including WIPRO.

It was therefore necessary for the Company to have reported the issue to the
Police and if necessary facilitated a large scale investigation to examine all the
ramifications. Now that the fraud has come into the public domain, Bangalore
Police will be forced to call on WIPRO and start an investigation of their own
whether the Company likes it or not. Similarly, NASSCOM also may need to
take up its own enquiries and also develop an advisory for its other members.

Naavi

February 19, 2010

Related Article: Hacking for US $4 Million at WIPRO

Comments are Welcome at naavi@vsnl.com
