Voucher Fraud

There has been only one incidence in my 24 years career when someone lost his job and I was partly responsible for that. It happened at Reliance where the Pre-Paid customers were handled by our SmartPay system. Among other things, SmartPay used to handle the complete Voucher life cycle. Pre-Paid mobile users need recharging their account when they run out of balance or validity or both using Vouchers. Before getting to the story, let me tell you how Vouchers are managed in the system.

Voucher or Scratch Card

Voucher or Scratch Card

In SmartPay, we generated the Vouchers. As SmartPay used to handle 10 Circles (each Circle – Kolkata, West Bengal, Assam, North East, Bihar, Jharkhand, Himachal Pradesh, Madhya Pradesh, Chhattisgarh and Orissa – is a PLMN), we had defined 10 different series of Vouchers – one each for each Circle. When the Vouchers are generated, they are just numbers which are stored in the database along with another number called the Secret Code. The Secret Code is stored in the database in an encrypted form so that nobody in the organization can read it. Once the Vouchers were generated in SmartPay, Reliance would extract the Voucher information and send it Printers who would print the Vouchers. Once printed, the users of the Voucher could see the Voucher Numbers. However, the Secret Codes were hidden and could be revealed only when the user scratched the surface of the Voucher. To recharge the account, the pre-paid mobile user had to send both the Voucher Number and the Secret Code using the IVRS or USSD or SMS or walk into a Reliance Store to the Customer Care.

Pan-Gutka Shop in India who also sell Vouchers

Pan-Gutka Shop in India who also sell Vouchers

After the Vouchers are printed, Reliance would distribute them through their Dealer network so that the Voucher could be reached to the Retailers that could be a small time cigarette shop also. As the Voucher had to cover so much ground to reach the Retailers and would change hands so many times, there were many cases where the Voucher would get defaced and the pre-paid mobile user could not accurately read the Secret Code. To handle this, we had programmed a feature in SmartPay where Reliance Customer Care Officers having special privilege could extract the Secret Code by providing the Voucher Number.

Another feature of SmartPay was that we could track every Voucher through its complete life cycle. The system would record which Voucher was in which Batch and the Batch was sold to which Dealer. Further, the system would record which Vouchers reached which Retailer. From that point, the system could track which Pre-paid Mobile User purchased which Voucher and recharged using the same. All of this Voucher Management was handled by a web application (part of SmartPay developed using ASP.Net), which was available to the Reliance Customer Care through their Intranet.

The SmartPay web application had many features and not all features were available to all the users. SmartPay had feature that it would show only the features, which a user had access to, to the user. This was our programming of WYSIWYG (What You See Is What You Get). The strategy was that if a user does not see a feature, he/she does not know anything like that exists in the system. For this to be possible, SmartPay required the users to log into the system before they could use the system.


Everything was working fine with SmartPay. One evening, Sovan got 2 tickets for watching Guru in Swabhumi. We both finished office and were on our way to Swabhumi, when I got a call from Reliance stating that there were lots of complaints from Retailers that the Pre-paid Mobile Users were unable to recharge with the Vouchers that they were selling. So, I dropped Sovan at Swabhumi and returned to the Reliance Office. By this time, Mr. Raju Saha, who was a Deputy General Manager, had figured out that security system of the web application could be broken by a very simple technique. What was possible was that when a user logged into SmartPay, he/she would get the features available to him/her. However, if the user changed the URL to one of the webpages not meant to be accessible to him/her, the system would open that webpage for him/her. This was a very silly programming error with severe consequences.

What was happening at that time in Reliance was that someone in the organization was accessing the webpage, which could show the Secret Code for a Voucher Number, and was stealing all the Vouchers. After obtaining the Secret Codes, they were selling it illegally. So, when an actual Pre-Paid Mobile User purchased the Voucher from a Retailer, he/she would find that the Voucher is already used and thus could not recharge his/her account with that Voucher, having already paid the money to the Retailer. Mr. Raju Saha was also an adroit programmer and had a small development team in Reliance though their main purpose of job was to run the operations. He suggested that this could issue could be resolved if a reauthentication code could be placed in the webpages which would check for the user credential before opening the webpage. He told us the class available in ASP.Net, which could meet this.

With all this information I came to our office. Anuj, who partnered me in programming this part of the system, was in the office. We figured that we had to program this piece of code across all the 150-odd webpages of SmartPay. Anuj was perplexed as this meant programming through the night. However, I was very cool because I knew that I had designed the web application so that all the webpages were inherited from a single class, which I had named BaseWebPage. I inserted the code in the BaseWebPage in about 10 minutes and asked Anuj to test the system. His initial tests were successful as no more unauthorized access was possible. However, he wanted to be sure and carried on testing for the next 3 hours.

While Anuj was testing the system, I sent the car to fetch Subrata, our DBA, from his home. When Subrata arrived, I told him to go to Reliance and figure out all the Vouchers, which were fraudulently recharged. Subrata was great with the database and in the next 2 hours he had the complete list of Vouchers fraudulently used and the user accounts where the amounts of the fraudulent recharge had been credited. When Anuj was satisfied that everything was working fine, we built the software and took it to Reliance. While Anuj deployed the new build, I conducted some basic verification of the data Subrata had produced. Once I was satisfied, I told Subrata to run the script to restore the Vouchers and reset the user accounts. So, in about 5 hours of the complaint from Reliance, we had restored the system to normalcy and had removed the bug. Subrata gathered the needed statistics.

In the meanwhile, Reliance conducted their probe and by studying the system audit logs figured out that a young guy in the Customer Care unit was the one who was conducting this fraud. Nirmal da, the Executive Vice President, called this person to his office and there he confessed that he had indulged in this act. So, immediately, Nirmal da fired him. That night, before Reliance could act, I wrote an incidence report and provided proof that there was zero revenue loss to Reliance through this incidence. I circulated the incidence report to the Reliance Top Management and to our Management. There was no reply from Reliance and I had a very narrow escape as Reliance could have asked for compensation for any revenue loss that they would have incurred in the process. My record remained till the last day with Reliance that we did not give a single Rupee as a penalty to Reliance (We did not pay any penalty to any of our customers in any of the projects I was involved in till date by the grace of the Almighty).

However, Nirmal da called me the next day. He said that since this guy, who had conducted the fraud, was smart enough to find out the flaw in the system, he could be tried in a suitable role in Siemens. I sympathized with this guy, as I felt partly responsible, and so proposed to hire him in the testing team. However, our HR policy did not allow for this to happen.

%d bloggers like this: