ERPNext - A Detective Story


By Umair Sayyed, March 1, 2016

Disclaimer: All characters appearing in this work are fictitious. Any resemblance to real persons, living or dead, or any resemblance to situations in this work, is purely coincidental. No animals were harmed in writing this article.

It was an effortless sale of a Moto G - 3rd Generation. Looking at the customer, I could judge what this handset would be used for: mostly games and movies. I went to the mini-warehouse within our store to grab a factory-packed phone. Meanwhile, Jinx, my colleague, started capturing customer details and created a POS Invoice.

To my surprise, I couldn’t locate a factory-packed box for that model. I came back to the sales counter and informed Jinx. Stock levels in ERPNext also indicated that there was only one unit of that item, which was the one in the display. Jinx didn’t panic in front of the customer. He asked him if the phone in the display would do. The customer was not okay with it. He left the store immediately. We lost the sale!

I am Amber, a sales representative at Rio Electronics. I have been around for the last year and I am the best salesperson in the store. Once a client confirms the deal, I hand them over to Jinx, who makes the bills.

Search

We searched through the store, but couldn’t locate the boxed phone. Back at the counter, we looked into ERPNext and checked the Material Transfer entry from our main warehouse. As per the last transfer made, there should have been two units of the Moto G available. Since a Sales Invoice had been drafted, this issue was also exposed to our bosses.

Suspecting a discrepancy in ERPNext, Jinx raised an issue at support@erpnext.com. Nabin replied within an hour, confirming that the reduction in stock was due to a Material Issue entry. It was posted on 29th January, from Jinx’s account. The attached Stock Ledger entry showed that the entry was posted at 1:30 p.m., which is lunchtime at the store. Someone had stolen the phone!

Investigation

This incident had put Jinx’s credibility in question. It was difficult to rule out his involvement. He was the only one in the store with access to ERPNext. Also, it was not possible for someone else to make an entry from his account from another location, because Jinx’s access to ERPNext was also restricted based on internet IP address.

Jinx only had “I am not behind this” to prove his innocence. I served as a witness to his innocence, because at the time the Material Issue was posted, we were having lunch together. We would generally sit behind the counter, have our lunch, a bit of chit-chat, and then get back to work. To the best of my memory, Jinx would not use a computer at lunchtime unless there was something urgent.

Sinu, the trainee salesman, was the least likely to post any entry in the system, given that he would be out of the store during the break. He had the perfect alibi of being at the restaurant in that hour.

Chacky, the watchman, was under suspicion of abetting the theft, because keeping a check on the employees is also part of his job.

CCTV footage established that Jinx, sitting with me then, wasn’t using a computer at the time the Material Issue was posted. Sinu was out for lunch. Chacky stepped into the store to have lunch. He sat just under that CCTV camera. He was facing a demo desktop computer whose display was not covered by the CCTV camera.

In good faith, Jinx was given the benefit of the doubt. Management allowed him to continue his job. However, this incident affected the appraisal of everyone at the store. These facts had brought everyone in the store under suspicion.

To prevent a recurrence, we also checked with ERPNext. They suggested some changes to the user permissions and alerts, which were implemented.

Second Incident

It had been a good three months since the incident. As usual, Jinx and I were having lunch behind the counter. Chacky was in the store as well for lunch, sitting in his usual spot. Sinu, as per his routine, was out at the restaurant.

An email notification on Jinx’s mobile caught his attention. He was on his toes in a fraction of a second. He glanced around the office, and found only the three of us in the store. He stepped into the main store, checking all the computers. Then he observed something happening on the demo computer, right in front of Chacky. He hesitantly ran over to that computer and found that his ERPNext account was being operated on that machine. Someone was creating a Material Issue entry, using a remote screen sharing tool. With shivering hands, Jinx managed to take some screenshots and then stopped the screen sharing before the Material Issue could be submitted.

As soon as he was caught, Chacky raised his hands and pleaded his innocence. He claimed that he didn't even have secondary education, and that using a computer was next to impossible for him. Jinx snatched his mobile phone and checked the latest calls and SMSes sent. To our surprise, his last SMS was sent to Sinu, and it contained the password of the screen sharing tool!

Modus Operandi

Sinu had the password of Jinx’s ERPNext account. While observing Jinx creating entries, he noted his password. Jinx’s biggest mistake was to set a password as simple as “12345678”. It would not be hard for anyone to read and remember this password.

Moving the phone out of the store was only a matter of good timing. It was probably at the beginning of the day, or in the evening, when the CCTV cameras would not function, that Chacky would physically carry out the theft.

Given that access to Jinx’s ERPNext account was restricted based on internet IP address, the Material Issue entry had to be made using one of the computers in the store. Instead of a restaurant, Sinu would go to a nearby cyber cafe. When ready, he would ping Chacky. Chacky would then reply with the access credentials for the screen sharing tool.

How Were They Caught?

The email notification sent to Jinx about the Material Issue creation was actually triggered from ERPNext. They had suggested that we create an Email Alert based on Material Issue creation. As soon as Sinu remotely created the Material Issue entry, an Email Alert was sent to Jinx and to the employers at the HQ.

The Role Permissions feature also played a vital role. Permission to submit a Material Issue was reserved for the employer's user. Though Sinu created an entry, he didn’t find the Submit button. His search for the Submit button is what gave Jinx the time to find and reach the computer which was being remotely accessed, take screenshots, and, most importantly, catch him red-handed.

Moral of the Story

If you don’t have enough trouble in life, and want to invite some, set your password as “12345678”.

Note: Got an interesting ERPNext story? We would love to publish it as a blog here. Please email it to hello@erpnext.com

Umair Sayyed
"Umair is the Chief Customer Officer at ERPNext. He has done more than 50 ERP implementations remotely and replies to most incoming inquiries."