credit card details stolen from Indian call centres, sold to undercover
Card fraud totalled £609m during 2008, according to
payments group Apacs.
MarchOverseas card fraud scam exposed
BBC News, mARCH 20, 2009
By Allan Little
A criminal gang selling UK credit card details stolen
from Indian call centres has been exposed by an undercover
BBC News investigation.
Reporters posing as fraudsters bought UK names, addresses and valid
credit card details from a Delhi-based man.
The seller denied any wrongdoing and Symantec corporation, from
whom three victims bought a product via a call centre, called the
Undercover met the broker, Saurabh Sachar in a Delhi coffee shop
Card fraud totalled Â£609m during 2008, according to
payments group Apacs.
Symantec said it requires rigorous security measures of any third-party
call centre agents and it believed the breach had been limited to
a single agent.
The BBC team went to India on a tip off after being put in touch
with a man offering to sell stolen credit and debit card details.
Two undercover reporters met the broker in a Delhi coffee shop
for an encounter that was filmed secretly.
He told the pair he could supply them with hundreds of credit
and debit card details each week at a cost of $10 dollars a card.
After the reporters agreed to initially buy the details of 50 cards,
the man handed over a list of 14. He said the remainder would be
sent later by e-mail.
The man claimed some of the numbers had been obtained from call
centres handling mobile phone sales, or payments for phone bills.
Nearly all of the names, addresses and post codes sold to the undercover
team were valid. But most of the numbers attached to them were invalid
- often out by a single digit.
However, about one in seven of the numbers purchased were valid
- active cards still in use by UK customers. Their owners could
have been subjected to fraud if these cards had fallen into the
hands of criminals.
The BBC team contacted the owners of these cards and warned them
that their details were now being bought and sold in India.
Three of those customers had, within hours of each other, bought
a computer software package by giving their credit card details
to a call centre over the phone.
Within hours of making the purchase, their details were fraudulently
sent on to the reporters.
One of the victims said he was "disturbed" at what had
The software was made by Norton, which is part of the Symantec
Symantec, which launched an investigation after being informed
of the the undercover probe, said the leak had come from a single
source which has now been removed.
In a statement it said: "We are investigating how this incident
happened and will take any appropriate steps to address any opportunities
for improvement in our processes.
"We have engaged with the local law enforcement officials
in India and will cooperate fully with that investigation. We are
in the process of reviewing all possible options to manage this
third party call centre, including moving away from it."
A spokeswoman stressed that "rigorous security measures"
are put in place at call centres. For example, staff are not allowed
to take electronic devices, memory sticks, pens or pencils to their
desks. Internet and email access is also banned.
Saurabh Sachar, the seller, denied any wrongdoing or illegal activity.
When told that he had been filmed taking money from undercover
reporters, he said they had borrowed that money from him and were
paying it back.
He said the piece of paper handed over to undercover reporters
contained "some directions" and a " kind of balance
And, when accused of providing credit card details he said they
were "not correct". Mr Sachar also denied sending more
details by e-mail.
Credit and debit card fraud cost the UK banking industry Â£609
million in 2008 - a rise of 14% on 2007.
Much of that fraud comes from transactions where the card is not
physically present, such as telephone or internet sales.
The UK and the EU have stringent Data Protection laws. India has
recently tightened up its ruled government the use of Information
technology, but it has no data protection legislation.
"India is only paying lip service to data protection,"
the Data Protection lawyer Pavan Duggal told BBC News.
"We don't yet have a dedicated legislation on data protection.
Until such times as India comes across with strong stringent provisions
on data security we will have instances like this keep on happening."
The huge expansion in credit card use in recent years has produced
a new kind of fraudster - one that will try to exploit any opportunity
to reach into almost any credit or debit account that is used to
make telephone purchases.