BBC sting exposes sale of credit card details in India

Prasun Sonwalkar

London, Mar 20 (PTI) In another case of data theft being
traced to India, a BBC investigation has exposed activities of
a criminal gang that sells credit card details of UK customers
reportedly stolen from call centres in the country.

In a sting operation, BBC reporters posing as fraudsters
from London bought names, addresses and valid credit card
details of UK customers from New Delhi-based Saurabh Sachar,
who acted as a broker to arrange the sale.

The BBC team went to India on a tip off after being put
in touch with a man offering to sell stolen credit and debit
card details. Two undercover reporters met the broker in a
Delhi coffee shop for an encounter that was filmed secretly.

He said he could supply them with hundreds of credit and
debit card details each week at a cost of USD 10 a card. After
the reporters agreed to initially buy the details of 50 cards,
the man handed over a list of 14.

Sachar, who said the remainder would be sent later by
e-mail, claimed some of the numbers had been obtained from
call centres handling mobile phone sales or payments for phone
bills.

The investigation was broadcast on BBC's prime time news
Thursday. Similar cases of money being illegally withdrawn in
India using details of UK customers, who use their cards while
making purchases physically here or through the phone and
online have come to light earlier.

After the BBC team returned to UK, Sachar continued to
supply card details to one of the reporters by email.

The BBC said nearly all of the names, addresses and post
codes sold were valid but most of the numbers attached to them
were invalid -- often out by a single digit.

However, about one in seven of the numbers purchased were
active cards still in use by UK customers and their owners
could have been subjected to fraud if these cards had fallen
into the hands of criminals.

The BBC team contacted the owners of these cards and
warned them that their details were now being bought and sold
in India. Three of the customers had, within hours of each
other, bought a computer software package by giving their
credit card details to a call centre over the phone.

Within hours of making the purchase, their details were
fraudulently sent on to the reporters. Sachar denied any
wrongdoing or illegal activity.

The software was made by Norton, which is part of the
Symantec corporation.

Symantec, which launched an investigation after being
informed of the the undercover probe, said the leak had come
from a single source which has now been removed.

In a statement it said: "We are investigating how this
incident happened and will take appropriate steps to address
any opportunities for improvement in our processes. We have
engaged with the local law enforcement officials in India and
will cooperate fully with that investigation".

"We are in the process of reviewing all possible options
to manage this third party call centre, including moving away
from it," Symantec said.

Data protection lawyer Pavan Duggal told the BBC: "India
is only paying lip service to data protection. We don't yet
have a dedicated legislation on data protection. Until such
times as India comes across with strong stringent provisions
on data security we will have instances like this keep on
happening." PTI PS
RAI
NNNN