A criminal gang selling UK credit card details stolen from Indian call centres has been exposed by an undercover BBC News investigation.

Reporters posing as fraudsters bought UK names, addresses and valid credit card details from a Delhi-based man.

The seller denied any wrongdoing and Symantec corporation, from whom three victims bought a product via a call centre, called the incident "isolated".

Card fraud totalled £609m during 2008, according to payments group Apacs.

Symantec said it requires rigorous security measures of any third-party call centre agents and it believed the breach had been limited to a single agent.

The BBC team went to India on a tip off after being put in touch with a man offering to sell stolen credit and debit card details.

Two undercover reporters met the broker in a Delhi coffee shop for an encounter that was filmed secretly.

Secret filming exposes frauster selling stolen credit card details
http://news.bbc.co.uk/1/hi/uk/7952419.stm

He told the pair he could supply them with hundreds of credit and debit card details each week at a cost of $10 dollars a card.

After the reporters agreed to initially buy the details of 50 cards, the man handed over a list of 14. He said the remainder would be sent later by e-mail.

The man claimed some of the numbers had been obtained from call centres handling mobile phone sales, or payments for phone bills.

Back in the UK, the broker continued to supply card details to one of the undercover reporters by email.

Nearly all of the names, addresses and post codes sold to the BBC team were valid. But most of the numbers attached to them were invalid - often out by a single digit.

However, about one in seven of the numbers purchased were valid - active cards still in use by UK customers. Their owners could have been subjected to fraud if these cards had fallen into the hands of criminals.


The BBC team contacted the owners of these cards and warned them that their details were now being bought and sold in India.

Three of those customers had, within hours of each other, bought a computer software package by giving their credit card details to a call centre over the phone.

Within hours of making the purchase, their details were fraudulently sent on to the reporters.

One of the victims said he was "disturbed" at what had happened.

Allan Little telephones the fraudster to confront him about what we found
http://news.bbc.co.uk/1/hi/uk/7952423.stm

The software was made by Norton, which is part of the Symantec corporation.

Symantec, which launched an investigation after being informed of the the undercover probe, said the leak had come from a single source which has now been removed.

In a statement it said: "We are investigating how this incident happened and will take any appropriate steps to address any opportunities for improvement in our processes.

"We have engaged with the local law enforcement officials in India and will cooperate fully with that investigation. We are in the process of reviewing all possible options to manage this third party call centre, including moving away from it."

A spokeswoman stressed that "rigorous security measures" are put in place at call centres. For example, staff are not allowed to take electronic devices, memory sticks, pens or pencils to their desks. Internet and email access is also banned.

Wrongdoing denied

Saurabh Sachar, the seller, denied any wrongdoing or illegal activity.

When told that he had been filmed taking money from undercover reporters, he said they had borrowed that money from him and were paying it back.

He said the piece of paper handed over to undercover reporters contained "some directions" and a "kind of balance sheet".

And, when accused of providing credit card details he said they were "not correct". Mr Sachar also denied sending more details by e-mail.

Credit and debit card fraud cost the UK banking industry £609 million in 2008 - a rise of 14% on 2007.

Much of that fraud comes from transactions where the card is not physically present, such as telephone or internet sales.

The UK and the EU have stringent Data Protection laws. India has recently tightened up its rules governing the use of Information technology, but it has no data protection legislation.

"India is only paying lip service to data protection," the Data Protection lawyer Pavan Duggal told BBC News.


"We don't yet have a dedicated legislation on data protection. Until such times as India comes across with strong stringent provisions on data security we will have instances like this keep on happening."

The huge expansion in credit card use in recent years has produced a new kind of fraudster - one that will try to exploit any opportunity to reach into almost any credit or debit account that is used to make telephone purchases.