A story of an undercover investigation by the BBC shows how dishonest employees at call centers — who collect plastic payment card details on clients — might be making a little extra pocket change by selling them.
The focus of the BBC story is centered on an Indian call center employee for Symantec Security Corporation stealing payment card information. It is also centered on UK customers, which is understandable given it is the BBC, but the reality is that information is stolen then sold from countries all over the world.
Payment card details are handled by telephone at call centers in a lot of places and the calls come from all over, too. A lot of companies have different tiers (levels of personnel) handling calls, depending on the difficulty or nature of the call. At a lot of major companies, these tiers are located in different centers, which are in different countries. Any call might start in one country and, given the nature of the call, it could be transferred to another center located in another country. Given this, payment card information can be sent and then illicitly recorded over a fairly wide geographical area.
Besides that, dishonest employees are caught on a regular basis in a lot of different places. They don't all necessarily reside in India and call centers there are not the only place payment card information can be compromised. In fact, payment card information can be compromised anywhere (not just call centers) where they are used at a point of sale.
Information crooks are recruited and some think even planted anywhere financial information can be stolen. Even if they are not, payment card details are being bartered in forums on the Internet. It probably wouldn't be very hard to find a place to sell credit/debit card information when all it takes to do it is a click of a mouse.
The BBC story, which aired on video, chronicles an investigative effort by their reporters on the streets of Delhi. In the segment, it shows reporters making contact with the underground broker, who offers them payment card details from "all over the world" for $10-$12, each. It then shows a buy being made and money changing hands.
When the information was checked, it revealed that only one in seven card numbers were actually usable. They were able to trace some of the good numbers to a call center handling Symantec (Norton) products. The story stated that there has only been one successful prosecution in India for this type of crime and that it netted a non-custodial sentence. It also stated that the laws regarding the protection of data are not as stringent as they are in some places. The story mentions that Symantec's official comment was that it was an isolated incident and that the employee was removed.
Article comments
1 - Techtalk
We cannot expect much in the absence of legislative framework in this regard. The government of India and DSCI has to pro actively do something in this regard.
India's cyber law, with further confusion about its status, is also detrimental for BPO growth. Cyber Security in India is missing and the same requires rejuvenation. When even PMO's cyber security is compromised for many months we must at least now wake up.
If DSCI is really serious about data protection in India first it must acquire expertise to do so. The best option is to scrap the IT Act Amendment Bill, 2008 and come up with good cyber law as well as data protection law in India.
2 - bliffle
Unless customers are provided truly secure means to pay with CCs, and anti-fraud laws are internationally uniform and enforced, no person should state their CC number on the phone, or even an online order form.
It'll never happen. Too clumsy and expensive. Merchants will continue to export all risk to their customers.
If some one on the phone demands your CC number, ask them if they are bonded. Personally bonded.
Never surrender the 3 digit visual verification code on the back of your CC. That code was specifically intended for visual-only verification.
If necessary, cancel the purchase. When enough people cancel purchases merchants will be forced to find better methods of payment.
3 - Ruvy
I don't have a credit card. I realize that other forms of information theft are available. I dislike using Paypal, and prefer to pay in cash via direct deposit into an account. And lately, I prefer using shekels over dollars, that's for sure.
Expecting people to act responsibly - especially in India where 400 to 500 rupees ($10 to $12) is a lot of money and 4,000 rupees can be a monthly salary - is a little foolish. You can't legislate good behavior, any more than you can legislate sobriety. Since a lot of the outsourcing does go to India, it pays to calculate the number of rupees you are dealing with as opposed to dollars. A rupee is about 2½ cents.
Enjoy the electronic world out there!