NDTV — Case regarding Sunny Nehra (online fraud with gyftr)
It's Sunny Nehra here.
Let me clear some facts about the case:
1) Regarding the fact that payu lacks security: yes it does ... in case of websites like srs grocery, komperify, indian gift portal, datawind, yepmee and many other websites payu can be solely held responsible for the data tampering that occurred on these websites (all the parameters that need to be changed are of payu on the payment page of payu), though if these websites had a good reverse hash lookup they could prevent themselves from such data tampering frauds. In some cases things are so simple that even i[censored] cancel the on-going transaction just by changing few parameters of payu instead of leading it to failure page the processors of gateway will take it to success page (even some 8th class students did that on some websites). But in case of gyftr the main bug was in gyftr ... before sending the data to payu gateway it did not check if the cart value actually matches with pay_id value that's being sent for processing... if the gateway itself is getting 1rs as pay amount it's supposed to take a payment of 1rs itself. I don't wanna complicate the things, just trying to be as simple as I can in my words.
2) Regarding the bugs: data tampering is a very old field ... everyone knows in data tampering website doesn't get paid and if it does in some cases that's when gateway bears the loss. I had done many experiments regarding it, mainly recharge of 10 rs or 100 rs from many different websites. From my payumoney wallet cops should be well clear of the fact: except gyftr, on all other sites that came across I have made only 1 or 2 or 3 successful small transactions (mostly all by different methods). Data tampering can't be even considered as a part of hacking as per me. One of my friends (junior to me, Navjot, just a student of 16 or 17) told me the fact that payu suffers from data tampering and that he along with his friends has been trying to report the bug to payu but there was no response from the other side. U can edit cashback amount (yepmee), use a used voucher again and again (a bug that just got spread like wild ... shopclues suffered it and even I found some village persons enjoying that bug unless on 21 Dec or any day around when shopclues removed egift card payment option ... may be temporarily). It was around 10th 2016 when Navjot gave me this confidential info, after which several websites with payumoney were examined for small amounts, say of 10 rs or 20 rs transactions ... (nearly 25% websites of the total examined suffered from the bug). Though I always doubted that regarding payu bcz in some groups I used to see some huge orders placed successfully on fnp (a website for cake, choco etc.) ... I have been seeing such posts since last 2 months being posted by some Dehradun guys but I never thought even such huge websites could suffer from things like data tampering.
3) Regarding gyftr: let me clear some facts that data tampering is something that's considered very [censored] thing .. people hardly care about it.. i[censored] will analyse the resources recovered from me, I never changed my ip or phone no. or email address on any website affected with it. Many recharge websites, after discussion with the admins of websites, have been made secure. It was birthday party of a friend of mine in Hissar on 18th Dec.. so on 18th .. 19th .. 20th ... we were in a small hotel of Hissar. Drunk persons everywhere ... (except me). Govind, a friend of Kolkata, was teaching something to many persons on his team viewer... Navjot later came to my teamviewer and started some tests on website named gyft (he has been told by Govind that it's one of most dumb sites they came across and it's too easy to place successful orders on it). He tested via so many different methods, each time gift cards of worth 5k (facebook id of Navjot: [protected] ... exact messages between us can be tracked from his fb id). My lapi has vip 72 (to get better anonymity), tor browser to access onion links, pia, hma premium etc. Gyftr did not require otp for creating account so u could enter any phone no. (even if it doesn't exist it won't matter) and u could use any random mail, say any disposable mail or temp mail (vouchers come on mail and phone no. both), so if people were indeed serious about it it was impossible for things to get tracked. I had asked Navjot to use my primary phone no. and my primary email, and all orders done via gyftr have my phone no. and email which is mentioned on my fb .. and everywhere else. No ip address was changed though laptop had software to lead it to anonymity. People sitting near to me all were looking what's going on the team viewer. Total of nearly 30 students from India (most of them are friends of Govind ... I have a small circle involving me, Ajad, Tej, Sonu) were placing orders blindly on the website.
Persons sitting beside me did not use started to follow the method .. I told clearly everyone in case of tampering website never gets payment so the way things are being done by so many will lead to problem. All info used by my group was real and there could be many many reasons for it... one of them being it could create a complete mess on the website... if they need payment it was too easy for them, they could mail me or text or call me on my no., as data tampering is basically a case of payment not being received and it could create huge pressure on payu gateway that could have led to a nice discussion with them. I have earlier also returned money to websites, which my advocate asked me to attach along with the bailing documents, but my laptop was not provided to me (I know that's for law sake but still all I wanted was a snapshot of some transactions).
4) Regarding the loss of gyftr: the website mentioned at some places that the total loss it suffered is 92 lakhs ... but the loss from us 4 persons (that's my group) was found to be around 1.7 lakhs ... and total loss of around 10 lakhs from entire country (out of which only 6.5 lakhs has been verified so far).
5) Regarding the complaint: if Akshat Khanna, a friend of ours (earlier a friend) who was himself indulged in this case, would not have called gyftr and manipulated things so much, things wouldn't have been like that. My competitor in bitcoin trading business ... I thought sometimes he isn't a reliable friend, which mainly led our friendship to break.
6) Regarding the arrest: I had mentioned all my real infos on the orders placed on gyftr. I keep posting on my fb timeline wherever I go and my fb profile can be searched via both my no. and email provided on gyftr orders. I posted that I m in Leela on my timeline (I did not post any pic of Leela, controversial to what some newspapers say). When I got arrested, after one day custody I asked for my cell phone, called my friends and took help of some friends, and my 3 persons (Ajad, Tej, Sonu) came one by one to join me. I cooperated as far as I could do to provide all the info to the cops regarding the case... Govind and many others' addresses were found by using social engineering.. Akshat and Prakhar were held from Dehradun from their respective colleges.. Only I was arrested, rest all, though admitted that they had done same thing as me, were given only notice (may be it was my bad luck .. they took the matter to be too much exaggerated unless they met me). They have all the data now of all the persons indulged and it's on them what they will do now (what I think is the feeling that even kids are involved in the matter is stopping them to some extent to move further though all things have been verified well). Hauz Khas police is nice .. they did not behave with me as a criminal is supposed to be. It was nice experience in custody helping them out in everything.
7) Regarding my bail: after police custody of 8 days my advocate well assured me that I will get bailed. When the opposition mentioned 92 lakhs in court ... my advocate made it well clear that the actual loss is too less and of that too less the loss done by me was too low, and only I was arrested though all others have done the same thing. The IO (respected Anand Swarup sir) told the magistrate that I cooperated well with them and helped them everywhere I could. I was bailed by the magistrate with a warning of not doing such acts in future.
8) Regarding the news channels: please publish something only when u know the complete matter. U have posted pics of persons like Ajad (who just ate a pizza from a gift card he got from gyftr doing loss of 700 rs to gyftr) while group of persons who ordered products worth several lakhs in Kolkata (60% of the total is their contribution). Posting bull [censored]s like I have many girl friends this or that [censored] please be informed I had a gf in June, 2016, after that I never had a gf. Regarding itc welcome stays plz be informed that even when I stayed there for 3 days my total food bill when I checked out was 19k and usually when I go there I give them advance of 30k or 40k security deposit bcz I know my friends well. Most of my bookings in that hotel will be from goibibo which ensures best rates. I have no idea how much cash I have paid there. And regarding bitcoins plz be informed during my birthday time the bitcoin bought in 13 lakhs last month got sold for 22 lakhs that time. I know I don't save, I spoil a lot, but still the breakup o[censored]K that time, the week of decreasing potential of bitcoin mining servers and many other things led one to clear conclusions when to trade, when to store and when to sell.
9) Regarding the earning: well even when I just used to upload simple videos on youtube .. I used to earn... being admin of so many huge groups, publicity has been always earlier for me.. even i[censored] check my paypal transaction, most of earning will be paid by persons who got their facebook page name changed (I charged 5$ to 50$ per fb page name change if it had like above 200, which wasn't allowed directly by fb at that time but a simple bug led me to change it). https://www.youtube.com/watch?v=TGZYlIDd3mU (even from page name change my total earning was nearly 3 lakhs) leave other tricks of automated likes or followers or group members or whatever... some videos even got deleted bcz of guidance to wifi hacking etc. (though I was a little kiddish that time).
10) Regarding data tampering and api hacking: most of api that were hacked for recharge were of neighbouring nations ... (even one of my juniors showed me an api of Bangladesh with 7 cr balance and the site got hacked so easily by using sql injection). If any found to be Indian would have been secured by me or any other person in my contact... data tampering is nothing but piece of [censored] and making such huge drama of a case of data tampering doesn't make a sense. Students like Navjot and Govind who are too young and have huge potential can be used to make our security systems better. I would really appreciate if payumoney calls gyftr and some other websites (all websites are slightly different in functioning than others) and looks up at the matter.
11) Regarding the online business in India: the worst part of situation is that the customer support of websites is too weak. It was nearly 2 years back ... orders worth 1.25 lakhs, 1.18 lakhs, 1.09 lakhs etc. (all being above 1L) were ordered from foodpanda in Murthal and in spite it broke all records of foodpanda still it took them 2 days to notice the case. I had mailed them ... whatsapped them... called their customer care, did all. Tried to make them things clear but they could not get it. At least after the incident that happened in IIIT Hyderabad they should have learnt from it. It was too hard to contact them but finally one day I went to their office and met them.. I went for 3 days and after a discussion with their staff finally cleared out some things that how exactly things were leading to their loss and students can make fun of these things if bugs get leaked. They patched the system (though I can't discuss the exact things there for sake of their privacy and security concerns). The good thing about fp was they mentioned an article on newspaper mentioned Delhi and Murthal but did not write exact names and all. The thing is if we are running an online business, integration with gateway, deep study of terms like chargeback, awareness of basic hacking methods like sql and others, a touch of the things going in the online markets and a good cooperative staff and responsive customer care support is a must. People may affect your systems for money, people may affect it for sake of learning, people may affect it bcz they are habitual to things, people may affect it even for sake of timepass. The worst part of situation is when your website suffers from a bug that even kids can learn easily and follow. A serious group of hackers could easily anonymise themselves and steal gift cards from websites like gyftr of websites like mmt, ctr etc. which are international and could sell them abroad.
Well the article has been written by taking the case of gyftr in concern and I have tried my best to provide all info as far as possible. Instead of exaggerating the things it would be better for news channels to look into the matter carefully and post only those things which are verified.
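
The two merchant-side checks that point 1 of the post says were missing (a hash over the gateway's response parameters, and a comparison of the paid amount with the stored cart value), shown as an added example that is not part of the original post and not any gateway's actual API. The field names, the HMAC-SHA512 construction, the shared secret and the order table are assumptions made for the illustration.

```python
from __future__ import annotations
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Constructed demo values; a real secret lives in server-side config only.
SHARED_SECRET = b"constructed-demo-secret"
ORDERS = {"ORD-1001": Decimal("5000.00")}  # cart totals stored server-side
SIGNED_FIELDS = ("txnid", "amount", "status")


def sign(fields: dict) -> str:
    """HMAC-SHA512 over the fields that decide whether an order ships."""
    msg = "|".join(str(fields[k]) for k in SIGNED_FIELDS).encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha512).hexdigest()


def verify_callback(cb: dict) -> tuple[bool, str]:
    """Accept a gateway callback only if it is authentic AND pays the cart total."""
    if any(k not in cb for k in SIGNED_FIELDS + ("hash",)):
        return False, "missing field"
    expected_total = ORDERS.get(cb["txnid"])
    if expected_total is None:
        return False, "unknown order"
    # 1. Integrity: any parameter edited in the browser breaks the MAC.
    if not hmac.compare_digest(sign(cb), str(cb["hash"])):
        return False, "bad signature"
    # 2. Amount: compare what was paid with the stored cart value,
    #    never with an amount echoed back by the client.
    try:
        paid = Decimal(str(cb["amount"]))
    except InvalidOperation:
        return False, "bad amount"
    if paid != expected_total:
        return False, "amount mismatch"
    # 3. Status is trusted only now that the signature has been checked.
    if cb["status"] != "success":
        return False, "payment not successful"
    return True, "ok"


def signed(txnid: str, amount: str, status: str) -> dict:
    """Build a callback as the gateway side would (constructed sample data)."""
    cb = {"txnid": txnid, "amount": amount, "status": status}
    cb["hash"] = sign(cb)
    return cb
```

The amount check matters even when the signature is valid: a gateway that was asked to charge 1 rs will correctly sign a 1 rs payment, so only the comparison with the server-side cart total catches it.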