Royal Dutch Shell Plc  .com Rotating Header Image

Silicon.com: Shell's £1m chip and PIN fraud 'an inside job'

Shell's £1m chip and PIN fraud 'an inside job'

“Without any doubt,” says payments body Apacs…

Add Comment  Printer Friendly  Email Story

By Will Sturgeon

Published: Monday 8 May 2006

A £1m chip and PIN fraud at a Shell petrol station was “an inside job”, according to UK payments body Apacs.

Shell suspended the use of chip and PIN payments at 600 UK petrol stations over the weekend as a precautionary measure following the theft of more than £1m from customer accounts.

A spokeswoman for Shell confirmed to silicon.com that “a small number of customers have been affected” and added that the company is now co-operating with a police investigation that has already resulted in nine arrests in connection with the crime.

Shell said the company is working with the manufacturers of the chip and PIN terminals but does not know when its petrol stations will be able to start taking chip and PIN payments again.

The spokeswoman said it is not known whether all affected customers have been informed yet but banks have issued advice to customers to check their bank accounts and statements carefully for discrepancies.

Due to the ongoing nature of the investigation, Shell declined to comment further on the specifics of the case.

But a spokeswoman from Apacs told silicon.com criminals must have had easy access to PIN pads in order to modify them to enable the theft of PIN numbers and the copying of magnetic strip information – a task which will have taken time.

She said that “without any doubt” it must have been an inside job involving a “conspiring” or “coerced” member of staff.

At the heart of the problem are PIN pads which are designed to shut down if they tampered with. In the case of those supplied to Shell this didn't happen and it appears it is that vulnerability which was exploited, said Apacs.

It's likely the news will throw into question the reliability of chip and PIN payments which became a requirement for most point of sale card payments in the UK in February.

However, the Apacs spokeswoman told silicon.com: “In the past, one of the fraud hotspots has been petrol stations. As such it's no surprise we've got a situation like this on the forecourt.

“We've never said the fraudsters will disappear. They are organised criminals and they are very sophisticated. But cards are a lot safer now than they were two years ago.”

She claimed the speed at which police have been able to make arrests owes a lot to the fact chip and PIN payments can quickly be traced back to the PIN pad which was used.

royaldutchshellplc.com and its sister websites royaldutchshellgroup.com, shellenergy.website, shellnazihistory.com, royaldutchshell.website, johndonovan.website, shellnews.net and shell2004.com are all owned by John Donovan. There is also a Wikipedia article.

1 Comment on “Silicon.com: Shell's £1m chip and PIN fraud 'an inside job'”

  1. #1 Owain
    on May 8th, 2006 at 19:37

    C&P is cutting fraud actually committed at the retailer point of sale, but fraudsters are simply moving to card not present fraud which they can effect by skimming the magnetic stripe of any card, whether it has a chip or not (which is what appears to have happened in this case ie the retailer point of sale was the site of the skimming not the subsequent fraud)
    APACS (press release and website) “Reduction in all card fraud types except card-not-present (internet, phone and mail order) fraud which rose by £32.4m – up 21%” [2005 data]
    A simple, cheap, and rapdily installable system which has been in use in Hungary for over five years (and has now been adopted in Spain, Italy, South Africa, etc.) could have significantly reduced this.
    Indeed OTP Bank in Hungary using this one system now have card fraud which is less than one twentieth (1/20th) of that in the UK – the system is effective against all forms of fraud, particularly card not present
    The system simply sends the card holder a text message on their mobile phone whenever the card is used. If it was them they can ignore it. If it was not them, ie it is fraud, they reply 'blk' and the bank can block the card shutting the fraud down immediately.
    C&P was major cost and effort to banks and retailers and has had a significant impact, but only on one form of fraud. Implementing a simple system such as MoneyGUARD as well as C&P can have a real impact across all forms of fraud.
    This simple transaction notification sytem, has been available in the UK for a while now, but, unlike other countries, no bank has adopted it yet … maybe now they will !

Leave a Comment

%d bloggers like this: