Shell suffers £1m Chip and PIN fraud

Experts fear consumer confidence will be hit

The security of chip and PIN systems was thrown into doubt this week when Shell revealed that it has suspended the use of chip readers across its petrol stations.

The move came after fraudsters stole more than £1m from customers’ bank accounts by implanting skimming devices into the chip and PIN readers at three Shell stations. The fraudsters used the data gathered to clone hundreds of customers’ cards for use in transactions where PINs are not required. Police said eight people have been arrested in connection with the fraud, and there is a suspicion of insider involvement.

Shell confirmed that in light of the fraud, it has temporarily suspended the use of chip and PIN in around 600 Shell outlets across Britain. In the meantime, customers will need to sign for purchases. The 400 franchised operations are unaffected.

The oil giant said has yet to confirm a date for the reinstatement of chip and PIN. “We will reintroduce chip and PIN as soon as it is possible, following consultation with the terminal manufacturer, card companies and the relevant authorities,” said a company spokeswoman.

The incident is a blow to advocates of chip and PIN technology, which was established to reduce opportunities for signature-based fraud.

Andrew Moloney, senior product manager at RSA Security's consumer solutions division, warned that consumer and business confidence in chip and PIN systems would be shaken by this case.

“The fact that the first breach has occurred so soon after the full implementation in February, shows just how determined and sophisticated today's fraudsters are,” Moloney said. “Research report after research report confirms a growing lack of consumer confidence in banking online, and the impact of further breaches affecting a mainstream payment system like chip and PIN could be devastating.”

However, Sandra Quinn of the Association of Payment Clearing Services (Apacs) argued that the incident should not knock confidence the payments system. “This isn’t a chip and PIN fraud. It’s not broken chip and PIN technology in any shape or form,” she said.

Quinn added that there is an issue with the manufacturer of the PIN pad, which Apacs is following up. “These devices are supposed to be tamper-proof, so it should have shut down [once the skimmer device was installed],” she said. “We need to find out why that didn’t happen.”