Despite claims that the chip and PIN system made fraud considerably more difficult, hundreds of customers at three Shell petrol stations had their credit and debit card details copied and money withdrawn from private accounts because the cards still have magnetic strips that are vulnerable to cloning.
Eight people have been arrested following the fraud, which involved the implanting of ‘skimming’ devices into PIN (personal identification number) handsets. The chain has since suspended chip and PIN payment at 600 UK stations.
Dr Mike Bond, security director at banking security expert Cryptomatic, said drivers using fuel cards were much less at risk, because their personal details, such as bank account numbers, are not on the card, which makes them less attractive to criminals.
Mike Waters, head of market analysis at fuel card operator Arval UK, said: ‘The good news for fleet drivers equipped with a fuel card is that personal banking details are not held on them, and cannot be taken from their cards.
‘Furthermore, fuel cards cannot be used at any cashpoint machine or to obtain cash in any way.
‘Fuel cards operate on a restricted network of retailers and can only be used in their specific network to buy fuel.’
Dr Bond added: ‘Also, fuel cards are on a more obscure network and therefore are more secure because they are not such a target.
‘However, if more people migrate to fuel cards, it could become more of a target.’ Sandra Quinn, spokeswoman for the Association of Payment Clearing Services (APACs), said: ‘These PIN pads are supposed to be tamper resistant, they are supposed to shut down, so that has obviously failed.’ She added that APACS was confident the problem was specific to Shell.
A spokeswoman for Shell said: ‘Shell is aware that a small number of customers have been affected by the misuse of their bank cards after visiting a limited number of service stations in the UK.
‘In the interests of our customers, we have temporarily suspended chip and PIN availability in our UK company owned service stations. This is a precautionary measure to protect the security of our customers’ transactions.
‘Customers are unaffected by this action – you can still pay for your fuel, goods or services with your card by swipe and signature.
‘We will reintroduce chip and PIN as soon as it is possible, following consultation with the terminal manufacturer, card companies and the relevant authorities, to ensure that customers can be confident that their transactions are fully secure.
‘We have been working closely with the police, card companies and APACS. As the police investigation is ongoing, it would be inappropriate for Shell to comment further. We apologise to our customers if there has been any inconvenience caused.’