The UK banking industry's massive investment in Chip & PIN payment cards has been brought into question after fraudsters stole more than £1 million from customers by implanting skimming devices in retailer PIN pads.
UK police have arrested eight people in connection with the fraud, which affected hundreds of customers paying for goods and services at Shell petrol stations. Tampered card readers have been discovered at three Shell forecourts and the oil company has temporarily suspended all Chip & PIN payments at its network of outlets across the UK.
The fraudsters are understood to have used old-school skimming devices to capture magnetic stripe details and PIN numbers. The cloned cards were then used to withdraw cash and pay for goods at locations overseas and at machines where the chip is not scanned.
The Cheque and Plastic Crime Unit of the Metropolitan Police says that more than £1 million has been siphoned from customer accounts by the fraudsters.
The crime is a huge embarrassment to the banking industry, which enforced a national migration to the new scheme on the assurance that it would prevent counterfeit card fraud by making it impossible for fraudsters to copy confidential card details stored on the microchip. However, the continued use of mag-stripe data for card withdrawals, both in the UK and at cash machines abroad, represents a loophole in the system which can be exploited by criminal gangs.
The compromised PIN pads used to perpetrate the fraud at Shell were all supplied by Irish manufacturer Trintech. Sandra Quinn of Apacs says that Chip & PIN readers are supposed to be tamper-resistant and designed to shut down if they are interfered with.
"This is a specific issue for Shell and their supplier to sort out," she adds. "We are confident that this is not a systemic issue."