Shell card fraud an inside job says APACS

It now looks as though the Shell chip-and-pin scam I reported on earlier this week was caused by a combination of technology failure and human weakness.

APACS now says that the fraud was almost certainly an inside job, as well as revealing that the PINpads - which should have fail-safed and shut down when tampered with - er, didn't.

I find this explanation hard to believe. Without revealing too many trade secrets, the PINpads in use in the UK are built to a tight specification that is protected by many layers of security.

I strongly suspect that the fraudsters - apparently the eight people arrested in connection with the million-pound scam were scattered across the UK - loaded special software on to the EFTPOS tills at the Shell stations concerned.

This suggests a fairly sophisticated attack and one that could probably be replicated elsewhere, as there are only a handful of EFTPOS till designs of this type in use in the retail industry.

As I've said before, I doubt very much whether we'll find out what really happened, as it's in no-one's interests for the technical details to be made public.

On a linked topic, whilst trundling through Kings Cross station last night, en route for home, I noticed that the FastTicket machines - which allow you to buy rail tickets without human intervention - now have PINpads on them.

I spent an enjoyable 10 minutes examining the PINpads on the Kings Cross FastTicket machines before having to hoof it to catch my train.

Security? What security? I suppose I'm on CCTV somewhere (fx: laughs hysterically), but I've seen more security at our open-all-hours Spar shop than at Kings Cross...