Steven Murdoch

Join the Community

21,976

Expert opinions

44,115

Total members

453

New members (last 30 days)

169

New opinions (last 30 days)

28,669

Total comments

Join Sign in

Royal Society University Research Fellow

University College London

Member since

01 Jul 2009

Location

London

Bio

Dr Steven J. Murdoch is a Royal Society University Research Fellow in the Information Security Research Group of University College London, working on developing metrics for security and privacy.

Experience

Summary

Consultant on computer security, researcher, expert witness.

Latest opinions

Chip and Skim: cloning EMV cards with the pre-play attack

The EMV (Chip & PIN) protocol requires ATMs and point-of-sale terminals to generate a random number. If this number (known in EMV terminology as the "unpredictable number") isn't random, Chip & PIN is left vulnerable to the "pre-play" attack, which is indistinguishable from card cloning to the bank which issued the card...

11 September 2012 Information Security

UK Cards Association attempt to supress Cambridge research

The UK Cards Association (previously known as APACS) has written to the University of Cambridge asking them to remove a paper, claiming that it contains information that might be of use to criminals. The thesis, from a master's project by Omar Choudary, showed how to build a device that protects cardholders from tampered Chip & PIN terminals. ...

25 December 2010 Information Security

Reliability of Chip and PIN evidence in banking disputes

It has now been two weeks since we published our paper “Chip and PIN is broken”. Here, we presented the no-PIN attack, which allows criminals to use a stolen Chip and PIN card, without having to know its PIN. The paper has triggered a considerable amount of discussion, on Light Blue Touchpaper, Finextra, and elsewhere. One of the topics which has...

26 February 2010 Information Security

See all 9 opinions by Steven

Latest comments

Visa slams European plans for stronger online transaction authentication rules

Visa also request that they have the option to not perform strong authentication, and instead accept liability for fraud. However this doesn't take into account that there are wider costs of fraud, that just refunding the customer will not deal with. Furthermore the draft regulations allow providers to keep the security audit of authentication systems secret, and so leave victims of fraud in a difficult position to argue that they were not negligent. I pointed both of these issues out in my own response to the EBA consultation.

23 Nov 2016 13:17 Read comment

Researchers reveal chip and PIN hack

@Peter When I've used my UK credit card in Belgian PoS terminals, I'm confident offline PIN and online authorisation was used because the PIN verification response was instantaneous but the transaction authorisation took a few seconds. I don't know the relative proportions of different transaction types, but offline PIN is almost certainly possible and is listed as the prefered option on the CVM list of UK cards I looked at. Even if only some terminals support offline PIN, criminals would have targeted them (they already would have had to identify terminals with a non-zero floor limit).

22 Oct 2015 17:37 Read comment

Researchers reveal chip and PIN hack

Yes, it was exploiting the same vulnerability as the original no-PIN attack. However there was an interesting twist: they also modified the application transaction counter (ATC) to make it seem as if the card had done fewer transactions than it really had. This, along with the fact that the cards were stolen in France and used in Belgium, made it more likely for the transaction to be offline and so keep the fraud working even after the genuine card had been reported stolen. I posted more details here: https://www.benthamsgaze.org/2015/10/14/just-how-sophisticated-will-card-fraud-techniques-become/

22 Oct 2015 17:02 Read comment

See all 35 comments by Steven

Community