Latest opinions that Steven Murdoch has shared on Finextra

Join the Community

23,320

Expert opinions

42,503

Total members

339

New members (last 30 days)

180

New opinions (last 30 days)

29,094

Total comments

Join Sign in

Steven Murdoch

Royal Society University Research Fellow

University College London

Member since

01 Jul 2009

Location

London

View Steven Murdoch's full profile

Steven's opinions

Chip and Skim: cloning EMV cards with the pre-play attack

The EMV (Chip & PIN) protocol requires ATMs and point-of-sale terminals to generate a random number. If this number (known in EMV terminology as the "unpredictable number") isn't random, Chip & PIN is left vulnerable to the "pre-play" attack, which is indistinguishable from card cloning to the bank which issued the card...

11 September 2012 /security /payments Information Security

UK Cards Association attempt to supress Cambridge research

The UK Cards Association (previously known as APACS) has written to the University of Cambridge asking them to remove a paper, claiming that it contains information that might be of use to criminals. The thesis, from a master's project by Omar Choudary, showed how to build a device that protects cardholders from tampered Chip & PIN terminals. ...

25 December 2010 /security Information Security

Reliability of Chip and PIN evidence in banking disputes

It has now been two weeks since we published our paper “Chip and PIN is broken”. Here, we presented the no-PIN attack, which allows criminals to use a stolen Chip and PIN card, without having to know its PIN. The paper has triggered a considerable amount of discussion, on Light Blue Touchpaper, Finextra, and elsewhere. One of the topics which has...

26 February 2010 /security /regulation Information Security

Chip and PIN is broken

There was a 9-minute film on Newsnight yesterday evening (available online) showing some research by Saar Drimer, Ross Anderson, Mike Bond and me. We demonstrate a middleperson attack on EMV which lets criminals use stolen chip and PIN cards without knowing the PIN. Our technical paper “Chip and PIN is Broken” explains how. It has been causing qui...

12 February 2010 /security Information Security

Verified by Visa and MasterCard SecureCode

This week, the 2010 Financial Cryptography conference is being held in Tenerife. The papers to be presented are likely of interest to the Finextra audience. Unfortunately, most are not available online, but searching for the title might show up a copy on the authors' home page. My paper at FC'10 is on the security of Verified by Visa and MasterCard...

27 January 2010 /security /payments Information Security

Encoding integers in the EMV protocol

On the 1st of January 2010, many German bank customers found that their banking smart cards had stopped working. Details of why are still unclear, but indications are that the cards believed that the date was 2016, rather than 2010, and so refused to process a transaction supposedly after their expiry dates. This problem could turn out to be quite...

19 January 2010 /security Information Security

Finextra video interview on CAP vulnerabilities

Today, Finextra published a video interview with me, discussing my research on banks using card readers for online banking, which was recently featured on TV. In this interview, I discuss some of the more technical aspects of the attacks on card readers, including the one demonstrated on TV (which requires compromising a Chip & PIN terminal),...

11 November 2009 /security Information Security

Demonstration of CAP vulnerability on BBC One today

This evening (Monday 26th October 2009, at 19:30 UTC), BBC Inside Out will show Saar Drimer and I demonstrating how the use of smart card readers, being issued in the UK to authenticate online banking transactions, can be circumvented. The programme will be broadcast on BBC One, but only in the East of England and Cambridgeshire, however it shoul...

26 October 2009 /security Information Security

Which? survey of online banking security

Today Which? released their survey of online banking security. The results are summarized in their press release and the full article is in the September edition of “Which? Computing”. The article found that there was substantial variation in what authentication measures UK banks used. Some used normal password fields, some used drop-down boxes, ...

09 September 2009 /security

Community