Welcome to Finextra. We use cookies to help us to deliver our services. We'll assume you're ok with this, but you may change your preferences at our Cookie Centre.
Please read our Privacy Policy.

Accept
Channels
Profile
Location
London
Member since
2009
Writes about
Security Payments Regulation & Compliance

Steven's blog archive

2012 (1) 2010 (5) 2009 (3)
Steven Murdoch

Steven Murdoch

Royal Society University Research Fellow at University College London
Message Message me Posts: 9 Comments: 35
Bio Dr Steven J. Murdoch is a Royal Society University Research Fellow in the Information Security Research Group of University College London, working on developing metrics for security and privacy. Career History Consultant on computer security, researcher, expert witness.

Blogs

Information Security

Chip and Skim: cloning EMV cards with the pre-play attack

11 Sep 2012

The EMV (Chip & PIN) protocol requires ATMs and point-of-sale terminals to generate a random number. If this number (known in EMV terminology as the "unpredictable number") isn't random, Chip & PIN is left vulnerable to the "pre-play" attack, which is indistinguishable from card cloning to the bank which issued the card...

3

Information Security

UK Cards Association attempt to supress Cambridge research

25 Dec 2010

The UK Cards Association (previously known as APACS) has written to the University of Cambridge asking them to remove a paper, claiming that it contains information that might be of use to criminals. The thesis, from a master's project by Omar Choudary, showed how to build a device that protects cardholders from tampered Chip & PIN terminals. ...

4

Information Security

Reliability of Chip and PIN evidence in banking disputes

26 Feb 2010

It has now been two weeks since we published our paper “Chip and PIN is broken”. Here, we presented the no-PIN attack, which allows criminals to use a stolen Chip and PIN card, without having to know its PIN. The paper has triggered a considerable amount of discussion, on Light Blue Touchpaper, Finextra, and elsewhere. One of the topics which has...

Information Security

Chip and PIN is broken

12 Feb 2010

There was a 9-minute film on Newsnight yesterday evening (available online) showing some research by Saar Drimer, Ross Anderson, Mike Bond and me. We demonstrate a middleperson attack on EMV which lets criminals use stolen chip and PIN cards without knowing the PIN. Our technical paper “Chip and PIN is Broken” explains how. It has been causing qui...

13

See all Steven's blogs

Steven is Commenting on

Visa slams European plans for stronger online transaction authentication rules

  Visa also request that they have the option to not perform strong authentication, and instead accept liability for fraud. However this doesn't take into account that there are wider costs of fraud, that just refunding the customer will not deal with. Furthermore the draft regulations allow providers to keep the security audit of authentication systems secret, and so leave victims of fraud in a difficult position to argue that they were not negligent. I pointed both of these issues out in my own response to the EBA consultation.

23 Nov 2016 Reply Read article

Researchers reveal chip and PIN hack

  @Peter When I've used my UK credit card in Belgian PoS terminals, I'm confident offline PIN and online authorisation was used because the PIN verification response was instantaneous but the transaction authorisation took a few seconds. I don't know the relative proportions of different transaction types, but offline PIN is almost certainly possible and is listed as the prefered option on the CVM list of UK cards I looked at. Even if only some terminals support offline PIN, criminals would have targeted them (they already would have had to identify terminals with a non-zero floor limit).

22 Oct 2015 Reply Read article

Researchers reveal chip and PIN hack

  Yes, it was exploiting the same vulnerability as the original no-PIN attack. However there was an interesting twist: they also modified the application transaction counter (ATC) to make it seem as if the card had done fewer transactions than it really had. This, along with the fact that the cards were stolen in France and used in Belgium, made it more likely for the transaction to be offline and so keep the fraud working even after the genuine card had been reported stolen. I posted more details here: https://www.benthamsgaze.org/2015/10/14/just-how-sophisticated-will-card-fraud-techniques-become/

22 Oct 2015 Reply Read article

Consumer trust in banks wavers as card fraud rates rise

  Thanks for sharing this report. I found it very interesting. In the next survey, I'd really like to see which proportion of card fraud victims took a financial loss, how much this was, and whether it was a result of the bank refusing to refund them or due to other reasons. There are no good recent statistics here and it would address an important public policy question. The current report gives customer satisfaction, which goes some way to addressing this issue (it's unlikely a customer will be very satisfied if they took a large financial loss), but it's hard to break down where dissatisfaction is coming from.

25 Jun 2014 Reply Read article