Dr Steven J. Murdoch

I am a Principal Research Fellow in the Information Security Research Group of the Department of Computer Science at University College London. I am also a bye-fellow of Christ's College, Security Architect at the VASCO Innovation Center, Cambridge, and a member of the Tor Project.



Recent publications

For more details see my full list of publications or my Google Scholar page.

  • International Comparison of Bank Fraud Reimbursement: Customer Perceptions and Contractual Terms
    Ingolf Becker, Alice Hutchings, Ruba Abu-Salma, Ross Anderson, Nicholas Bohm, Steven J. Murdoch, M. Angela Sasse, Gianluca Stringhini
    We set out to investigate how customers comprehend bank terms and conditions (T&Cs). If T&Cs are incomprehensible, then it is unreasonable to expect customers to comply with them. An expert analysis of 30 bank contracts across 25 countries found that in most cases the contract terms were too vague to be understood; in some cases they differ by product type, and advice can even be contradictory. While many banks allow customers to write PINs down as long as they are disguised and not kept with the card, 20% of banks do not allow PINs to be written down at all, and a handful do not allow PINs to be shared between accounts. We test our findings on 151 participants in Germany, the US and UK. They mostly agree: only 35% fully understand the T&Cs, and 28% find that sections are unclear. There are strong regional variations: Germans find their T&Cs particularly hard to understand, but Americans assume harsher T&Cs than they actually are, and tend to be reassured when they actually read them.
    Workshop on the Economics of Information Security, Berkeley, CA, USA, 13–14 June 2016. [ paper ]
  • Insecure by design: protocols for encrypted phone calls
    Steven J. Murdoch
    The MIKEY-SAKKE protocol is being promoted by the UK government as a better way to secure phone calls. The reality is that MIKEY-SAKKE is designed to offer minimal security while allowing undetectable mass surveillance, through the introduction of a backdoor based around mandatory key escrow. This weakness has implications which go further than just the security of phone calls.
    IEEE Computer, Volume 49, Number 3, March 2016. [ article | blog post | DOI 10.1109/MC.2016.70 ]
  • Are Payment Card Contracts Unfair?
    Steven J. Murdoch, Ingolf Becker, Ruba Abu-Salma, Ross Anderson, Nicholas Bohm, Alice Hutchings, M. Angela Sasse, Gianluca Stringhini
    Fraud victims are often refused a refund by their bank on the grounds that they failed to comply with their bank’s terms and conditions about PIN safety. We therefore conducted a survey of how many PINs people have, and how they manage them. We found that while only a third of PINs are ever changed, almost half of bank customers write at least one PIN down. We also found bank conditions that are too vague to test, or even contradictory on whether PINs could be shared across cards. Yet some hazardous practices are not forbidden by many banks: of the 22.9% who re-use PINs across devices, half also use their bank PINs on their mobile phones. We conclude that many bank contracts fail a simple test of reasonableness, and ‘strong authentication’, as required by the Payment Services Directive II, should include usability testing.
    Financial Cryptography and Data Security, Barbados, 22–26 February 2016. [ paper | data ]

Recent talks

For more detail see my full list of talks.

  • Banking Security: Attacks & Defences
    Steven J. Murdoch
    This lecture provides an introduction to payment card and online banking security mechanisms and the fraud techniques which are designed to break or bypass these measures. An overview of the EMV protocol is given, along with an illustration of how skimming attacks and the no-PIN attack exploit protocol weaknesses. The man-in-the-browser attack is outlined, and how transaction authentication is intended to defend against this.
    Invited lecture as part of 3F6: Software Engineering, Department of Engineering, University of Cambridge, 03 February 2015. [ slides ]
  • Anonymous Communications and Tor
    Steven J. Murdoch
    The history of anonymous communications on the Internet dates back to the early 1980s, but since then there have been dramatic changes in how anonymous communication systems have been built and how they have been used. In this lecture I will describe some of these key changes, and what has motivated them. These include the web taking over from email as the major means of communication, and users of anonymous communication systems prioritising censorship-resistance over privacy. The growing popularity of anonymous communication systems has also led to commercial and political realities affecting how projects are run and software is designed. In particular, I will discuss how the Tor software has changed, and how the Tor Project has evolved in this environment. I will conclude by summarising what might be the future for anonymous communication systems and how they may have to adapt themselves to changing circumstances.
    Invited lecture as part of Part II Security, Cambridge, UK, 30 January 2015. [ slides ]
  • Banking Security: Attacks & Defences
    Steven J. Murdoch
    This lecture provides an introduction to payment card and online banking security mechanisms and the fraud techniques which are designed to break or bypass these measures. An overview of the EMV protocol is given, along with an illustration of how skimming attacks and the no-PIN attack exploit protocol weaknesses. The man-in-the-browser attack is outlined, and how transaction authentication is intended to defend against this.
    Guest lecture as part of COMPGA03 - Introduction to Cryptography, University College London, 02 December 2014. [ slides ]

Current projects

Graph anonymisation and de-anonymisation

Steven J. Murdoch (PI), Kumar Sharad (PhD student)

Graph data sets provide a valuable source of data, with examples including communication patterns, relationships on social networks, and genetic data. However sharing such data must be done with care because of its sensitivity and consequent legal and ethical implications for improper use. This project focuses on techniques to measure and quantify the effectiveness of graph anonymisation schemes, in terms of the level of protection they offer and the impact on data accuracy.

Publications

This work was supported by the Engineering and Physical Sciences Research Council [grant number EP/J500665/1]; and Microsoft Research through its PhD Scholarship Programme.

Censorship resistance and anonymity

Steven J. Murdoch (PI), Sheharbano Khattak (Research Assistant & PhD student)

A growing number of countries are using Internet censorship to control the flow of information available to their population. The technologies being used are increasing in sophistication, as are the tools for circumventing censorship. This project studies the tools and techniques used to perform censorship, as well as censorship circumvention technologies, in terms of their effectiveness, security and performance.

Publications

This work was supported by the Engineering and Physical Sciences Research Council [grant number EP/L003406/1].

Professional activities

Research supervision

Kumar Sharad (PhD student): security in social networks – anonymisation and fraud prevention.

Sheharbano Khattak (Research Assistant & PhD student): measurement of censorship and censorship resistance systems.

Program chair

14th Privacy Enhancing Technologies Symposium, 16–18 July, 2014, Amsterdam, Netherlands.

15th Privacy Enhancing Technologies Symposium, 30 June–2 July 2015, Philadelphia, PA, USA.

General chair

Financial Cryptography and Data Security '11, 15th International Conference, 28 February–4 March 2011, St. Lucia.

Programme committee membership

Privacy Enhancing Technologies Symposium (PETS): 2007, 2008, 2009, 2011, 2017.

ACM Conference on Computer and Communications Security (CCS): 2007, 2008, 2010, 2011, 2016.

IFIP Summer School 2016.

Financial Cryptography and Data Security (FC): 2010, 2016.

Annual Privacy Forum 2014.

Free and Open Communications on the Internet (FOCI) 2013.

USENIX Security 2012.

European Symposium on Research in Computer Security (ESORICS) 2011.

Workshop on Foundations of Security and Privacy (FCS-PrivMod): 2010.

Workshop on Privacy in the Electronic Society (WPES): 2006, 2007, 2009.

FIDIS/IFIP Internet Security & Privacy Summer School: 2008.

ACM Symposium on Applied Computing (Computer Security track): 2007.

Journal reviewing

Includes IEEE Transactions on Dependable and Secure Computing (2009), ACM Transactions on Information and System Security (2008), IEEE Transactions on Software Engineering (2008), IEEE/ACM Transactions on Networking (2007), IEEE Security & Privacy (2007), The Triple Helix (2008), Identity in the Information Society (2008).

Contact Details

email (preferred):

s.murdoch at ucl.ac.uk
OpenPGP public key 0x5E2A64A6 (more details)

post:

Dr Steven J. Murdoch
Computer Science Department
University College London
Gower Street
London
WC1E 6BT
United Kingdom

phone:

+44 20 7679 0431

mobile:

+44 7866 807 628