Dr Steven J. Murdoch

I am a Royal Society University Research Fellow in the Information Security Research Group of the Department of Computer Science at University College London. I am also a bye-fellow of Christ’s College, Security Architect at the VASCO Innovation Center, Cambridge, a member of the Tor Project, and a Fellow of the IET and BCS.

Open positions

I currently have a fully-funded scholarship (stipend and fees) for a PhD student to work with me on the topic of understanding, measuring and improving the security of collaboration tools. For further details and instructions on how to apply, see the advertisement. Applications must be submitted by 27th April 2018.

Tweets for @sjmurdoch

Dr Steven J. Murdoch

Recent publications

For more details see my full list of publications or my Google Scholar page. I also write articles on information security for the UCL Information Security Group blog – Bentham’s Gaze, and my occasional non-security articles are published on my personal blog.

  • International comparison of bank fraud reimbursement: customer perceptions and contractual terms
    Ingolf Becker, Alice Hutchings, Ruba Abu-Salma, Ross Anderson, Nicholas Bohm, Steven J. Murdoch, M. Angela Sasse, Gianluca Stringhini
    The study presented in this article investigated to what extent bank customers understand the terms and conditions (T&Cs) they have signed up to. If many customers are not able to understand T&Cs and the behaviours they are expected to comply with, they risk not being compensated when their accounts are breached. An expert analysis of 30 bank contracts across 25 countries found that most contract terms were too vague for customers to infer required behaviour. In some cases the rules vary for different products, meaning the advice can be contradictory at worst. While many banks allow customers to write Personal identification numbers (PINs) down (as long as they are disguised and not kept with the card), 20% of banks categorically forbid writing PINs down, and a handful stipulate that the customer have a unique PIN for each account. We tested our findings in a survey with 151 participants in Germany, the USA and UK. They mostly agree: only 35% fully understand the T&Cs, and 28% find important sections are unclear. There are strong regional variations: Germans found their T&Cs particularly hard to understand, and USA bank customers assumed some of their behaviours contravened the T&Cs, but were reassured when they actually read them.
    Journal of Cybersecurity, Volume 3, Issue 2, Pages 109–125, Oxford University Press, 01 June 2017. [ paper | DOI 10.1093/cybsec/tyx011 ]
  • Fast Protection-Domain Crossing in the CHERI Capability-System Architecture
    Robert N.M. Watson, Robert Norton, Jonathan Woodruff, Simon W. Moore, Peter G. Neumann, Jonathan Anderson, David Chisnall, Brooks Davis, Michael Roe, Nirav Dave, Khilan Gudka, Alexandre Joannou, A. Theodore Markettos, Ed Maste, Steven J. Murdoch, Colin Rothwell, Stacey Son, Munraj Vadera
    Capability Hardware Enhanced RISC Instructions (CHERI) supplement the conventional memory management unit (MMU) with instruction-set architecture (ISA) extensions that implement a capability system model in the address space. CHERI can also underpin a hardware-software object-capability model for scalable application compartmentalization that can mitigate broader classes of attack. This article describes ISA additions to CHERI that support fast protection-domain switching, not only in terms of low cycle count, but also efficient memory sharing with mutual distrust. The authors propose ISA support for sealed capabilities, hardware-assisted checking during protection-domain switching, a lightweight capability flow-control model, and fast register clearing, while retaining the flexibility of a software-defined protection-domain transition model. They validate this approach through a full-system experimental design, including ISA extensions, a field-programmable gate array prototype (implemented in Bluespec SystemVerilog), and a software stack including an OS (based on FreeBSD), compiler (based on LLVM), software compartmentalization model, and open-source applications.
    IEEE Micro, Volume 36, Issue 5, pages 38–49. IEEE, September–October 2016. [ paper | DOI 10.1109/MM.2016.84 ]
  • Adblocking and Counter-Blocking: A Slice of the Arms Race
    Rishab Nithyanand, Sheharbano Khattak, Narseo Vallina-Rodriguez, Mobin Javed, Marjan Falahrastegar, Julia E. Powles, Emiliano De Cristofaro, Hamed Haddadi, Steven J. Murdoch
    Adblocking tools like Adblock Plus continue to rise in popularity, potentially threatening the dynamics of advertising revenue streams. In response, a number of publishers have ramped up efforts to develop and deploy mechanisms for detecting and/or counter-blocking adblockers (which we refer to as anti-adblockers), effectively escalating the online advertising arms race. In this paper, we develop a scalable approach for identifying third-party services shared across multiple websites and use it to provide a first characterization of anti-adblocking across the Alexa Top-5K websites. We map websites that perform anti-adblocking as well as the entities that provide anti-adblocking scripts. We study the modus operandi of these scripts and their impact on popular adblockers. We find that at least 6.7% of websites in the Alexa Top-5K use anti-adblocking scripts, acquired from 12 distinct entities – some of which have a direct interest in nourishing the online advertising industry.
    6th USENIX Workshop on Free and Open Communications on the Internet (FOCI '16), Austin, TX, US, 08 August 2016. [ paper | slides | data ]

Recent talks

For more detail see my full list of talks

  • Payment Security: Attacks & Defences
    Steven J. Murdoch
    This lecture provides an introduction to payment card and online banking security mechanisms and the fraud techniques which are designed to break or bypass these measures. An overview of the EMV protocol is given, along with an illustration of how skimming attacks and the no-PIN attack exploit protocol weaknesses. The man-in-the-browser attack is outlined, and how transaction authentication is intended to defend against this.
    Guest lecture as part of COMPGA03 - Introduction to Cryptography, University College London, 13 December 2016. [ slides ]
  • Decentralising Data Collection and Anonymisation
    Steven J. Murdoch
    A frequent approach for anonymising datasets is for individuals to submit sensitive data records to a central authority. The central authority then is responsible for safely storing and sharing the data, for example by aggregating or perturbing records. However, this approach introduces the risk that the central authority may be compromised, whether this from an externally originated hacking attempt or as a result of an insider attack. As a result, central authorities responsible for handling sensitive data records must be well protected, often at great expense, and even then the risk of compromise will not be eliminated. In this talk I will discuss an alternative anonymisation approach, where sensitive data records have identifiable information removed before being submitted to the central authority. In order for this approach to work, not only must this first-stage anonymisation prevent the data from disclosing the identity of the submitter, but also the data records must be submitted in such a way as to prevent the central authority from being able to establish the identity of the submitter from submission metadata. I will show how advances in network metadata anonymisation can be applied to facilitate this approach, including techniques to preserve validity of data despite not knowing the identity of contributors.
    New Developments in Data Privacy, Isaac Newton Institute, 09 December 2016. [ slides | video ]
  • Anonymity & Censorship-Free Communication
    Steven J. Murdoch
    This talk discusses the history of anonymous communication systems, their applications (including censorship resistance), how they are designed, and what cryptographic mechanisms they use. Techniques to measure and quantify the security levels provided by anonymous communication systems are also covered. Finally, challenges faced by such systems are discussed, along with future directions for research.
    Invited talk at IFIP Summer School 2016, Karlstad, Sweden, 21–26 August 2016. [ slides | slides (PDF) ]

Professional activities

Research supervision

Alexander Hicks (PhD student, 2017–): privacy preserving continuous authentication.

Andreas Gutmann (PhD student, 2016–): privacy-preserving transaction authentication for mobile devices.

Shehar Bano (Research Assistant & PhD student, 2013–2016): measurement of censorship and censorship resistance systems.

Kumar Sharad (PhD student, 2012–2016): security in social networks – anonymisation and fraud prevention.

Program chair

14th Privacy Enhancing Technologies Symposium, 16–18 July, 2014, Amsterdam, Netherlands.

15th Privacy Enhancing Technologies Symposium, 30 June–2 July 2015, Philadelphia, PA, USA.

General chair

Financial Cryptography and Data Security 2011, 15th International Conference, 28 February–4 March 2011, St. Lucia.

Programme committee membership

  • Financial Cryptography and Data Security (FC): 2010, 2016, 2018
  • Privacy Enhancing Technologies Symposium (PETS): 2007, 2008, 2009, 2011, 2017, 2018
  • IFIP Summer School 2016, 2017
  • Network and Distributed System Security Symposium (NDSS): 2017
  • ACM Conference on Computer and Communications Security (CCS): 2007, 2008, 2010, 2011, 2016
  • Annual Privacy Forum 2014
  • Free and Open Communications on the Internet (FOCI) 2013
  • USENIX Security 2012
  • European Symposium on Research in Computer Security (ESORICS) 2011
  • Workshop on Foundations of Security and Privacy (FCS-PrivMod): 2010
  • Workshop on Privacy in the Electronic Society (WPES): 2006, 2007, 2009
  • FIDIS/IFIP Internet Security & Privacy Summer School: 2008
  • ACM Symposium on Applied Computing (Computer Security track): 2007

Journal reviewing

Includes Proceedings on Privacy Enhancing Technologies (2017, 2018), ACM Transactions on Internet Technology (TOIT) (2017), International Journal of Computer Security (2016), IEEE Transactions on Dependable and Secure Computing (2009), ACM Transactions on Information and System Security (2008), IEEE Transactions on Software Engineering (2008), IEEE/ACM Transactions on Networking (2007), IEEE Security & Privacy (2007), The Triple Helix (2008), Identity in the Information Society (2008).

Contact Details

email (preferred):

s.murdoch at ucl.ac.uk
OpenPGP public key 0x5E2A64A6 (more details)


Dr Steven J. Murdoch
Computer Science Department
University College London
Gower Street
United Kingdom


+44 20 3108 1629 (internal x51629)


+44 7866 807 628