Professor Steven J. Murdoch

I am Professor of Security Engineering and a Royal Society University Research Fellow in the Information Security Research Group of the Department of Computer Science at University College London. I am also a bye-fellow of Christ’s College, Innovation Security Architect at the OneSpan Innovation Center, Cambridge, a member of the Tor Project, and a Fellow of the IET and BCS.

Open positions

I am always interested in recruiting talented researchers to join my team at UCL, both as PhD students and for post-doctoral positions. Interested candidates should email me their curriculum vitae and a short research proposal.

Tweets for @sjmurdoch

Professor Steven J. Murdoch
Photo by James Tye (other photos)

Recent publications

For more details see my full list of publications or my Google Scholar page. I also write articles on information security for the UCL Information Security Group blog – Bentham’s Gaze.

  • Transparency Enhancing Technologies to Make Security Protocols Work for Humans
    Alexander Hicks, Steven J. Murdoch
    As computer systems are increasingly relied on to make decisions that will have significant consequences, it has also become important to provide not only standard security guarantees for the computer system but also ways of explaining the output of the system in case of possible errors and disputes. This translates to new security requirements in terms of human needs rather than technical properties. For some context, we look at prior disputes regarding banking security and the ongoing litigation concerning the Post Office's Horizon system, discussing the difficulty in achieving meaningful transparency and how to better evaluate available evidence.
    International Workshop on Security Protocols, Cambridge, UK, 10–12 April 2019. Published in LNCS, Springer-Verlag. [ paper | slides ]
  • Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS
    Andreas Gutmann, Steven J. Murdoch
    Security Code AutoFill is a new convenience feature integrated into iOS 12 and macOS 10.14, which aims to ease the use of security codes sent via SMS. We report on the first security evaluation of this feature, inspecting its interaction with different types of service and security technologies that send security codes via SMS for authentication and authorisation purposes. We found security risks resulting from the feature hiding salient context information about the SMS message while still relying on users to make security-cautious decisions. Our findings show that adversaries could exploit this decontextualisation. We describe three attack scenarios in which an adversary could leverage this feature to gain unauthorised access to users’ online accounts, impersonating them through their instant messengers, and defraud them during online card payments. We discuss the results and suggest possible measures for affected online services to reduce the attack surface by altering the phrasing of their SMS or using alphanumeric security codes. In addition, we explore the design space of Security Code AutoFill and sketch two alternative prototype designs which aim at retaining the improved convenience while empowering users and online services to safeguard their interactions.
    Who Are You?! Adventures in Authentication Workshop (WAY), Santa Clara, California, USA, 11 August 2019. [ paper ]
  • Waves of Malice: A Longitudinal Measurement of the Malicious File Delivery Ecosystem on the Web
    Colin C. Ife, Yun Shen, Steven J. Murdoch, Gianluca Stringhini
    We present a longitudinal measurement of malicious file distribution on the Web. Following a data-driven approach, we identify network infrastructures and the files that they download. We then study their characteristics over a short period (one day), over a medium period (daily, over one month) as well as in the long term (weekly, over one year). This analysis offers us an unprecedented view of the malicious file delivery ecosystem and its dynamics. We find that the malicious file delivery landscape can be divided into two distinct ecosystems: a much larger, tightly connected set of networks that is mostly responsible for the delivery of potentially unwanted programs (PUP), and a number of disjoint network infrastructures that are responsible for delivering malware on victim computers. We find that these two ecosystems are mostly disjoint, but it is not uncommon to see malware downloaded from the PUP Ecosystem, and vice versa. We estimate the proportions of PUP-to-malware in the wild to be heavily skewed towards PUP (17:2) and compare their distribution patterns. We observe periodicity in the activity of malicious network infrastructures, and we find that although malicious file operations present a high degree of volatility, 75% of the observed malicious networks remain active for more than six weeks, with 26% surviving for an entire year. We then reason on how our findings can help the research and law enforcement communities in developing better takedown techniques.
    ACM ASIA Conference on Computer and Communications Security (ASIACCS), Auckland, New Zealand, 09–12 July 2019. [ paper ]

Recent talks

For more detail see my full list of talks

  • Making sense of EMV card data – decoding the TLV format
    Steven J. Murdoch
    EMV (sometimes known as Chip and PIN) is the worldwide standard for smart card payments. It was designed to allow credit and debit cards issued by any bank work to make a payment through any terminal, even across international borders and despite chip cards being extremely limited in the computation they can perform. In this talk I’ll discuss how EMV achieves this difficult task, through the use of the TLV (Tag-Length-Value) data format. I will demonstrate how to decode TLV data found on real EMV chip cards, and what significance this data has in the wider payment ecosystem. Finally I’ll discuss how the use of TLV, despite its advantages, has contributed to the creation of security vulnerabilities in Chip and PIN.
    DEF CON 28 Safe Mode, Payment Village, 07–09 August 2020. [ video | video (alternate) | slides (interactive) | slides (static) | code | code (alternate) | notes (interactive) | notes (alternate) ]
  • Evidence-critical systems: what they are and why we need them
    Steven J. Murdoch
    It may be impossible (or undesirable) to programmatically enforce all relevant security policies. In which case we can replace enforcement with transparency (to detect violation), provision of redress to the victim (to ameliorate the harm of the violation), and punishment for the violator (to deter future violations). Achieving the latter two properties requires evidence of a violation and a system for turning evidence into justice. In this talk, I discuss that we need to create evidence-critical systems that provide assurance that justice can be obtained. The design of evidence-critical systems can draw from the well-established field of safety-critical systems but has several significant differences.
    Workshop on Security and Human Behaviour (SHB 2020), 18–19 June 2020. [ slides ]
  • Phish for Thought: Combatting Modern Email Threats
    Steven J. Murdoch
    The email inbox is an invaluable, and in many cases irreplaceable, cog in the functioning of any modern business. However, as recent years have proven, the email inbox is also the favorite attack target for cyber-criminals. Phishing emails may be nothing new, but they remain the first phase in over 95% of cyber-threat campaigns – something that too many businesses still find out the hard way. In this session, a panel of security experts will explore the phishing threat landscape in 2020, assess recent advancements in attack methods and outline what businesses need to do to defend themselves against the dangers of email-based phishing attacks.
    Infosecurity Magazine EMEA Online Summit, 25 March 2020. [ slides ]

Professional activities

Research supervision

Killian Davitt (PhD student, 2018–): understanding, measuring and improving the security of collaboration tools.

Alexander Hicks (PhD student, 2017–): privacy preserving continuous authentication.

Andreas Gutmann (PhD student, 2016–): privacy-preserving transaction authentication for mobile devices.

Shehar Bano (Research Assistant & PhD student, 2013–2016): measurement of censorship and censorship resistance systems.

Kumar Sharad (PhD student, 2012–2016): security in social networks – anonymisation and fraud prevention.

Program chair

14th Privacy Enhancing Technologies Symposium, 16–18 July, 2014, Amsterdam, Netherlands.

15th Privacy Enhancing Technologies Symposium, 30 June–2 July 2015, Philadelphia, PA, USA.

General chair

Financial Cryptography and Data Security 2011, 15th International Conference, 28 February–4 March 2011, St. Lucia.

Programme committee membership

  • IEEE European Symposium on Security and Privacy 2019
  • IFIP Summer School 2016, 2017, 2018
  • Financial Cryptography and Data Security (FC): 2010, 2016, 2018
  • Privacy Enhancing Technologies Symposium (PETS): 2007, 2008, 2009, 2011, 2017, 2018
  • Network and Distributed System Security Symposium (NDSS): 2017
  • ACM Conference on Computer and Communications Security (CCS): 2007, 2008, 2010, 2011, 2016
  • Annual Privacy Forum 2014
  • Free and Open Communications on the Internet (FOCI) 2013
  • USENIX Security 2012
  • European Symposium on Research in Computer Security (ESORICS) 2011
  • Workshop on Foundations of Security and Privacy (FCS-PrivMod): 2010
  • Workshop on Privacy in the Electronic Society (WPES): 2006, 2007, 2009
  • FIDIS/IFIP Internet Security & Privacy Summer School: 2008
  • ACM Symposium on Applied Computing (Computer Security track): 2007

Journal reviewing

Includes Proceedings on Privacy Enhancing Technologies (2017, 2018, 2019), ACM Transactions on Internet Technology (TOIT) (2017), International Journal of Computer Security (2016), IEEE Transactions on Dependable and Secure Computing (2009), ACM Transactions on Information and System Security (2008), IEEE Transactions on Software Engineering (2008), IEEE/ACM Transactions on Networking (2007), IEEE Security & Privacy (2007), The Triple Helix (2008), Identity in the Information Society (2008).

Contact Details

email (preferred):

s.murdoch at


Professor Steven J. Murdoch
Computer Science Department
University College London
Gower Street
United Kingdom


+44 20 3108 1629 (internal x51629)

mobile and Signal:

+44 7866 807 628