ABSTRACT: This talk provides a summary of research in payment system security mechanisms and the fraud techniques which are designed to break or bypass these measures. This includes the EMV protocol, along with an illustration of how skimming attacks and the no-PIN attack exploit protocol weaknesses. I will also cover the man-in-the-browser attack against online banking, and how transaction authentication is intended to defend against this. Finally, I will describe how security usability is lacking in many current payment systems, and how this results in liability for fraudulent payments being unfairly shifted to the victims.
SHORT BIO: Dr Steven J. Murdoch is a Royal Society University Research Fellow in the Information Security Research Group of University College London, working on developing metrics for security and privacy. His research interests include authentication/passwords, banking security, anonymous communications, censorship resistance and covert channels. He has worked with the OpenNet Initiative, investigating Internet censorship, and for the Tor Project, on improving the security and usability of the Tor anonymity system. His current research on developing methods to understand complex system security is supported by the Royal Society. He is also working on analysing the security of banking systems, especially Chip & PIN/EMV, and is Innovation Security Architect at VASCO. He is a Fellow of the IET and BCS.
6 Nov - Steven Murdoch - Payment Security: Attacks & Defences