Profile picture
Security Engineer

This website is mostly about my academic career, hence I no longer update it regularly since I went into industry in January 2023.

I’m a Senior Security Engineer at SIX Digital Exchange. Formerly, I was a Postdoctoral Researcher in Prof. David Basin’s Information Security Group at ETH Zurich. Prior to that, I completed my PhD in Computer Science at the University of Luxembourg, developed under the supervision of Prof. Sjouke Mauw and Dr. Rolando Trujillo.

During my academic tenure, I focused on the design and verification of security protocols. In particular, I applied and developed techniques and tools to produce computer-verifiable security proofs, or otherwise identify attacks, for real-world cryptographic protocols. I have a particular interest in electronic payment, wireless communication, and cyber trust.

My work has contributed to improving the security of electronic payments. We have identified and helped mitigate various security flaws in the global payment standard EMV. These flaws lead to practical attacks, such as PIN bypass attacks for Visa and Mastercard cards. Our findings have drawn significant media attention, with articles in ZDNet, The Hacker News (Sep’20, Feb’21), Schweizer Radio und Fernsehen (SRF), ACM TechNews (Sep’20, Feb’21), heise, and VG TV. Following our disclosure, Mastercard has rolled out countermeasures that now prevent some of the attacks we have found. Moreover, the next-gen EMV will incorporate security mechanisms that result from our discoveries.

News

Dec 2022 I’ll be starting a new job at SIX Digital Exchange (SDX) in January 2023
Sep 2022 Our paper on a novel attack for Mastercard cards has been accepted for USENIX Security’23
May 2021 Our Oakland’21 paper has won the Best Practical Paper Award!!!

Selected publications

  1. Inducing Authentication Failures to Bypass Credit Card PINs.
    David A. Basin, Patrick Schaller, and Jorge Toro-Pozo.
    32nd USENIX Security Symposium, 2023.
  2. The EMV Standard: Break, Fix, Verify.
    David A. Basin, Ralf Sasse, and Jorge Toro-Pozo.
    42nd IEEE Symposium on Security and Privacy (S&P), pp. 1766–1781, 2021.
  3. Distance-Bounding Protocols: Verification without Time and Location.
    Sjouke Mauw, Zach Smith, Jorge Toro-Pozo, and Rolando Trujillo-Rasua.
    39th IEEE Symposium on Security and Privacy (S&P), pp. 549–566, 2018.