Jorge Toro

Information Security Researcher

I’m a postdoctoral researcher in information security at ETH Zurich, working with Prof. David Basin. I obtained a PhD in Computer Science from the University of Luxembourg in 2019, developed under the supervision of Prof. Sjouke Mauw and Dr. Rolando Trujillo.

My research focuses on formal verification of security protocols. I apply and develop techniques and tools to produce computer-verifiable security proofs, or otherwise identify attacks, for real-world cryptographic protocols. I have a particular interest in electronic payment, wireless communication, and cyber trust.

Our work has contributed to improving the security of electronic payment. We have identified a number of security flaws in the EMV payment standard. These flaws lead to practical attacks, including a PIN bypass for modern VISA and Mastercard contactless cards. Our findings have drawn significant media attention, with articles in ZDNet, The Hacker News (Sep’20, Feb’21), SRF - Schweizer Radio und Fernsehen, ACM TechNews (Sep’20, Feb’21), heise, and VG TV. Following our disclosure, Mastercard has rolled out countermeasures that now protect millions of cardholders worldwide. Visit for further details.


May 2021 Our Oakland’21 paper has won the Best Practical Paper Award!!!
Feb 2021 Our brand mixup attack paper has been accepted for USENIX Security’21

selected publications

  1. Card Brand Mixup Attack: Bypassing the PIN in non-Visa Cards by Using Them for Visa Transactions. David A. Basin, Ralf Sasse, and Jorge Toro-Pozo. In 30th USENIX Security Symposium, pp. 179–194, 2021.
  2. The EMV Standard: Break, Fix, Verify. David A. Basin, Ralf Sasse, and Jorge Toro-Pozo. In 42nd IEEE Symposium on Security and Privacy (S&P), pp. 1766–1781, 2021.
  3. Distance-Bounding Protocols: Verification without Time and Location. Sjouke Mauw, Zach Smith, Jorge Toro-Pozo, and Rolando Trujillo-Rasua. In 39th IEEE Symposium on Security and Privacy (S&P), pp. 549–566, 2018.