About me
This website is mostly about my academic career. I no longer update it regularly since Jan 2023 when I went into industry.
I'm a Senior Security Engineer at SIX. Formerly, I was a Postdoctoral Researcher in Prof. David Basin's Information Security Group at ETH Zurich. Prior to that, I completed my PhD in Computer Science at the University of Luxembourg, developed under the supervision of Prof. Sjouke Mauw and Dr. Rolando Trujillo.
During my academic tenure, I focused on the design and verification of security protocols. In particular, I applied and developed techniques and tools to produce computer-verifiable security proofs, or otherwise identify attacks, for real-world cryptographic protocols. I have a particular interest in electronic payment, wireless communication, and cyber trust.
My work has contributed to improving the security of electronic payments. We have identified and helped mitigate various security flaws in the global payment standard EMV. These flaws lead to practical attacks, such as PIN bypass attacks for Visa and Mastercard cards. Our findings have drawn significant media attention, with articles in ZDNet, The Hacker News (Sep'20, Feb'21), Schweizer Radio und Fernsehen (SRF), ACM TechNews (Sep'20, Feb'21), heise, and VG TV. Following our disclosure, Mastercard has rolled out countermeasures that now prevent some of the attacks we have found. Moreover, the next-gen EMV will incorporate security mechanisms that result from our discoveries.
News
| Dec 2022 | I'll be starting a new job at SIX Digital Exchange (SDX) in January 2023 |
| Sep 2022 | Our paper on a novel attack for Mastercard cards has been accepted for USENIX Security'23 |
| May 2021 | Our Oakland'21 paper has won the Best Practical Paper Award!!! |
Selected publications
These are some of my selected publications. For a complete list, go to the Publications tab.
Publications
These are some of my publications. For a complete list, please see my Google Scholar profile.
| Year | Title | Authors | Venue | Links |
|---|---|---|---|---|
| 2023 | SealClub: Computer-aided Paper Document Authentication | M. Ochoa, H. Vanegas, J. Toro-Pozo, and D. Basin | 39th Annual Computer Security Applications Conference (ACSAC) | PDF, DOI |
| 2023 | Inducing Authentication Failures to Bypass Credit Card PINs | D. Basin, P. Schaller, and J. Toro-Pozo | 32nd USENIX Security Symposium | WEB, PDF |
| 2021 | Card Brand Mixup Attack: Bypassing the PIN in non-Visa Cards by Using Them for Visa Transactions | D. Basin, R. Sasse, and J. Toro-Pozo | 30th USENIX Security Symposium | WEB, PDF |
| 2021 | The EMV Standard: Break, Fix, Verify | D. Basin, R. Sasse, and J. Toro-Pozo | 42nd IEEE Symposium on Security and Privacy (S&P) | WEB, PDF, AWARD |
| 2019 | Post-Collusion Security and Distance Bounding | S. Mauw, Z. Smith, J. Toro-Pozo, and R. Trujillo-Rasua | 26th ACM SIGSAC Conference on Computer and Communications Security (CCS) | PDF, DOI |
| 2019 | Computational and symbolic analysis of distance-bounding protocols | J. L. Toro Pozo | PhD thesis, University of Luxembourg | PDF, URL |
| 2018 | Automated Identification of Desynchronisation Attacks on Shared Secrets | S. Mauw, Z. Smith, J. Toro-Pozo, and R. Trujillo-Rasua | 23rd European Symposium on Research in Computer Security (ESORICS) | DOI |
| 2018 | Distance-Bounding Protocols: Verification without Time and Location | S. Mauw, Z. Smith, J. Toro-Pozo, and R. Trujillo-Rasua | 39th IEEE Symposium on Security and Privacy (S&P) | PDF, DOI |
| 2017 | Multiobjective variable mesh optimization | Y. Salgueiro, J. L. Toro, R. Bello, and R. Falcon | Annals of Operations Research, 258(2): 869-893 | PDF, DOI |
| 2016 | Optimality Results on the Security of Lookup-Based Protocols | S. Mauw, J. Toro-Pozo, and R. Trujillo-Rasua | 12th Radio Frequency Identification and IoT Security Workshop (RFIDSec) | DOI |
| 2016 | A Class of Precomputation-Based Distance-Bounding Protocols | S. Mauw, J. Toro-Pozo, and R. Trujillo-Rasua | 1st IEEE European Symposium on Security and Privacy (EuroS&P) | DOI |
| 2014 | Noise Detection and Learning Based on Current Information | D. Pascual González; F. D. Vázquez Mesa; and J. L. Toro Pozo | Computación y Sistemas, 18(1) | URL |
Honors & Awards
These are some of my selected honors and awards.
| Year | Award | Organization / Context |
|---|---|---|
| 2021 | Best Practical Paper Award | 42nd IEEE Symposium on Security and Privacy (S&P) |
| 2020 | Best PhD Thesis on Security and Trust Management | European Research Consortium for Informatics and Mathematics (ERCIM) |
| 2019 | Best Thesis in Computer Science | University of Luxembourg |
| 2015 | AFR-PhD Grant (~170K euros) | Luxembourg National Research Fund (FNR) |
Teaching
I have been part of the teaching team for the following courses (2016 to date).
| Term | Course | Institution | Description |
|---|---|---|---|
| Spring 2022 | Information Security | ETH Zurich | This course provides an introduction to Information Security. The focus is on fundamental concepts and models, basic cryptography, protocols and system security, and privacy and data protection. While the emphasis is on foundations, case studies are given that examine different realizations of these ideas in practice. |
| Autumn 2021 | Applied Security Laboratory | ETH Zurich | This is a hands-on course on applied aspects of Information Security. It covers topics such as applied information security, operating system security, OS hardening, computer forensics, web application security, design, implementation, and configuration of security mechanisms, risk analysis, and system review. |
| Spring 2021 | Big Data for Engineers | ETH Zurich | This database course introduces the most recent advances for scaling storage and querying to Petabytes of data with trillions of records. The course covers techniques to work with heterogeneous data sets and data shapes like trees and graphs. |
| Autumn 2020 | Information Security Lab | ETH Zurich | This InterFocus course provides a broad, hands-on introduction to Information Security. It introduces adversarial thinking and security by design as key approaches to building secure systems. |
| Spring 2020 | Information Systems for Engineers | ETH Zurich | This course provides the basics of relational databases from the perspective of the user. We discover why tables are so incredibly powerful to express relations, learn the SQL query language, and how to make the most of it. The course also covers support for data cubes (analytics). |
| Autumn 2019 | Algorithms, Probability, and Computing | ETH Zurich | This course focuses on advanced design and analysis methods for algorithms and data structures, such as Random(ized) Search Trees, Point Location, Minimum Cut, Linear Programming, Randomized Algebraic Algorithms (matchings), Probabilistically Checkable Proofs (introduction). |
| 2016–2018 | Security Protocols | University of Luxembourg | The course helps students develop their skills in manual and computer-aided verification of security protocols. |
| 2017 | Information Security Basics | University of Luxembourg | The course covers the basic concepts of Information Security from a formal methods perspective. These concepts include protocol execution, threat model, security properties, and (manual) verification. |
Talks
These are some of the talks that I've given.
| Date | Talk | Event | Location |
|---|---|---|---|
| Aug 2021 | Card Brand Mixup Attack: Bypassing the PIN in non-Visa Cards by Using Them for Visa Transactions | 30th USENIX Security Symposium | Virtual |
| May 2021 | The EMV Standard: Break, Fix, Verify | 42nd IEEE Symposium on Security and Privacy (S&P) | Virtual |
| May 2021 | Trustworthy Components by Example of Security Protocols | Swiss Support Center for Cybersecurity (SSCC) Workshop on Dependencies | Virtual |
| Sep 2021 | Computational and Symbolic Analysis of Distance-Bounding Protocols | Security and Trust Management (STM) Workshop 2020 | Virtual |
| Nov 2018 | Collusion in Security Protocols: Terrorist Fraud as a Use Case | Infsec Group seminar at ETHZ | Zurich, Switzerland |
| Oct 2018 | Distance Bounding Protocols: Verification without Time and Location | CISPA | Saarbrucken, Germany |
| Apr 2018 | Distance Bounding Protocols: Computational vs. Symbolic Models | FutureDB Workshop | Azores, Portugal |
| Dec 2017 | Distance-Bounding Protocols: Verification without Time and Location | Infsec Group seminar at ETHZ | Zurich, Switzerland |
| Nov 2017 | On Symbolic Verification of Distance-Bounding Protocols | CRYPTACUS'17 | Nijmegen, The Netherlands |
| Mar 2017 | On the Optimality of Secure Distance Bounding | Grande Region Security and Reliability Day 2017 | Luxembourg |
| Dec 2016 | Optimality Results on the Security of Lookup-Based Protocols | 12th Radio Frequency Identification and IoT Security Workshop (RFIDSec) | Hong Kong, China |
| Mar 2016 | A class of precomputation-based distance-bounding protocols | Grande Region Security and Reliability Day 2016 | Nancy, France |