Conference Program

Financial Cryptography and Data Security '11

Fifteenth International Conference
February 28–March 4, 2011
Bay Gardens Beach Resort
St. Lucia

Please note, this program is provisional and subject to change

Sunday, February 27, 2011

4:00pm–6:30pm Registration Reception

Monday, February 28, 2011

8:30am–9:00am Registration

9:00am–9:15am Conference Opening

Keynote Address
Jolyon Clulow, Tesco Bank

What I Learnt When Trying to Build a Bank

Tesco Bank was launched in 1997 as a joint venture between Tesco and The Royal Bank of Scotland (RBS). RBS provided the IT and operations while Tesco provided the brand and route to market in a partnership which built a customer base of around 6 million accounts. In 2008, Tesco acquired the remaining 50% RBS shareholding and set about building a standalone bank and migrating customers off RBS infrastructure.

Tesco Bank is a unique case study in security architecture and delivery – an opportunity to start with a blank sheet of paper and to design a bank with security 'baked in' from the start. This talk details how we approached the task, the lessons learnt and some of the security architecture decisions which had the biggest impacts on the organisation ... and those which were the most challenging.

Dr Jolyon Clulow leads the IT security architecture and delivery for Tesco Bank in their efforts to build a secure IT capability for a full retail bank and insurance company. His previous positions include roles in engineering, academia and consulting. Jolyon read his Ph.D. at the University of Cambridge.

10:30am–11:00am Break

Technical Paper Session
Security Economics

Rainer Boehme and Stefanie Poetzsch
Collective Exposure: Peer Effects in Voluntary Disclosure of Personal Data

Nicolas Christin, Serge Egelman, Timothy Vidas and Jens Grossklags
It's All About The Benjamins: An empirical study on incentivizing users to ignore security advice

12:00pm–1:00pm Lunch

Technical Paper Session
Privacy & Voting

Julien Freudiger, Reza Shokri and Hubaux Jean-Pierre
Evaluating the Privacy Risk of Location-Based Services

Jeremy Clark and Urs Hengartner
Selections: An Internet Voting System with Over-the-Shoulder Coercion-Resistance

Benedikt Westermann and Dogan Kesdogan
Malice versus AN.ON: Possible Risks of Missing Replay and Integrity Protection

2:30pm–3:00pm Break

Short Paper Session
Security & Privacy

Jay Novak, Jonathan Stribley, Kenneth Meagher, Scott Wolchok and Alex Halderman
Absolute Pwnage: Security Risks of Remote Administration Tools

Ben Palmer, Kris Bubendorfer and Ian Welch
A Protocol for Anonymously Establishing Digital Provenance in Reseller Chains

Philip Marquardt, David Dagon and Patrick Traynor
Impeding Individual User Profiling in Shopper Loyalty Programs

Debin Liu, Ninghui Li, XiaoFeng Wang and L. Jean Camp
Beyond Risk-Based Access Control: Towards Incentive-Based Access Control

4:20pm Adjourn

6:30pm–8:30pm Rum Punch Reception

Tuesday, March 1, 2011

Technical Paper Session
Cryptography I

Guomin Yang, Shanshan Duan, Duncan Wong, Chik-How Tan and Huaxiong Wang
Authenticated Key Exchange under Bad Randomness

Martin Franz, Bogdan Carbunar, Radu Sion, Stefan Katzenbeisser, Miroslava Sotakova, Peter Williams and Andreas Peter
Oblivious Outsourced Storage with Delegation

10:00am–10:30am Break

Technical Paper Session
Cryptography II

Rob Johnson, Leif Walsh and Michael Lamb
Homomorphic Signatures for Digital Photographs

Femi Olumofin and Ian Goldberg
Revisiting the Computational Practicality of Private Information Retrieval

Short Papers: Cryptography II

Mohammed Tuhin and Reihaneh Safavi-Naini
Optimal One Round Almost Perfectly Secure Message Transmission

Oliver Spycher, Reto König, Rolf Haenni and Michael Schläpfer
A New Approach Towards Coercion-Resistant Remote E-Voting in Linear Time

12:10pm Adjourn

Afternoon Excursion (Pirates Extravaganza)

8:00pm–12:00am IFCA General Meeting and Rump Session

Wednesday, March 2, 2011

Technical Paper Session
Hardware Security

Ulrich Rührmair, Christian Jaeger and Michael Algasinger
An Attack on PUF-based Session Key Exchange and a Hardware-based Countermeasure: Erasable PUFs

Henryk Plötz and Karsten Nohl
Peeling Away Layers of an RFID Security System

10:30am–11:00am Break

Technical Paper Session
Banking Security

Ross Anderson, Mike Bond, Omar Choudary, Steven J. Murdoch and Frank Stajano
Might Financial Cryptography Kill Financial Innovation? – The Curious Case of EMV

Shujun Li, Ahmad-Reza Sadeghi, Soeren Heisrath, Roland Schmitz and Junaid Jameel Ahmad
hPIN/hTAN: A Lightweight and Low-Cost e-Banking Solution against Untrusted Computers

12:00pm–1:00pm Lunch

The Future of Banking Security and Financial Transactions for the 21st Century
  • Ross Anderson, University of Cambridge
  • Steven M. Bellovin, Columbia University
  • Ahmad-Reza Sadeghi, Ruhr-Universität Bochum
  • Lenore Zuck, University of Illinois at Chicago

Short Paper Session

Christopher Soghoian and Sid Stamm
Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL

Kirill Levchenko and Damon McCoy
Proximax: Fighting Censorship With an Adaptive System for Distribution of Open Proxies

Peter Lofgren and Nicholas Hopper
BNymble: More anonymous blacklisting at almost no cost

Martin Franz, Stefan Katzenbeisser, Bjoern Deiseroth, Kay Hamacher, Somesh Jha and Heike Schroeder
Towards Secure Bioinformatics Services

3:30pm Adjourn

6:00pm–8:00pm Beach BBQ

Thursday, March 3, 2011

Technical Paper Session
Web Security

Theodoor Scholte, Davide Balzarotti and Engin Kirda
Quo Vadis? A Study of the Evolution of Input Validation Vulnerabilities in Web Applications

Pern Hui Chia and Svein Knapskog
Re-Evaluating the Wisdom of Crowds in Assessing Web Security

Mohammad Mannan, David Barrera, Carson Brown, David Lie and Paul Van Oorschot
Recovering Forgotten Passwords Using Personal Devices

10:30am–11:00am Break

Closing Talk
Markus Jakobsson (PayPal)

Why Mobile Security is not Like Traditional Security

Consumers think that smartphones are not computers, while many computer scientists think of them simply as computers with radios. Neither is accurate, and both lead to potential security problems. As examples of the technical type, the battery constraints of handsets cause the traditional anti-virus paradigm to fail, and the limited keyboards of handsets make traditional password authentication frustrating and error prone – and likely to be circumvented by many consumers. I will describe how differences in features and form factor affect security – for good and bad – and give examples of security solutions for mobile computing.


Dr. Markus Jakobsson is a founder of the security startups RavenWhite and Fatskunk, and a security strategist at PayPal. He has held positions as Principal Scientist at Palo Alto Research Center, Principal Research Scientist at RSA Security, Member of the Technical Staff at Bell Labs, Associate Professor at Indiana University and Adjunct Associate Professor at New York University. Dr Jakobsson is a visiting research fellow of the Anti-Phishing Working Group, serves on the technical advisory boards of Cellfony and Lifelock, and works at PayPal. His research is focused on socio-technical fraud; he has contributed to the knowledge of phishing, crimeware and efficient cryptographic protocols, and is currently focusing his efforts on mobile malware and mobile user authentication. He is an editor of "Phishing and Countermeasures" (Wiley, 2006) and "Crimeware: Understanding New Attacks and Defenses" (Symantec Press, 2008). He received his PhD in computer science from University of California at San Diego in 1997.

12:00pm–1:00pm Conference Closing
Conference Chairs

7:30pm–9:30pm Workshop Reception

Friday, March 4, 2011

Saturday, March 5, 2011

All-day excursions




This conference is organized annually by the International Financial Cryptography Association.