Tesco Bank was launched in 1997 as a joint venture between Tesco and The Royal Bank of Scotland (RBS). RBS provided the IT and operations while Tesco provided the brand and route to market in a partnership which built a customer base of around 6 million accounts. In 2008, Tesco acquired the remaining 50% RBS shareholding and set about building a standalone bank and migrating customers off RBS infrastructure.

Tesco Bank is a unique case study in security architecture and delivery – an opportunity to start with a blank sheet of paper and to design a bank with security 'baked in' from the start. This talk details how we approached the task, the lessons learnt and some of the security architecture decisions which had the biggest impacts on the organisation ... and those which were the most challenging.

Dr Jolyon Clulow leads the IT security architecture and delivery for Tesco Bank in their efforts to build a secure IT capability for a full retail bank and insurance company. His previous positions include roles in engineering, academia and consulting. Jolyon read his Ph.D. at the University of Cambridge.

Rainer Boehme and Stefanie Poetzsch
Collective Exposure: Peer Effects in Voluntary Disclosure of Personal Data

Nicolas Christin, Serge Egelman, Timothy Vidas and Jens Grossklags
It's All About The Benjamins: An empirical study on incentivizing users to ignore security advice

Julien Freudiger, Reza Shokri and Hubaux Jean-Pierre
Evaluating the Privacy Risk of Location-Based Services

Jeremy Clark and Urs Hengartner
Selections: An Internet Voting System with Over-the-Shoulder Coercion-Resistance

Benedikt Westermann and Dogan Kesdogan
Malice versus AN.ON: Possible Risks of Missing Replay and Integrity Protection

Jay Novak, Jonathan Stribley, Kenneth Meagher, Scott Wolchok and Alex Halderman
Absolute Pwnage: Security Risks of Remote Administration Tools

Ben Palmer, kris bubendorfer and Ian Welch
A Protocol for Anonymously Establishing Digital Provenance in Reseller Chains

Philip Marquardt, David Dagon and Patrick Traynor
Impeding Individual User Profiling in Shopper Loyalty Programs

Debin Liu, Ninghui Li, XiaoFeng Wang and L. Jean Camp
Beyond Risk-Based Access Control: Towards Incentive-Based Access Control

Guomin Yang, Shanshan Duan, Duncan Wong, Chik-How Tan and Huaxiong Wang
Authenticated Key Exchange under Bad Randomness

Martin Franz, Bogdan Carbunar, Radu Sion, Stefan Katzenbeisser, Miroslava Sotakova, Peter Williams and Andreas Peter
Oblivious Outsourced Storage with Delegation

Rob Johnson, Leif Walsh and Michael Lamb
Homomorphic Signatures for Digital Photographs

Femi Olumofin and Ian Goldberg
Revisiting the Computational Practicality of Private Information Retrieval

Mohammed Tuhin and Reihaneh Safavi-Naini
Optimal One Round Almost Perfectly Secure Message Transmission

Oliver Spycher, Reto König, Rolf Haenni and Michael Schläpfer
A New Approach Towards Coercion-Resistant Remote E-Voting in Linear Time

Ulrich Rührmair, Christian Jaeger and Michael Algasinger
An Attack on PUF-based Session Key Exchange and a Hardware-based Countermeasure: Erasable PUFs

Henryk Plötz and Karsten Nohl
Peeling Away Layers of an RFID Security System

Ross Anderson, Mike Bond, Omar Choudary, Steven J. Murdoch and Frank Stajano
Might Financial Cryptography Kill Financial Innovation? – The Curious Case of EMV

Shujun Li, Ahmad-Reza Sadeghi, Soeren Heisrath, Roland Schmitz and Junaid Jameel Ahmad
hPIN/hTAN: A Lightweight and Low-Cost e-Banking Solution against Untrusted Computers

• Ross Anderson, University of Cambridge
• Steven M. Bellovin, Columbia University
• Ahmad-Reza Sadeghi, Ruhr-Universität Bochum
• Lenore Zuck, University of Illinois at Chicago

Christopher Soghoian and Sid Stamm
Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL

Kirill Levchenko and Damon McCoy
Proximax: Fighting Censorship With an Adaptive System for Distribution of Open Proxies

Peter Lofgren and Nicholas Hopper
BNymble: More anonymous blacklisting at almost no cost

Martin Franz, Stefan Katzenbeisser, Bjoern Deiseroth, Kay Hamacher, Somesh Jha and Heike Schroeder
Towards Secure Bioinformatics Services

Theodoor Scholte, Davide Balzarotti and Engin Kirda
Quo Vadis? A Study of the Evolution of Input Validation Vulnerabilities in Web Applications

Pern Hui Chia and Svein Knapskog
Re-Evaluating the Wisdom of Crowds in Assessing Web Security

Mohammad Mannan, David Barrera, Carson Brown, David Lie and Paul Van Oorschot
Recovering Forgotten Passwords Using Personal Devices

Why Mobile Security is not Like Traditional Security

Consumers think that smartphones are not computers, while many computer scientists think of them simply as computers with radios. Neither is accurate, and both lead to potential security problems. As examples of the technical type, the battery constraints of handsets cause the traditional anti-virus paradigm to fail, and the limited keyboards of handsets make traditional password authentication frustrating and error prone – and likely to be circumvented by many consumers. I will describe how differences in features and form factor affect security – for good and bad – and give examples of security solutions for mobile computing.

Biography

Dr. Markus Jakobsson is a founder of the security startups RavenWhite and Fatskunk, and a security strategist at PayPal. He has held positions as Principal Scientist at Palo Alto Research Center, Principal Research Scientist at RSA Security, Member of the Technical Staff at Bell Labs, Associate Professor at Indiana University and Adjunct Associate Professor at New York University. Dr Jakobsson is a visiting research fellow of the Anti-Phishing Working Group, serves on the technical advisory boards of Cellfony and Lifelock, and works at PayPal. His research is focused on socio-technical fraud; he has contributed to the knowledge of phishing, crimeware and efficient cryptographic protocols, and is currently focusing his efforts on mobile malware and mobile user authentication. He is an editor of "Phishing and Countermeasures" (Wiley, 2006) and "Crimeware: Understanding New Attacks and Defenses" (Symantec Press, 2008). He received his PhD in computer science from University of California at San Diego in 1997.