From optical communications to security: safeguarding online banking

9 January 2017

Dr Sharon Sim Heung Lee received both her BEng degree in electronic engineering (2003) and her MPhil degree in optical communications (2005) from The Chinese University of Hong Kong. In 2008, she was awarded a Croucher Foundation scholarship to pursue her doctorate in electrical engineering at the University of Cambridge.

In 2012 Lee heard about CRONTO, an online banking security start-up created by fellows from Christ’s College, Cambridge. CRONTO was founded in 2005, and its first product, CrontoSign, works by encrypting transaction details in a 2D colour code.

This enables users to authenticate every online banking transaction, defending against advanced hacking attacks, including the Man-in-the-Browser attack. Considered to be one of the biggest threats to online banking, Man-in-the-Browser attacks hide malware inside everyday browser extensions and user scripts. The malware is able to bypass security mechanisms like two-step authentication because of the way it hides in a browser extension, much like a Trojan Horse.

Although Lee’s PhD research in itself was not directly related to cybersecurity, her skills and mind-set made her just the kind of person CRONTO was looking for - someone with strong logical thinking and the ability to find errors in product testing.

CrontoSign

Following a two-month internship with CRONTO in Cambridge, Lee spent a number of months working on hardware quality assurance for CRONTO at their manufacturing partner’s Shenzhen factory, where she became well-acquainted with the manufacturing side of the business.

She oversaw the creation of hundreds of thousands of security devices, from plastic injection moulding and circuit board production to device assembly. Following her stint in Shenzhen, Lee took a permanent position in Cambridge as a Research and Development Innovation Manager.

To illustrate CRONTO’s usefulness, think about shopping online: every time you make a purchase, you are required to submit your credit card information and sometimes the three-digit security code on the back of your card.

But how do you know that the actual payment being authorised is the same as what's displayed on the webpage? 

An array of coloured cells functions as an encryption code.

With CRONTO’s technology, the retailer’s online web page displays a 2D colour code obtained from the bank, which contains all the transaction information in an encrypted form. You then use the CRONTO App on your phone to scan this code and the App decrypts the transaction information and displays it together with a one-time transaction authorisation code on the screen.

This out-of-band process is independent from the web browser, shielding the transaction from the potential dangers of a Man-in-the-Browser or other similar malware or virus. 

You only enter the code on the retailer’s webpage to authorise the transaction if the payment details are correct. The technology is now used by large and small European banks as well as banks in Asia and the United States.
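The flow described above can be sketched generically as an added example; it is not CRONTO's code or algorithm. It assumes a key shared between bank and device, uses an HMAC-authenticated payload where the article describes an encrypted one, and all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def canonical(tx):
    # Stable byte encoding so bank and device MAC identical input.
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()

def auth_code(key, nonce, tx, digits=6):
    # One-time code bound to this nonce AND these transaction details.
    mac = hmac.new(key, b"code" + nonce + canonical(tx), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)

def bank_issue(key, tx):
    # Bank side: payload that would be rendered as the visual code,
    # plus the pending record the bank keeps for later verification.
    nonce = secrets.token_bytes(NONCE_LEN)
    body = nonce + canonical(tx)
    tag = hmac.new(key, b"payload" + body, hashlib.sha256).digest()
    return body + tag, (nonce, tx)

def device_scan(key, payload):
    # Device side: reject payloads not produced with the shared key, then
    # return the details to show the user and the code to type in.
    body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
    expected = hmac.new(key, b"payload" + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("payload not authentic")
    nonce, tx = body[:NONCE_LEN], json.loads(body[NONCE_LEN:])
    return tx, auth_code(key, nonce, tx)

def bank_verify(key, pending, code):
    # Bank side: accept only the code derived from the transaction it holds.
    nonce, tx = pending
    return hmac.compare_digest(auth_code(key, nonce, tx), code)

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed per-device key (assumption)
    tx = {"payee": "Example Books Ltd", "amount": "25.00", "currency": "GBP"}  # constructed
    payload, pending = bank_issue(key, tx)
    shown, code = device_scan(key, payload)
    print(shown, code, bank_verify(key, pending, code))
```

Because the code is derived from the transaction details the bank holds, a code issued for one payment does not authorise a different one, and the device shows the user exactly what the bank will execute.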

Exploring biometrics

In 2013 CRONTO was acquired by VASCO, forming part of the VASCO Innovation Centre. VASCO Innovation Centre’s main focus is on next-generation online security-related products, including biometrics and the Internet of Things. 

Biometrics refers to metrics related to human characteristics. They can be physiological, based on physical characteristics that are assumed to be relatively unchanging, such as fingerprints, iris patterns, retinal patterns, facial features, palm prints, or hand geometry.

But biometrics can also be behavioural, based on the unique and idiosyncratic ways we all do things like talking, signing our names, moving our hands, or the rhythm we type with on a keyboard. Lee and her colleagues are exploring the possibility of using biometrics to develop the next generation of secure banking solutions.

For Lee, the role of research and innovation manager at VASCO Innovation Centre offers her a good balance between scientific endeavour and working for a commercial venture. She has the freedom to attend relevant conferences - which reminds her of being an academic researcher - and one particular perk is the opportunity to get familiar with all the latest technology.

Lee is grateful to the Croucher Foundation for enabling her study in Cambridge, as she feels that she benefited from the international environment and atmosphere of collaboration and innovation. She sincerely advises young scientists to be flexible in their approach to research and career: research topics are very unlikely to last forever, so it is very important to allow your research interests to keep evolving and developing. At some point, you may find this flexibility and exposure to different areas to be extremely valuable.

Dr Sharon Lee received her B.Eng. degree with first class honours in electronic engineering at The Chinese University of Hong Kong in 2003, and obtained her M.Phil degree in optical communications at the same university in 2005. She was then awarded a Croucher Foundation Scholarship in 2008 to pursue her doctorate in electrical engineering at University of Cambridge. She is currently the Research and Innovation Manager at Cronto.
