Vidoop Authentication Solution Addresses Top Online Security Threat

Bank customers log in using a combination of image recognition and PINs instead of the traditional user name and password.

An innovative new technology promises to strengthen online security for banking customers. According to industry commentators, software from Portland, Ore.-based Vidoop that uses a combination of images and one-time passwords to authenticate online users is superior to existing authentication systems. And it's available for free.

Vidoop's ImageShield technology uses a combination of images and one-time passwords to authenticate online users.
In the three months since BS&T encountered Vidoop at Finovate -- a biannual event showcasing approximately 20 technology offerings deemed the most novel by Finovate organizers, the publishers of Net Banker -- the firm signed its first five banks, says Mitchell Savage, EVP of business development with the three-year-old firm. While he is not at liberty to disclose the banks, Savage says they will go live on Vidoop's ImageShield product this summer. He adds that each bank has less than $3 billion in assets.

Though the five banks are Vidoop's first bank customers, about 80 banks use the vendor's technology as clients of Charles Schwab Retirement Technologies, Vidoop's first financial customer. Schwab has been a Vidoop client for most of the two years that ImageShield has been available, Savage reports.

Tom Wills, a senior security analyst with Javelin Strategy & Research (Pleasanton, Calif.), says the Vidoop solution "is the most imaginative approach to security I've seen in a long time." At registration, he describes, users select a category of images (e.g., animals, automobiles, aircraft, etc.). When they log in, they are presented with a grid of images, each displaying an alphanumeric image code. The user enters into the password field the code from the image that fits the preselected category.

"It sounds complicated, but it's very intuitive and easier to remember than a password, as you just have to remember the [image] category you chose," Wills says, adding that Vidoop is one of the first companies to use a combination of image recognition (a relatively new login alternative to passwords) and a one-time pass code. (Huntingdon, England-based GrIDsure is another.) "That makes it a lot harder for someone to break than, say, Sarah Palin's Yahoo password," Wills jokes.

Vidoop also presents its images differently than most image-recognition software does, Wills points out. Instead of showing the same picture again and again, risking the user's habits being observed, Vidoop changes the images while keeping the category (e.g., animals) consistent, he explains.
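
The login flow Wills describes can be sketched as follows. This is an added illustration, not Vidoop's code: the catalogue, file names, single-character codes and the `ImageLogin` class are all assumptions made for the example.

```python
import hmac
import secrets

# Constructed catalogue: category -> image file names (all hypothetical).
CATALOGUE = {
    "animals": ["cat.jpg", "owl.jpg", "fox.jpg"],
    "automobiles": ["coupe.jpg", "van.jpg", "truck.jpg"],
    "aircraft": ["glider.jpg", "jet.jpg", "biplane.jpg"],
    "flowers": ["rose.jpg", "tulip.jpg", "iris.jpg"],
}
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


class ImageLogin:
    def __init__(self, enrolled):
        self.enrolled = enrolled      # user -> category chosen at registration
        self.pending = {}             # challenge id -> expected code
        self.rng = secrets.SystemRandom()

    def issue(self, user):
        """Return (challenge_id, grid); grid is a shuffled list of (image, code)."""
        secret_category = self.enrolled[user]
        # Distinct codes, so exactly one grid cell matches the expected answer.
        codes = self.rng.sample(CODE_ALPHABET, len(CATALOGUE))
        grid, expected = [], None
        for (category, images), code in zip(CATALOGUE.items(), codes):
            image = self.rng.choice(images)   # picture varies, category does not
            grid.append((image, code))
            if category == secret_category:
                expected = code
        self.rng.shuffle(grid)                # position gives nothing away
        challenge_id = secrets.token_urlsafe(16)
        self.pending[challenge_id] = expected
        return challenge_id, grid

    def verify(self, challenge_id, typed):
        """One attempt per challenge: the entry is removed before comparing."""
        expected = self.pending.pop(challenge_id, None)
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode(), typed.upper().encode())
```

With a single secret category, a blind guess matches one cell in `len(grid)`, which is the gap that attempt limits or the second factor described below would have to cover.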

Further, ImageShield is available with an extra layer of verification. The solution can support two-factor authentication by calling users for voice authentication or sending them one-time access codes via text message.

According to Vidoop's Savage, ImageShield addresses what the vendor claims is today's biggest security threat. "Keylogging malware is now a bigger threat than phishing," he contends. Using keylogging applications, Savage explains, hackers can exploit traditional authentication methods by searching for the giveaway sequence of "user name" and "password" and isolating the necessary data.

While Javelin's Wills does not agree that keylogging has surpassed phishing as a security threat, he acknowledges that these fraud methods are "two of the very top online threats."

Observers consider Vidoop's product of definite value. "That sounds neat," says Richard Harp, director of corporate security with Columbus, Ohio-based Huntington National Bank ($55 billion in assets). Although Harp has not seen the application, asked if he believes the combination of image recognition and PIN gives Vidoop an edge over other authentication solutions, he says, "I think it does."

An Affordable Security Solution

Another advantage that ImageShield has over other online security solutions, Vidoop claims, is a lower cost of ownership. In fact, "This solution is available at no cost," says Vidoop's Savage, who explains that the vendor offers a free sponsored version of the software. According to Savage, manufacturers sponsor categories of images -- for example, Mercedes-Benz, a Daimler AG company, pays Vidoop to ensure that all auto images are of cars made by the automaker's Smart division.

Surprisingly, even in a strained economy none of the financial institutions using Vidoop's ImageShield application chose the free option. "When the first does, others will follow," Savage predicts. "But banks are conservative and may think, 'If you don't pay, it isn't worth much.' "

Nonetheless, the banks will realize reduced costs with the ImageShield product, Savage asserts, pointing to a reduction in customer service calls thanks to the user-friendly access method. "The No. 1 call to most customer support centers is login issues," he contends.

Besides, Savage adds, to attract and retain online customers -- especially during the economic downturn -- banks must demonstrate that they are doing everything possible to secure users' accounts.
