Protecting your customers’ private information has always been a pain. Data security is just hard to provide, and thanks to hackers, even harder to protect. Web 2.0 and social networking have only made things worse, providing more opportunities for a breach every hour.

Yet web security has long been a last vestige of innovation in the software space, and for one very good reason: there was never any money in it.

But that may be about to change. A one-and-a-half-year-old startup based in Tulsa, Okla., called Vidoop claims it has a business plan — and the technology — to actually make money off user logins.

Vidoop’s engineers (led by a CTO who is ex-Microsoft) have developed software that finally improves upon the leaky “user name + password” method, replacing it with a process of image recognition based on a grid of pictures displayed on the screen.

But here’s the really clever part: Vidoop will monetize the process by selling the images in the grid to advertisers for product placement. Instead of seeing a generic car in the image grid, consumers might see a Ford (F) Mustang, or a Prius (TM). Instead of a cuppa Joe, they might see a tall Starbucks (SBUX).

The product is called Vidoop Secure. Through one business model, Vidoop will give away its software licenses for free, and then share revenue from the ad sales with its clients. Now large companies that have been putting off upgrading their site security over budgetary constraints (or that standard aversion to a software installation) have a cash incentive to do so.

And since Vidoop plans to broker, bundle and serve up ads from its servers to clients, even small companies — or startups too young to have even yet considered their security risks — have something to gain from installing Vidoop: a potential new revenue stream.

“Web security has always been a cost center. We’re turning it into something that makes you money,” says Vidoop’s 27-year-old founder, Luke Sontag.

The last company that figured out how to convert a utility transaction that we all took for granted into a cash machine has a stock trading at $579. It’s called Google (GOOG).

Here is how it works: When you register on a new site, you’re asked to pick three categories. Suppose you choose cars, planes and beverages. When you log in, Vidoop’s image grid pops up with a display of 12 images, pulled at random from Vidoop’s database. You never see the same combination of images twice — but there will always be a car, a plane and a drink.

Inside each image is a letter or number, also randomized. The letters and numbers displayed in the car, drink and plane act as a pass code for that single login. Since images and characters are chosen at random, no two logins are ever the same. This curbs the riskiest kind of hacking, Sontag says: “It is impossible to keystroke-record this.”
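To make the mechanism concrete, here is a small simulation of the grid login as the article describes it: an added example, not Vidoop’s code. The 12-category pool is constructed, and the rule that characters are unique within a grid is an assumption; the block also computes the size of the category secret in bits, the figure the comments below argue over.

```python
import math
import random
import string

# Constructed 12-category pool (Vidoop's real library is not on the page). Every grid
# shows one image from each pool category, so the user's categories are always present.
CATEGORY_POOL = ["cars", "planes", "beverages", "dogs", "cats", "mountains",
                 "flowers", "boats", "fruit", "chairs", "trains", "clocks"]
ALPHABET = string.ascii_uppercase + string.digits  # character overlaid on each image

def make_grid(rng=None, pool=CATEGORY_POOL):
    """One login grid: every pool category once, in shuffled order, each cell with a
    fresh random character. Characters being unique within a grid is an assumption."""
    if rng is None:
        rng = random.SystemRandom()               # CSPRNG by default
    cells = list(pool)
    rng.shuffle(cells)
    chars = rng.sample(ALPHABET, len(cells))
    return list(zip(cells, chars))                # [(category, char), ...]

def expected_code(grid, user_categories):
    """The one-time pass code: the characters in the user's categories, in the order
    the user picked those categories at registration."""
    lookup = dict(grid)
    return "".join(lookup[c] for c in user_categories)

def verify(grid, user_categories, response):
    """Server-side check against the grid that was actually served for this login;
    a code captured from an earlier grid does not match a new one."""
    return response == expected_code(grid, user_categories)

def categories_in_common(grids):
    """Categories present on every grid. Since each grid shows the whole pool, this
    never narrows below the pool: reloading the page reveals nothing about the secret."""
    return set.intersection(*(set(cat for cat, _ in g) for g in grids))

def secret_bits(pool_size, chosen, ordered=True):
    """Size of the category secret in bits, with or without the order mattering."""
    n = math.perm(pool_size, chosen) if ordered else math.comb(pool_size, chosen)
    return math.log2(n)

if __name__ == "__main__":
    secret = ["cars", "planes", "beverages"]
    grid = make_grid()
    code = expected_code(grid, secret)
    print("login ok:", verify(grid, secret, code))
    print("reload leaks nothing:", categories_in_common([make_grid() for _ in range(5)]) == set(CATEGORY_POOL))
    print("3 of 12 ordered: %.1f bits, 5 of 16 ordered: %.1f bits, 4-digit PIN: %.1f bits"
          % (secret_bits(12, 3), secret_bits(16, 5), math.log2(10_000)))
```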

Vidoop might not be the next Google, but this idea is cool, and for my money, it has legs. The technology goes a long way toward advancing OpenID, too. Through a consumer play called MyVidoop, the company will let you log in to any web site you want through http://www.vidoop.com. For a very nice review on MyVidoop’s pros and cons, see our WebWorkerDaily post.

This summer Vidoop Secure landed its first anchor client, Schwab Retirement Technology, a business unit of the discount brokerage firm (SCHW).

Vidoop will make a modest licensing fee off its Schwab RT deal, but financial services are a huge potential client base. And the real money for Vidoop is in a licensing deal with a major media company, one that sees hundreds of millions of unique visitors a month, like Yahoo (YHOO), AOL (TWX), Google or even Microsoft (MSFT). Partnered with such a company, where ad buyers pay a $20 CPM, Vidoop, which will seek a near-50 percent revenue share, could generate tens of millions in annual revenues off just one contract.

Sontag says this is peanuts compared to what the company could make. “Until now no one track[ed] logins, and why? Because until now, no one knew how to monetize them,” he exclaims.

Vidoop confirms it is negotiating contracts with several such media companies. Sontag wouldn’t name a potential partner, but at least one announcement is rumored to be imminent.

And security is clearly already on these companies’ radar. Google recently paid $625 million for Postini, which specializes in email security. We’re sure they have an appetite for more. Stay tuned.

  1. Om, the accessibility of this system isn’t mentioned in your article. How will screen readers and visually impaired people cope with such a system?

  2. Every time I log in, the set of displayed images will contain a sample image from my three categories. If I repeat login attempts, samples from my categories will keep coming up, while the other samples won’t be displayed. Then it’s trivial to tell what a user’s categories are. For example, if the first attempt has “car, dog, mountain” and the second attempt has “coffee, cat, car”, I know “car” is the user’s category.

    Let’s say they have a fixed set of 12 categories, so every login attempt has samples from the same set of sets. Then brute force guessing is easy. If you pick 3 images out of 12, that’s only 1320 possible ordered combinations and 220 unordered combinations.

    Or, you could just scrape the images displayed during a single login, capture the keystrokes, and look at what the pictures are of.

    This can be automated, because there will be a limited set of advertisements or stock photos. Someone just tries a bunch of logins, collects all the image samples they display, and categorizes them. That only needs to happen once and can be crowdsourced. They can keep updating their images, but then it’s just an arms race.

  3. Besides the fact that there’s a lock-out after 3 failed login attempts, the grid is only displayed if the system “sees” a software token on your computer that was put there during registration… you have to go through an out-of-band process to activate any new computers. No software token = no grid = no possibility to brute force.

    I think we can all agree that myvidoop.com has substantially raised the bar in regards to mitigating hacks. It’s always nice to compare things against non-existent “super, solve-all” solutions… however, reality is, they are just that – non-existent. IMO – this is the best of very strong, usable (not to mention FREE) security available at the time.

  4. You don’t need to have any failed login attempts to defeat this. You need a reload button. All you do is click reload a couple times and keep track of what categories of pictures are consistently displayed. I broke my own password in three attempts.

    The software token doesn’t buy you much since it can be easily stolen by malware, which is what they are claiming they help protect against.

    Regardless, anyone can walk up to a computer with a token installed and break Vidoop’s login in seconds.

    A real two-factor solution makes use of a separate device, such as a CryptoCard or RSA token. If we’re worried about keyloggers, anything on the PC cannot be trusted.

  5. Actually, S.W., your claim to have broken your own passwords in three attempts is impossible. We always display the same 12 or 16 categories for a given user so that someone /can’t/ use process of elimination to determine the set of secret categories.

    When you’re evaluating the security of Vidoop Secure, keep in mind that all the cash in your bank account is secured by your possession of a plastic ATM card (which can be straightforwardly cloned) and your knowledge of a 4-digit number.

    For access to my account on myVidoop I have, in the place of an ATM card, chosen to require possession of my cell phone. Much like my ATM card, it can be disabled and recreated if it gets lost or stolen. Unlike my ATM card, I’ll notice it missing much faster.

    Of course, those who are less paranoid than I am can choose to activate every computer that they use regularly, and then they only have access using knowledge of their secret categories.

    With myVidoop, users have more (and better) ways to vary the security of their credentials than merely choosing a longer, more complex, harder to remember password.

    /No/ authentication technology solves every problem simultaneously. But of the possible replacements for passwords out there, this one’s available today, for free, across the entire internet.

    If you have another technology that solves more of your problems today, then by all means use it instead of ours.

    And either way, we appreciate your feedback.

    Scott Blomquist
    CTO, Vidoop

  6. If you say so, but I took three screen shots and it appears that the categories change on each reload. If they are the same, then it’s a usability problem, since the categories are not clearly distinguishable.

    Regardless, you can still scrape the images and build your own corpus by categorizing them. That would allow you to log keystrokes just like a password.

    Vidoop’s user secrets only have about 11-17 bits of information, depending on whether you choose 3 or 5 categories. That’s assuming users have no bias for certain categories, which they obviously will.

    If a computer is activated, Vidoop’s security is based on essentially a cookie and a tiny shared secret. Both can be stolen by malware. Or, since the secret is so small, a non-trivial portion of activated computers can be brute forced.

    Using the cell phone as a second factor is a better solution and has merit on its own. However, I think the image-based login is weak and would not recommend it to anyone.

  7. S.W., the difficulty that you saw in categorizing images only serves to impede a hacker, not a legitimate user.

    A hacker has to answer “what category does this yellowish-sphere-with-a-ring-around-it represent?” We don’t spend any effort to make our images work well in this direction.

    Legitimate Vidoop Secure users, on the other hand, have to answer “which image is an example of an object in space?” (It’s that yellowish sphere from before, only now it’s more clear because I know more about what I’m looking for.) We extensively test our images to make sure they work in this direction.

    We’re working to make the hacker version of the question even harder than when you had difficulty with it before. By using images that represent more than one category, a hacker has a bigger identification problem to solve (and one that doesn’t have a unique solution). As you noticed from your experiment, some of our images do this already.

    On the subject of strength-of-secret, it’s true that a Vidoop Secure user’s secret is only 11-17 bits. Remember: an ATM PIN is around 13.3 bits, and is also weakened by end user bias.

  8. Four-digit ATM PINs are a very low bar and used in a very different security setting. You cannot brute force a physical ATM machine remotely like you could with malware-infected PCs.

    I still contend that the image-based login system doesn’t buy you anything. It doesn’t thwart keylogging since you can scrape and categorize the library of images, plus you can steal the software token.

    The image login system is less secure, harder to use, won’t work on small devices, and can’t be used by anyone who is blind. In almost every respect, it’s weaker than a plain old alphanumeric password.

    The only idea of merit is using SMS as a trusted, out-of-band channel. The image-based login will not be successful because of its usability and security issues.

  9. S.W. (now I’m over here wondering the same thing)

    You need to go back to school. How exactly does a password (no matter how complex) combat simple keystroke logging? automation? guessing? etc…

    -WONDERING what kind of security-related authority you have, especially since you sound like you are just hating.

  10. I’m not going to provide any arguments of my own; I’m just going to summarize the arguments I’m already seeing, in the hope of adding clarity.

    The first is that the following two attacks are of approximately equivalent sophistication:

    Attack against Vidoop:
    1. Exhaustively scrape from a constantly-changing (We aim to turn over the entire image library on a regular basis), randomly-presented library of images
    2. Have a human attach a guess (albeit probably a good guess) of the category or categories represented by each of those images
    3. Steal a user’s soft token
    4. Capture that user’s screen and keystrokes simultaneously during login
    5. Presumably with some kind of computer vision library, exhaustively match all of those scraped images to the images in the grid during sign-in
    6. Use OCR software to match a character to each of the images in the user’s grid
    7. Compare the OCR’d characters to the characters recorded when the user signed in
    8. Sign in by repeating the process of exhaustively matching grid images, OCRing the characters on it, and then entering the appropriate characters

    Attack against passwords:
    1. Capture a user’s keystrokes with keylogging software.
    2. Sign in as the user, using the password captured by the keylogger.

    The other argument I see here is this:
    “If an attacker is assumed to have the ability to execute arbitrary code on a user’s computer, that user is screwed.”
