PhishCops™ Multi-Factor Authentication Website Authentication


Post on 23-Jan-2015


Category:

Documents


TRANSCRIPT

1. PhishCops Multi-Factor Authentication Website Authentication. This communication © 2006 Sestus Data Corporation. All Rights Reserved. THE CONTENTS OF THIS COMMUNICATION ARE PROTECTED UNDER COPYRIGHT AND/OR PATENT. Some elements, technologies, processes, and/or information contained in this communication are confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission of this information. You may not, directly or indirectly, use, disclose, distribute, print, or copy any part of this communication if you are not the intended recipient. Requires: Microsoft PowerPoint 2003.

2. PowerPoint Requirements. This presentation was developed using Microsoft PowerPoint 2003. If you are using an earlier version of Microsoft PowerPoint, certain visual effects may be unavailable. If you require an earlier (Microsoft PowerPoint 95) version of this presentation, a web-based version of this presentation, or would like to have this presentation on CD, please contact us at (800) 788-1927, or email us at [email_address].

3. The FDIC and FFIEC made TWO Recommendations.
The FDIC's findings: On December 14, 2004, the U.S. Federal Deposit Insurance Corporation (FDIC) published a study presenting its findings on how the financial industry and its regulators could mitigate the risks associated with phishing and identity theft. In this report, the FDIC identified TWO root causes of online identity theft [1]: 1) Authentication methods are insufficiently strong. 2) The internet lacks email and website authentication capabilities.
The FFIEC's recommendations: On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) issued an updated guidance letter for banks and financial institutions which echoed the FDIC's findings and made TWO corresponding recommendations [2]: 1) Implement strong multi-factor authentication. 2) Authenticate their websites to customers BEFORE collecting sensitive information, and assess the adequacy of such authentication techniques in light of new or changing risks such as phishing.
Sources: 1. "Putting an End to Account-Hijacking Identity Theft", FDIC, December 14, 2004. 2. "Authentication in an Internet Banking Environment" (updated guidance letter), FFIEC, October 12, 2005.

4. Other Authentication Methods. To understand how PhishCops works, it is necessary to understand how it differs from other types of authentication. All other authentication methods fall under one of three categories: knowledge-based, object-based, and ID-based.
Knowledge-based ("what you KNOW") methods are the most common (and the weakest) of the three and are characterized by secrecy or obscurity. This is the most widely used method and includes the memorized login ID, password, selectable image, personal question challenge/response, etc. Vulnerabilities: People can be tricked into divulging logins, passwords, and the answers to personal questions. Images can be copied and re-used.
Object-based ("what you HAVE") methods are the most technically complex of the three and are characterized by physical possession. Physical keys, hardware tokens, etc. fall into this category. Vulnerabilities: Objects can be lost. Users can be tricked into disclosing the values the object returns. The objects are costly and unpopular with consumers.
ID-based ("who you ARE") methods are the strongest of the three and are characterized by uniqueness to one person. Biometrics, such as a fingerprint, eye scan, voiceprint, or signature, fall under this category. Vulnerabilities: If a biometric is compromised, it cannot be replaced as easily as a password or token. Hardware limitations also make this kind of authentication unaffordable to many and difficult to implement en masse.

5. Other Authentication Vendors. All other authentication products fall under one of these three authentication methods.
Knowledge-based vendors: Passmark (SiteKey), Cyota, eStamp, PostX, Anakam, Cloudmark, Cavion, Digital Resolve, Secure Computing, Soltrus, 41st Parameter. Many vendors have rushed to bring image-based or similar shared-secret solutions to market (a knowledge-based approach). In an attempt to satisfy multi-factor authentication requirements, some have added a device ID to the customer's computer, but if no device ID can be retrieved from the customer's computer, they simply fall back on asking the customer (or the phisher) to supply answers to personal questions (again, a knowledge-based approach). Bottom line: If the customer (or the phisher) can supply the right credentials and/or answer the questions correctly, these solutions will let them into the account.
PhishCops, however, uses the cryptographic hash algorithms standardized by the National Institute of Standards and Technology (NIST) and its Information Technology Laboratory (ITL) under the authority of the U.S. Department of Commerce [3]. These algorithms are the current standard used by all branches of the U.S. federal government. PhishCops is the ONLY multi-factor authentication solution vendor using government-approved authentication algorithms in a multi-factor authentication solution.
Source: 3. Federal Information Processing Standards Publication 180-2 (Secure Hash Standard). U.S. Department of Commerce, National Institute of Standards and Technology (NIST), Information Technology Laboratory (ITL).

6. Other Authentication Vendors (continued). 2005 Homeland Security Award Semi-Finalist: As a result of our innovative and groundbreaking use of these government-approved authentication algorithms, the U.S. government named PhishCops a semi-finalist for the 2005 Homeland Security Award. PhishCops was the only multi-factor authentication solution named to this award.

7. Other Authentication Vendors (continued). The knowledge-based solutions listed above authenticate the website AFTER the customer has divulged their website login ID or other sensitive information. PhishCops follows the FFIEC's recommendation and authenticates websites to customers BEFORE the customer has divulged any website login ID or other sensitive information. In its guidance letter, the FFIEC urged financial institutions to "authenticate their web sites to the customer BEFORE collecting sensitive information".

8. Other Authentication Vendors (continued). Object-based vendors: Vasco, RSA, Verisign, TriCipher. Object-based vendors (hardware solution providers) have struggled to adapt outdated technology to the modern problems of online identity theft. Unfortunately, while possessing a token or other physical piece of hardware may help identify a user to the website, it is incapable of authenticating the website to the user. As a result, some hardware token vendors are latching on to knowledge-based solution vendors (the slide pairs Vasco with Passmark and RSA with Cyota) in an attempt to keep their aging technologies viable in a changing world. PhishCops, however, was specifically developed for the modern challenges of online identity theft. Sestus Data Corporation developed PhishCops from the ground up, working with internet "backbone" companies and government regulators, merging thoroughly tested (and government-approved) authentication algorithms with modern web-based technologies to create the most powerful and user-friendly multi-factor authentication solution in the world.

9. Other Authentication Vendors (continued). Objects such as hardware tokens, smart cards, and other devices can be lost, stolen, or forgotten. Until they are retrieved or restored, the customer is unable to access their online account. PhishCops Virtual Tokens exist virtually and cannot be lost or stolen. As a result, customers experience no account down-time.

10. Other Authentication Vendors (continued). Many organizations mistakenly believe hardware tokens, smartcards, and similar devices are invulnerable to phishing and other forms of online identity theft. Nordea Bank's recent experience shows the error of this thinking. In Nordea Bank's widely publicized phishing scare, phishers simply acted as the go-between, or man-in-the-middle, between the bank's customers and the legitimate website, and accessed the victims' accounts using token data solicited from unsuspecting customers [4]. The PhishCops Virtual Token Device can only be accessed by its owner, and only following a valid request from a genuine website, eliminating the possibility of Nordea-style man-in-the-middle attacks.
Source: 4. "Scandinavian Attack Against Two-Factor Authentication", Schneier on Security, October 25, 2005.

11. Other Authentication Vendors (continued). Hardware-based approaches are among the most costly solutions. In addition to being costly, they are unpopular with users. The Washington Post reported on a study conducted by Gartner Research that concluded: "devices like the RSA token are unpopular with consumers. What's more, they might not be offering the right kind of protection... These tokens mainly offer a 'placebo effect' to users who want to feel more secure." [5] PhishCops users, however, ARE more secure. PhishCops also provides standards-based security at a fraction of the cost of object-based authentication devices. Finally, PhishCops utilizes user-friendly technology familiar to every internet user.
Source: 5. The Washington Post, August 28, 2005.

12. Other Authentication Vendors (continued). Regarding hardware tokens, smartcards, and similar device-based authentication, the International Biometric Industry Association (IBIA) recently reported in a strongly-worded letter of concern to the National Institute of Standards and Technology: "IBIA does NOT agree that combining a token with a password offers good two-factor authentication [why?] passwords and tokens are eminently stealable." [6] We agree. Physical tokens and similar hardware devices are stealable. PhishCops is not. For its patent-pending virtual-token-based approach, InfoWorld Magazine awarded PhishCops its highest honor, the InfoWorld 100 Award. Of the 100 organizations honored for their groundbreaking technological achievements, PhishCops was the only multi-factor authentication solution so honored.
Source: 6. International Biometric Industry Association letter to NIST, March 15, 2004.

13. Other Authentication Vendors (continued). ID (biometric)-based vendors: Biometric authentication is recognized as the strongest authentication method, but biometrics can only authenticate customers to the website. Biometrics cannot authenticate the website to the customer as recommended by the FFIEC. In addition, biometric authentication is the costliest approach, and hardware limitations prevent its general use. PhishCops includes biometric notification features that do not require hardware. This feature is patent-pending and the first of its kind in the world. By integrating biometrics into our process, PhishCops can deliver standards-based mathematical authentication in a form easily understandable by human beings.

14. Problems reported with other solutions. "Bank of America Reports Implementation Problems with Passmark SiteKey" (PCWorld) [8]: Bank of America spokesperson Betty Riess declined to comment on whether or not BofA's SiteKey system would even meet FFIEC requirements. "Cloudmark, Cyota, PassMark Security, PostX: None Offer a Complete Answer to the Problem" (Information Week) [9]: There are a number of anti-phishing products available from companies such as Cloudmark, Cyota, PassMark Security, PostX, and others, but none offer a complete answer...
Sources: 8. PCWorld. 9. "Phishing Attacks Show Sixfold Increase This Year", Information Week, June 13, 2005.
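Slides 7 and 10 make two claims that are worth seeing in running code: the website must prove itself to the customer BEFORE any credential is sent, and a response that is bound to the genuine site cannot be usefully relayed by a Nordea-style man-in-the-middle. The following is an added illustration of those two principles, not PhishCops' or Sestus' own protocol, which the presentation does not disclose. It builds a mutual challenge-response on HMAC-SHA-256 (SHA-256 is one of the hash functions in the FIPS PUB 180-2 the slides cite); the names Bank, VirtualToken, token_id, the two example origins, and the idea of a non-secret token identifier used for lookup are all assumptions made for the example. The "origin the customer sees" stands in for whatever a real client would bind to, such as the browser's address-bar origin.

```python
# Added example (not PhishCops' or Sestus' code): server-first, origin-bound
# mutual authentication over a shared secret, contrasted with a bare
# one-time code that a phishing site can relay. Names and origins are
# assumptions made for this illustration.
from __future__ import annotations

import hashlib
import hmac
import secrets


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA-256 over length-prefixed parts so fields cannot run together."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


class Bank:
    """The genuine website. Knows the origin it is served from and each
    token's shared secret, indexed by a non-secret token_id (assumed)."""

    def __init__(self, origin: str, tokens: dict[str, bytes]):
        self.origin = origin.encode()
        self.tokens = tokens
        self.outstanding: dict[str, bytes] = {}  # token_id -> nonce, used once

    def challenge(self, token_id: str) -> tuple[bytes, bytes]:
        # The site speaks first: a fresh nonce plus a proof that it knows the
        # secret, bound to the origin the customer must be talking to.
        nonce = secrets.token_bytes(16)
        self.outstanding[token_id] = nonce
        proof = prf(self.tokens[token_id], b"server", self.origin, nonce)
        return nonce, proof

    def login(self, token_id: str, client_proof: bytes) -> bool:
        nonce = self.outstanding.pop(token_id, None)  # replayed nonce -> reject
        if nonce is None:
            return False
        expected = prf(self.tokens[token_id], b"client", self.origin, nonce)
        return hmac.compare_digest(expected, client_proof)


class VirtualToken:
    """Customer side. Verifies the site's proof against the origin the user
    actually sees before revealing anything at all."""

    def __init__(self, token_id: str, secret: bytes):
        self.token_id = token_id
        self.secret = secret

    def respond(self, origin_seen: str, nonce: bytes, server_proof: bytes) -> bytes | None:
        expected = prf(self.secret, b"server", origin_seen.encode(), nonce)
        if not hmac.compare_digest(expected, server_proof):
            return None  # the website failed to authenticate itself: send nothing
        return prf(self.secret, b"client", origin_seen.encode(), nonce)


def honest_login(bank: Bank, token: VirtualToken) -> bool:
    """Customer talks to the genuine origin: both proofs line up."""
    nonce, proof = bank.challenge(token.token_id)
    answer = token.respond("bank.example", nonce, proof)
    return answer is not None and bank.login(token.token_id, answer)


def relayed_login(bank: Bank, token: VirtualToken) -> bool:
    """Nordea-style man-in-the-middle: the phishing site forwards every
    message verbatim between victim and bank, but the victim sees the
    phisher's origin, so the bank's proof does not verify and the token
    never produces an answer for the phisher to forward."""
    nonce, proof = bank.challenge(token.token_id)                 # phisher -> bank
    answer = token.respond("bank-login.example", nonce, proof)    # victim -> phisher
    return answer is not None and bank.login(token.token_id, answer)


def otp_code(secret: bytes, counter: int) -> str:
    """A bare one-time code of the kind relayed in the Nordea attack: it
    proves possession of the secret but says nothing about which site it
    was typed into."""
    return prf(secret, b"otp", counter.to_bytes(8, "big")).hex()[:6]


def relayed_otp_login(secret: bytes, counter: int) -> bool:
    """Contrast: whatever the victim types into the phishing page is just as
    good at the real bank, because nothing ties the code to an origin."""
    typed_into_phishing_page = otp_code(secret, counter)  # victim
    forwarded = typed_into_phishing_page                  # phisher relays it
    return hmac.compare_digest(otp_code(secret, counter), forwarded)  # bank accepts


if __name__ == "__main__":
    shared = secrets.token_bytes(32)  # constructed sample secret
    bank = Bank("bank.example", {"tok-1": shared})
    tok = VirtualToken("tok-1", shared)
    print("honest login:", honest_login(bank, tok))          # True
    print("relayed login:", relayed_login(bank, tok))        # False
    print("relayed bare OTP:", relayed_otp_login(shared, 1))  # True
```

Two design points carry the argument. First, the site's proof is computed over the secret, a fresh nonce and the site's own origin, so a look-alike domain cannot produce it without the secret, and the customer's token refuses before anything is disclosed; this is the ordering the FFIEC letter asks for. Second, the customer's answer is computed over the origin the customer actually saw, so even a perfect relay of the genuine site's messages yields nothing the genuine site will accept, which is exactly what a bare one-time code lacks. Consuming each nonce on first use also blocks replay of a captured answer.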
