phishcops™ multi-factor authentication website authentication

Download PhishCops™ Multi-Factor Authentication Website Authentication

Post on 23-Jan-2015

1.199 views

Category:

Documents

0 download

Embed Size (px)

DESCRIPTION

 

TRANSCRIPT

  • 1. PhishCops Multi-Factor AuthenticationWebsite Authentication Click to continue This communication 2006 Sestus Data Corporation. All Rights Reserved. THE CONTENTS OF THIS COMMUNICATION ARE PROTECTED UNDER COPYRIGHT AND/OR PATENT. Some elements, technologies, processes, and/or information contained in this communication are confidential, proprietary or legally privileged information.No confidentiality or privilege is waived or lost by any mis-transmission of this information.You may not, directly or indirectly, use, disclose, distribute, print, or copy any part of this communication if you are not the intended recipient.Requires: Microsoft PowerPoint 2003 Return to Website

2. Powerpoint Requirements Click to continue This PresentationThis presentation was developed using Microsoft Powerpoint 2003 .If you are using an earlier version of Microsoft Powerpoint , c ertain visual effects may be unavailable. If you require a earlier (Microsoft Powerpoint 95 ) version of this presentation, a web-based version of this presentation, or would like to have this presentation on CD, please contact us at (800) 788-1927, or email us at[email_address] . Microsoft PowerPoint 2003 Return to Website 3. The FDIC and FFIEC made TWO Recommendations Click to continue The FDICs FindingsOn December 14, 2004, the U.S. Federal Deposit Insurance Corporation (FDIC) published a study presenting their findings on how the financial industry and its regulators could mitigate the risks associated with phishing and identity theft. In this report, the FDIC identified TWO root causes for the problem of online identity theft 1 : 1)Authenticationmethods are insufficientlystrong . 2) The internet lacks email andwebsite authenticationcapabilities. 1. Source: Putting an End to Account Hijacking Identity Theft , FDIC, December 14, 2004. 2. Source: Authentication in an Internet Banking Environment(Updated Guidance Letter), FFIEC, October 12, 2005. The FFIECs RecommendationsOn October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) issued an updated guidance letter for banks and financial institutions which echoed the FDICs findings and made TWO corresponding recommendations: 2 : 1)Implement strong multi-factor authentication. 2) authenticate their websites to customers BEFORE collecting sensitive information and assess the adequacy of such authentication techniques in light of new or changing risks such as phishing.Return to Website 4. Other Authentication Methods Other Authentication Methods To understand how PhishCops works, it is necessary to understand how it differs from other types of authentication.All Other authentication methods fall under one of 3 categories: Knowledge Based, Object Based, and ID Based Click to continue ID-Based ("who you ARE") methods are the strongest of the three authentication methods, and are characterized by uniqueness to one person. Biometrics, such as a fingerprint, eye scan, voiceprint, or signature fall under this category.Vulnerabilities : I f a biometric is compromised, it can not be as easily replaced. Hardware limitations also make the use of this authentication unaffordable to many and difficult to implement en-masse.Knowledge-Based ("what you KNOW") methods are the most common (and the weakest) of the three authentication methods and are characterized by secrecy or obscurity. This is the most widely used method and includes the memorized Login ID, password, selectable image, personal question challenge / response, etc.Vulnerabilities : People can be tricked into divulging logins, passwords, and the answers to personal questions. Images can be copied and re-used.Object-Based ("what you HAVE")methods are the most technically complex of the three authentication methods and are characterized by physical possession. Physical keys, hardware tokens, etc. fall into this category. Vulnerabilities :Objects can be lost.Users can be tricked into disclosing the objects returned values. The objects are costly and unpopular with consumers.Return to Website 5. Other Authentication Vendors Click to continue Other Authentication Vendors All other authentication products fall under one of these 3 authentication methods.Knowledge-based Vendors PhishCops , however,uses mathematic authentication algorithms developed by the National Institute of Standards & Technology (NIST) and the Information Technology Laboratory (ITL) under the authority of the U.S. Department of Commerce 3These algorithms are the current standard used by all branches of the U.S. federal government. PhishCops is the ONLY multi-factor authentication solution vendor using government-approved authentication algorithms in a multi-factor authentication solution. 3. Source: Source: Processing Standards Publication 180-2. U.S. Department of Commerce, National Institute of Standards and Technology (NIST), Information Technology Laboratory (ITL). Passmark Sitekey Cyota eStamp PostX Anakam Cloudmark Cavion Digital Resolve Secure Computing Soltrus 41st Parameter Many vendors have rushed to bring image-based or similar shared-secret solutions to market (a knowledge-based approach).In an attempt to satisfy multi-factor authentication requirements, some have added a device ID to the customers computer, but if no device ID can be retrieved from the customers computer, they simply fall back on asking the customer (or the phisher) to supply answers to personal questions (again, a knowledge-based approach).Bottom line: If the customer (or the phisher) can supply the right credentials, and/or answer the questions correctly, these solutions will let them into the account. Return to Website 6. Other Authentication Vendors Click to continue Other Authentication Vendors All other authentication products fall under one of these 3 authentication methods.2005 Homeland Security Award Semi-Finalist As a result of our innovative and groundbreaking use of these government-approved authentication algorithms, the U.S. government named PhishCops a semi-finalist for the 2005 Homeland Security Award. PhishCops was the only multi-factor authentication solution named to this award. Passmark Sitekey Cyota eStamp PostX Anakam Cloudmark Cavion Digital Resolve Secure Computing Soltrus 41st Parameter Knowledge-based Vendors Many vendors have rushed to bring image-based or similar shared-secret solutions to market (a knowledge-based approach).In an attempt to satisfy multi-factor authentication requirements, some have added a device ID to the customers computer, but if no device ID can be retrieved from the customers computer, they simply fall back on asking the customer (or the phisher) to supply answers to personal questions (again, a knowledge-based approach).If the customer (or the phisher) can supply the right credentials, or answer the questions correctly, these solutions will let them into the account. Return to Website 7. Other Authentication Vendors Click to continue Passmark Sitekey Cyota eStamp PostX Anakam Cloudmark Cavion Digital Resolve Secure Computing Soltrus 41st Parameter Other Authentication Vendors All other authentication products fall under one of these 3 authentication methods.Knowledge-based Vendors These solutions, however, authenticate the websiteAFTERthe customer has divulged their website login ID or other sensitive information. PhishCops , follows the FFIECs recommendation andauthenticates websites to customers BEFORE the customer has divulged any website login ID or other sensitive information. In their Guidance Letter, the FFIEC urged financial institutions to: authenticate their web sites to the customerBEFOREcollecting sensitive information Return to Website 8. Other Authentication Vendors Click to continue Passmark Sitekey Cyota eStamp PostX Anakam Cloudmark Cavion Digital Resolve Secure Computing Soltrus 41st Parameter Other Authentication Vendors All other authentication products fall under one of these 3 authentication methods.Knowledge-based Vendors Object-based Vendors Vasco RSA As a result, some hardware token vendors are latching on to knowledge-based solution vendors in an attempt to keep their aging technologies viable in a changing world. = Passmark = Cyota PhishCops , however, was specificallydeveloped for the modern challenges of online identity theft. Sestus Data Corporation developed PhishCops from the ground up, working with internet "backbone" companies and government regulators, merging thoroughly tested unbreakable (andgovernment-approved) authentication algorithms with modern web-based technologies to create the most powerful and user-friendlymulti-factor authentication solution in the world.Verisign TriCipher Object based vendors (hardware solution providers) have struggled to adapt outdated technology to meet the modern problems of online identity theft. Unfortunately, while possessing a token or other physical piece of hardware may help identify a user to the website, they are incapable of authenticating the website to the user. Return to Website 9. Other Authentication Vendors Click to continue Passmark Sitekey Cyota eStamp PostX Anakam Cloudmark Cavion Digital Resolve Secure Computing Soltrus 41st Parameter Other Authentication Vendors All other authentication products fall under one of these 3 authentication methods.Object-based Vendors Vasco RSA = Passmark = Cyota PhishCops Virtual Tokens exist virtually and cannot be lost or stolen.As a result, customers experience no account down-time. Verisign TriCipher Objects such as hardware tokens, smart cards, and other devices can be lost, stolen, or forgotten. Until they are retrieved or restored, the customer is unable to access their online account. Knowledge-based Vendors Return to Website 10. Other Authentication Vendors Click to continue Passmark Sitekey Cyota eStamp PostX Anakam Cloudmark Cavion Digital Resolve Secure Computing Soltrus 41st Parameter Other Authentication Vendors All other authentication products fall

Recommended

View more >