Compliance Comparison

 

Comparison Chart: Regulatory Guideline Compliance

 
 

This chart compares PhishCops® to other solutions with respect to their ability to satisfy various FFIEC and FDIC regulatory guidelines.


Guideline #1. Implement Multi-Factor Authentication (see: clarification re: "challenge question" / response approaches)
Guideline #2. Implement Website Authentication
Guideline #3. Limit the Use of Personal Information used in Authentication
Guideline #4. Implement authentication methods which "cannot be collected by fraudsters"
Guideline #5. Any considered approach should SPECIFICALLY address the risks of phishing, pharming, and malware

Comparison Chart: Regulatory Compliance

   

 

 

Guideline #1: Multi-Factor?
Guideline #2: Website Authentication?
Guideline #3: Limit Personal Information?
Guideline #4: Collection Avoidance?
Guideline #5: Specifically Address Phishing, Pharming, and Malware?


PhishCops®

Guideline #1 (Multi-Factor?): Yes - PhishCops® is a true multi-factor approach as defined by the FFIEC.

Guideline #2 (Website Authentication?): Yes - PhishCops® performs mutual (website) authentication using government-approved mathematical algorithms.

Guideline #3 (Limit Personal Information?): Yes - PhishCops® NEVER solicits personal information from users AT ANY TIME.

Guideline #4 (Collection Avoidance?): Yes - PhishCops® cannot be stolen or lost, and its mathematical authentication approach is, by definition, "uncollectable".

Guideline #5 (Specifically Address Phishing, Pharming, and Malware?): Yes - PhishCops® is specifically designed to address the risks of phishing, pharming, and malware.


Hardware Tokens, Smartcards, Dongles, etc. (e.g., RSA, Vasco, TriCipher, ActiveCard, etc.)

Guideline #1 (Multi-Factor?): Yes - When combined with traditional logins / passwords.

Guideline #2 (Website Authentication?): No - Hardware tokens do not authenticate websites. They cannot. They are physically disconnected from the internet.

Guideline #3 (Limit Personal Information?): Yes - Typically, hardware tokens do not rely on solicited personal information.

Guideline #4 (Collection Avoidance?): No - Hardware tokens can be collected on fraudulent websites and re-transmitted to the genuine website by the fraudster.

Guideline #5 (Specifically Address Phishing, Pharming, and Malware?): No - Hardware tokens are vulnerable to phishing, pharming, and malware since they do not authenticate the website to users. Nordea Bank's recent experience shows one example of this.


Passmark (RSA) - SiteKey

Guideline #1 (Multi-Factor?): No - In the absence of a "Device ID" on the user's computer, Passmark SiteKey relies on multiple challenge questions, i.e., simply more of the same "something the user knows".

Guideline #2 (Website Authentication?): Weak - While site authentication images are a form of website authentication, they are a very weak form and, per a recent MIT/Harvard study, they are "fundamentally flawed" and provide "little additional protection".

Guideline #3 (Limit Personal Information?): No - In the absence of any "Device ID" found on the user's computer, users must divulge multiple pieces of personal information in response to challenge questions.

Guideline #4 (Collection Avoidance?): No - All parts of the authentication process, the image, the passphrase, the login ID and password, and the answers to personal questions, can be easily collected by fraudsters.

Guideline #5 (Specifically Address Phishing, Pharming, and Malware?): No - Passmark SiteKey CTO Louie Gasparini confirmed in a Baseline Magazine interview that a "big hole" in the SiteKey approach was its vulnerability to malware, trojans, viruses or worms. Said Gasparini,
“If malware is on your machine, it's much more difficult for everybody.”


Cyota (RSA) - eStamp

Guideline #1 (Multi-Factor?): No - In the absence of a "Device ID" on the user's computer, Cyota eStamp relies on multiple challenge questions, i.e., simply more of the same "something the user knows".

Guideline #2 (Website Authentication?): Weak - While site authentication images are a form of website authentication, they are a very weak form and, per a recent MIT/Harvard study, they are "fundamentally flawed" and provide "little additional protection".

Guideline #3 (Limit Personal Information?): No - In the absence of any "Device ID" found on the user's computer, users must divulge multiple pieces of personal information in response to challenge questions.

Guideline #4 (Collection Avoidance?): No - All parts of the authentication process, the image, the passphrase, the login ID and password, and the answers to personal questions, can be collected by fraudsters using phishing websites or social engineering methods.

Guideline #5 (Specifically Address Phishing, Pharming, and Malware?): No - Cyota is essentially identical to Passmark SiteKey (see above), and is similarly vulnerable to phishing, pharming, and malware.


Business Signatures

Guideline #1 (Multi-Factor?): No - In the absence of a cookie retrieved from the user's computer, Business Signatures relies on multiple challenge questions, i.e., simply more of the same "something the user knows".

Guideline #2 (Website Authentication?): Weak - While site authentication images are a form of website authentication, they are a very weak form and, per a recent MIT/Harvard study, they are "fundamentally flawed" and provide "little additional protection".

Guideline #3 (Limit Personal Information?): No - In the absence of a cookie retrieved from the user's computer, users must divulge multiple pieces of personal information in response to challenge questions.

Guideline #4 (Collection Avoidance?): No - All parts of the authentication process, the image, the passphrase, the login ID and password, and the answers to personal questions, can be collected by fraudsters using phishing websites or social engineering methods.

Guideline #5 (Specifically Address Phishing, Pharming, and Malware?): No - Business Signatures' approach is essentially identical to Passmark SiteKey (see above), and is similarly vulnerable to phishing, pharming, and malware.


*Digital Envoy (Digital Resolve)

Guideline #1 (Multi-Factor?): No - If the user doesn't wish to install its software, it forces users to answer multiple challenge questions, i.e., simply supplying more of "something the user knows".

Guideline #2 (Website Authentication?): Weak - While site authentication images are a form of website authentication, they are a very weak form and, per a recent MIT/Harvard study, they are "fundamentally flawed" and provide "little additional protection".

Guideline #3 (Limit Personal Information?): No - If the user doesn't wish to install its software, users must divulge multiple pieces of personal information in response to challenge questions.

Guideline #4 (Collection Avoidance?): No - All parts of the authentication process, the image, the passphrase, the login ID and password, and the answers to personal questions, can be collected by fraudsters using phishing websites or social engineering methods.

Guideline #5 (Specifically Address Phishing, Pharming, and Malware?): No - Digital Resolve's approach is essentially identical to Passmark SiteKey (see above), and is similarly vulnerable to phishing, pharming, and malware.


* = Software Approach. The customer is required to install software which must then be supported.

 

 

 

 

 

 

 

© 2008 Sestus Data Company   All Rights Reserved. PhishCops® is Patent Pending.
