| Product | Guideline #1 Multi-Factor? | Guideline #2 Website Authentication? | Guideline #3 Limit Personal Information? | Guideline #4 Collection Avoidance? | Guidance #5 Specifically Address Phishing, Pharming, and Malware? |
|---|---|---|---|---|---|
| PhishCops® | Yes - PhishCops® is a true multi-factor approach as defined by the FFIEC. | Yes - PhishCops® performs mutual (website) authentication using government-approved mathematical algorithms. | Yes - PhishCops® NEVER solicits personal information from users AT ANY TIME. | Yes - PhishCops® cannot be stolen or lost, and its mathematical authentication approach is, by definition, "uncollectable". | Yes - PhishCops® is specifically designed to address the risks of phishing, pharming, and malware. |
| Hardware tokens, smartcards, dongles, etc. (e.g., RSA, Vasco, TriCipher, ActiveCard, etc.) | Yes - When combined with traditional logins / passwords. | No - Hardware tokens do not authenticate websites. They cannot. They are physically disconnected from the internet. | Yes - Typically, hardware tokens do not rely on solicited personal information. | No - Hardware tokens can be collected on fraudulent websites and re-transmitted to the genuine website by the fraudster. | No - Hardware tokens are vulnerable to phishing, pharming, and malware since they do not authenticate the website to users. Nordea Bank's recent experience shows one example of this. |
| Passmark (RSA) - SiteKey (Click here for a detailed "side-by-side" comparison of SiteKey to PhishCops®) | No - In the absence of a "Device ID" on the user's computer, Passmark SiteKey relies on multiple challenge questions, i.e., simply more of the same "something the user knows". | Weak - While site authentication images are a form of website authentication, they are a very weak form and, per a recent MIT/Harvard study, they are "fundamentally flawed" and provide "little additional protection". | No - In the absence of any "Device ID" found on the user's computer, users must divulge multiple pieces of personal information in response to challenge questions. | No - All parts of the authentication process, the image, the passphrase, the login ID and password, and the answers to personal questions, can be easily collected by fraudsters. | No - Passmark SiteKey CTO Louie Gasparini confirmed in a Baseline Magazine interview that a "big hole" in the SiteKey approach was its vulnerability to malware, trojans, viruses or worms. Said Gasparini, “If malware is on your machine, it's much more difficult for everybody.” |
| Cyota (RSA) - eStamp | No - In the absence of a "Device ID" on the user's computer, Cyota eStamp relies on multiple challenge questions, i.e., simply more of the same "something the user knows". | Weak - While site authentication images are a form of website authentication, they are a very weak form and, per a recent MIT/Harvard study, they are "fundamentally flawed" and provide "little additional protection". | No - In the absence of any "Device ID" found on the user's computer, users must divulge multiple pieces of personal information in response to challenge questions. | No - All parts of the authentication process, the image, the passphrase, the login ID and password, and the answers to personal questions, can be collected by fraudsters using phishing websites or social engineering methods. | No - Cyota is essentially identical to Passmark SiteKey (see above), and is similarly vulnerable to phishing, pharming, and malware. |
| Business Signatures | No - In the absence of a cookie retrieved from the user's computer, Business Signatures relies on multiple challenge questions, i.e., simply more of the same "something the user knows". | Weak - While site authentication images are a form of website authentication, they are a very weak form and, per a recent MIT/Harvard study, they are "fundamentally flawed" and provide "little additional protection". | No - In the absence of a cookie retrieved from the user's computer, users must divulge multiple pieces of personal information in response to challenge questions. | No - All parts of the authentication process, the image, the passphrase, the login ID and password, and the answers to personal questions, can be collected by fraudsters using phishing websites or social engineering methods. | No - Business Signatures' approach is essentially identical to Passmark SiteKey (see above), and is similarly vulnerable to phishing, pharming, and malware. |
| \*Digital Envoy (Digital Resolve) | No - If the user doesn't wish to install its software, it forces users to answer multiple challenge questions, i.e., simply supplying more of "something the user knows". | Weak - While site authentication images are a form of website authentication, they are a very weak form and, per a recent MIT/Harvard study, they are "fundamentally flawed" and provide "little additional protection". | No - If the user doesn't wish to install its software, users must divulge multiple pieces of personal information in response to challenge questions. | No - All parts of the authentication process, the image, the passphrase, the login ID and password, and the answers to personal questions, can be collected by fraudsters using phishing websites or social engineering methods. | No - Digital Resolve's approach is essentially identical to Passmark SiteKey (see above), and is similarly vulnerable to phishing, pharming, and malware. |

\* = Software approach. The customer is required to install software, which must then be supported.