Fraud Attack Vector Comparison

 

Comparison Chart: Fraud Attack Vectors

 
 

This chart compares PhishCops® to other solutions in their ability to mitigate the various forms of online fraud and account hijacking.


| Solution | Phishing (Use of fraudulent websites to solicit account credentials) | Pharming (DNS poisoning) | Man-in-the-middle (Intermediary communication with legitimate website) | Malware (Use of malicious software programs to steal computer information) | Social Engineering and Vishing (Telephone based and other "in person" fraud) | Hostile Proxy (Fraudster's control of a proxy server) |
|---|---|---|---|---|---|---|
| PhishCops® | Strong | Strong | Strong | Strong | Strong | Strong |
| Hardware Tokens, Smartcards, Dongles, etc. | Weak (1) | Vulnerable | Vulnerable (2) | Vulnerable (3) | Vulnerable | Vulnerable |
| Passmark (RSA) - SiteKey | Weak (4) | Vulnerable | Vulnerable | Vulnerable (5) | Vulnerable | Vulnerable |
| Cyota (RSA) - eStamp | Weak (4) | Vulnerable | Vulnerable | Vulnerable (5) | Vulnerable | Vulnerable |
| Business Signatures | Weak (4) | Vulnerable | Vulnerable | Vulnerable (5) | Vulnerable | Vulnerable |
| Digital Envoy (Digital Resolve) | Weak (4) | Vulnerable | Vulnerable | Vulnerable (5) | Vulnerable | Vulnerable |

(1) While hardware tokens and other physical OTP approaches add a little more protection than simple login/passwords, the physical token value can be easily solicited on phishing websites and reused by the fraudster on the legitimate website. Symantec, the Anti-Phishing Working Group, and numerous other security firms have all noted this vulnerability in published reports. See Nordea Bank.

(2) See Nordea Bank's recent inability to stop man-in-the-middle phishing using hardware and similar OTP physical tokens.

(3) USB-based hardware tokens, once connected to the customer's computer, are vulnerable to malware which can read and transmit the token values, digital keys, and other data to the fraudster. Non-USB hardware tokens rely on the customer entering Login IDs and other information, including typing the produced token value onto the screen, all of which can be intercepted by malware and transmitted swiftly to fraudsters within the token expiration time frame. Citigroup recently experienced this type of man-in-the-middle attack against its hardware token-equipped business customers.

(4) While "shared secret" approaches add a little more protection than simple login/password approaches, they require users to divulge even more personal information than they would have previously divulged, putting users at even GREATER risk for identity theft.  Also, the user's account credentials and personal information can be easily solicited on phishing websites and then re-used by the fraudster on the legitimate website to access the account. Thus, shared secret approaches offer little additional protection and actually increase the probability of identity theft. Symantec, the Anti-Phishing Working Group, and numerous other security firms have all noted these failings in published reports.

(5) Passmark SiteKey's own CTO, Louie Gasparini, confirmed in a recent interview that a "big hole" in the SiteKey approach was its vulnerability to malware, trojans, viruses or worms. Said Gasparini, "If malware is on your machine, it's much more difficult for everybody." It should be noted that Cyota, Business Signatures, and Digital Envoy, being similar "shared secret" approaches, all suffer from this same vulnerability.

 

 

 

© 2008 Sestus Data Company   All Rights Reserved. PhishCops® is Patent Pending.
