| | Phishing (Use of fraudulent websites to solicit account credentials) | Pharming (DNS poisoning) | Man-in-the-middle (Intermediary communication with legitimate website) | Malware (Use of malicious software programs to steal computer information) | Social Engineering and Vishing (Telephone based and other "in person" fraud) | Hostile Proxy (Fraudster's control of a proxy server) |
|---|---|---|---|---|---|---|
| PhishCops® | Strong | Strong | Strong | Strong | Strong | Strong |
| Hardware Tokens, Smartcards, Dongles, etc. | Weak (1) | Vulnerable | Vulnerable (2) | Vulnerable (3) | Vulnerable | Vulnerable |
| Passmark (RSA) - SiteKey | Weak (4) | Vulnerable | Vulnerable | Vulnerable (5) | Vulnerable | Vulnerable |
| Cyota (RSA) - eStamp | Weak (4) | Vulnerable | Vulnerable | Vulnerable (5) | Vulnerable | Vulnerable |
| Business Signatures | Weak (4) | Vulnerable | Vulnerable | Vulnerable (5) | Vulnerable | Vulnerable |
| Digital Envoy (Digital Resolve) | Weak (4) | Vulnerable | Vulnerable | Vulnerable (5) | Vulnerable | Vulnerable |
(1) While hardware tokens and other physical OTP approaches add a little more protection than simple login/passwords, the physical token value can be easily solicited on phishing websites and reused by the fraudster on the legitimate website. Symantec, the Anti-Phishing Working Group, and numerous other security firms have all noted this vulnerability in published reports. See Nordea Bank.
(2) See Nordea Bank's recent inability to stop man-in-the-middle phishing using hardware and similar OTP physical tokens.
(3) USB-based hardware tokens, once connected to the customer's computer, are vulnerable to malware which can read and transmit the token values, digital keys, and other data to the fraudster. Non-USB hardware tokens rely on the customer entering Login IDs and other information, including typing the produced token value onto the screen, all of which can be intercepted by malware and transmitted swiftly to fraudsters within the token expiration time frame. Citigroup recently experienced this type of man-in-the-middle attack against its hardware token-equipped business customers.
(4) While "shared secret" approaches add a little more protection than simple login/password approaches, they require users to divulge even more personal information than they would have previously divulged, putting users at even GREATER risk for identity theft. Also, the user's account credentials and personal information can be easily solicited on phishing websites and then re-used by the fraudster on the legitimate website to access the account. Thus, shared secret approaches offer little additional protection and actually increase the probability of identity theft. Symantec, the Anti-Phishing Working Group, and numerous other security firms have all noted these failings in published reports.
(5) Passmark SiteKey's own CTO, Louie Gasparini, confirmed in a recent interview that a "big hole" in the SiteKey approach was its vulnerability to malware, trojans, viruses or worms. Said Gasparini, "If malware is on your machine, it's much more difficult for everybody." It should be noted that Cyota, Business Signatures, and Digital Envoy, being similar "shared secret" approaches, all suffer from this same vulnerability.
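As an added illustration of footnotes (1) through (3), not taken from the page or from any vendor's product: a simulated RFC 6238 TOTP verifier shows that a captured code is still accepted anywhere inside its 30-second window, and that a defender-side single-use check (an assumption here, not something the table describes) blocks the malware-forwarding case of footnote (3) while leaving a pure phishing relay unaddressed. The secret, timestamps and verifier classes are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP window (RFC 6238 default)

def totp(secret: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class NaiveVerifier:
    """Accepts any code matching the current window: a code captured by
    malware or a phishing page replays successfully until it expires."""
    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.secret, now))

class SingleUseVerifier(NaiveVerifier):
    """Also records the last window in which a code was consumed, so the
    same code is not accepted twice inside its expiration window. This stops
    the footnote (3) case (customer logs in, malware forwards the typed code)
    but not a pure phishing relay where the real site sees the code only once."""
    def __init__(self, secret: bytes):
        super().__init__(secret)
        self.last_used_window = -1

    def verify(self, code: str, now: int) -> bool:
        window = now // STEP
        if window <= self.last_used_window or not super().verify(code, now):
            return False
        self.last_used_window = window
        return True

def simulate_malware_relay(now: int) -> tuple:
    """Customer logs in at `now`; the captured code is reused 5 seconds later,
    inside the same 30-second window. Returns (naive_accepts_replay,
    single_use_accepts_replay). Secret and times are constructed demo values."""
    secret = b"constructed-demo-secret-not-a-real-key"
    code = totp(secret, now)
    naive, strict = NaiveVerifier(secret), SingleUseVerifier(secret)
    assert naive.verify(code, now) and strict.verify(code, now)  # legitimate login
    return naive.verify(code, now + 5), strict.verify(code, now + 5)
```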