SiteKey attempts to retrieve a "Device ID" from the user's computer; however, millions of consumers routinely purge cookies, Flash objects, and similar stored items from their computers. When SiteKey cannot retrieve this Device ID, it falls back to soliciting personal information in response to challenge questions, i.e. it simply requests more of what the user already knows. SiteKey is therefore not a (consistently) multi-factor authentication approach, as defined by the FFIEC and the FDIC.
FFIEC: "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category at different points in the process may be part of a layered security or other compensating control approach, but it would not constitute multifactor authentication."

FDIC: "[…] authentication uses two of the three types of credentials mentioned above (something a person knows or has or is)".

PhishCops® is a true multi-factor solution, as defined by the FFIEC and the FDIC. PhishCops® users supply:
"Something they KNOW" (their PhishCops® Virtual Token ID and PIN), and
"Something they HAVE" (a digital signature retrieved from their computer),
as per FFIEC and FDIC guidelines.

SiteKey requires the user to disclose numerous pieces of personal information in response to challenge questions.
In many cases, the
of solicited personal
FDIC: "Although consumers are worried about phishing and the trustworthiness of e-mail messages from their banks, they are also concerned about the security of their personal information […]"

"One study revealed that two-thirds of respondents said they will switch banks if their bank fails to secure their personal information."

"When banks consider authentication methods for retail customers, they should be aware that these customers value security and the protection of confidential information... Consumers will require a clear explanation of any security mechanism and the use of any personal information required to implement that security mechanism."

"Consumers are also concerned about the risk associated with large databases of personal information and the potential for the information that is used by authentication methods to be compromised, copied, or imitated."

"[…] on the use of personal information and the existence of privacy safeguards are important elements of consumer acceptance."

PhishCops® never solicits personal information from its users, as per FDIC guidelines.
SiteKey uses no "strong" authentication methods, relying instead on simple alphanumeric device information, solicited personal information, and copyable images. The FFIEC, however, requires appropriate authentication strength, and the FDIC has warned that shared-secret methods are open to "man-in-the-middle" attacks:

FFIEC: "Consistent with the FFIEC Information Technology Examination Handbook, Information Security Booklet, December 2002, financial institutions should periodically ensure that their information security program: Identifies risk mitigation actions, including appropriate authentication strength"

FDIC: "The disadvantage of this [shared secret] method is that it is susceptible to man-in-the-middle attacks, where the fraudster successfully impersonates the user and gains access to the shared secret"
PhishCops®' authentication algorithms were developed by the National Institute of Standards and Technology (NIST) through its Information Technology Laboratory (ITL), under the authority of the U.S. Department of Commerce. These algorithms are the current U.S. federal standard for algorithmic authentication and are approved for protecting sensitive U.S. government data; they are the strongest standardized authentication algorithms available. PhishCops® therefore provides strong authentication, as per FFIEC guidelines.

ALL of SiteKey's credentials, from the user's Login ID and solicited personal information to the user's pre-selected "shared secret" image, can be collected by a fraudster. The FDIC, however, has recommended authentication methods that cannot be collected:
"In the last stage [of a phishing
attack], collected credentials are used to access the victim's account.
Financial institutions can mitigate this threat with a variety of tools to
better identify who is accessing the account. This includes authentication
methods which cannot be collected by the fraudster."
PhishCops® uses authentication methods which cannot be collected by fraudsters, as per FDIC guidelines. The PhishCops® virtual token generator exists "virtually" as server-side programming, so, unlike a physical token, it cannot be lost or stolen by the user. This virtual token generator produces a unique type of one-time code using government-approved cryptographic algorithms and information a fraudster cannot collect from the user, including server date/time information and private cryptographic keys.
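To make the description above concrete, here is an added illustration of a server-side one-time code generator. It is not PhishCops®' own code (the page does not publish its algorithm); it is built from NIST-standardized primitives, HMAC (FIPS 198-1) over SHA-256 (FIPS 180-4), and derives each code from a server-private key, the user's ID and the server's clock, so nothing the user types or stores can be replayed outside the current time step. The key value, the 30-second step, the 8-digit code length and the user IDs are assumptions made for this example.

```python
import hashlib
import hmac
import struct

# Assumed server-private key (constructed sample value). In a real deployment it
# would live in a key store or HSM and never leave the server.
SERVER_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
)
STEP_SECONDS = 30   # width of one time step (assumption for the example)
CODE_DIGITS = 8     # length of the code shown to the user (assumption)


def time_step(now: float, step: int = STEP_SECONDS) -> int:
    """Map a Unix timestamp to the server's current time-step counter."""
    return int(now // step)


def one_time_code(user_id: str, step_counter: int, key: bytes = SERVER_KEY) -> str:
    """Derive a short decimal code from the server key, user id and time step.

    HMAC-SHA256 binds the code to all three inputs, so a code captured for one
    user and time step is useless for any other user or time step.
    """
    msg = user_id.encode("utf-8") + struct.pack(">Q", step_counter)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # Dynamic truncation (the RFC 4226 construction) to CODE_DIGITS digits.
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** CODE_DIGITS)).zfill(CODE_DIGITS)


class Verifier:
    """Server-side check with a small clock-skew window and single-use enforcement."""

    def __init__(self, key: bytes = SERVER_KEY, window: int = 1):
        self.key = key
        self.window = window
        self.used = set()  # (user_id, step_counter) pairs already consumed

    def verify(self, user_id: str, code: str, now: float) -> bool:
        current = time_step(now)
        for counter in range(current - self.window, current + self.window + 1):
            expected = one_time_code(user_id, counter, self.key)
            if hmac.compare_digest(expected, code):
                if (user_id, counter) in self.used:
                    return False  # replay of an already-consumed code
                self.used.add((user_id, counter))
                return True
        return False


def demo() -> dict:
    """Exercise the generator: fresh use, replay, wrong user and stale code."""
    v = Verifier()
    now = 1_700_000_000.0  # fixed timestamp so the example is reproducible
    code = one_time_code("alice", time_step(now))
    return {
        "fresh": v.verify("alice", code, now),
        "replay": v.verify("alice", code, now + 5),
        "other_user": v.verify("bob", code, now),
        "stale": v.verify("alice", code, now + 3 * STEP_SECONDS),
    }


if __name__ == "__main__":
    print(demo())
```

A code produced this way cannot be harvested from the user ahead of time, and one that has been used or has aged out is rejected. A proxy that relays the login in real time can still forward the code within its validity window, however; closing that gap requires binding the code to the TLS session or origin, which this snippet does not show.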
SiteKey's "shared secret" approach is vulnerable to phishing, pharming, and malware, contrary to FFIEC and FDIC guidelines. In its August 15, 2006 FAQ supplement, the FFIEC stated that any solution under consideration should SPECIFICALLY address the risks of phishing, pharming, and malware.

SiteKey is a "shared secret" approach, using a pre-selected image and phrase as its "shared secrets". The FDIC, the FFIEC, and numerous independent reviewers have identified the weakness:

FDIC: "The disadvantage of this method is that it is susceptible to man-in-the-middle attacks, where the fraudster successfully impersonates the user and gains access to the shared secret"

"[An] attacker could outwit this system in the following way…" (describing a man-in-the-middle scenario). "Another security flaw can arise. If the user has no stored Device ID cookie on his machine, he will be challenged with alternative methods of authentication. These include sending a password through […] or answering a predefined question. An attacker could spoof this […]"
"[The] SiteKey anti-phishing system used by Bank of America and other financial institutions is susceptible to a real-time exploit in which an attacker can create a fake web page that includes a victim's correct, secret SiteKey image, text phrase and challenge questions.... Finding 1: SiteKey is susceptible to a real-time, man-in-the-middle attack. An attacker can create a fake web site that looks like a legitimate Bank of America web site, including a victim's correct SiteKey secret image and text phrase."
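The real-time attack quoted above, as an added simulation (not code from the original page, from the study quoted, or from any vendor): a relay site forwards the victim's login ID to the real site, obtains the victim's genuine image and phrase, and shows them, so the check the scheme relies on passes while the password is harvested. The bank, the users, the image names and the passwords are constructed sample data for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: each user's pre-selected "shared secret" image and
# phrase, and their passwords.
BANK_RECORDS = {
    "alice": {"image": "sailboat.jpg", "phrase": "blue water"},
    "bob": {"image": "lighthouse.jpg", "phrase": "north shore"},
}
BANK_PASSWORDS = {"alice": "correct horse", "bob": "battery staple"}


@dataclass
class Bank:
    """Minimal model of a shared-image login: step 1 takes the login ID and
    returns that user's image and phrase; step 2 takes the password."""
    records: dict
    passwords: dict
    logins: list = field(default_factory=list)

    def step1(self, login_id: str) -> Optional[dict]:
        return self.records.get(login_id)

    def step2(self, login_id: str, password: str) -> bool:
        ok = self.passwords.get(login_id) == password
        if ok:
            self.logins.append(login_id)
        return ok


@dataclass
class StaticFake:
    """A naive phishing page that shows one guessed image to everyone."""
    guess: dict

    def step1(self, login_id: str) -> Optional[dict]:
        return self.guess

    def step2(self, login_id: str, password: str) -> bool:
        return True


@dataclass
class RelayPhisher:
    """A phishing page that forwards each step to the real bank as it happens."""
    bank: Bank
    harvested: dict = field(default_factory=dict)

    def step1(self, login_id: str) -> Optional[dict]:
        # Step 1 needs only the login ID, so the relay asks the real site and
        # shows the victim their genuine image and phrase.
        return self.bank.step1(login_id)

    def step2(self, login_id: str, password: str) -> bool:
        self.harvested[login_id] = password
        # Finish the real login with the credentials just captured.
        return self.bank.step2(login_id, password)


def victim_login(site, login_id: str, password: str, expected: dict) -> bool:
    """What the scheme asks of the user: proceed only if the shown image and
    phrase match the ones chosen at enrolment."""
    shown = site.step1(login_id)
    if shown != expected:
        return False  # the user notices the wrong image and stops
    return site.step2(login_id, password)


def demo() -> dict:
    """Run the same victim against a naive fake and a real-time relay."""
    bank = Bank(BANK_RECORDS, BANK_PASSWORDS)
    relay = RelayPhisher(bank)
    naive = StaticFake({"image": "kitten.jpg", "phrase": "guess"})
    alice = ("alice", BANK_PASSWORDS["alice"], BANK_RECORDS["alice"])

    naive_fooled = victim_login(naive, *alice)
    relay_fooled = victim_login(relay, *alice)
    return {
        "naive_fake_fooled_victim": naive_fooled,
        "relay_fooled_victim": relay_fooled,
        "harvested_password": relay.harvested.get("alice"),
        "login_completed_via_relay": bank.logins == ["alice"],
    }


if __name__ == "__main__":
    print(demo())
```

The naive fake is caught because its image is wrong, but the relay passes the check with the victim's own image, because step 1 hands the shared secret to anyone who presents the login ID. An image check can only authenticate the site if the image cannot be obtained that way.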
Passmark SiteKey CTO Louie Gasparini confirmed in a recent interview that a "big hole" in the SiteKey approach was its vulnerability to malware, trojans, viruses or worms. Said Gasparini, "If malware is on your machine, it's much more difficult for […]"

IT Management News: "[The] SiteKey system fails... to address the fundamental problem of phishing because it leaves the customer susceptible to the classic "Man in the Middle" [attack]. [The] SiteKey approach still relies on the storage of images and so on in your personal records on the merchant's database. Compromise of this data would leave you just as vulnerable as you'd be if your login and password were […]"
PhishCops® was specifically designed to mitigate phishing, pharming, and malware, as per FFIEC guidelines. PhishCops® is a multi-factor authentication solution designed to be effective against all three, in contrast to shared-secret schemes such as SiteKey. Indeed, the United States government recognized PhishCops® for its work in this area when it named it a semi-finalist for the 2005 Homeland Security Award for cyber-security.