Compare Passmark SiteKey to PhishCops®
Side-by-Side Comparison: Passmark (RSA) SiteKey and PhishCops®
For a Regulatory Compliance comparison, click here.
For a Fraud Attack Vector comparison, click here.
For a comparison of costs, strength vs. ease of use, and information disclosure vs. customer acceptance, click here.
Compare PhishCops® to Hardware Tokens here.
NEW VIDEO: Watch two university students easily defeat RSA SiteKey at Bank of America!

Passmark (RSA) SiteKey   |   PhishCops® v 2.0
(Each row below pairs the SiteKey entry with the corresponding PhishCops® entry.)

Passmark (RSA) SiteKey:
Not a (Consistently) Multi-Factor Solution.
SiteKey attempts to retrieve a "Device ID" from the user's computer; however, millions of consumers routinely purge cookies, Flash objects, and similar stored objects from their computers. When SiteKey cannot retrieve this Device ID, it resorts to soliciting personal information in response to challenge questions, i.e. simply requesting more of what the user "knows".

SiteKey is therefore not a (consistently) multi-factor authentication approach, as defined by the FFIEC and the FDIC.

FFIEC: "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors."

"Using multiple solutions from the same category at different points in the process may be part of a layered security or other compensating control approach, but it would not constitute multifactor authentication."

FDIC: "Two-factor authentication uses two of the three types of credentials mentioned above (something a person knows or has or is)."

Sources:
FFIEC: Authentication in an Internet Banking Environment (Updated Guidance Letter), October 12, 2005, p. 3.
FFIEC: FAQ Supplement, August 15, 2006.
FDIC: Putting an End to Account-Hijacking Identity Theft, December 14, 2004, p. 26.

PhishCops® v 2.0:
Multi-Factor Solution as Defined by the FFIEC and the FDIC.
PhishCops® is a true multi-factor solution, as defined by the FFIEC and the FDIC. PhishCops® users supply:

    1. "Something they KNOW" (their PhishCops® Virtual Token ID and PIN), and
    2. "Something they HAVE" (a digital signature retrieved from their computer).

Passmark (RSA) SiteKey:
Requires the user to disclose numerous pieces of personal information, contrary to FDIC guidelines.
SiteKey requires the user to disclose numerous pieces of personal information in response to challenge questions. In many cases, the disclosure and validation of solicited personal information is SiteKey's only authentication method.

The FDIC, however, has issued numerous warnings against the use of personal information for authentication, citing its weakness and unpopularity with consumers. It should also be noted that the solicitation of personal information on commercial websites is strictly regulated, or even prohibited, by numerous state and federal regulations.

FDIC: "Although consumers are worried about phishing and the trustworthiness of e-mail messages from their banks, they are also concerned about the security of their personal information more generally."

"One study revealed that two-thirds of respondents said they will switch banks if their bank fails to secure their personal information."

"When banks consider authentication methods for retail customers, they should be aware that these customers value security and the protection of confidential information... Consumers will require a clear explanation of any security mechanism and the use of any personal information required to implement that security mechanism."

"Consumers are also concerned about the risk associated with large databases of personal information and the potential for the information that is used by authentication methods to be compromised, copied, or imitated."

"Limitations on the use of personal information and the existence of privacy safeguards are important elements of consumer acceptance."

Source:
FDIC: FDIC Supplemental: Federal Deposit Insurance Corporation, Division of Supervision and Consumer Protection, Technology Supervision Branch, June 17, 2005, pp. 13-16.

PhishCops® v 2.0:
Users NEVER disclose personal information, as per FDIC guidelines.
PhishCops® NEVER solicits personal information from users, as per FFIEC guidelines.

Passmark (RSA) SiteKey:
SiteKey uses no "strong" authentication methods, contrary to FFIEC guidelines.
SiteKey uses no "strong" authentication methods, relying instead on simple alphanumeric device information, solicited personal information, and copyable images.

The FFIEC, however, has required financial institutions to use methods with "appropriate authentication strength". The FFIEC has further clarified that SiteKey's "shared secret" approach is susceptible to "man-in-the-middle" attacks.

FFIEC: "Consistent with the FFIEC Information Technology Examination Handbook, Information Security Booklet, December 2002, financial institutions should periodically ensure that their information security program: Identifies risk mitigation actions, including appropriate authentication strength."

"The disadvantage of this [shared secret] method is that it is susceptible to man-in-the-middle attacks, where the fraudster successfully impersonates the user and gains access to the shared secret."

PhishCops® v 2.0:
PhishCops® authentication methods rely on the strongest mathematical authentication algorithms in the world.
PhishCops®' authentication algorithms were developed by the National Institute of Standards and Technology (NIST) and the Information Technology Laboratory (ITL) under the authority of the U.S. Department of Commerce.

These unbreakable mathematical algorithms are now the current U.S. standard in algorithmic authentication and are used to protect all sensitive U.S. government data.

There are no stronger authentication algorithms in the world.

Passmark (RSA) SiteKey:
All of SiteKey's credentials, personal information, and images can be "collected" by fraudsters, contrary to FDIC guidelines.
ALL of SiteKey's credentials, from the user's account Login ID and their solicited personal information, to the user's pre-selected "shared secret" image, can be collected by fraudsters.

The FDIC, however, has recommended financial institutions adopt authentication methods which "cannot be collected by fraudsters".

FDIC: "In the last stage [of a phishing attack], collected credentials are used to access the victim's account. Financial institutions can mitigate this threat with a variety of tools to better identify who is accessing the account. This includes authentication methods which cannot be collected by the fraudster."

Source:
FDIC: FDIC Supplemental: Federal Deposit Insurance Corporation, Division of Supervision and Consumer Protection, Technology Supervision Branch, June 17, 2005.

PhishCops® v 2.0:
PhishCops® uses authentication methods which cannot be collected by fraudsters, as per FDIC guidelines.
The PhishCops® virtual token generator itself exists "virtually" as "server-side" programming which cannot be lost or stolen. This "virtual token generator" also produces a unique type of one-time password, generated using unbreakable government-approved mathematics and other uncollectable information, including server date/time information and private cryptographic keys that are not easily "collectible" by fraudsters.
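The practical difference between a static "shared secret" (a pre-selected image or a challenge answer) and a time-bound one-time password is whether a value captured once keeps working. The following added example, which is not Sestus or PhishCops® code and does not claim to reproduce their scheme, uses a generic RFC 6238-style TOTP built on HMAC-SHA-256 (both NIST-standardised primitives) to show that a captured static secret verifies forever while a captured one-time code is rejected once its time window has passed. The key, the image name and the timestamps are constructed for the demo.

```python
"""
Added illustration (not PhishCops® or Sestus code): static shared secret vs.
time-bound HMAC one-time password.  All keys and values below are constructed.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # width of one time window
DIGITS = 8          # code length; 8 digits keeps accidental collisions negligible


def totp(key: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238-style code: HMAC over the time-step counter, dynamically truncated."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation (RFC 4226 style)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_static_secret(stored: str, presented: str) -> bool:
    """SiteKey-style check: the stored value is compared directly, so anything
    that was ever captured is accepted again at any later time."""
    return hmac.compare_digest(stored.encode(), presented.encode())


def verify_totp(key: bytes, presented: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept only codes for the current window and a small
    clock-skew allowance on either side; constant-time comparison throughout."""
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(key, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(candidate, presented):
            return True
    return False


def replay_demo() -> dict:
    """Compare what happens when each kind of credential is captured and
    presented again ten minutes later (constructed scenario)."""
    key = b"constructed-demo-key-not-a-real-secret"   # hypothetical per-user server key
    capture_time = 1_700_000_000                         # constructed Unix timestamp
    image_secret = "blue-teapot"                         # stand-in for a chosen image
    otp = totp(key, capture_time)
    return {
        # static secret: still accepted any time later
        "static_replayed_later": verify_static_secret(image_secret, image_secret),
        # one-time code: accepted inside its window ...
        "otp_at_capture": verify_totp(key, otp, capture_time),
        # ... but rejected when presented 600 s (20 windows) later
        "otp_replayed_10min_later": verify_totp(key, otp, capture_time + 600),
    }


if __name__ == "__main__":
    for name, accepted in replay_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The defender's point is in `verify_totp`: because the server recomputes the code from its own key and clock, the only thing a fraudster can collect from a user is a value that expires within a minute or so, whereas `verify_static_secret` has no notion of time at all.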

 

 

Passmark (RSA) SiteKey:
SiteKey's "shared secret" approach is vulnerable to phishing, pharming, and malware, contrary to FFIEC and FDIC guidelines.
In their August 15, 2006 FAQ Supplement, the FFIEC stated that any considered solution should SPECIFICALLY address the risks of phishing, pharming, and malware.

SiteKey is a "shared secret" approach, using a pre-selected static image and the answers to pre-defined personal questions as its "shared secrets". The FDIC, the FFIEC, and numerous security organizations, including SiteKey itself, have acknowledged, however, that "shared secret" approaches do not address these risks and are vulnerable to man-in-the-middle phishing attacks and malware.

FDIC: "The disadvantage of this method is that it is susceptible to man-in-the-middle attacks, where the fraudster successfully impersonates the user and gains access to the shared secret."

Symantec: "an attacker could outwit this system in the following way..." (describing a man-in-the-middle scenario) "... Another security flaw can arise. If the user has no stored Device ID cookie on his machine, he will be challenged with alternative methods of authentication. These include sending a password through email or answering a predefined question. An attacker could spoof this re-authentication page."

CR-Labs: "The SiteKey anti-phishing system used by Bank of America and other financial institutions is susceptible to a real-time exploit in which an attacker can create a fake web page that includes a victim's correct, secret SiteKey image, text phrase and challenge questions.... Finding 1: SiteKey is susceptible to a real-time, man-in-the-middle attack. An attacker can create a fake web site that looks like a legitimate Bank of America web site, including a victim's correct SiteKey secret image and text phrase."

Passmark Security (SiteKey): Passmark SiteKey CTO, Louie Gasparini, confirmed in a recent interview that a "big hole" in the SiteKey approach was its vulnerability to malware, trojans, viruses or worms. Said Gasparini, "If malware is on your machine, it's much more difficult for everybody."

IT Management News: "The SiteKey system fails... to address the fundamental problem of phishing because it leaves the customer susceptible to the classic 'Man in the Middle' false-storefront attack... the SiteKey approach still relies on the storage of images and so on in your personal records on the merchant's database. Compromise of this data would leave you just as vulnerable as you'd be if your login and password were obtained."

Sources:
FFIEC: Authentication in an Internet Banking Environment (Updated Guidance Letter), October 12, 2005, p. 13.
FDIC: Putting an End to Account-Hijacking Identity Theft, December 14, 2004, p. 27.
CR-Labs: "Fraud Vulnerabilities in SiteKey Security at Bank of America", July 18, 2006.
Symantec Corporation: "Phishing In The Middle Of The Stream" - Today's Threats To Online Banking. From the proceedings of the AVAR 2005 conference.
Baseline Magazine: "Computer Security: Your 5-Step Survival Guide", May 15, 2006.
IT Management News: "PassMark's SiteKey - Answering The Wrong Question", July 26, 2005.

PhishCops® v 2.0:
PhishCops® was specifically designed to mitigate phishing, pharming, and malware, as per FFIEC and FDIC guidelines.
PhishCops® is the ONLY multi-factor authentication solution in the world that is entirely effective against phishing, pharming, and malware.

Indeed, the United States government recognized PhishCops® for its success in this area when it named it a semi-finalist for the 2005 Homeland Security Award for cyber-security.

© 2008 Sestus Data Company   All Rights Reserved. PhishCops® is Patent Pending.

Toll Free Tel. (800) 788-1927
California (San Francisco) Tel. (415) 963-4124    |   New York (Manhattan) Tel. (718) 841-7350