Notice: This webpage is intended to educate technical specialists, webmasters, and security professionals within financial institutions about PhishCops® Virtual Tokens. For a detailed side-by-side comparison of traditional hardware tokens against PhishCops®, click here.  Note: The virtual token concept is patent pending and may not be used or replicated in any fashion without the express written permission of Sestus Data Company.
 

The Token Concept - Traditional and Virtual

Traditional Hardware Tokens

The traditional hardware token concept has three distinct parts:

1. An unique PKI hash key (based on the SHA1 algorithm, also called the OATH standard), which is processed by
    
2. an internal microprocessor, to produce
    
3. a one-time use, time expiring, random number for authentication purposes.
   
    


Inside the traditional hardware token

 

Virtual Tokens

The virtual token concept has these same three parts, but with some significant improvements that result in NO HARDWARE OR SOFTWARE distributed to the end-user:

1. An unique PKI hash key... (Improvement: This PKI key is now based on the SHA256 algorithm, which replaced the compromised SHA1/OATH algorithm in 2005 as the current U.S. authentication standard.  Using our patent-pending process, this key has also been cryptographically 'localized' for the connected device, frustrating malware)
   
   ...which is processed by
    
2. a microprocessor... (Improvement: This job is now performed by your existing webserver, whose own microprocessor now provides the processing 'muscle', eliminating the need to distribute separate costly hardware to each user)
   
   ... to produce
    
3. a one-time use, time expiring, random number for authentication purposes (Improvement: This number has now been 'localized' for the connected device, frustrating man-in-the-middle attacks).
    

The Virtual Token concept
 

Virtual Token Advantages

The advantages of the virtual token concept over traditional hardware tokens and other authentication systems are numerous.

• Authentication Strength:  Since PhishCops® is based on the SHA-256 algorithm, instead of the now-compromised SHA-1 algorithm, the process is based on the current approved authentication standards and the produced hash keys and token numbers cannot be mathematically predicted, even with computer assistance.
   
• Cost Reduction: Since no additional hardware must be purchased or distributed, the (very significant) costs associated with a traditional hardware token process have been eliminated.  No hardware must be purchased for users, there is nothing to ship, and, since the concept utilizes the organization's existing web server to perform the processing "muscle", no additional servers must be purchased or installed by the organization. On the average, PhishCops® costs are 1/50th of that of a traditional hardware token system.
   
• User Acceptance: Users are permitted to use their existing computers, web-enabled telephones, and other devices.  These devices are already familiar to users and users are not required to carry any additional hardware on their keychains, nor look for their token  device when they wish to login. The research firm Gartner conducted a survey and found that traditional hardware token devices are unpopular with consumers.  By contrast, a (soon to be published) Credit Union Journal study found that PhishCops® had the lowest support costs and the greatest user acceptance levels of any authentication product.
   
• Man-in-the-middle Attack Protection: With traditional hardware tokens, fraudsters do not need to steal the actual token devices to compromise a user's account. They only need to convince the user to disclose their token number to the fraudster'sr fictitious website and then pass these values on to the genuine websites to access the accounts. This type of "man-in-the-middle attack" has already been experienced by Citibank, Nordea Bank, and other organizations who have deployed hardware tokens to their members¹. By contrast, the keys and token numbers produced by the PhishCops® virtual token process have been "localized" to the user's specific device, eliminating their use by fraudsters who would be supplying these stolen values from their own (different) devices.
   
• Regulatory Multi-Factor Authentication Compliance: Unlike challenge question and secret image systems, PhishCops® satisfies FFIEC & FDIC Regulatory multi-factor authentication requirements.  PhishCops® authenticates the user's supplied credentials ("something the user knows") AND the user's connected device ("something the user has").
   
• Regulatory Mutual Authentication Compliance:  Traditionally, mutual authentication has been based on mathematics and cryptographic processes that operated "without user interaction". It has only been recently, with the introduction of weak "secret image" based systems, that many organizations have begun to associate mutual authentication with on-screen images. While on-screen images are a form of mutual authentication, they represent the weakest form. Fraudsters can (and do) replicate on-screen images and other information with shocking ease. On-screen images "provide little extra protection" and "might actually detract from security by giving users a false sense of confidence". (Quoted from the New York Times article on a recent MIT / Hardware University study of "site-authentication images").
  
  PhishCops®, however, uses the more traditional and vastly stronger mathematic form of mutual authentication. The Website is mathematically authenticated to the user and the user’s device is mathematically authenticated to the website "without user interaction". Only the genuine website can produce a valid virtual token number, which will only validate when entered from the genuine user’s internet device.
   
• Privacy of User Information: Unlike challenge question and secret image systems, PhishCops® never solicits any user information. Because no user information is used in the virtual token generation and validation process, user information becomes useless to fraudsters as a means of compromising the user's account. It doesn't matter if fraudsters replicate the website precisely and convince the user to divulge every piece of information they can think of.  There is no amount of information that a user can divulge to the fraudster that will allow the fraudster to access the user's account.
  
  1. Business Report, “Swedish bank closes phishing hole”, Oct 4, 2005
      Bank Systems & Technology, “Phishers Beat Citi’s Two-Factor Authentication”, July 18, 2006.
      ComputerWorld, “Phishers edge past banks' strong authentication”, July 14, 2006.

SUMMARY:
Traditional hardware tokens were designed to solve the problems of an earlier era.  In today's internet climate, with man-in-the-middle attacks, phishing, malware, vishing, pharming, and botnet attacks, they are simply outdated.

PhishCops® represents the very latest in online security.  PhishCops® is simply stronger, more afforable, more user-friendly, and more secure than traditional hardware tokens. For a detailed side-by-side comparison of hardware tokens to PhishCops®, click here.