Frequently Asked Questions



What makes the PhishCops® solution different from other authentication methods?

  • PhishCops® is a mathematical solution.
    The PhishCops® Website Authentication Process is a mathematical solution. PhishCops® utilizes unbreakable mathematical algorithms which were developed by the National Institute of Standards and Technology (NIST) and the Information Technology Laboratory (ITL) under the authority of the U.S. Dept. of Commerce. These algorithms are significantly stronger than the 160-bit algorithm used by SSL certificates and most hardware-based token vendors. The same algorithms used by PhishCops® are now the approved method for authenticating sensitive data used by all departments of the U.S. federal government. PhishCops® uses these algorithms in a patent-pending process to generate a "virtual", or hardware-free, two-factor token to authenticate websites. The process cannot be compromised by phishers and is invulnerable to hacking, fraud, and abuse.

    As a result of our breakthrough solution to the problem of phishing and identity theft, the U.S. government recently named PhishCops® a semi-finalist for both the 2005 and 2007 Homeland Security Award. You may read the official press release here.

  • PhishCops® Mitigates the Two Root Causes of Phishing, meeting both of the FFIEC's recommendations.
    On Dec 14, 2004, the U.S. Federal Deposit Insurance Corporation (the FDIC) published a report presenting their findings on how the financial industry and its regulators could mitigate the risks associated with Phishing. In this report, the FDIC identified two root causes for the problem of phishing and made recommendations regarding mitigating both. On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) issued an updated guidance letter for banks and financial institutions which echoed the FDIC’s findings and made corresponding recommendations:

    1) Implement strong (2-factor) authentication
    2) Assess the adequacy of such authentication techniques in light of new or changing risks such as phishing...

    (FFIEC Recommendations)

For a summary of FFIEC and FDIC regulatory requirements, click here.

Virtually all other anti-phishing approaches fail to satisfy these two FFIEC recommendations. Some approaches look up IP or other domain records and calculate risk. Some rely on databases of blacklisted websites and selectively permit or block access based on company-defined filtering rules (while tracking your browsing habits in the process). Other approaches simply enhance an existing weak login process with multiple layers of images, audio recordings, or other user-supplied information. Strictly speaking, none of these other approaches are actually "authenticating" anything. At best, they are simply adding additional "red tape" to an already weak process using non-standard rules, vulnerable databases and questionable public records. At worst, they may actually be providing phishers with even more confidential user information through their use of user-supplied images, recordings, and other personal information.

PhishCops® authenticates websites using government-approved authentication algorithms and provides FFIEC-recommended two-factor authentication and website authentication in a single integrated solution. PhishCops® does not rely on any database of "blacklisted" phishing websites, obscure filtering rules, hardware devices, software, or potentially fraudulent "whois" and other data records.

You can compare PhishCops® with other authentication approaches here.
For a side-by-side comparison of traditional hardware tokens against PhishCops®, click here.

What is a "Man in the Middle" Phishing Attack?
"Man in the Middle" phishing attacks, also called "Pass Through" phishing attacks, occur when a phisher captures the authentication credentials on a phishing website, passes them to the authentic website while the victim waits, then returns the shared secret produced by the authentic website back to the victim. Although rare and difficult to implement, these types of phishing attacks are extremely difficult to prevent since the authentic website is designed to produce a valid shared secret which the phisher can intercept and pass on to the victim.

Often, the phisher discovers the shared secret simply by testing stolen emails and other user-identifiable information against the target webpage itself. This is what makes traditional shared secret solutions especially vulnerable to man-in-the-middle attacks; the shared secret is directly associated with identifiable user information, such as an email address, user names, or account IDs. The phisher is then able to use this information to contact specific, identifiable victims by email or other means.

The PhishCops® Website Authentication process is resistant to "man-in-the-middle" attacks and malware.

What stops a fraudster from creating a fake bank login page and just replicating your process to trick consumers?
Nothing, but there is no amount of information which a fraudster can trick their victim into disclosing that will permit the fraudster to access the victim's account.

What happens if a fraudster steals a user's login ID and password?
Nothing. Fraudsters can steal all the credentials they wish but it will not permit them to access the account. Fraudsters cannot access the account using stolen credentials ("something the user knows") unless they are ALSO in possession of the user's enrolled device ("something the user has"). This is the nature of TRUE multi-factor authentication.






© 2008 Sestus Data Company   All Rights Reserved. PhishCops® is Patent Pending.