What makes the PhishCops® solution different from other authentication methods?

- PhishCops® is a mathematical solution.

  The PhishCops® Website Authentication Process is a mathematical solution. PhishCops® utilizes unbreakable mathematical algorithms which were developed by the National Institute of Standards and Technology (NIST) and the Information Technology Laboratory (ITL) under the authority of the U.S. Dept. of Commerce. These algorithms are significantly stronger than the 160-bit algorithm used by SSL certificates and most hardware-based token vendors. The same algorithms used by PhishCops® are now the approved method for authenticating sensitive data used by all departments of the U.S. federal government. PhishCops® uses these algorithms in a patent-pending process to generate a "virtual", or hardware-free, two-factor token to authenticate websites. The process cannot be compromised by phishers and is invulnerable to hacking, fraud, and abuse.

  As a result of our breakthrough solution to the problem of phishing and identity theft, the U.S. government recently named PhishCops® a semi-finalist for both the 2005 and 2007 Homeland Security Award. You may read the official press release here.

- PhishCops® mitigates the two root causes of phishing, meeting both of the FFIEC's recommendations.

  On Dec 14, 2004, the U.S. Federal Deposit Insurance Corporation (the FDIC) published a report presenting their findings on how the financial industry and its regulators could mitigate the risks associated with phishing. In this report, the FDIC identified two root causes for the problem of phishing and made recommendations regarding mitigating both. On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) issued an updated guidance letter for banks and financial institutions which echoed the FDIC’s findings and made corresponding recommendations:

  1) Implement strong (2-factor) authentication
  2) Assess the adequacy of such authentication techniques in light of new or changing risks such as phishing...

  (FFIEC Recommendations)

  For a summary of FFIEC and FDIC regulatory requirements, click here.

  Virtually all other anti-phishing approaches fail to satisfy these two FFIEC recommendations. Some approaches look up IP or other domain records and calculate risk. Some rely on databases of blacklisted websites and selectively permit or block access based on company-defined filtering rules (while tracking your browsing habits in the process). Other approaches simply enhance an existing weak login process with multiple layers of images, audio recordings, or other user-supplied information. Strictly speaking, none of these other approaches are actually "authenticating" anything. At best, they are simply adding additional "red tape" to an already weak process using non-standard rules, vulnerable databases and questionable public records. At worst, they may actually be providing phishers with even more confidential user information through their use of user-supplied images, recordings, and other personal information.

  PhishCops® authenticates websites using government-approved authentication algorithms and provides FFIEC recommended two-factor authentication and website authentication in a single integrated solution. PhishCops® does not rely on any database of "blacklisted" phishing websites, obscure filtering rules, hardware devices, software, or potentially fraudulent "whois" and other data records.

  You can compare PhishCops® with other authentication approaches here. For a side-by-side comparison of traditional hardware tokens against PhishCops®, click here.

What is a "Man in the Middle" Phishing Attack?

"Man in the Middle" phishing attacks, also called "Pass Through" phishing attacks, occur when a phisher captures the authentication credentials on a phishing website, passes them to the authentic website while the victim waits, then returns the shared secret produced by the authentic website back to the victim. Although rare and difficult to implement, these types of phishing attacks are extremely difficult to prevent since the authentic website is designed to produce a valid shared secret which the phisher can intercept and pass on to the victim.

Often, the phisher discovers the shared secret simply by testing stolen emails and other user-identifiable information against the target webpage itself. This is what makes traditional shared secret solutions especially vulnerable to man-in-the-middle attacks; the shared secret is directly associated with identifiable user information, such as an email address, user names, or account IDs. The phisher is then able to use this information to contact specific, identifiable victims by email or other means.

The PhishCops® Website Authentication process is resistant to "man-in-the-middle" attacks and malware.

What stops a fraudster from creating a fake bank login page and just replicating your process to trick consumers?

Nothing, but there is no amount of information which a fraudster can trick their victim into disclosing that will permit the fraudster to access the victim's account.

What happens if a fraudster steals a user's login ID and password?

Nothing. Fraudsters can steal all the credentials they wish but it will not permit them to access the account. Fraudsters cannot access the account using stolen credentials ("something the user knows") unless they are ALSO in possession of the user's enrolled device ("something the user has"). This is the nature of TRUE multi-factor authentication.