How Does PhishCops® Work?

 

How does PhishCops® work?

 

 

 

 

 

 

Welcome!

 


This page presents a general introduction to PhishCops®, describes its history, its government-approved multi-factor authentication methods, and assists with learning how PhishCops® solves many of the problems that have plagued other authentication approaches.

This page does not address general business questions related to licensing, pricing, implementation, or support. If you are a prospective PhishCops® customer and would like more information about PhishCops®, please contact us here. We will arrange a live WebEx™ presentation during which we will explain the PhishCops® technology in detail and answer any licensing, pricing, implementation, or support questions.

If you would like to experience PhishCops® from a user's perspective, try our live demo here.

 


Due to the volume of material presented on this page, we have organized this page into chapters.

 

 

 

Product Summary

 

How Does PhishCops® Work?

 

 

User's Device Enrollment

 

 

User's Authentication Process

 

A New Approach: the History of PhishCops®

 

Multi-factor Authentication Defined

 

 

Challenge Question / Response = NOT multi-factor authentication

 

Understanding Authentication Vulnerabilities

 

 

Geo-Location

 

 

Risk Scoring

 

 

Challenge / Response  (Shared Secrets)

 

 

Hardware Tokens & Software Certificates

 

 

Telephone-Based Authentication

 

 

Biometrics (including biometric-keystroke authentication)

 

 

 

 

Product Summary
PhishCops® is a cryptographic multi-factor authentication process, also described as a "virtual token" system. PhishCops® is a true multi-factor approach as recommended by the FDIC and the FFIEC. PhishCops® complies with section 8.3 of the PCI Data Security Standard and it satisfies U.S. "Level 3" multi-factor authentication requirements as specified in NIST Special Publication 800-63. PhishCops® is the strongest multi-factor authentication in the world and is based on government-approved authentication standards. PhishCops® is extremely easy to deploy and it has the lowest support costs of any multi-factor authentication product. There is no hardware to purchase or ship, no software or active-x objects to install, no javascripting requirements, and no certificates to manage.  PhishCops® is 100% cross-browser, cross-device compatible.  For its breakthrough in cyber security, the U.S. government has twice named PhishCops® a semi-finalist for both the Homeland Security Award.

After authenticating “something the user knows” (the user's login ID and password), PhishCops® cryptographically authenticates “something the user has” (a key retrieved from the user's connected device, authenticated against the device itself). Following this multi-factor authentication, PhishCops® produces and validates a one-time use, time expiring "virtual" token number (a cryptographic "nonce") unique to the authenticating device.

With traditional hardware token authentication systems, users are issued costly hardware token devices which contain contain a microchip and stored programming code. These distributed hardware token devices must be synchronized with the authenticating server and are designed to produce a one-time use time expiring value.

PhishCops® is a hardware token process but the hardware it uses is the hardware the user already has (their connected device). Traditional hardware token devices process internal cryptographic keys to produce their token values. PhishCops®, however, distributes only the cryptographic key to the user's EXISTING device, leaving the processing tasks to be performed by the organization's webserver. This eliminates the need for an organization to distribute additional hardware to their users. The organization's webserver provides the processing 'muscle', producing a time-expiring one time use "virtual token" value from the user's retrieved key. The keys and virtual token values are also cryptographically authenticated against the user's connected device, making PhishCops® the first product in the world which offers any resistance to malware, keylogging trojans, or man-in-the-middle attacks.

So, PhishCops® IS a hardware token approach, but no hardware tokens must be purchased or distributed to users. The hardware is the user's computer, PDA, or web-enabled phone. No software must be deployed by users and the process uses only native browser functionality supported by all operating systems and devices with no special configuration required.

PhishCops®, its underlying Hash Authentication Standard-Device Localized (HASDL) process, and the "virtual token" concept are protected by U.S. and international patent and copyright. PhishCops® may not be employed, replicated, or used in any other process or product without the express written permission of Sestus Data Company.

Top

How Does PhishCops® Work?

 

  User's Device Enrollment

 

  1. Users enter their existing login and password on the organization's existing web page. These "something the user knows" credentials are authenticated using whatever method is currently used by the organization (i.e. database verification, active directory verification, etc). PhishCops® does not impact or interfere with the organization's current credential validation process.
     
  2. After the user's login credentials are validated by the organization, the user is redirected to a page on the organization's servers where they are permitted to enter a “name” for their device, such as “work computer”, "PDA", “laptop”, "iPhone", etc. They may also (optionally) enter an email and/or telephone number associated with this device. At this time, the connected device's 'fingerprint' is analyzed and, from this fingerprint, a key is cryptographically produced and stored on the device using normal browser functionality (no software or activeX objects are installed by the user).
     
  3. After the user 'names' their device, they are prompted to bookmark the page (create a favorite link).

 

That's it!

Users do not supply any personal information, upload any pictures, or register any new challenge questions. Users do not configure any browser settings, install any software, nor are they required to remember ANY new credentials.

After the first device has been enrolled, all subsequent devices are enrolled via an out-of-band process. This restricts device enrollment to only the account owner.  Devices are enrolled only once.  Once the device has been enrolled, the user never needs to check their out-of-band email or telephone again to authenticate using the device. Note: If the organization wishes, the first device may also be enrolled via an out-of-band process.

 

To experience a live demo of PhishCops® from a user's perspective, click here.

 
Top

  User's Authentication Process

 

  1. Users enter their existing login and password on the organization's existing web page. These "something the user knows" credentials are authenticated using whatever method is currently used by the organization (i.e. database verification, active directory verification, etc). PhishCops® does not impact or interfere with the organization's current credential validation process.
     
  2. After the user's login credentials are validated by the organization, the user's device is cryptographically authenticated. First a key is retrieved from the user's device using normal browser functionality (no software or activeX objects are installed by the user). This key is then authenticated against the connected device itself.
     
  3. Then, a 6-digit virtual token value is produced ( using the connected device's retrieved key and other device elements).  This 'virtual token' is displayed to the user, who enters the token to continue.

 

That's it!

There are no challenge questions to answer, no pass phrases or credentials to remember, no software to install, and no hardware to carry.

Since the virtual token is produced using the connected device's key and other device elements, it is resistant to malware. This virtual token value is a one-time use, time-expiring value, designed to prevent replay attacks by introducing a random value into the login process.

With traditional hardware token authentication, a key is retrieved from the hardware token device and, using this key, a random number is produced.

PhishCops® also retrieves a key from a hardware device (the user's connected computer, PDA, iPhone, etc.) and produces a random number.   Unlike traditional hardware token authentication, however, PhishCops® uses only government-approved authentication standards to produce its keys and token numbers.  Also, since we retrieve the key from the user's existing device, no new hardware must be purchased or distributed. As a result, PhishCops® is mathematically stronger than traditional hardware tokens, is considerably more affordable, and is much easier to implement and support.

 

To experience a live demo of PhishCops® from a user's perspective, click here.

 

Top

A New Approach: the History of PhishCops®

 

PhishCops® is a new approach in authentication. Although PhishCops® is easy for users to use, and easy for an organization to implement, behind the scenes PhishCops® uses an extremely powerful and cutting-edge multi-factor authentication process (HASDL), employing the latest in government-approved mathematic and cryptographic algorithms, and revolutionary authentication concepts.

Preamble
By 1996, the internet had grown to become a global communication medium. E-commerce giants like eBay and Amazon.com were making headlines and the "dot.com" boom was booming. As more and more financial transactions began to be transacted over the internet, the U.S. government began to grow alarmed at the corresponding growth in online fraud and in the growing weakness of traditional authentication methods. Virtually the only online security protocol available to internet-based companies was an aging 160-bit SHA encryption algorithm that powered hardware tokens and SSL certificates. As computing power increased, mathematicians around the globe were reporting they were close to "cracking the code" of this SHA-1 algorithm. Logins and passwords were proving vulnerable to new fraud attacks (such as phishing) and government analysts were growing concerned about the inability of either hardware tokens or certificates to withstand these attacks.

1996
In 1996, the U.S government took up the challenge of reforming online security. Pursuant to Section 5131 of the Information Technology Management Reform Act of 1996, the U.S. Department of Commerce commissioned the National Institute of Standards and Technology (NIST) and the Information Technology laboratory (ITL) to develop several new authentication standards.

1997
February 1997, PKI authentication concepts introduced by the NIST and approved by the U.S. Secretary of Commerce.

2002
March 2002, HMAC authentication concepts introduced by the NIST and approved by the U.S. Secretary of Commerce.

Aug 2002: Under the authority of the U.S. Dept of Commerce, the National Institute of Standards and Technology (NIST) and the Information Technology Laboratory (ITL) introduce a series of new Secure Hash Standard (SHS) mathematic authentication algorithms .  

2003
Feb 2003: These new algorithms are adopted as the current U.S. Authentication standard.

May 2003: Sestus Data Company initiates a year-long research study to find ways to apply these newly-introduced authentication concepts to the modern challenges of phishing and online identity theft.

2004
Oct 2004: A new multi-factor authentication approach (utilizing elements from SHS, HMAC, PKI, and other proprietary processes) is introduced by Sestus Data Company as the Hash Authentication Standard - Device Localized (HASDL).  A proof-of-concept for a commercial product based on this standard is successfully completed and dubbed "PhishCops®".

Dec 2004: The FDIC publishes regulatory guidelines recommending the use of multi-factor authentication. In this same publication, the FDIC repeatedly warn against the use of authentication methods that solicit personal information from consumers.

2005
Feb 2005: A live implementation of PhishCops® is successfully tested.

Throughout 2005, PhishCops is refined through a series of technical trials and focus groups facilitated by internet "backbone" companies and industry leading financial organizations, including a 9-month technical trial conducted by one of the “big four” credit card companies. No faults or compromise techniques are evidenced.

Mar 2005: The (older) SHA1 algorithm powering SSL and hardware tokens is broken by Chinese mathematicians. All U.S. government agencies and numerous commercial organizations announce plans to abandon SHA1 and convert to the new standards by 2010.  PhishCops® is already there.

Jun 2005: In recognition of our breakthrough in multi-factor authentication, the United States government names PhishCops a semi-finalist for the 2005 Homeland Security Award for "making a measurable and constructive contribution related to basic and/or advanced research in the area of homeland security which will result in a significant and positive benefit to society".

Dec 2005: InfoWorld Magazine awards PhishCops its highest honor, the InfoWorld 100 Award for the "best use of technology to meet business goals".  

2006
Mar 2006: PhishCops®