Headline News: Multi-Factor authentication alone cannot stop phishing. To stop phishing, Website Authentication is also
In their December 14, 2004 study, the FDIC identified the lack of "website authentication" as one of the two root causes of phishing. In their guidance letter dated October 12, 2005, the FFIEC echoed this finding, stating "Currently, most financial institutions do not authenticate their web sites to the customer before collecting sensitive information. One reason phishing attacks are successful is that unsuspecting customers cannot determine they are being directed to spoofed web sites". Read a summary of FFIEC and FDIC regulator recommendations here.
To stop phishing, "website authentication" must be combined with strong "2-factor authentication". PhishCops® supplies both in a single integrated solution. For a side-by-side comparison of hardware tokens and PhishCops™, click here. The following is a collection of recent news stories and expert opinions which illustrate the failure of 2-factor authentication methods to stop phishing without website authentication.
Two-factor authentication won't stop ID theft - CNET News "People are selling two-factor authentication as the solution to our current identity-theft problems, but it was designed to solve the issues from 10 years ago." The well-known encryption expert, who has authored books on information security and terrorism, argued in a posting to his blog that e-commerce companies and security providers need to think more deeply about what two-factor authentication can solve. "It's not going to prevent identity theft," he wrote. "It's not going to secure online accounts from fraudulent transactions."
International Biometric Industry Association Letter to the NIST (Referring to traditional hardware tokens) "IBIA believes that tokens, passwords, and PKI are not true and valid methods of “personal” authentication...IBIA does not agree that combining a token with a password offers “good” two-factor authentication...IBIA has serious concerns about NIST’s overwhelming reliance on passwords, PKI, and tokens. To reiterate, combining a token with a password has the advantage of creating two factor authentication, but it cannot be called “good” for the simple reason that passwords and tokens are eminently stealable... In IBIA’s view, the statement “tokens for proving identity” is wrong. Tokens can prove that a person holds a valid access tool, but tokens cannot prove that person’s identity."
A New Key to Fighting Identity Theft - The Washington Post (Referring to traditional hardware tokens) "research firm Gartner conducted a survey and found that devices like the RSA token are unpopular with consumers -- even the ones who say they want more security options. What's more, they might not be offering the right kind of protection. Avivah Litan, a fraud analyst at Gartner, said these tokens mainly offer a "placebo effect" to users who want to feel more secure."