Mutual Authentication is Required


How does PhishCops® work?






Headline News: Mutual Authentication is Required





Multi-Factor authentication alone cannot stop phishing.
To stop phishing, Website Authentication is also required.

In their December 14, 2004 study, the FDIC identified the lack of "website authentication" as one of the two root causes of phishing. In their guidance letter dated October 12, 2005, the FFIEC echoed this finding, stating "Currently, most financial institutions do not authenticate their web sites to the customer before collecting sensitive information. One reason phishing attacks are successful is that unsuspecting customers cannot determine they are being directed to spoofed web sites".

To stop phishing, "website authentication" must be combined with strong "2-factor authentication".  PhishCops® supplies both in a single integrated solution.

The following is a collection of recent news stories and expert opinions which illustrate the failure of 2-factor authentication methods to stop phishing without website authentication.



Two-factor authentication won't stop ID theft - CNET News
"People are selling two-factor authentication as the solution to our current identity-theft problems, but it was designed to solve the issues from 10 years ago." The well-known encryption expert, who has authored books on information security and terrorism, argued in a posting to his blog that e-commerce companies and security providers need to think more deeply about what two-factor authentication can solve. "It's not going to prevent identity theft," he wrote. "It's not going to secure online accounts from fraudulent transactions."



Hackers crack two-factor security - VNUNET News
"IT experts warned today that, contrary to popular belief, two-factor authentication is not secure enough to curb internet banking fraud."



Anti-Phishing Working Group Department of Homeland Security Report
(Referring to traditional hardware tokens)   "..they are vulnerable to phishing attacks…"



International Biometric Industry Association Letter to the NIST
(Referring to traditional hardware tokens)   "IBIA believes that tokens, passwords, and PKI are not true and valid methods of “personal” authentication...IBIA does not agree that combining a token with a password offers “good” two-factor authentication...IBIA has serious concerns about NIST’s overwhelming reliance on passwords, PKI, and tokens. To reiterate, combining a token with a password has the advantage of creating two factor authentication, but it cannot be called “good” for the simple reason that passwords and tokens are eminently stealable... In IBIA’s view, the statement “tokens for proving identity” is wrong. Tokens can prove that a person holds a valid access tool, but tokens cannot prove that person’s identity."



ETrade to deploy RSA tokens - but does it stop phishing? by Nick Owen, CEO WikID
"using two-factor alone doesn't stop phishing"



Scandinavian Attack Against Two-Factor Authentication - Schneier on Security
"Two-factor authentication won't stop identity theft, because identity theft is not an authentication problem. It's a transaction-security problem."



A New Key to Fighting Identity Theft - The Washington Post
(Referring to traditional hardware tokens) "research firm Gartner conducted a survey and found that devices like the RSA token are unpopular with consumers -- even the ones who say they want more security options. What's more, they might not be offering the right kind of protection. Avivah Litan, a fraud analyst at Gartner, said these tokens mainly offer a "placebo effect" to users who want to feel more secure."



Hackers can beat security tokens -
"Two-factor authentication doesn't solve anything. It won't work for remote authentication over the internet"







© 2008 Sestus Data Company   All Rights Reserved. PhishCops® is Patent Pending.

Toll Free Tel. (800) 788-1927
California (San Francisco) Tel. (415) 963-4124    |   New York (Manhattan) Tel. (718) 841-7350