For a Regulatory Compliance comparison, click here. For a Fraud Attack Vector comparison, click here. For costs, strength vs. ease of use, and information disclosure vs. customer acceptance comparison, click here.
"Users must be aware that at today's level of delivered products, private data can be accessed from USB keys without having legitimate credentials. If a user loses their USB key, all data should be considered to have been potentially compromised" - Source: Attacks on and Countermeasures for USB Hardware Token Devices, Proceedings of the Fifth Nordic Workshop on Secure IT Systems Encouraging Co-operation, Reykjavik, Iceland, October 12-13, 2000, pp 35-57, ISBN 99799483-0-2
Physical (USB & other hardware) Tokens vs. PhishCops® (Virtual) Tokens

Each point below pairs the physical-token column with the PhishCops® column of the original comparison table.

Physical tokens: Difficult to Support. Physical tokens are hardware devices which must be purchased, configured, delivered, and supported.
PhishCops® tokens: Easy to Support. PhishCops® tokens are "virtual" token devices executed from/on a webserver. There is no hardware or software to purchase, configure, deliver, or support.

Physical tokens: Uses Older (Compromised) Algorithms. Many physical token devices are built on the aging 160-bit "OATH" standard, using the SHA-1 algorithm, which has recently been "broken" by mathematicians and is no longer secure. For additional information on the vulnerability of SHA-1, click here.
PhishCops® tokens: Uses Recommended U.S. Standard. PhishCops® utilizes the "next generation" SHA-256 algorithm, which remains unbroken and was approved by the U.S. Department of Commerce in 2002 for use by all U.S. federal government agencies.

Physical tokens: Future Upgrades/Device Replacement Needed to Bring Them up to Recommended U.S. Standard. Because of the vulnerability of the "OATH" standard's underlying SHA-1 algorithm (see above), the National Institute of Standards and Technology (NIST), a government standards body which advises the FDIC and the FFIEC, has called for all regulatory departments and commercial security technology firms to migrate from the 160-bit SHA-1 to algorithms such as SHA-256 by 2010.
PhishCops® tokens: Already Using Recommended U.S. Standard. PhishCops® is already there.

Physical tokens: Incapable of FFIEC Recommended Mutual Authentication. In addition to two-factor authentication, the FFIEC has recommended that financial institutions also perform mutual (website to user) authentication, stating "Currently, most financial institutions do not authenticate their web sites to the customer before collecting sensitive information. One reason phishing attacks are successful is that unsuspecting customers cannot determine they are being directed to spoofed web sites during the collection stage of an attack. The spoofed sites are so well constructed that casual users cannot tell they are not legitimate. Financial institutions can aid customers in differentiating legitimate sites from spoofed sites by authenticating their Web site to the customer". Hardware tokens do not authenticate websites to users; they authenticate users to websites only.
PhishCops® tokens: Performs FFIEC Recommended Mutual Authentication. As recommended by the FFIEC and the FDIC, PhishCops® prevents phishing by authenticating websites to users (mutual authentication) while simultaneously authenticating users to the website (two-factor authentication).

Physical tokens: Account Downtime. Physical token devices can be lost, stolen, get 'out of sync', or stop working. When this occurs, they must be replaced, and during that time the user cannot easily access their account.
PhishCops® tokens: No Account Downtime. PhishCops® Virtual Token devices cannot be lost or stolen, so users experience no account downtime.

Physical tokens: Unpopular with Users. Typically, physical token devices are usable at only the specified website. This results in an unpopular "necklacing" effect, i.e., users being required to carry multiple token devices for use at multiple websites. The research firm Gartner conducted a survey and found that devices like the RSA token are unpopular with consumers.
PhishCops® tokens: Nothing for Users to Carry. With PhishCops®, there is nothing for the user to carry.

Physical tokens: Vulnerable to Man-in-the-middle Attacks. Because physical tokens are physically 'disconnected' from the internet, they are vulnerable to simple man-in-the-middle attacks in which phishers trick token owners into divulging their token device values and then re-enter these stolen values on the genuine website. Nordea Bank's experience shows one example of this vulnerability. Other well-known financial institutions using hardware tokens have also recently been compromised in this way.
PhishCops® tokens: Resistant to Man-in-the-middle Attacks and even Malware! PhishCops® Virtual Tokens are executed from/on a webserver that retrieves mathematic key data from the member's device using only native browser functionality. Without the appropriate mathematic key retrieved from the member's device, a valid token response cannot be generated. This alone eliminates man-in-the-middle attacks. Also, since each key is mathematically authenticated against its device, even if a fraudster manages to steal the keys using malware (much more difficult to accomplish than launching a successful man-in-the-middle attack), the fraudster cannot use the stolen keys from their own (different) computer. The keys will only work if supplied from identical devices. As a result, the PhishCops® keys are the only keys in the world that are actually resistant to malware!

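The following Python block is an added example; it is not PhishCops® code nor any token vendor's firmware. It implements the OATH HOTP algorithm from RFC 4226 with the MAC digest left as a parameter, so the 160-bit HMAC-SHA-1 construction referred to in the "Uses Older (Compromised) Algorithms" point can be run side by side with an HMAC-SHA-256 variant (RFC 6238 permits SHA-256 for TOTP). It then models the man-in-the-middle scenario described above with a minimal server-side verifier: a one-time code phished from a disconnected token is accepted from whoever submits it to the genuine site first, because nothing in the code binds it to the customer's session, and single-use counter tracking only ensures the code cannot be used a second time. The secrets are the published RFC 4226 / RFC 6238 test vectors, not real seeds; the `HotpVerifier` class, its window size and the two demo functions are this example's own constructions. One caveat the page does not state: the collision results against SHA-1 do not break HMAC-SHA-1 as used in HOTP, so the migration argument is about remaining security margin rather than a present break of the tokens.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP as specified in RFC 4226: HMAC over the 8-byte big-endian counter,
    then "dynamic truncation" to a 31-bit integer reduced modulo 10**digits.
    RFC 4226 fixes the MAC to HMAC-SHA-1; RFC 6238 (TOTP) also allows SHA-256
    and SHA-512, so the digest is a parameter here."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last MAC byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Minimal server-side verifier (constructed for this example): accepts the
    next `window` counter values, so a token that was clicked a few times without
    logging in stays usable, and never accepts a counter twice, which makes every
    code single-use."""

    def __init__(self, secret: bytes, window: int = 5, digestmod=hashlib.sha1):
        self.secret = secret
        self.window = window
        self.digestmod = digestmod
        self.next_counter = 0          # lowest counter the server will still accept

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            expected = hotp(self.secret, c, digestmod=self.digestmod)
            if hmac.compare_digest(expected, code):
                self.next_counter = c + 1   # consume this counter and all earlier ones
                return True
        return False


# Published RFC 4226 / RFC 6238 test secrets (test vectors, not real seeds).
RFC4226_SECRET = b"12345678901234567890"
RFC6238_SHA256_SECRET = b"12345678901234567890123456789012"


def relayed_code_demo() -> tuple:
    """Models the man-in-the-middle scenario from the text: the customer reads a
    code from a disconnected token and types it into a spoofed page; the phisher
    submits that same code to the genuine site first.
    Returns (phisher_accepted, customer_accepted)."""
    server = HotpVerifier(RFC4226_SECRET)
    token_counter = 0
    phished_code = hotp(RFC4226_SECRET, token_counter)   # the value the customer typed
    phisher_accepted = server.verify(phished_code)       # server cannot tell who sent it
    customer_accepted = server.verify(phished_code)      # replay: counter already consumed
    return phisher_accepted, customer_accepted


def out_of_sync_demo() -> tuple:
    """Shows what the look-ahead window covers: a token advanced three counters
    ahead resyncs automatically, one advanced far past the window does not and
    would need a manual resync (the 'out of sync' downtime case above)."""
    server = HotpVerifier(RFC4226_SECRET, window=5)
    within_window = server.verify(hotp(RFC4226_SECRET, 3))    # accepted, next_counter -> 4
    beyond_window = server.verify(hotp(RFC4226_SECRET, 40))   # rejected, outside window
    return within_window, beyond_window


if __name__ == "__main__":
    print("HOTP-SHA1, counter 0:", hotp(RFC4226_SECRET, 0))                                     # 755224
    print("HOTP-SHA256, counter 1, 8 digits:", hotp(RFC6238_SHA256_SECRET, 1, 8, hashlib.sha256))  # 46119246
    print("relay demo (phisher, customer):", relayed_code_demo())                               # (True, False)
    print("resync demo (within, beyond):", out_of_sync_demo())                                  # (True, False)
```

The verifier shows the limit of one-time codes on their own: single-use tracking stops the phisher from using the code a second time, but it cannot reject the first submission, because a bare OTP carries no information about which session or origin it was typed into. That is why the FFIEC point above asks for authentication of the site to the customer in addition to the second factor.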
Physical tokens: Expensive. Physical token devices are among the most expensive authentication solutions.
PhishCops® tokens: Affordable. PhishCops® is affordable.

Physical tokens: Difficult to Implement - Additional Hardware and Software Required. Integrating a physical token solution with a website often requires modification and configuration of existing website processes and usually the purchase of additional servers and related software.
PhishCops® tokens: Easy to Implement - NO Additional Hardware and Software Required. PhishCops® can be implemented swiftly, using simple "copy and paste" actions that any webmaster can perform. No additional server hardware or software is required, and users are not required to carry any hardware nor download any software.

Physical tokens: Vulnerable to Phishing Attacks - APWG. According to the Anti-Phishing Working Group, physical tokens "are vulnerable to phishing attacks…"
PhishCops® tokens: Significant Advantages - APWG. According to the Anti-Phishing Working Group, the virtual token concept is "a valid approach, and has significant cost and usability advantages when compared with hardware-based second-factor authentication."

Physical tokens: Physical Token Approach has Already Been Defeated. Nordea Bank's recent experience shows one example of how fraudsters have defeated physical authentication approaches. Many other well-known financial institutions using hardware tokens have also been compromised.
PhishCops® tokens: PhishCops® has Never Been Defeated. For its unbreakable approach to cyber-security, the U.S. government has named PhishCops® a semi-finalist for both the 2005 and 2007 Homeland Security Award.