Hardware Tokens vs. PhishCops®
Compare Hardware Tokens to PhishCops®
For a Regulatory Compliance comparison, click here.
For a Fraud Attack Vector comparison, click here.
For costs, strength vs. ease of use, and information disclosure vs. customer acceptance comparison, click here.

"Users must be aware that at today's level of delivered products, private data can be accessed from USB keys without having legitimate credentials. If a user loses their USB key, all data should be considered to have been potentially compromised"  -  Source: Attacks on and Countermeasures for USB Hardware Token Devices, Proceedings of the Fifth Nordic Workshop on Secure IT Systems Encouraging Co-operation, Reykjavik, Iceland, October 12-13, 2000, pp 35-57, ISBN 99799483-0-2

Physical (USB & other hardware) Tokens vs. PhishCops® (Virtual) Tokens

Difficult to Support
Physical tokens are hardware devices which must be purchased, configured, delivered, and supported.

Easy to Support
PhishCops® tokens are "virtual" token devices executed from/on a webserver. There is no hardware or software to purchase, configure, deliver, or support.

Uses Older (Compromised) Algorithms
Many physical token devices are built on the aging 160-bit "OATH" standard, using the SHA-1 algorithm, which has recently been "broken" by mathematicians and is no longer secure. For additional information on the vulnerability of SHA-1, click here.

Uses Recommended U.S. Standard
PhishCops® utilizes the "next generation" SHA-256 algorithm, which remains unbroken and was approved by the U.S. Department of Commerce in 2002 for use by all U.S. federal government agencies.

Future Upgrades/Device Replacement Needed to Bring Them up to Recommended U.S. Standard
Because of the vulnerability of the "OATH" standard's underlying SHA-1 algorithm (see above), the National Institute of Standards and Technology (NIST), a government standards body which advises the FDIC and the FFIEC, has called for all regulatory departments and commercial security technology firms to migrate from the 160-bit SHA-1 to algorithms such as SHA-256 by 2010.

Already Using Recommended U.S. Standard
PhishCops® is already there.

Incapable of FFIEC Recommended Mutual Authentication
In addition to two-factor authentication, the FFIEC has recommended that financial institutions also perform mutual (website to user) authentication, stating: "Currently, most financial institutions do not authenticate their web sites to the customer before collecting sensitive information. One reason phishing attacks are successful is that unsuspecting customers cannot determine they are being directed to spoofed web sites during the collection stage of an attack. The spoofed sites are so well constructed that casual users cannot tell they are not legitimate. Financial institutions can aid customers in differentiating legitimate sites from spoofed sites by authenticating their Web site to the customer."
Hardware tokens do not authenticate websites to users. Hardware tokens authenticate users to websites only.

Performs FFIEC Recommended Mutual Authentication
As recommended by the FFIEC and the FDIC, PhishCops® prevents phishing by authenticating websites to users (mutual authentication) while simultaneously authenticating users to the website (two-factor authentication).

Account Downtime
Physical token devices can be lost, stolen, get "out of sync", or stop working. When this occurs, they must be replaced, and during that time the user cannot easily access their account.

No Account Downtime
Virtual Token devices cannot be lost or stolen, so users experience no account downtime.

Unpopular with Users
Typically, physical token devices are usable only at the specified website. This results in an unpopular "necklacing" effect, i.e., users being required to carry multiple token devices for use at multiple websites. The research firm Gartner conducted a survey and found that devices like the RSA token are unpopular with consumers.

Nothing for Users to Carry
With PhishCops®, there is nothing for the user to carry.

Vulnerable to Man-in-the-middle Attacks
Because physical tokens are physically "disconnected" from the internet, they are vulnerable to simple man-in-the-middle attacks in which phishers trick token owners into divulging their token device values and then re-enter these stolen values on the genuine website. Nordea Bank's experience shows one example of this vulnerability. Other well-known financial institutions using hardware tokens have also been recently compromised in this way.

Resistant to Man-in-the-middle Attacks and even Malware!
Virtual Tokens are executed from/on a webserver that retrieves mathematical key data from the member's device using only native browser functionality. Without the appropriate mathematical key retrieved from the member's device, a valid token response cannot be generated. This alone eliminates man-in-the-middle attacks. Also, since each key is mathematically authenticated against its device, even if a fraudster manages to steal the keys using malware (much more difficult to accomplish than launching a successful man-in-the-middle attack), the fraudster cannot use the stolen keys from their own (different) computer. The keys will only work if supplied from identical devices. As a result, the PhishCops® keys are the only keys in the world that are actually resistant to malware!

Physical token devices are among the most expensive authentication solutions.

PhishCops® is affordable.

Difficult to Implement - Additional Hardware and Software Required
Integrating a physical token solution with a website often requires modification and configuration of existing website processes and usually the purchase of additional servers and related software.

Easy to Implement - NO Additional Hardware and Software Required
PhishCops® can be implemented swiftly, using simple "copy and paste" actions that any webmaster can perform. No additional server hardware or software is required, and users are not required to carry any hardware nor download any software.

Vulnerable to Phishing Attacks - APWG
According to the Anti-Phishing Working Group, physical tokens "are vulnerable to phishing attacks…"

Significant Advantages - APWG
According to the Anti-Phishing Working Group, the virtual token concept is "a valid approach, and has significant cost and usability advantages when compared with hardware-based second-factor authentication."

Physical Token Approach has Already Been Defeated
Nordea Bank's recent experience shows one example of how fraudsters have defeated physical authentication approaches. Many other well-known financial institutions using hardware tokens have also been compromised.

PhishCops® has Never Been Defeated
For its unbreakable approach to cyber-security, the U.S. government has named PhishCops® a semi-finalist for both the 2005 and 2007 Homeland Security Award.
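As an added illustration of the man-in-the-middle comparison above (example code written for this page, not code from Sestus or the PhishCops® product), the Python below implements an OATH HOTP token (RFC 4226, HMAC-SHA-1) and shows why a code read from a disconnected token gives the genuine site no way to tell who typed it, whereas a response that also commits to the site origin is rejected when it was computed for a spoofed site. The secret is the RFC 4226 test-vector key, the nonce and origins are constructed, and the origin-bound response is a generic illustration of the mutual-authentication idea, not PhishCops®' own mechanism.

```python
import hmac
import hashlib
import struct

# RFC 4226 test-vector secret (constructed demo value, not a real user's key).
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """OATH HOTP (RFC 4226): HMAC-SHA-1 over the big-endian 8-byte counter,
    then dynamic truncation to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class OtpServer:
    """Genuine site: accepts the next unused code inside a small look-ahead window.
    Nothing in this check identifies who submitted the code or from which site."""

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # consume this code and any skipped ones
                return True
        return False


def bound_response(secret: bytes, challenge: bytes, origin: str) -> str:
    """Hypothetical origin-bound response: the value commits to the site the
    client is actually talking to, so it is useless on any other site."""
    return hmac.new(secret, challenge + origin.encode(), hashlib.sha256).hexdigest()


def relay_scenario() -> tuple:
    """User reads a token code and types it into a spoofed site; the phisher
    forwards it to the genuine site. Returns (otp_accepted, bound_accepted)."""
    genuine = OtpServer(SECRET)
    code_typed_on_spoof = hotp(SECRET, 0)              # value the token displayed
    otp_accepted = genuine.verify(code_typed_on_spoof)  # genuine site cannot tell who typed it
    nonce = b"constructed-nonce"                        # challenge the genuine site issued
    forwarded = bound_response(SECRET, nonce, "https://spoofed.example")  # computed for the spoof
    expected = bound_response(SECRET, nonce, "https://bank.example")      # what the bank expects
    bound_accepted = hmac.compare_digest(forwarded, expected)
    return otp_accepted, bound_accepted
```

Running relay_scenario() returns (True, False): the relayed HOTP code is accepted, the origin-bound response is not.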
© 2008 Sestus Data Company   All Rights Reserved. PhishCops® is Patent Pending.

Toll Free Tel. (800) 788-1927
California (San Francisco) Tel. (415) 963-4124    |   New York (Manhattan) Tel. (718) 841-7350