Page 1: PhishCops™ Multi-Factor Authentication Website Authentication

PhishCops™ Multi-Factor Authentication

Website Authentication

This communication © 2006 Sestus Data Corporation. All Rights Reserved. THE CONTENTS OF THIS COMMUNICATION ARE PROTECTED UNDER COPYRIGHT AND/OR PATENT. Some elements, technologies, processes, and/or information contained in this communication are confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission of this information. You may not, directly or indirectly, use, disclose, distribute, print, or copy any part of this communication if you are not the intended recipient.

Requires: Microsoft PowerPoint® 2003

Page 2: PowerPoint Requirements

This Presentation: This presentation was developed using Microsoft PowerPoint 2003®. If you are using an earlier version of Microsoft PowerPoint®, certain visual effects may be unavailable.

If you require an earlier (Microsoft PowerPoint 95®) version of this presentation, a web-based version of this presentation, or would like to have this presentation on CD, please contact us at (800) 788-1927, or email us at [email protected].

Page 3: The FDIC and FFIEC made TWO Recommendations

The FDIC’s Findings: On December 14, 2004, the U.S. Federal Deposit Insurance Corporation (FDIC) published a study presenting its findings on how the financial industry and its regulators could mitigate the risks associated with phishing and identity theft. In this report, the FDIC identified TWO root causes of the problem of online identity theft [1]:

1) Authentication methods are insufficiently strong.

2) The internet lacks email and website authentication capabilities.

The FFIEC’s Recommendations: On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) issued an updated guidance letter for banks and financial institutions which echoed the FDIC’s findings and made TWO corresponding recommendations [2]:

1) Implement strong multi-factor authentication.

2) “authenticate their websites to customers BEFORE collecting sensitive information” and “assess the adequacy of such authentication techniques in light of new or changing risks such as phishing”.

1. Source: “Putting an End to Account Hijacking Identity Theft”, FDIC, December 14, 2004.

2. Source: “Authentication in an Internet Banking Environment (Updated Guidance Letter)”, FFIEC, October 12, 2005.

Page 4: Other Authentication Methods

To understand how PhishCops™ works, it is necessary to understand how it differs from other types of authentication. All other authentication methods fall under one of 3 categories: Knowledge Based, Object Based, and ID Based…

ID-Based ("who you ARE") methods are the strongest of the three authentication methods, and are characterized by uniqueness to one person. Biometrics, such as a fingerprint, eye scan, voiceprint, or signature, fall under this category.

Vulnerabilities: If a biometric is compromised, it cannot be easily replaced. Hardware limitations also make this form of authentication unaffordable to many and difficult to implement en masse.

Knowledge-Based ("what you KNOW") methods are the most common (and the weakest) of the three authentication methods and are characterized by secrecy or obscurity. This is the most widely used method and includes the memorized login ID, password, selectable image, personal question challenge/response, etc.

Vulnerabilities: People can be tricked into divulging logins, passwords, and the answers to personal questions. Images can be copied and re-used.

Object-Based ("what you HAVE") methods are the most technically complex of the three authentication methods and are characterized by physical possession. Physical keys, hardware tokens, etc. fall into this category.

Vulnerabilities: Objects can be lost. Users can be tricked into disclosing the object’s returned values. The objects are costly and unpopular with consumers.

Page 5: Other Authentication Vendors

All other authentication products fall under one of these 3 authentication methods.

Knowledge-based vendors shown on the slide: Passmark Sitekey, Cyota eStamp, PostX, Anakam, Cloudmark, Cavion, Digital Resolve, Secure Computing, Soltrus, 41st Parameter.

Many vendors have rushed to bring “image-based” or similar shared-secret solutions to market (a “knowledge-based” approach).

In an attempt to satisfy “multi-factor” authentication requirements, some have added a “device ID” to the customer’s computer, but if no device ID can be retrieved from the customer’s computer, they simply fall back on asking the customer (or the phisher) to supply answers to personal questions (again, a “knowledge-based” approach).

Bottom line: If the customer (or the phisher) can supply the right credentials and/or answer the questions correctly, these solutions will let them into the account.

PhishCops™, however, uses mathematical authentication algorithms developed by the National Institute of Standards & Technology (NIST) and the Information Technology Laboratory (ITL) under the authority of the U.S. Department of Commerce [3]. These algorithms are the current standard used by all branches of the U.S. federal government.

PhishCops™ is the ONLY multi-factor authentication solution vendor using government-approved authentication algorithms in a multi-factor authentication solution.

3. Source: Federal Information Processing Standards Publication 180-2, U.S. Department of Commerce, National Institute of Standards and Technology (NIST), Information Technology Laboratory (ITL).

Page 6: Other Authentication Vendors

2005 Homeland Security Award Semi-Finalist: As a result of our innovative and groundbreaking use of these government-approved authentication algorithms, the U.S. government named PhishCops™ a semi-finalist for the 2005 Homeland Security Award.

PhishCops™ was the only multi-factor authentication solution named to this award.

Page 7: Other Authentication Vendors

In their Guidance Letter, the FFIEC urged financial institutions to:

“authenticate their web sites to the customer BEFORE collecting sensitive information”

These knowledge-based solutions, however, authenticate the website AFTER the customer has divulged their website login ID or other sensitive information.

PhishCops™ follows the FFIEC’s recommendation and authenticates websites to customers BEFORE the customer has divulged any website login ID or other sensitive information.

Page 8: Other Authentication Vendors

Object-based vendors shown on the slide: Vasco, RSA, Verisign, TriCipher (the slide marks Vasco and RSA with “= Passmark” and “= Cyota”).

Object-based vendors (hardware solution providers) have struggled to adapt outdated technology to meet the modern problems of online identity theft. Unfortunately, while possessing a token or other physical piece of hardware may help identify a user to the website, such devices are incapable of authenticating the website to the user.

As a result, some hardware token vendors are latching on to knowledge-based solution vendors in an attempt to keep their aging technologies viable in a changing world.

PhishCops™, however, was specifically developed for the modern challenges of online identity theft.

Sestus Data Corporation developed PhishCops™ from the ground up, working with internet "backbone" companies and government regulators, merging thoroughly tested unbreakable (and government-approved) authentication algorithms with modern web-based technologies to create the most powerful and user-friendly multi-factor authentication solution in the world.

Page 9: Other Authentication Vendors

Objects such as hardware tokens, smart cards, and other devices can be lost, stolen, or forgotten. Until they are retrieved or restored, the customer is unable to access their online account.

PhishCops™ Virtual Tokens exist “virtually” and cannot be lost or stolen. As a result, customers experience no account “down-time”.

Page 10: Other Authentication Vendors

Many organizations mistakenly believe hardware tokens, smartcards, and similar devices are invulnerable to phishing and other forms of online identity theft. Nordea Bank’s recent experience shows the error of this thinking.

In Nordea Bank’s widely publicized phishing scare, phishers simply acted as the “go-between”, or “man-in-the-middle”, between the bank’s customers and the legitimate website, and accessed the victims’ accounts using token data solicited from unsuspecting customers [4].

The PhishCops™ Virtual Token Device can only be accessed by its owner, and only following a valid request from a genuine website, eliminating the “Nordea Bank” possibility of “man-in-the-middle” type attacks.

4. Source: “Scandinavian Attack Against Two-Factor Authentication”, Schneier on Security, October 25, 2005.

Page 11: Other Authentication Vendors

Hardware-based approaches are among the most costly solutions. In addition to being costly, they are unpopular with users.

The Washington Post reported on a study conducted by Gartner Research that concluded: “devices like the RSA token are unpopular with consumers. What's more, they might not be offering the right kind of protection… These tokens mainly offer a "placebo effect" to users who want to feel more secure.” [5]

PhishCops™ users, however, ARE more secure.

PhishCops™ also provides unbreakable security at a fraction of the cost of object-based authentication devices.

Finally, PhishCops™ utilizes user-friendly technology familiar to every internet user.

5. Source: The Washington Post, August 28, 2005.

Page 12: Other Authentication Vendors

Regarding hardware tokens, smartcards, and similar device-based authentication, the International Biometric Industry Association (IBIA) recently reported in a strongly-worded letter of concern to the National Institute of Standards and Technology:

“IBIA does NOT agree that combining a token with a password offers “good” two-factor authentication… [why?] …passwords and tokens are eminently stealable.” [6]

We agree. Physical tokens and similar hardware devices are stealable. PhishCops™ is not.

For its patent-pending “virtual” token-based approach, InfoWorld Magazine awarded PhishCops™ its highest honor, the InfoWorld 100 Award. Of the 100 organizations honored for their groundbreaking technological achievements, PhishCops™ was the only multi-factor authentication solution so honored.

6. Source: International Biometric Industry Association letter to the NIST, March 15, 2004.

Page 13: Other Authentication Vendors

ID (Biometric) Based Vendors

Biometric authentication is recognized as the strongest authentication method, but biometrics can only authenticate customers to the website. Biometrics cannot authenticate the website to the customer as recommended by the FFIEC. In addition, biometric authentication is the costliest approach and hardware limitations prevent its general use.

PhishCops™ includes a biometric notification feature that does not require hardware. This feature is patent-pending and the first of its kind in the world.

By integrating biometrics into our process, PhishCops™ can deliver unbreakable mathematical authentication in a form easily understandable by human beings.

Page 14: Problems reported with other solutions…

Because of their reliance on fundamentally inadequate technology and flawed processes, problems are already being reported by early adopters of other solutions.

Gartner Group warns prospective Passmark Sitekey customers to “consider alternative vendors”… Gartner Group [7]

“Consider smaller competitors that offer similar solutions at lower prices.”

Bank of America Reports Implementation Problems with Passmark Sitekey… PCWorld [8]

Bank of America spokesperson Betty Riess “declined to comment” on whether or not BofA's Sitekey system would even meet FFIEC requirements.

Cloudmark, Cyota, PassMark Security, PostX: None Offer a Complete Answer to the Problem… Information Week [9]

“There are a number of anti-phishing products available from companies such as Cloudmark, Cyota, PassMark Security, PostX, and others, but none offer a complete answer to the problem.… They don't confirm if a web site is legitimate".

Passmark Sitekey: Answering the Wrong Question… IT Management News [10]

“The SiteKey system fails to address the fundamental problem of phishing because it leaves the customer susceptible to the classic Man in the Middle false-storefront attack.”

RSA (Cyota) is Entering Markets it has no Experience in… Gartner Group [11]

“RSA Security Acquires Cyota, but Relationship Will Need Work… RSA is entering markets it has no experience in”

7. Source: Gartner Group, “RSA/PassMark Deal”, April 27, 2006.

8. Source: PCWorld, “Bank of America Delays Security Update”, October 21, 2005.

9. Source: Information Week, “Phishing Attacks Show Sixfold Increase This Year”, June 13, 2005.

10. Source: IT Management News, “PassMark's SiteKey - Answering The Wrong Question”, July 26, 2005.

11. Source: Gartner Group, “RSA Security Acquires Cyota, but Relationship Will Need Work”, January 4, 2006.

Page 15: Strong multi-factor authentication

Both the FDIC and the FFIEC recommended implementing “strong” multi-factor authentication methods.

The strongest authentication methods available are mathematical algorithms developed by the National Institute of Standards & Technology (NIST) and the Information Technology Laboratory (ITL) under the authority of the U.S. Department of Commerce [12]. These algorithms are the current standard used by all branches of the U.S. federal government.

PhishCops™ uses these unbreakable government-approved algorithms to accomplish all of its critical processes. First, PhishCops™ uses these algorithms to authenticate a website for the user in such a way that it is mathematically invulnerable to fraud or abuse. Next, PhishCops™ uses these algorithms to produce a “virtual” token which the user uses to identify themselves to the website; the token value likewise cannot be mathematically predicted.

For a more thorough technical review of the PhishCops™ process, we invite you to refer to our technical whitepaper.

12. Source: Federal Information Processing Standards Publication 180-2, U.S. Department of Commerce, National Institute of Standards and Technology (NIST), Information Technology Laboratory (ITL).

Page 16: The PhishCops™ Process

The Process Explained: PhishCops™ uses unbreakable mathematical authentication algorithms in a patent-pending approach that employs elements of public-key & private-key cryptography. PhishCops™ does not resort to blacklist databases, obscure filtering, questionable public records, replicable images, or other non-standard approaches. PhishCops™ Authentication is real authentication and is invulnerable to fraud or abuse.

If the website is authentic, the user's "virtual" token generator is presented for their use.

If the website is counterfeit, the generator is unavailable and a warning is presented to the user.

There is no way for a phisher to compromise the process. In addition, unlike other authentication solutions, users are able to authenticate the website BEFORE divulging any website login or other confidential account information.

Page 17: The PhishCops™ Process

The Process Explained: First, the user types their anonymous PhishCops™ User ID into a simple textbox on the webpage.

Example User ID shown on the slide: “WILDMAN345”

IMPORTANT: This “PhishCops™ User ID” is NOT the user’s website account login or password.

If the website is a phishing website, the user will not have compromised any account login credentials.

This User ID is simply an anonymous identifier which the user created during the enrollment process (or had created for them by the website owner). It acts as a sort of “virtual token device serial number”, telling the authentic website which “virtual token device” to retrieve from PhishCops.com (or from the authenticating website if they are hosting the solution).

Page 18: The PhishCops™ Process

The Process Explained: The website performs the necessary processing to produce a “digital signature”. This signature is produced using mathematical authentication scripts previously supplied to the website by PhishCops™. The website uses this produced “signature” to request the user’s virtual token device from PhishCops.com (or from the financial services website if they are hosting the authentication solution).

Example signature shown on the slide: 325f8a61c85aef21fc8dba14a250420a3754e13ebef833da615637f210793c5d

IMPORTANT: Only an authentic website can produce a valid “digital signature”. If the signature is invalid, authentication stops.

Page 19: The PhishCops™ Process

The Process Explained: Since the digital signature is valid, the requested “virtual” token device is returned to the user.

IMPORTANT: Since ONLY a genuine website can produce a valid digital signature, a phishing website cannot present its victims with their virtual token device. This also means users cannot be tricked into divulging their token values to phishers, and there is no device which can be lost or stolen.

Page 20: The PhishCops™ Process

The Process Explained: The token is presented in a ‘locked’ state. The user/owner enters their 4-digit Token PIN to unlock their token in much the same way they would unlock a physical token device. This produces a valid token value which they then enter into the requesting website.

Values shown on the slide: Token PIN 1234, token value 744012

Authentication is now complete.

The website has been authenticated to the user because only a valid website can produce the user’s token device.

The user has been authenticated to the website because only they can retrieve a valid token value from their virtual token device.

Page 21: The PhishCops™ Process

The Process Summary: All the user has to do to use PhishCops™ is request their virtual token device, unlock the device, and return its secure token to the website.

Simple and easy.

The User:

1) enters “WILDMAN345” (to request their virtual token device from the website)

2) enters “1234” (to unlock their virtual token device and generate a token)

3) returns the secure token “744012” to the website.
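The three user steps above, together with the website-side signature (page 18), the device release (page 19) and the PIN unlock (page 20), modelled end to end in Python as an added example; this is not Sestus code and the deck does not publish its algorithm. The HMAC-SHA256 request signature (SHA-2 is the FIPS 180-2 family the deck cites), the PIN-derived token key, the per-device counter, and every key, nonce and function name here are assumptions constructed for illustration; the point shown is that a site without the signing key obtains no device, a wrong PIN yields a value the service rejects, and a token value is accepted only once.

```python
import hashlib
import hmac
import struct

# Everything below is constructed sample data, not real PhishCops keys or values.
# "bank.example" stands for an enrolled website; "WILDMAN345" is the anonymous
# PhishCops User ID used in the deck; "1234" is the deck's example Token PIN.
SITE_KEYS = {"bank.example": b"constructed-site-signing-key"}


def derive_token_key(seed: bytes, pin: str) -> bytes:
    """Key a virtual token device unlocks to. A wrong PIN yields a different key,
    so it produces token values the service will not accept (assumed design)."""
    return hmac.new(seed, pin.encode(), hashlib.sha256).digest()


# What the token service stores per enrolled user: the website the device belongs
# to, the device seed, the PIN-derived key registered at enrollment (the service
# never stores the PIN itself), and a counter that makes each token value single-use.
ENROLLED = {
    "WILDMAN345": {
        "site": "bank.example",
        "seed": b"constructed-device-seed",
        "token_key": derive_token_key(b"constructed-device-seed", "1234"),
        "counter": 0,
    }
}


def site_sign_request(site: str, user_id: str, nonce: str) -> str:
    """Page 18: the website signs its device request with the key it shares with
    the token service; the result is a 64-hex-digit value like the one on the slide."""
    msg = f"{site}|{user_id}|{nonce}".encode()
    return hmac.new(SITE_KEYS[site], msg, hashlib.sha256).hexdigest()


def service_fetch_device(site: str, user_id: str, nonce: str, signature: str):
    """Page 19: the service releases the locked device only for a valid signature.
    An unenrolled site or a forged signature gets None (the user sees a warning)."""
    rec = ENROLLED.get(user_id)
    if rec is None or rec["site"] != site or site not in SITE_KEYS:
        return None
    expected = site_sign_request(site, user_id, nonce)
    if not hmac.compare_digest(expected, signature):
        return None
    return {"user_id": user_id, "seed": rec["seed"], "counter": rec["counter"]}


def _token_value(key: bytes, counter: int) -> str:
    """Six decimal digits from HMAC-SHA256(key, counter), HOTP-style truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"


def unlock_device(device: dict, pin: str) -> str:
    """Page 20: the PIN unlocks the device and produces the token value the user
    types back into the website."""
    return _token_value(derive_token_key(device["seed"], pin), device["counter"])


def service_verify_token(user_id: str, token: str) -> bool:
    """Pages 20/21: check the token against the stored PIN-derived key, then advance
    the counter so a captured token value cannot be accepted a second time."""
    rec = ENROLLED.get(user_id)
    if rec is None:
        return False
    if not hmac.compare_digest(_token_value(rec["token_key"], rec["counter"]), token):
        return False
    rec["counter"] += 1
    return True


def run_flow(site: str, user_id: str, pin: str, signature: str = "") -> bool:
    """The whole exchange; pass a signature explicitly to model a site that
    does not hold the signing key and must guess one."""
    nonce = "constructed-nonce-1"
    sig = signature or site_sign_request(site, user_id, nonce)
    device = service_fetch_device(site, user_id, nonce, sig)
    if device is None:
        return False
    return service_verify_token(user_id, unlock_device(device, pin))


if __name__ == "__main__":
    print("genuine site, right PIN:", run_flow("bank.example", "WILDMAN345", "1234"))
    print("forged signature:       ", run_flow("bank.example", "WILDMAN345", "1234", "0" * 64))
```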


Page 22: The PhishCops™ Process

Other…

This represents, in the simplest terms, the basic PhishCops™ process.

This presentation did not describe how PhishCops™ prevents “man in the middle” phishing attacks through our “Restricted Access” feature, how we protect users’ privacy in the event of a data breach, how we notify users that the authentication was successful through our patent-pending biometric notification feature, and many other security features of PhishCops™.

Obviously, much more time will be required to explain these and other elements in detail; however, we invite you to refer to the technical whitepaper on our website for a more thorough discussion.

Page 23: Architecture

OPERATING SYSTEM REQUIREMENTS: None. Entirely web-based.

SOFTWARE & HARDWARE REQUIREMENTS: None. Entirely web-based using traditional HTML and server-side scripting.

STAFFING & SUPPORT REQUIREMENTS: If the website already employs someone to maintain their website, they already have all the technical support staffing they need to support PhishCops™.

USER REQUIREMENTS: None. If the user can get to the internet, they can use PhishCops™.

Page 24: Architecture

Since PhishCops™ is an entirely web-based process, interoperability is no longer a concern. Unlike other solutions which must accommodate different operating system environments, hardware constraints, and user computer configurations, PhishCops™ relies entirely on traditional HTML and server-side scripting.

ALL websites in the world can implement PhishCops™.

ALL Internet users in the world can use PhishCops™.

Since PhishCops™ uses only traditional HTML and server-side scripting, it can be accessed from any device with browser capabilities, including PDAs, PCs, web-enabled phones, etc.

Processing constraints are extremely low on the part of the hosting website. The website server performs no processing different from that which the website currently performs.

The solution is also infinitely scalable to accommodate future growth.

Page 25: Sestus Data Corporation

Company Background: PhishCops™ is solely owned by Sestus Data Corporation. Headquartered in Phoenix, Arizona, Sestus Data Corporation has created innovative solutions to internet challenges for more than 10 years. Sestus Data Corporation is entirely self-funded and maintains development and support staff in both the United States and Canada.

The PhishCops™ Project: Development of PhishCops™ began in 2004 in response to the growing problem of internet account hijacking and identity theft. PhishCops™ is copyrighted, patent pending, and is protected by both U.S. and international laws.

Industry Recognition: PhishCops™ was recently rated #1 among multi-factor authentication solutions for ease of implementation and overall low cost of ownership, and it was the only multi-factor authentication solution to receive InfoWorld's highest honor, the InfoWorld 100 Award. Within the past 30 days, we have facilitated 3528 live demonstrations and 286 companies have contacted us for additional information or to begin a free 14-day trial implementation.

Government Praise: PhishCops™ uses unbreakable mathematical authentication algorithms developed by the National Institute of Standards and Technology (NIST) and the Information Technology Laboratory (ITL) under the authority of the U.S. Department of Commerce. For its use of these unbreakable authentication algorithms in a revolutionary new approach to internet security, in 2005 the U.S. government named PhishCops™ a semi-finalist for the Homeland Security Award, the only multi-factor authentication solution ever named to this award.

Page 26: Thank You

Contact Information:

Sestus Data Corporation
10030 W. McDowell Rd.
Suite 150-508
Avondale, AZ 85323 USA

Tel: (800) 788-1927
Fax: (800) 741-9048
Email: [email protected]

End of Presentation