Phishcops multifactor-authentication-website-authentication1096
Presentation Transcript

  • PhishCops™: Multi-Factor Authentication, Website Authentication
    This communication © 2006 Sestus Data Corporation. All Rights Reserved. THE CONTENTS OF THIS COMMUNICATION ARE PROTECTED UNDER COPYRIGHT AND/OR PATENT. Some elements, technologies, processes, and/or information contained in this communication are confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission of this information. You may not, directly or indirectly, use, disclose, distribute, print, or copy any part of this communication if you are not the intended recipient.
    Requires: Microsoft PowerPoint® 2003
  • PowerPoint Requirements
    This presentation was developed using Microsoft PowerPoint 2003®. If you are using an earlier version of Microsoft PowerPoint®, certain visual effects may be unavailable. If you require an earlier (Microsoft PowerPoint 95®) version of this presentation, a web-based version of this presentation, or would like to have this presentation on CD, please contact us at (800) 788-1927, or email us at info@sestusdata.com.
  • The FDIC and FFIEC made TWO Recommendations
    The FDIC’s Findings: On December 14, 2004, the U.S. Federal Deposit Insurance Corporation (FDIC) published a study presenting their findings on how the financial industry and its regulators could mitigate the risks associated with phishing and identity theft. In this report, the FDIC identified TWO root causes for the problem of online identity theft [1]:
    1) Authentication methods are insufficiently strong.
    2) The internet lacks email and website authentication capabilities.
    The FFIEC’s Recommendations: On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) issued an updated guidance letter for banks and financial institutions which echoed the FDIC’s findings and made TWO corresponding recommendations [2]:
    1) Implement strong multi-factor authentication.
    2) “authenticate their websites to customers BEFORE collecting sensitive information” and “assess the adequacy of such authentication techniques in light of new or changing risks such as phishing”.
    1. Source: “Putting an End to Account Hijacking Identity Theft”, FDIC, December 14, 2004.
    2. Source: “Authentication in an Internet Banking Environment (Updated Guidance Letter)”, FFIEC, October 12, 2005.
  • Other Authentication Methods
    To understand how PhishCops™ works, it is necessary to understand how it differs from other types of authentication. All other authentication methods fall under one of 3 categories: Knowledge Based, Object Based, and ID Based.
    ID-Based (“who you ARE”) methods are the strongest of the three authentication methods, and are characterized by uniqueness to one person. Biometrics, such as a fingerprint, eye scan, voiceprint, or signature fall under this category. Vulnerabilities: If a biometric is compromised, it cannot be as easily replaced. Hardware limitations also make the use of this authentication unaffordable to many and difficult to implement en masse.
    Knowledge-Based (“what you KNOW”) methods are the most common (and the weakest) of the three authentication methods and are characterized by secrecy or obscurity. This is the most widely used method and includes the memorized Login ID, password, selectable image, personal question challenge/response, etc. Vulnerabilities: People can be tricked into divulging logins, passwords, and the answers to personal questions. Images can be copied and re-used.
    Object-Based (“what you HAVE”) methods are the most technically complex of the three authentication methods and are characterized by physical possession. Physical keys, hardware tokens, etc. fall into this category. Vulnerabilities: Objects can be lost. Users can be tricked into disclosing the object’s returned values. The objects are costly and unpopular with consumers.
  • Other Authentication Vendors
    All other authentication products fall under one of these 3 authentication methods.
    Knowledge-based Vendors (as listed on the slide): Passmark Sitekey, Cyota eStamp, PostX, Anakam, Cloudmark, Cavion, Digital Resolve, Secure Computing, Soltrus, 41st Parameter.
    Many vendors have rushed to bring “image-based” or similar shared-secret solutions to market (a “knowledge-based” approach). In an attempt to satisfy “multi-factor” authentication requirements, some have added a “device ID” to the customer’s computer, but if no device ID can be retrieved from the customer’s computer, they simply fall back on asking the customer (or the phisher) to supply answers to personal questions (again, a “knowledge-based” approach). Bottom line: If the customer (or the phisher) can supply the right credentials, and/or answer the questions correctly, these solutions will let them into the account.
    PhishCops™, however, uses mathematic authentication algorithms developed by the National Institute of Standards & Technology (NIST) and the Information Technology Laboratory (ITL) under the authority of the U.S. Department of Commerce [3]. These algorithms are the current standard used by all branches of the U.S. federal government. PhishCops™ is the ONLY multi-factor authentication solution vendor using government-approved authentication algorithms in a multi-factor authentication solution.
    3. Source: Federal Information Processing Standards Publication 180-2. U.S. Department of Commerce, National Institute of Standards and Technology (NIST), Information Technology Laboratory (ITL).
  • Other Authentication Vendors: 2005 Homeland Security Award Semi-Finalist
    As a result of our innovative and groundbreaking use of these government-approved authentication algorithms, the U.S. government named PhishCops™ a semi-finalist for the 2005 Homeland Security Award. PhishCops™ was the only multi-factor authentication solution named to this award.
  • Other Authentication Vendors: Knowledge-based Vendors (continued)
    These solutions, however, authenticate the website AFTER the customer has divulged their website login ID or other sensitive information. PhishCops™ follows the FFIEC’s recommendation and authenticates websites to customers BEFORE the customer has divulged any website login ID or other sensitive information. In their Guidance Letter, the FFIEC urged financial institutions to “authenticate their web sites to the customer BEFORE collecting sensitive information”.
  • Other Authentication Vendors: Object-based Vendors
    Object-based vendors shown on the slide: Vasco (paired with Passmark), RSA (paired with Cyota), Verisign, TriCipher.
    Object-based vendors (hardware solution providers) have struggled to adapt outdated technology to meet the modern problems of online identity theft. Unfortunately, while possessing a token or other physical piece of hardware may help identify a user to the website, they are incapable of authenticating the website to the user. As a result, some hardware token vendors are latching on to knowledge-based solution vendors in an attempt to keep their aging technologies viable in a changing world.
    PhishCops™, however, was specifically developed for the modern challenges of online identity theft. Sestus Data Corporation developed PhishCops™ from the ground up, working with internet “backbone” companies and government regulators, merging thoroughly tested unbreakable (and government-approved) authentication algorithms with modern web-based technologies to create the most powerful and user-friendly multi-factor authentication solution in the world.
  • Other Authentication Vendors: Object-based Vendors (continued)
    Objects such as hardware tokens, smart cards, and other devices can be lost, stolen, or forgotten. Until they are retrieved or restored, the customer is unable to access their online account. PhishCops™ Virtual Tokens exist “virtually” and cannot be lost or stolen. As a result, customers experience no account “down-time”.
  • Other Authentication Vendors: Object-based Vendors (continued)
    Many organizations mistakenly believe hardware tokens, smartcards, and similar devices are invulnerable to phishing and other forms of online identity theft. Nordea Bank’s recent experience shows the error of this thinking. In Nordea Bank’s widely publicized phishing scare, phishers simply acted as the “go-between”, or “man-in-the-middle”, between the bank’s customers and the legitimate website, and accessed the victims’ accounts using token data solicited from unsuspecting customers [4].
    The PhishCops™ Virtual Token Device can only be accessed by its owner, and only following a valid request from a genuine website, eliminating the “Nordea Bank” possibility of “man-in-the-middle” type attacks.
    4. Source: “Scandinavian Attack Against Two-Factor Authentication”, Schneier on Security, October 25, 2005.
  • Other Authentication Vendors: Object-based Vendors (continued)
    Hardware based approaches are among the most costly solutions. In addition to being costly, they are unpopular with users. The Washington Post reported on a study conducted by Gartner Research that concluded: “devices like the RSA token are unpopular with consumers. What’s more, they might not be offering the right kind of protection… These tokens mainly offer a ‘placebo effect’ to users who want to feel more secure.” [5]
    PhishCops™ users, however, ARE more secure. PhishCops™ also provides unbreakable security at a fraction of the cost of object-based authentication devices. Finally, PhishCops™ utilizes user-friendly technology familiar to every internet user.
    5. Source: The Washington Post, August 28, 2005.
  • Other Authentication Vendors: Object-based Vendors (continued)
    Regarding hardware tokens, smartcards, and similar device-based authentication, the International Biometric Industry Association (IBIA) recently reported in a strongly-worded letter of concern to the National Institute of Standards and Technology: “IBIA does NOT agree that combining a token with a password offers ‘good’ two-factor authentication… [why?] …passwords and tokens are eminently stealable.” [6]
    We agree. Physical tokens and similar hardware devices are stealable. PhishCops™ is not. For its patent-pending “virtual” token based approach, InfoWorld Magazine awarded PhishCops™ its highest honor, the InfoWorld 100 Award. Of the 100 organizations honored for their groundbreaking technological achievements, PhishCops™ was the only multi-factor authentication solution so honored.
    6. Source: International Biometric Industry Association letter to the NIST, March 15, 2004.
  • Other Authentication Vendors: ID (Biometric) Based Vendors
    Biometric authentication is recognized as the strongest authentication method, but biometrics can only authenticate customers to the website. Biometrics cannot authenticate the website to the customer as recommended by the FFIEC. In addition, biometric authentication is the costliest approach and hardware limitations prevent its general use.
    PhishCops™ includes biometric notification features that do not require hardware. This feature is patent-pending and the first of its kind in the world. By integrating biometrics into our process, PhishCops™ can deliver unbreakable mathematic authentication in a form easily understandable by human beings.
  • Problems reported with other solutions…
    Because of their reliance on fundamentally inadequate technology and flawed processes, problems are already being reported by early adopters of other solutions.
    Gartner Group warns prospective Passmark Sitekey customers to “consider alternative vendors”… Gartner Group [7]: “Consider smaller competitors that offer similar solutions at lower prices.”
    Bank of America reports implementation problems with Passmark Sitekey… PCWorld [8]: Bank of America spokesperson Betty Riess “declined to comment” on whether or not BofA’s Sitekey system would even meet FFIEC requirements.
    Cloudmark, Cyota, PassMark Security, PostX: none offer a complete answer to the problem… Information Week [9]: “There are a number of anti-phishing products available from companies such as Cloudmark, Cyota, PassMark Security, PostX, and others, but none offer a complete answer to the problem. …They don’t confirm if a web site is legitimate.”
    Passmark Sitekey: answering the wrong question… IT Management News [10]: “The SiteKey system fails to address the fundamental problem of phishing because it leaves the customer susceptible to the classic Man in the Middle false-storefront attack.”
    RSA (Cyota) is entering markets it has no experience in… Gartner Group [11]: “RSA Security Acquires Cyota, but Relationship Will Need Work… RSA is entering markets it has no experience in.”
    7. Source: Gartner Group, “RSA/PassMark Deal”, April 27, 2006.
    8. Source: PCWorld, “Bank of America Delays Security Update”, October 21, 2005.
    9. Source: Information Week, “Phishing Attacks Show Sixfold Increase This Year”, June 13, 2005.
    10. Source: IT Management News, “PassMark’s SiteKey - Answering The Wrong Question”, July 26, 2005.
    11. Source: Gartner Group, “RSA Security Acquires Cyota, but Relationship Will Need Work”, January 4, 2006.
  • Strong multi-factor authentication
    Both the FDIC and the FFIEC recommended implementing “strong” multi-factor authentication methods. The strongest authentication methods available are mathematic algorithms developed by the National Institute of Standards & Technology (NIST) and the Information Technology Laboratory (ITL) under the authority of the U.S. Department of Commerce [12]. These algorithms are the current standard used by all branches of the U.S. federal government.
    PhishCops™ uses these unbreakable government-approved algorithms to accomplish all of its critical processes. First, PhishCops™ uses these algorithms to authenticate a website for the user in such a way that it is mathematically invulnerable to fraud or abuse. Next, PhishCops™ uses these algorithms to produce a “virtual” token which the user uses to identify themselves to the website, which token value also cannot be mathematically predicted.
    For a more thorough technical review of the PhishCops™ process, we invite you to refer to our technical whitepaper.
    12. Source: Federal Information Processing Standards Publication 180-2. U.S. Department of Commerce, National Institute of Standards and Technology (NIST), Information Technology Laboratory (ITL).
  • The PhishCops™ Process: The Process Explained
    PhishCops™ uses unbreakable mathematic authentication algorithms in a patent-pending approach that employs elements of public-key & private-key cryptography. PhishCops™ does not resort to blacklisted databases, obscure filtering, questionable public records, replicable images, or other non-standard approaches. PhishCops™ Authentication is real authentication and is invulnerable to fraud or abuse.
    If the website is authentic, the user’s “virtual” token generator is presented for their use. If the website is counterfeit, the generator is unavailable and a warning is presented to the user.
    There is no way for a phisher to compromise the process. In addition, unlike other authentication solutions, users are able to authenticate the website BEFORE divulging any website login or other confidential account information.
  • The PhishCops™ Process: The Process Explained (continued)
    First, the user types their anonymous PhishCops™ User ID into a simple textbox on the webpage (the slide shows “WILDMAN345”).
    IMPORTANT: This “PhishCops™ User ID” is NOT the user’s website account login or password. If the website is a phishing website, the user will not have compromised any account login credentials. This User ID is simply an anonymous identifier which the user created during the enrollment process (or had created for them by the website owner). It acts as sort of a “virtual token device serial number”, telling the authentic website which “virtual token device” to retrieve from PhishCops.com (or from the authenticating website if they are hosting the solution).
  • The PhishCops™ Process: The Process Explained (continued)
    The website performs the necessary processing to produce a “digital signature”. This signature is produced using mathematic authentication scripts previously supplied to the website by PhishCops™. The website uses this produced “signature” to request the user’s virtual token device from PhishCops.com (or from the financial services website if they are hosting the authentication solution). The slide shows the example signature value 325f8a61c85aef21fc8dba14a250420a3754e13ebef833da615637f210793c5d.
    IMPORTANT: Only an authentic website can produce a valid “digital signature”. If the signature is invalid, authentication stops.
  • The PhishCops™ Process: The Process Explained (continued)
    Since the digital signature is valid, the requested “virtual” token device is returned to the user.
    IMPORTANT: Since ONLY a genuine website can produce a valid digital signature, a phishing website cannot present their victims with their virtual token device. This also means users cannot be tricked into divulging their token values to phishers and there is no device which can be lost or stolen.
  • The PhishCops™ Process: The Process Explained (continued)
    The token is presented in a ‘locked’ state. The user/owner enters their 4-digit Token PIN to unlock their token in much the same way they would unlock a physical token device. This produces a valid token value which they then enter to the requesting website (on the slide, PIN “1234” produces token value “744012”).
    Authentication is now complete. The website has been authenticated to the user because only a valid website can produce the user’s token device. The user has been authenticated to the website because only they can retrieve a valid token value from their virtual token device.
  • The PhishCops™ Process: The Process Summary
    All the user has to do to use PhishCops™ is request their virtual token device, unlock the device, and return its secure token to the website. Simple and easy.
    The User:
    1) enters “WILDMAN345” (to request their virtual token device from the website)
    2) enters “1234” (to unlock their virtual token device and generate a token)
    3) returns the secure token “744012” to the website.
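The flow on the Process slides above, modelled as an added example; this is not Sestus code, and the slides do not publish the signature or token construction, so the website's "digital signature" is assumed to be an HMAC-SHA256 under a per-site key shared with the token service, and the token value an HMAC-SHA256 of PIN and request nonce truncated to six digits (FIPS 180-2, which the slides cite, is the Secure Hash Standard, hence SHA-256). The names bank.example, TokenService, LockedDevice and Website are assumptions; the model shows why a site without the key obtains no device and why each token value is accepted only once for the request it was issued against, and it does not model the relaying man-in-the-middle case, which the next slide says this presentation does not cover.

```python
import hashlib
import hmac
import secrets

def token_code(seed: bytes, pin: str, nonce: str) -> str:
    """6-digit code: HMAC-SHA256 of PIN and nonce under the device seed (assumed construction)."""
    digest = hmac.new(seed, f"{pin}|{nonce}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"

class LockedDevice:
    """The 'virtual token device' handed to the user; it yields a code only when unlocked."""
    def __init__(self, seed: bytes, nonce: str):
        self._seed, self._nonce = seed, nonce

    def unlock(self, pin: str) -> str:
        # A wrong PIN yields a wrong code, not an error: the service, not the device, rejects it.
        return token_code(self._seed, pin, self._nonce)

class TokenService:
    """Stands in for PhishCops.com: holds site signing keys and user seeds/PINs."""
    def __init__(self):
        self.site_keys = {}  # site -> key behind the "scripts supplied to the website"
        self.users = {}      # anonymous user ID -> (device seed, PIN)
        self.pending = {}    # nonce -> user ID; each request yields one single-use code

    def enroll_site(self, site: str) -> bytes:
        return self.site_keys.setdefault(site, secrets.token_bytes(32))

    def enroll_user(self, user_id: str, pin: str) -> None:
        self.users[user_id] = (secrets.token_bytes(32), pin)

    def request_device(self, site: str, user_id: str, nonce: str, signature: str):
        """Return the locked device only for a request carrying a valid site signature."""
        key = self.site_keys.get(site)
        if key is None or nonce in self.pending or user_id not in self.users:
            return None
        msg = f"{site}|{user_id}|{nonce}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return None  # "If the signature is invalid, authentication stops."
        self.pending[nonce] = user_id
        return LockedDevice(self.users[user_id][0], nonce)

    def verify_token(self, user_id: str, nonce: str, token_value: str) -> bool:
        """Accept a code once, and only for the request it was issued against."""
        if self.pending.pop(nonce, None) != user_id:
            return False
        seed, pin = self.users[user_id]
        return hmac.compare_digest(token_code(seed, pin, nonce), token_value)

class Website:
    """A site the user visits; key is None for a counterfeit that was never enrolled."""
    def __init__(self, name: str, service: TokenService, key):
        self.name, self.service, self.key = name, service, key

    def begin_login(self, user_id: str):
        nonce = secrets.token_hex(8)
        msg = f"{self.name}|{user_id}|{nonce}".encode()
        sig = hmac.new(self.key or b"phisher-guess", msg, hashlib.sha256).hexdigest()
        return nonce, self.service.request_device(self.name, user_id, nonce, sig)

    def finish_login(self, user_id: str, nonce: str, token_value: str) -> bool:
        return self.service.verify_token(user_id, nonce, token_value)

def run_scenarios() -> dict:
    # Constructed setup using the slides' sample user ID and PIN.
    service = TokenService()
    service.enroll_user("WILDMAN345", "1234")
    genuine = Website("bank.example", service, service.enroll_site("bank.example"))
    phisher = Website("bank.example", service, key=None)  # same name, no signing key
    results = {"phisher_gets_device": phisher.begin_login("WILDMAN345")[1] is not None}
    nonce, device = genuine.begin_login("WILDMAN345")
    results["wrong_pin_accepted"] = genuine.finish_login("WILDMAN345", nonce, device.unlock("0000"))
    nonce, device = genuine.begin_login("WILDMAN345")
    results["genuine_login"] = genuine.finish_login("WILDMAN345", nonce, device.unlock("1234"))
    results["replay_accepted"] = genuine.finish_login("WILDMAN345", nonce, device.unlock("1234"))
    return results
```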
  • The PhishCops™ Process: Other…
    This represents, in the simplest terms, the basic PhishCops™ process. This presentation did not describe how PhishCops™ prevents “man in the middle” phishing attacks through our “Restricted Access” feature, how we protect users’ privacy in the event of a data breach, how we notify users that the authentication was successful through our patent-pending biometric notification feature, and many other security features of PhishCops™. Obviously, much more time will be required to explain these and other elements in detail; however, we invite you to refer to the technical whitepaper on our website for a more thorough discussion.
  • Architecture
    OPERATING SYSTEM REQUIREMENTS: None. Entirely web-based.
    SOFTWARE & HARDWARE REQUIREMENTS: None. Entirely web-based using traditional HTML and server-side scripting.
    STAFFING & SUPPORT REQUIREMENTS: If the website already employs someone to maintain their website, they already have all the technical support staffing they need to support PhishCops™.
    USER REQUIREMENTS: None. If the user can get to the internet, they can use PhishCops™.
  • Architecture (continued)
    Since PhishCops™ is an entirely web-based process, interoperability is no longer a concern. Unlike other solutions which must accommodate different operating system environments, hardware constraints, and user computer configurations, PhishCops™ relies entirely on traditional HTML and server-side scripting. ALL websites in the world can implement PhishCops™. ALL Internet users in the world can use PhishCops™.
    Since PhishCops™ uses only traditional HTML and server-side scripting, it can be accessed from any device with browser capabilities, including PDAs, PCs, web-effective phones, etc. Processing constraints are extremely low on the part of the hosting website. The website server performs no processing which may be different than that which the website currently performs. The solution is also infinitely scalable to accommodate future growth.
  • Sestus Data Corporation
    Company Background: PhishCops™ is solely owned by Sestus Data Corporation. Headquartered in Phoenix, Arizona, Sestus Data Corporation has created innovative solutions to internet challenges for more than 10 years. Sestus Data Corporation is entirely self-funded and maintains development and support staff in both the United States and Canada.
    The PhishCops™ Project: Development of PhishCops™ began in 2004 in response to the growing problem of internet account hijacking and identity theft. PhishCops™ is copyrighted, patent pending, and is protected by both U.S. and international laws.
    Industry Recognition: PhishCops™ was recently rated #1 among multi-factor authentication solutions for ease of implementation and overall low cost of ownership, and it was the only multi-factor authentication solution to receive InfoWorld’s highest honor, the InfoWorld 100 Award. Within the past 30 days, we have facilitated 3528 live demonstrations and 286 companies have contacted us for additional information or to begin a free 14-day trial implementation.
    Government Praise: PhishCops™ uses unbreakable mathematic authentication algorithms developed by the National Institute of Standards and Technology (NIST) and the Information Technology Laboratory (ITL) under the authority of the U.S. Department of Commerce. For its use of these unbreakable authentication algorithms in a revolutionary new approach to internet security, in 2005 the U.S. government named PhishCops™ a semi-finalist for the Homeland Security Award, the only multi-factor authentication solution ever named to this award.
  • Thank You
    Contact Information: Sestus Data Corporation, 10030 W. McDowell Rd., Suite 150-508, Avondale, AZ 85323 USA. Tel: (800) 788-1927. Fax: (800) 741-9048. Email: info@sestusdata.com
    End of Presentation