This document discusses PhishCops, a multi-factor authentication solution. It begins by summarizing recommendations from the FDIC and FFIEC regarding strengthening authentication methods and authenticating websites before collecting sensitive information. It then compares PhishCops' approach, which uses government-approved authentication algorithms, to other authentication vendors that rely on knowledge-based or object-based approaches. Problems reported with other solutions are also mentioned. The document promotes PhishCops as offering the strongest multi-factor authentication through its use of unbreakable government-approved algorithms.

1. PhishCops™PhishCops™
Multi-Factor Authentication
Website Authentication
Click to continue
This communication © 2006 Sestus Data Corporation. All Rights Reserved. THE CONTENTS OF THIS COMMUNICATION ARE
PROTECTED UNDER COPYRIGHT AND/OR PATENT. Some elements, technologies, processes, and/or information contained in
this communication are confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by
any mis-transmission of this information. You may not, directly or indirectly, use, disclose, distribute, print, or copy any part of this
communication if you are not the intended recipient.
Requires:
Microsoft PowerPoint®
2003
Return to Website

2. Powerpoint RequirementsPowerpoint Requirements
Click to continue
This Presentation
This presentation was developed using Microsoft Powerpoint 2003® . If you are using an earlier version of Microsoft
Powerpoint®, certain visual effects may be unavailable.
If you require a earlier (Microsoft Powerpoint 95®) version of this presentation, a web-based version of this presentation,
or would like to have this presentation on CD, please contact us at (800) 788-1927, or email us at info@sestusdata.com.
Microsoft PowerPoint®
2003
Return to Website

3. The FDIC and FFIEC made TWO RecommendationsThe FDIC and FFIEC made TWO Recommendations
Click to continue
The FDIC’s Findings
On December 14, 2004, the U.S. Federal Deposit Insurance Corporation (FDIC) published a study presenting their
findings on how the financial industry and its regulators could mitigate the risks associated with phishing and identity
theft. In this report, the FDIC identified TWO root causes for the problem of online identity theft1
:
1) Authentication methods are insufficiently strong.
2) The internet lacks email and website authentication capabilities.
1. Source: “Putting an End to Account Hijacking Identity Theft”, FDIC, December 14, 2004.
2. Source: “Authentication in an Internet Banking Environment (Updated Guidance Letter)”, FFIEC, October 12, 2005.
The FFIEC’s Recommendations
On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) issued an updated guidance letter
for banks and financial institutions which echoed the FDIC’s findings and made TWO corresponding recommendations:2
:
1) Implement strong multi-factor authentication.
2) “authenticate their websites to customers BEFORE collecting sensitive information”
and “assess the adequacy of such authentication techniques in light of new or changing
risks such as phishing”.
Return to Website

4. Other Authentication MethodsOther Authentication Methods
Other Authentication Methods
To understand how PhishCops™ works, it is necessary to understand how it differs from other types of authentication.
All Other authentication methods fall under one of 3 categories: Knowledge Based, Object Based, and ID Based…
Click to continue
ID-Based ("who you ARE") methods are the strongest of the three authentication methods, and are characterized
by uniqueness to one person. Biometrics, such as a fingerprint, eye scan, voiceprint, or signature fall under this
category.
Vulnerabilities: If a biometric is compromised, it can not be as easily replaced. Hardware limitations also make
the use of this authentication unaffordable to many and difficult to implement en-masse.
Knowledge-Based ("what you KNOW") methods are the most common (and the weakest) of the three
authentication methods and are characterized by secrecy or obscurity. This is the most widely used method and
includes the memorized Login ID, password, selectable image, personal question challenge / response, etc.
Vulnerabilities: People can be tricked into divulging logins, passwords, and the answers to personal questions.
Images can be copied and re-used.
Object-Based ("what you HAVE") methods are the most technically complex of the three authentication methods
and are characterized by physical possession. Physical keys, hardware tokens, etc. fall into this category.
Vulnerabilities: Objects can be lost. Users can be tricked into disclosing the object’s returned values. The
objects are costly and unpopular with consumers.
Return to Website

5. Other Authentication VendorsOther Authentication Vendors
Click to continue
Other Authentication Vendors
All other authentication products fall under one of these 3 authentication methods.
Knowledge-based Vendors
PhishCops™, however, uses mathematic
authentication algorithms developed by the National
Institute of Standards & Technology (NIST) and the
Information Technology Laboratory (ITL) under the
authority of the U.S. Department of Commerce3
These algorithms are the current standard used by all
branches of the U.S. federal government.
PhishCops™ is the ONLY multi-factor authentication
solution vendor using government-approved
authentication algorithms in a multi-factor
authentication solution.
3. Source: “Source: Processing Standards Publication 180-2. U.S. Department of Commerce, National Institute of Standards and Technology (NIST),
Information Technology Laboratory (ITL).
Passmark Sitekey
Cyota eStamp
PostX Anakam
Cloudmark
Cavion
Digital ResolveSecure Computing
Soltrus
41st Parameter
Many vendors have rushed to bring “image-based” or
similar shared-secret solutions to market (a “knowledge-
based” approach).
In an attempt to satisfy “multi-factor” authentication
requirements, some have added a “device ID” to the
customer’s computer, but if no device ID can be retrieved
from the customer’s computer, they simply fall back on
asking the customer (or the phisher) to supply answers to
personal questions (again, a “knowledge-based”
approach).
Bottom line: If the customer (or the phisher) can supply the
right credentials, and/or answer the questions correctly,
these solutions will let them into the account.
Return to Website

6. Other Authentication VendorsOther Authentication Vendors
Click to continue
Other Authentication Vendors
All other authentication products fall under one of these 3 authentication methods.
2005 Homeland Security Award Semi-Finalist
As a result of our innovative and groundbreaking use
of these government-approved authentication
algorithms, the U.S. government named PhishCops™
a semi-finalist for the 2005 Homeland Security Award.
PhishCops™ was the only multi-factor authentication
solution named to this award.
Passmark Sitekey
Cyota eStamp
PostX Anakam
Cloudmark
Cavion
Digital ResolveSecure Computing
Soltrus
41st Parameter
Knowledge-based Vendors
Many vendors have rushed to bring “image-based” or
similar shared-secret solutions to market (a “knowledge-
based” approach).
In an attempt to satisfy “multi-factor” authentication
requirements, some have added a “device ID” to the
customer’s computer, but if no device ID can be retrieved
from the customer’s computer, they simply fall back on
asking the customer (or the phisher) to supply answers to
personal questions (again, a “knowledge-based”
approach).
If the customer (or the phisher) can supply the right
credentials, or answer the questions correctly, these
solutions will let them into the account.
Return to Website

7. Other Authentication VendorsOther Authentication Vendors
Click to continue
Passmark Sitekey
Cyota eStamp
PostX Anakam
Cloudmark
Cavion
Digital ResolveSecure Computing
Soltrus
41st Parameter
Other Authentication Vendors
All other authentication products fall under one of these 3 authentication methods.
Knowledge-based Vendors
These solutions, however, authenticate the website
AFTER the customer has divulged their website login ID
or other sensitive information.
PhishCops™, follows the FFIEC’s recommendation
and authenticates websites to customers BEFORE the
customer has divulged any website login ID or other
sensitive information.
In their Guidance Letter, the FFIEC urged financial
institutions to:
“authenticate their web sites to the customer BEFORE
collecting sensitive information”
Return to Website

8. Other Authentication VendorsOther Authentication Vendors
Click to continue
Passmark Sitekey
Cyota eStamp
PostX Anakam
Cloudmark
Cavion
Digital ResolveSecure Computing
Soltrus
41st Parameter
Other Authentication Vendors
All other authentication products fall under one of these 3 authentication methods.
Knowledge-based VendorsObject-based Vendors
Vasco RSA
As a result, some hardware token vendors are latching
on to knowledge-based solution vendors in an attempt to
keep their aging technologies viable in a changing world.
= Passmark = Cyota
PhishCops™, however, was specifically developed
for the modern challenges of online identity theft.
Sestus Data Corporation developed PhishCops™
from the ground up, working with internet "backbone"
companies and government regulators, merging
thoroughly tested unbreakable (and government-
approved) authentication algorithms with modern
web-based technologies to create the most powerful
and user-friendly multi-factor authentication solution
in the world.
VerisignTriCipher
Object based vendors (hardware solution providers) have
struggled to adapt outdated technology to meet the
modern problems of online identity theft. Unfortunately,
while possessing a token or other physical piece of
hardware may help identify a user to the website, they are
incapable of authenticating the website to the user.
Return to Website

9. Other Authentication VendorsOther Authentication Vendors
Click to continue
Passmark Sitekey
Cyota eStamp
PostX Anakam
Cloudmark
Cavion
Digital ResolveSecure Computing
Soltrus
41st Parameter
Other Authentication Vendors
All other authentication products fall under one of these 3 authentication methods.
Object-based Vendors
Vasco RSA= Passmark = Cyota
PhishCops™ Virtual Tokens exist “virtually” and cannot
be lost or stolen. As a result, customers experience no
account “down-time”.
VerisignTriCipher
Objects such as hardware tokens, smart cards, and other
devices can be lost, stolen, or forgotten. Until they are
retrieved or restored, the customer is unable to access
their online account.
Knowledge-based Vendors
Return to Website

10. Other Authentication VendorsOther Authentication Vendors
Click to continue
Passmark Sitekey
Cyota eStamp
PostX Anakam
Cloudmark
Cavion
Digital ResolveSecure Computing
Soltrus
41st Parameter
Other Authentication Vendors
All other authentication products fall under one of these 3 authentication methods.
Object-based Vendors
Vasco RSA= Passmark = Cyota
The PhishCops™ Virtual Token Device can only be
accessed by their owners, and only following a valid
request from a genuine website, eliminating the
“Nordea Bank” possibility of “man-in-the-middle” type
attacks.
4. Source: “Scandinavian Attack Against Two-Factor Authentication” Schneier on Security. October 25, 2005
VerisignTriCipher
Knowledge-based Vendors
Many organizations mistakenly believe hardware tokens,
smartcards, and similar devices are invulnerable to
phishing and other forms of online identity theft. Nordea
Bank’s recent experience shows the error of this thinking.
In Nordea Bank’s widely publicized phishing scare,
phishers simply acted as the “go-between”, or “man-in-the-
middle” between the bank’s customers and the legitimate
website, and accessed the victim’s accounts using token
data solicited from unsuspecting customers4
.
Return to Website

11. Other Authentication VendorsOther Authentication Vendors
Click to continue
Passmark Sitekey
Cyota eStamp
PostX Anakam
Cloudmark
Cavion
Digital ResolveSecure Computing
Soltrus
41st Parameter
Other Authentication Vendors
All other authentication products fall under one of these 3 authentication methods.
Object-based Vendors
Vasco RSA= Passmark = Cyota
PhishCops™ users, however, ARE more secure.
PhishCops™ also provides unbreakable security at a
fraction of the cost of object-based authentication
devices.
Finally, PhishCops™ utilizes user-friendly technology
familiar to every internet user.
5. Source: The Washington Post, August 28, 2005
VerisignTriCipher
Knowledge-based Vendors
Hardware based approaches are among the most
costly solutions. In addition to being costly, they are
unpopular with users.
The Washington Post reported on a study conducted
by Gartner Research that concluded: “devices like the
RSA token are unpopular with consumers. What's
more, they might not be offering the right kind of
protection… These tokens mainly offer a "placebo
effect" to users who want to feel more secure.“5
Return to Website

12. Other Authentication VendorsOther Authentication Vendors
Click to continue
Passmark Sitekey
Cyota eStamp
PostX Anakam
Cloudmark
Cavion
Digital ResolveSecure Computing
Soltrus
41st Parameter
Other Authentication Vendors
All other authentication products fall under one of these 3 authentication methods.
Object-based Vendors
Vasco RSA= Passmark = Cyota
We agree. Physical tokens and similar hardware
devices are stealable. PhishCops™ is not.
For its patent-pending “virtual” token based approach,
InfoWorld Magazine awarded PhishCops™ its highest
honor, the Infoworld 100 Award. Of the 100
organizations honored for their groundbreaking
technological achievements, PhishCops™ was the only
multi-factor authentication solution so honored.
6. Source: International Biometric Industry Association Letter to the NIST.March 15, 2004
VerisignTriCipher
Knowledge-based Vendors
Regarding hardware tokens, smartcards, and similar
device-based authentication, the International Biometric
Industry Association (IBIA) recently reported in a strongly-
worded letter of concern to the National Institute of
Standards and Technology:
“IBIA does NOT agree that combining a token with a
password offers “good” two-factor authentication…
[why?] …passwords and tokens are eminently stealable .“6
Return to Website

13. Other Authentication VendorsOther Authentication Vendors
Click to continue
Passmark Sitekey
Cyota eStamp
PostX Anakam
Cloudmark
Cavion
Digital ResolveSecure Computing
Soltrus
41st Parameter
Other Authentication Vendors
All other authentication products fall under one of these 3 authentication methods.
Object-based Vendors
Vasco RSA= Passmark = Cyota
VerisignTriCipher
ID (Biometric) Based Vendors
PhishCops™ includes biometric notification features
that does not require hardware. This feature is patent-
pending and the first of its kind in the world.
By integrating biometrics into our process, PhishCops™
can deliver unbreakable mathematic authentication in a
form easily understandable by human beings.
Knowledge-based Vendors
Biometric authentication is recognized as the strongest
authentication method, but biometrics can only
authenticate customers to the website. Biometrics
cannot authenticate the website to the customer as
recommended by the FFIEC. In addition, biometric
authentication is the costliest approach and hardware
limitations prevent its general use.
Return to Website

14. Problems reported with other solutions…Problems reported with other solutions…
Click to continue
Bank of America Reports Implementation Problems with Passmark Sitekey… PCWorld8
Bank of America spokesperson, Betty Riess “declined to comment” on whether or not the BofA's Sitekey system would even meet FFIEC
requirements.
9. Source: Information Week, “Phishing Attacks Show Sixfold Increase This Year” June 13, 2005
Cloudmark, Cyota, PassMark Security, PostX, None Offer a Complete Answer to the Problem… Information Week9
“There are a number of anti-phishing products available from companies such as Cloudmark, Cyota, PassMark Security, PostX, and others, but none
offer a complete answer to the problem.…They don't confirm if a web site is legitimate".
8. Source: PCWorld, “Bank of America Delays Security Update” October 21, 2005
Passmark Sitekey: Answering the Wrong Question… IT Management News10
“The SiteKey system fails to address the fundamental problem of phishing because it leaves the customer susceptible to the classic Man in the
Middle false-storefront attack.”
10. Source: IT Management News, “PassMark's SiteKey - Answering The Wrong Question ” July 26, 2005
RSA (Cyota) is Entering Markets it has no Experience in… Gartner Group11
“RSA Security Acquires Cyota, but Relationship Will Need Work…RSA is entering markets it has no experience in”
11. Source: Gartner Group, “RSA Security Acquires Cyota, but Relationship Will Need Work ” January 4, 2006
Other Authentication Vendors
Because of their reliance on fundamentally inadequate technology and flawed processes,
problems are already being reported by early adopters of other solutions.
Return to Website
Gartner Groups warns prospective Passmark Sitekey customers to “consider alternative vendors”… Gartner Group7
“
Consider smaller competitors that offer similar solutions at lower prices.”
7. Source: Gartner Group, “RSA/PassMark Deal” April 27, 2006

15. StrongStrong multi-factor authenticationmulti-factor authentication
Both the FDIC and the FFIEC recommended implementing “strong” multi-factor authentication methods.
The strongest authentication methods available are mathematic algorithms developed by the National Institute of
Standards & Technology (NIST) and the Information Technology Laboratory (ITL) under the authority of the U.S.
Department of Commerce12
. These algorithms are the current standard used by all branches of the U.S. federal
government.
PhishCops™ uses these unbreakable government-approved algorithms to accomplish all of its critical processes.
First, PhishCops™ uses these algorithms to authenticate a website for the user in such a way that it is mathematically
invulnerable to fraud or abuse. Next, PhishCops™ uses these algorithms to produce a “virtual” token which the user
uses to identify themselves to the website, which token value also cannot be mathematically predicted.
For a more thorough technical review of the PhishCops™ process, we invite you to refer to our technical whitepaper.
Click to continue
12. Source: “Source: Processing Standards Publication 180-2. U.S. Department of Commerce, National Institute of Standards and Technology (NIST),
Information Technology Laboratory (ITL).
Return to Website

16. The PhishCopsThe PhishCops™ Process™ Process
The Process Explained
PhishCops™ uses unbreakable mathematic authentication algorithms in a patent-pending approach that employs
elements of public-key & private-key cryptography. PhishCops™ does not resort to blacklisted databases, obscure
filtering, questionable public records, replicatable images, or other non-standard approaches. PhishCops™
Authentication is real authentication and is invulnerable to fraud or abuse.
If the website is authentic, the user's "virtual" token generator is presented for their use.
If the website is counterfeit, the generator is unavailable and a warning is presented to the user.
There is no way for a phisher to compromise the process. In addition, unlike other authentication solutions, users are
able to authenticate the website BEFORE divulging any website login or other confidential account information.
Click to continue
Return to Website

17. The PhishCopsThe PhishCops™ Process™ Process
The Process Explained
First, the user types their anonymous PhishCops™ User ID into a simple textbox on the webpage.
Click to continue
“WILDMAN345”
IMPORTANT:
This “PhishCops™ User ID” is NOT the user’s website account login or password.
If the website is a phishing website, the user will not have compromised any account login credentials.
This User ID is simply an anonymous identifier which the user created during the enrollment process (or had created
for them by the website owner). It acts as sort of a “virtual token device serial number”, telling the authentic website
which “virtual token device” to retrieve from PhishCops.com (or from the authenticating website if they are hosting the
solution).
Return to Website

18. The PhishCopsThe PhishCops™ Process™ Process
The Process Explained
The website performs the necessary processing to produce a “digital signature”. This signature is produced using
mathematic authentication scripts previously supplied to the website by PhishCops™. The website uses this
produced “signature” to request the user’s virtual token device from PhishCops.com (or from the financial services
website if they are hosting the authentication solution).
Click to continue
325f8a61c85aef21fc8dba14a250420a3754e13ebef833da615637f210793c5d
IMPORTANT:
Only an authentic website can produce a valid “digital signature”.
If the signature is invalid, authentication stops.
Return to Website

19. The PhishCopsThe PhishCops™ Process™ Process
The Process Explained
Since the digital signature is valid, the requested “virtual” token device is returned to the user.
Click to continue
IMPORTANT:
Since ONLY a genuine website can produce a valid digital
signature, a phishing website cannot present their victims
with their virtual token device. This also means users
cannot be tricked into divulging their token values to
phishers and there is no device which can be lost or stolen.
Return to Website

20. The PhishCopsThe PhishCops™ Process™ Process
The Process Explained
The token is presented in a ‘locked’ state. The user/owner enters their 4-digit Token PIN to unlock their token in much
the same way they would unlock a physical token device. This produces a valid token value which they then enter to
the requesting website.
Click to continue
1234 744012
Authentication is now complete.
The website has been authenticated to the user because only a valid
website can produce the user’s token device.
The user has been authenticated to the website because only they
can retrieve a valid token value from their virtual token device.
Return to Website

21. The PhishCopsThe PhishCops™ Process™ Process
The Process Summary
All the user has to do to use PhishCops™ is request their virtual token device, unlock the device, and return its secure
token to the website.
Simple and easy.
Click to continue
The User:
1) enters “WILDMAN345” (to request
their virtual token device from the
website)
2) enters “1234” (to unlock their virtual
token device and generate a token)
3) returns the secure token “744012”
to the website.
Return to Website

22. Click to continue
Other…
This represents, in the simplest terms, the basic PhishCops™ process.
This presentation did not describe how PhishCops™ prevents “man in the middle” phishing attacks through our
“Restricted Access” feature, how we protect user’s privacy in the event of a data breach, how we notify users that the
authentication was successful through our patent-pending biometric notification feature, and many other security
features of PhishCops™.
Obviously, much more time will be required to explain these and other elements in detail, however we invite you to
refer to the technical whitepaper on our website for a more thorough discussion.
The PhishCopsThe PhishCops™ Process™ Process
Return to Website

23. ArchitectureArchitecture
Click to continue
Architecture
OPERATING SYSTEM REQUIREMENTS
None. Entirely web-based.
SOFTWARE & HARDWARE REQUIREMENTS
None. Entirely web-based using traditional HTML and server-side scripting.
STAFFING & SUPPORT REQUIREMENTS
If the website already employs someone to maintain their website, they already have all the technical support staffing
they need to support PhishCops™.
USER REQUIREMENTS:
None. If the user can get to the internet, they can use PhishCops™.
Return to Website

24. ArchitectureArchitecture
Click to continue
Architecture
Since PhishCops™ is an entirely web-based process, interoperability is no longer a concern. Unlike other solutions
which must accommodate different operating system environments, hardware constraints, and user computer
configurations, PhishCops™ relies entirely on traditional html and server-side scripting.
ALL websites in the world can implement PhishCops™.
ALL Internet users in the world can use PhishCops™.
Since PhishCops™ uses only traditional html and server-side scripting, it can be accessed from any device with
browser capabilities, including PDAs, PCs, web-effective phones, etc.
Processing constraints are extremely low on the part of the hosting website. The website server performs no
processing which may be different than that which the website currently performs.
The solution is also infinitely scalable to accommodate future growth.
Return to Website

25. Sestus Data CorporationSestus Data Corporation
Click to continue
Sestus Data Corporation
Company Background
PhishCops™ is solely owned by Sestus Data Corporation. Headquartered in Phoenix, Arizona, Sestus Data
Corporation has created innovative solutions to internet challenges for more than 10 years. Sestus Data Corporation
is entirely self-funded and maintains development and support staff in both the United States and Canada.
The PhishCops™ Project
Development of PhishCops™ began in 2004 in response to the growing problem of internet account hijacking and
identity theft. PhishCops™ is copyrighted, patent pending, and is protected by both U.S. and international laws.
Industry Recognition
PhishCops™ was recently rated #1 among multi-factor authentication solutions for ease of implementation and
overall low-cost of ownership, and it was the only multi-factor authentication solution to receive InfoWorld's highest
honor, the InfoWorld 100 Award. Within the past 30 days, we have facilitated 3528 live demonstrations and 286
companies have contacted us for additional information or to begin a free 14-day trial implementation.
Government Praise
PhishCops™ uses unbreakable mathematic authentication algorithms developed by the National Institute of
Standards and Technology (NIST) and the Information Technology Laboratory (ITL) under the authority of the U.S.
Department of Commerce. For its use of these unbreakable authentication algorithms in a revolutionary new
approach to internet security, in 2005 the U.S. government named PhishCops™ a semi-finalist for the Homeland
Security Award, the only multi-factor authentication solution ever named to this award.
Return to Website

26. Thank YouThank You
Contact Information:
Sestus Data Corporation
10030 W. McDowell Rd.
Suite 150-508
Avondale, AZ 85323 USA
Tel: (800) 788-1927
Fax: (800) 741-9048
Email: info@sestusdata.com
End of Presentation
Return to Website