PhishCops™ Multi-Factor Authentication Website Authentication

1,678 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,678
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
29
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

PhishCops™ Multi-Factor Authentication Website Authentication

  1. 1. PhishCops™ Multi-Factor Authentication Website Authentication Click to continue This communication © 2006 Sestus Data Corporation. All Rights Reserved. THE CONTENTS OF THIS COMMUNICATION ARE PROTECTED UNDER COPYRIGHT AND/OR PATENT. Some elements, technologies, processes, and/or information contained in this communication are confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission of this information. You may not, directly or indirectly, use, disclose, distribute, print, or copy any part of this communication if you are not the intended recipient. Requires: Microsoft PowerPoint ® 2003 Return to Website
  2. 2. Powerpoint Requirements Click to continue This Presentation This presentation was developed using Microsoft Powerpoint 2003 ® . If you are using an earlier version of Microsoft Powerpoint ®, c ertain visual effects may be unavailable.   If you require a earlier (Microsoft Powerpoint 95 ®) version of this presentation, a web-based version of this presentation, or would like to have this presentation on CD, please contact us at (800) 788-1927, or email us at [email_address] . Microsoft PowerPoint ® 2003 Return to Website
  3. 3. The FDIC and FFIEC made TWO Recommendations Click to continue The FDIC’s Findings On December 14, 2004, the U.S. Federal Deposit Insurance Corporation (FDIC) published a study presenting their findings on how the financial industry and its regulators could mitigate the risks associated with phishing and identity theft. In this report, the FDIC identified TWO root causes for the problem of online identity theft 1 :   1) Authentication methods are insufficiently strong . 2) The internet lacks email and website authentication capabilities. 1. Source: “ Putting an End to Account Hijacking Identity Theft ”, FDIC, December 14, 2004. 2. Source: “ Authentication in an Internet Banking Environment (Updated Guidance Letter)”, FFIEC, October 12, 2005. The FFIEC’s Recommendations On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) issued an updated guidance letter for banks and financial institutions which echoed the FDIC’s findings and made TWO corresponding recommendations: 2 :   1) Implement strong multi-factor authentication. 2) “authenticate their websites to customers BEFORE collecting sensitive information” and “assess the adequacy of such authentication techniques in light of new or changing risks such as phishing”. Return to Website
  4. 4. Other Authentication Methods Other Authentication Methods To understand how PhishCops™ works, it is necessary to understand how it differs from other types of authentication. All Other authentication methods fall under one of 3 categories: Knowledge Based, Object Based, and ID Based…   Click to continue ID-Based ("who you ARE") methods are the strongest of the three authentication methods, and are characterized by uniqueness to one person. Biometrics, such as a fingerprint, eye scan, voiceprint, or signature fall under this category. Vulnerabilities : I f a biometric is compromised, it can not be as easily replaced. Hardware limitations also make the use of this authentication unaffordable to many and difficult to implement en-masse. Knowledge-Based ("what you KNOW") methods are the most common (and the weakest) of the three authentication methods and are characterized by secrecy or obscurity. This is the most widely used method and includes the memorized Login ID, password, selectable image, personal question challenge / response, etc. Vulnerabilities : People can be tricked into divulging logins, passwords, and the answers to personal questions. Images can be copied and re-used. Object-Based ("what you HAVE") methods are the most technically complex of the three authentication methods and are characterized by physical possession. Physical keys, hardware tokens, etc. fall into this category. Vulnerabilities : Objects can be lost. Users can be tricked into disclosing the object’s returned values. The objects are costly and unpopular with consumers. Return to Website
  5. 5. Other Authentication Vendors Click to continue Other Authentication Vendors All other authentication products fall under one of these 3 authentication methods. Knowledge-based Vendors PhishCops ™, however, uses mathematic authentication algorithms developed by the National Institute of Standards & Technology (NIST) and the Information Technology Laboratory (ITL) under the authority of the U.S. Department of Commerce 3 These algorithms are the current standard used by all branches of the U.S. federal government. PhishCops™ is the ONLY multi-factor authentication solution vendor using government-approved authentication algorithms in a multi-factor authentication solution. 3. Source: “Source: Processing Standards Publication 180-2. U.S. Department of Commerce, National Institute of Standards and Technology (NIST), Information Technology Laboratory (ITL). Passmark Sitekey Cyota eStamp PostX Anakam Cloudmark Cavion Digital Resolve Secure Computing Soltrus 41st Parameter Many vendors have rushed to bring “image-based” or similar shared-secret solutions to market (a “knowledge-based” approach). In an attempt to satisfy “multi-factor” authentication requirements, some have added a “device ID” to the customer’s computer, but if no device ID can be retrieved from the customer’s computer, they simply fall back on asking the customer (or the phisher) to supply answers to personal questions (again, a “knowledge-based” approach). Bottom line: If the customer (or the phisher) can supply the right credentials, and/or answer the questions correctly, these solutions will let them into the account. Return to Website
  6. 6. Other Authentication Vendors Click to continue Other Authentication Vendors All other authentication products fall under one of these 3 authentication methods. 2005 Homeland Security Award Semi-Finalist As a result of our innovative and groundbreaking use of these government-approved authentication algorithms, the U.S. government named PhishCops ™ a semi-finalist for the 2005 Homeland Security Award. PhishCops™ was the only multi-factor authentication solution named to this award. Passmark Sitekey Cyota eStamp PostX Anakam Cloudmark Cavion Digital Resolve Secure Computing Soltrus 41st Parameter Knowledge-based Vendors Many vendors have rushed to bring “image-based” or similar shared-secret solutions to market (a “knowledge-based” approach). In an attempt to satisfy “multi-factor” authentication requirements, some have added a “device ID” to the customer’s computer, but if no device ID can be retrieved from the customer’s computer, they simply fall back on asking the customer (or the phisher) to supply answers to personal questions (again, a “knowledge-based” approach). If the customer (or the phisher) can supply the right credentials, or answer the questions correctly, these solutions will let them into the account. Return to Website
  7. 7. Other Authentication Vendors Click to continue Passmark Sitekey Cyota eStamp PostX Anakam Cloudmark Cavion Digital Resolve Secure Computing Soltrus 41st Parameter Other Authentication Vendors All other authentication products fall under one of these 3 authentication methods. Knowledge-based Vendors These solutions, however, authenticate the website AFTER the customer has divulged their website login ID or other sensitive information. PhishCops ™, follows the FFIEC’s recommendation and authenticates websites to customers BEFORE the customer has divulged any website login ID or other sensitive information. In their Guidance Letter, the FFIEC urged financial institutions to: “ authenticate their web sites to the customer BEFORE collecting sensitive information ” Return to Website
  8. 8. Other Authentication Vendors Click to continue Passmark Sitekey Cyota eStamp PostX Anakam Cloudmark Cavion Digital Resolve Secure Computing Soltrus 41st Parameter Other Authentication Vendors All other authentication products fall under one of these 3 authentication methods. Knowledge-based Vendors Object-based Vendors Vasco RSA As a result, some hardware token vendors are latching on to knowledge-based solution vendors in an attempt to keep their aging technologies viable in a changing world. = Passmark = Cyota PhishCops ™, however, was specifically developed for the modern challenges of online identity theft. Sestus Data Corporation developed PhishCops™ from the ground up, working with internet "backbone" companies and government regulators, merging thoroughly tested unbreakable (and government-approved) authentication algorithms with modern web-based technologies to create the most powerful and user-friendly multi-factor authentication solution in the world. Verisign TriCipher Object based vendors (hardware solution providers) have struggled to adapt outdated technology to meet the modern problems of online identity theft. Unfortunately, while possessing a token or other physical piece of hardware may help identify a user to the website, they are incapable of authenticating the website to the user. Return to Website
  9. 9. Other Authentication Vendors Click to continue Passmark Sitekey Cyota eStamp PostX Anakam Cloudmark Cavion Digital Resolve Secure Computing Soltrus 41st Parameter Other Authentication Vendors All other authentication products fall under one of these 3 authentication methods. Object-based Vendors Vasco RSA = Passmark = Cyota PhishCops ™ Virtual Tokens exist “virtually” and cannot be lost or stolen. As a result, customers experience no account “down-time”. Verisign TriCipher Objects such as hardware tokens, smart cards, and other devices can be lost, stolen, or forgotten. Until they are retrieved or restored, the customer is unable to access their online account. Knowledge-based Vendors Return to Website
  10. 10. Other Authentication Vendors Click to continue Passmark Sitekey Cyota eStamp PostX Anakam Cloudmark Cavion Digital Resolve Secure Computing Soltrus 41st Parameter Other Authentication Vendors All other authentication products fall under one of these 3 authentication methods. Object-based Vendors Vasco RSA = Passmark = Cyota The PhishCops ™ Virtual Token Device can only be accessed by their owners, and only following a valid request from a genuine website, eliminating the “Nordea Bank” possibility of “man-in-the-middle” type attacks. 4. Source: “Scandinavian Attack Against Two-Factor Authentication” Schneier on Security. October 25, 2005 Verisign TriCipher Knowledge-based Vendors Many organizations mistakenly believe hardware tokens, smartcards, and similar devices are invulnerable to phishing and other forms of online identity theft. Nordea Bank’s recent experience shows the error of this thinking. In Nordea Bank’s widely publicized phishing scare, phishers simply acted as the “go-between”, or “man-in-the-middle” between the bank’s customers and the legitimate website, and accessed the victim’s accounts using token data solicited from unsuspecting customers 4 . Return to Website
  11. 11. Other Authentication Vendors Click to continue Passmark Sitekey Cyota eStamp PostX Anakam Cloudmark Cavion Digital Resolve Secure Computing Soltrus 41st Parameter Other Authentication Vendors All other authentication products fall under one of these 3 authentication methods. Object-based Vendors Vasco RSA = Passmark = Cyota PhishCops™ users, however, ARE more secure. PhishCops ™ also provides unbreakable security at a fraction of the cost of object-based authentication devices. Finally, PhishCops ™ utilizes user-friendly technology familiar to every internet user. 5. Source: The Washington Post, August 28, 2005 Verisign TriCipher Knowledge-based Vendors Hardware based approaches are among the most costly solutions. In addition to being costly, they are unpopular with users. The Washington Post reported on a study conducted by Gartner Research that concluded: “ devices like the RSA token are unpopular with consumers. What's more, they might not be offering the right kind of protection… These tokens mainly offer a "placebo effect" to users who want to feel more secure.“ 5 Return to Website
  12. 12. Other Authentication Vendors Click to continue Passmark Sitekey Cyota eStamp PostX Anakam Cloudmark Cavion Digital Resolve Secure Computing Soltrus 41st Parameter Other Authentication Vendors All other authentication products fall under one of these 3 authentication methods. Object-based Vendors Vasco RSA = Passmark = Cyota We agree. Physical tokens and similar hardware devices are stealable. PhishCops ™ is not. For its patent-pending “virtual” token based approach, InfoWorld Magazine awarded PhishCops™ its highest honor, the Infoworld 100 Award. Of the 100 organizations honored for their groundbreaking technological achievements, PhishCops™ was the only multi-factor authentication solution so honored. 6. Source: International Biometric Industry Association Letter to the NIST.March 15, 2004 Verisign TriCipher Knowledge-based Vendors Regarding hardware tokens, smartcards, and similar device-based authentication, the International Biometric Industry Association (IBIA) recently reported in a strongly-worded letter of concern to the National Institute of Standards and Technology: “IBIA does NOT agree that combining a token with a password offers “good” two-factor authentication… [why?] …passwords and tokens are eminently stealable .“ 6 Return to Website
  13. 13. Other Authentication Vendors Click to continue Passmark Sitekey Cyota eStamp PostX Anakam Cloudmark Cavion Digital Resolve Secure Computing Soltrus 41st Parameter Other Authentication Vendors All other authentication products fall under one of these 3 authentication methods. Object-based Vendors Vasco RSA = Passmark = Cyota Verisign TriCipher ID (Biometric) Based Vendors PhishCops ™ includes biometric notification features that does not require hardware. This feature is patent-pending and the first of its kind in the world. By integrating biometrics into our process, PhishCops™ can deliver unbreakable mathematic authentication in a form easily understandable by human beings. Knowledge-based Vendors Biometric authentication is recognized as the strongest authentication method, but biometrics can only authenticate customers to the website. Biometrics cannot authenticate the website to the customer as recommended by the FFIEC. In addition, biometric authentication is the costliest approach and hardware limitations prevent its general use. Return to Website
  14. 14. Problems reported with other solutions… Click to continue Bank of America Reports Implementation Problems with Passmark Sitekey… PCWorld 8 Bank of America spokesperson, Betty Riess “declined to comment” on whether or not the BofA's Sitekey system would even meet FFIEC requirements. 9. Source: Information Week, “Phishing Attacks Show Sixfold Increase This Year” June 13, 2005 Cloudmark, Cyota, PassMark Security, PostX, None Offer a Complete Answer to the Problem… Information Week 9 “There are a number of anti-phishing products available from companies such as Cloudmark, Cyota, PassMark Security, PostX, and others, but none offer a complete answer to the problem.…They don't confirm if a web site is legitimate". 8. Source: PCWorld, “Bank of America Delays Security Update” October 21, 2005 Passmark Sitekey: Answering the Wrong Question… IT Management News 10 “The SiteKey system fails to address the fundamental problem of phishing because it leaves the customer susceptible to the classic Man in the Middle false-storefront attack.” 10. Source: IT Management News, “PassMark's SiteKey - Answering The Wrong Question ” July 26, 2005 RSA (Cyota) is Entering Markets it has no Experience in… Gartner Group 11 “RSA Security Acquires Cyota, but Relationship Will Need Work…RSA is entering markets it has no experience in” 11. Source: Gartner Group, “RSA Security Acquires Cyota, but Relationship Will Need Work ” January 4, 2006 Other Authentication Vendors Because of their reliance on fundamentally inadequate technology and flawed processes, problems are already being reported by early adopters of other solutions. Return to Website Gartner Groups warns prospective Passmark Sitekey customers to “consider alternative vendors”… Gartner Group 7 “ Consider smaller competitors that offer similar solutions at lower prices.” 7. Source: Gartner Group, “RSA/PassMark Deal” April 27, 2006
  15. 15. Strong multi-factor authentication Both the FDIC and the FFIEC recommended implementing “strong” multi-factor authentication methods. The strongest authentication methods available are mathematic algorithms developed by the National Institute of Standards & Technology (NIST) and the Information Technology Laboratory (ITL) under the authority of the U.S. Department of Commerce 12 . These algorithms are the current standard used by all branches of the U.S. federal government. PhishCops ™ uses these unbreakable government-approved algorithms to accomplish all of its critical processes. First, PhishCops™ uses these algorithms to authenticate a website for the user in such a way that it is mathematically invulnerable to fraud or abuse. Next, P hishCops™ uses these algorithms to produce a “virtual” token which the user uses to identify themselves to the website, which token value also cannot be mathematically predicted. For a more thorough technical review of the PhishCops™ process, we invite you to refer to our technical whitepaper. Click to continue 12. Source: “Source: Processing Standards Publication 180-2. U.S. Department of Commerce, National Institute of Standards and Technology (NIST), Information Technology Laboratory (ITL). Return to Website
  16. 16. The PhishCops ™ Process The Process Explained PhishCops™ uses unbreakable mathematic authentication algorithms in a patent-pending approach that employs elements of public-key & private-key cryptography. PhishCops™ does not resort to blacklisted databases, obscure filtering, questionable public records, replicatable images, or other non-standard approaches. PhishCops™ Authentication is real authentication and is invulnerable to fraud or abuse. If the website is authentic, the user's "virtual" token generator is presented for their use. If the website is counterfeit, the generator is unavailable and a warning is presented to the user. There is no way for a phisher to compromise the process. In addition, unlike other authentication solutions, users are able to authenticate the website BEFORE divulging any website login or other confidential account information. Click to continue Return to Website
  17. 17. The PhishCops ™ Process The Process Explained First, the user types their anonymous PhishCops ™ User ID into a simple textbox on the webpage. Click to continue “ WILDMAN345” IMPORTANT: This “PhishCops™ User ID” is NOT the user’s website account login or password. If the website is a phishing website, the user will not have compromised any account login credentials. This User ID is simply an anonymous identifier which the user created during the enrollment process (or had created for them by the website owner). It acts as sort of a “virtual token device serial number”, telling the authentic website which “virtual token device” to retrieve from PhishCops.com (or from the authenticating website if they are hosting the solution). Return to Website
  18. 18. The PhishCops ™ Process The Process Explained The website performs the necessary processing to produce a “digital signature”. This signature is produced using mathematic authentication scripts previously supplied to the website by PhishCops ™. The website uses this produced “signature” to request the user’s virtual token device from PhishCops.com (or from the financial services website if they are hosting the authentication solution). Click to continue 325f8a61c85aef21fc8dba14a250420a3754e13ebef833da615637f210793c5d IMPORTANT: Only an authentic website can produce a valid “digital signature”. If the signature is invalid, authentication stops. Return to Website
  19. 19. The PhishCops ™ Process The Process Explained Since the digital signature is valid, the requested “virtual” token device is returned to the user. Click to continue IMPORTANT: Since ONLY a genuine website can produce a valid digital signature, a phishing website cannot present their victims with their virtual token device. This also means users cannot be tricked into divulging their token values to phishers and there is no device which can be lost or stolen. Return to Website
  20. 20. The PhishCops ™ Process The Process Explained The token is presented in a ‘locked’ state. The user/owner enters their 4-digit Token PIN to unlock their token in much the same way they would unlock a physical token device. This produces a valid token value which they then enter to the requesting website. Click to continue 1234 744012 Authentication is now complete. The website has been authenticated to the user because only a valid website can produce the user’s token device. The user has been authenticated to the website because only they can retrieve a valid token value from their virtual token device. Return to Website
  21. 21. The PhishCops ™ Process The Process Summary All the user has to do to use PhishCops ™ is request their virtual token device, unlock the device, and return its secure token to the website. Simple and easy. Click to continue The User: 1) enters “ WILDMAN345 ” (to request their virtual token device from the website) 2) enters “ 1234 ” (to unlock their virtual token device and generate a token) 3) returns the secure token “ 744012 ” to the website. Return to Website
  22. 22. Click to continue Other… This represents, in the simplest terms, the basic PhishCops ™ process. This presentation did not describe how PhishCops™ prevents “man in the middle” phishing attacks through our “Restricted Access” feature, how we protect user’s privacy in the event of a data breach, how we notify users that the authentication was successful through our patent-pending biometric notification feature, and many other security features of PhishCops™. Obviously, much more time will be required to explain these and other elements in detail, however we invite you to refer to the technical whitepaper on our website for a more thorough discussion. The PhishCops ™ Process Return to Website
  23. 23. Architecture Click to continue <ul><li>Architecture OPERATING SYSTEM REQUIREMENTS None. Entirely web-based. </li></ul><ul><li>SOFTWARE & HARDWARE REQUIREMENTS None. Entirely web-based using traditional HTML and server-side scripting. </li></ul><ul><li>STAFFING & SUPPORT REQUIREMENTS If the website already employs someone to maintain their website, they already have all the technical support staffing they need to support PhishCops™. </li></ul><ul><li>USER REQUIREMENTS: None. If the user can get to the internet, they can use PhishCops™. </li></ul>Return to Website
  24. 24. Architecture Click to continue Architecture Since PhishCops ™ is an entirely web-based process, interoperability is no longer a concern. Unlike other solutions which must accommodate different operating system environments, hardware constraints, and user computer configurations, PhishCops™ relies entirely on traditional html and server-side scripting. ALL websites in the world can implement PhishCops™. ALL Internet users in the world can use PhishCops™. Since PhishCops ™ uses only traditional html and server-side scripting, it can be accessed from any device with browser capabilities, including PDAs, PCs, web-effective phones, etc. Processing constraints are extremely low on the part of the hosting website. The website server performs no processing which may be different than that which the website currently performs. The solution is also infinitely scalable to accommodate future growth. Return to Website
  25. 25. Sestus Data Corporation Click to continue Sestus Data Corporation Company Background PhishCops™ is solely owned by Sestus Data Corporation. Headquartered in Phoenix, Arizona, Sestus Data Corporation has created innovative solutions to internet challenges for more than 10 years. Sestus Data Corporation is entirely self-funded and maintains development and support staff in both the United States and Canada. The PhishCops™ Project Development of PhishCops™ began in 2004 in response to the growing problem of internet account hijacking and identity theft. PhishCops™ is copyrighted, patent pending, and is protected by both U.S. and international laws. Industry Recognition PhishCops™ was recently rated #1 among multi-factor authentication solutions for ease of implementation and overall low-cost of ownership, and it was the only multi-factor authentication solution to receive InfoWorld's highest honor, the InfoWorld 100 Award. Within the past 30 days, we have facilitated 3528 live demonstrations and 286 companies have contacted us for additional information or to begin a free 14-day trial implementation.  Government Praise PhishCops™ uses unbreakable mathematic authentication algorithms developed by the National Institute of Standards and Technology (NIST) and the Information Technology Laboratory (ITL) under the authority of the U.S. Department of Commerce. For its use of these unbreakable authentication algorithms in a revolutionary new approach to internet security, in 2005 the U.S. government named PhishCops™ a semi-finalist for the Homeland Security Award, the only multi-factor authentication solution ever named to this award. Return to Website
  26. 26. Thank You Contact Information: Sestus Data Corporation 10030 W. McDowell Rd. Suite 150-508 Avondale, AZ 85323 USA Tel: (800) 788-1927 Fax: (800) 741-9048 Email: [email_address] End of Presentation Return to Website

×