Headline
News: Virtual Token™ authentication
in the Press
Headline
News: Virtual Token™ authentication in
the Press The
following is a collection
of recent news stories
regarding Virtual Token™ authentication.
"authentication
methods that required
the most effort by members,
such as installing software
toolbars, configuring
browser certificates,
or registering questions
and secret images, were
reported to be the most
difficult to support
and contributed to the
greatest loss of online
member activity. Those
methods that involved
the least effort by
members, such as Virtual Token™ authentication,
rated the best."
Multi-Factor Fallout: The Plusses And Minuses
Of "Security By
The Regs" "We
assumed everyone knew
that challenge-response
systems do not meet
the regulatory definition
of MFA," Willis
explained. "By
rejecting true MFA in
favor of these less
costly approaches, financial
institutions have, instead,
actually made the situation
much worse. Through
the widespread use of
challenge-response,
consumers are being
conditioned to disclose
their confidential personal
information, such as
maiden names and high-school
names, on a scale never
before seen. "It
doesn't take a rocket
scientist to understand
why this is unpopular
with consumers,"
Willis continued, adding
that he's seeing "unusually
high" interest
in Virtual Tokens™ from organizations
that are currently depending
on C-R."
"The
C-R paradigm will be
short-lived, agreed
Rick Rhoads, senior
vice president, eServices,
at the $13.5-billion
State Employees CU (SECU)
in Raleigh, N.C..."
Unlike
most existing Internet
banking security tools-which
are wearing thin under
today's man-in-the middle
attacks and invisible
malware- Virtual Token™ authentication doesn't
rely on "mother's-maiden-name"
challenge questions
or familiar images,
according to $314-million
First Florida CU and
$197-million Envision
CU, which recently launched
Virtual Tokens™. "Originally,
we had signed with another
vendor that used challenge
questions as an authentication
factor," said Tim
Brown, chief technology
officer at First Florida
in Jacksonville, Fla.,
which went live with
Virtual Tokens™ in April.
"But then we realized
we didn't want to force
our members to give
out any personal information
that could be phished
in the future,"
Brown said."
"Virtual Tokens™
stand up against current
threats, said Shea Lambert,
director of IT for United
Solutions Company, the
Tallahassee, Fla.-based
CUSO that provides Virtual Tokens™.
"Other products
can't protect your members
from man-in-the-middle
attacks and hostile
proxies," asserted
Lambert. "Virtual Tokens™
can. Even with a stolen
account number and password,
a thief can't get into
an account."
"Giant
management and technology
consultancy BearingPoint,
Inc., of McLean, Va.,
recently told Credit
Union Journal it would
switch to Virtual Tokens™."
Vulnerability
of Passmark Sitekey
at Bank of America Reported "Virtual Tokens™
represent the
next-generation in online
security, replacing
vulnerable logins and
passwords, expensive
hardware tokens, difficult-to-manage
software, and vulnerable
“challenge-question”
approaches, with an
unbreakable, government-approved,
mathematic multi-factor
authentication approach."
Bank
of America and Passmark
SiteKey: Trouble in
Paradise? "There
is one multi-factor
authentication solution
that does not solicit
personal information
from customers, that
uses government-approved
authentication algorithms
instead of vulnerable
images and shared secrets,
and which does not require
“tinkering” to keep
it one step ahead of
phishers. Virtual Tokens™
by Sestus..."
Dramatic
Breakthrough in Out-of-Band
Authentication "On
May 22, 2006, Sestus announced
the release of its long
awaited Virtual Tokens™ SAFE
out-of-band authentication
solution. Virtual Tokens™ is the world’s
first SMS Authentication
Facilitation Engine
capable of solving the
problem of altered transactions. Virtual Tokens™ SAFE is built on
the patent-pending Virtual Token™
technology and represents
a drastic paradigm shift
in out-of-band authentication.
It is destined to radically
change the dynamics
of the war against online
identity theft."
2-Factor
Authentication: Will
Financial Institutions
Really be More Secure?
"Even more encouraging
for business owners
is the fact that, in
a recent survey of competitive
solutions reported on
Yahoo News, Virtual Token™ authentication
was rated #1 among two-factor
authentication solutions,
offering the lowest
total cost of ownership
with the fastest implementation
time and minimal support
requirements."
Financial
Institutions Confused
About FFIEC Regulations "Virtual Token™ authentication
authentication methods
also appear to be stronger
than those used by most
hardware-based token
vendors. The National
Institute of Standards
and Technology, a government
standards body, has
recently called for
all regulatory agencies
and commercial security
firms to migrate their
technologies away from
the aging SHA-1 OATH
standard used by most
hardware-based token
vendors, to the newer
SHA-256 standard (which
is used by Virtual Token™ authentication)
by 2010."
FFIEC
& Tokens: Hardware
Tokens Do Not Mitigate
Phishing "Virtual Token™ authentication
by Sestus
satisfies both of the
FFIEC’s recommendations
using a "virtual",
or hardware-free two-factor
token processor, with
invulnerable website
authentication, in a
single integrated solution...
Virtual Token™ authentication was designed
from its inception in
accordance with FDIC
and FFIEC regulatory
requirements and the
U.S. government recently
named Virtual Token™ authentication a semi-finalist
for the 2005 Homeland
Security Award."
Phishing,
Account Hijacking Myths
Exposed "In
fact, of all the anti-phishing
solutions recently announced
in the press, the only
one that actually employs
an approved strong authentication
method to authenticate
the website itself is
Virtual Tokens™ by Sestus. Virtual Tokens™
use algorithms approved
by the U.S. Dept of
Commerce for use in
authenticating sensitive
data and applies these
algorithms to proactively
authenticate websites
using a 100% web-based
approach. It does not
rely on any database
of ‘blacklisted’ phishing
websites, filtering
rules, additional login
process layers, or on
potentially fraudulent
‘whois’ or IP records."
