Shareholder Authentication (published 2015)

• Table of Contents
• Introduction
  • Universe of Transactions
    • Nature of Participants in Shareholder Transactions
    • Types of Shareholder Transactions
    • Means of Transmission of Transaction Requests
• Authentication In Theory
  • Principles of Authentication
    • The First Authentication Factor: What You Know
    • The Second Authentication Factor: What You Have
    • The Third Authentication Factor: What You Are
    • Multi-Factor Authentication
    • Non-Traditional Authentication Factors
    • Mutual Authentication
    • Positive and Negative Authentication Factors
  • Limitations of Authentication
    • Limitations of Authentication Measures in Common Use
    • Limitations of Authentication Measures Generally
• Authentication In Practice
  • Technological Solutions
    • Shareholder Knowledge
    • Hardware and Software Tokens
    • Biometrics
    • Behavioral Patterns
    • Protection of Authenticated Sessions
    • Authentication of Devices
    • Authentication of Transactions
    • Authentication of Fund Groups (Mutual Authentication)
  • Operational Initiatives
    • Overall Threat Environment
    • Risks Associated with Authentication Systems
    • Risks Associated with Particular Transactions
    • Potential Legal Consequences of Transactional Fraud
    • Limiting Potential for Damage from Fraudulent Transactions
    • Protection of Online Transaction Systems
  • Educational Efforts
    • Employee Training and Awareness
    • Shareholder Awareness
• Insurance
• Glossary
• Further Reading

Financial institutions (including fund groups) are potentially subject to an array of cyber-related threats from a variety of actors, including hackers, identity thieves, state-sponsored actors, and organized crime groups. But not all of these actors present the same threat level with respect to authentication issues. For fund groups concerned with the potential for transactional fraud, one significant threat is from identity thieves who, acting alone or with the assistance of larger groups, may target fund shareholders. For financial institutions more generally, concerns have also been voiced about other actors, including organized crime groups, who may mount broader attacks that exploit vulnerabilities in authentication systems.¹

The threat environment for fund groups has changed not only as a result of the emergence of malevolent external actors, but also for more benign reasons. The continued evolution in the nature and scope of shareholder services, and in the channels of communication used by shareholders, may increase or otherwise alter fund groups’ risk exposures with respect to authentication issues. For example, some fund groups have expanded the range of shareholder services that they provide online or over the phone and/or have expanded available channels of communication (e.g., through the development of mobile apps). Meanwhile, shareholder behavior continues to shift, as shareholders increasingly adopt online access, use mobile apps, and move toward omnibus accounts.

These general changes in the threat environment highlight the need for fund groups to engage in periodic re-assessments of the risks they face with regard to shareholder authentication. Periodic re-assessments may also be warranted by specific events. For example, a vulnerability exposed in 2014—the “Heartbleed” flaw in Internet encryption—caused some fund groups to focus immediate attention on designated authentication issues. According to press reports and fund group websites, at least one fund group at that time advised its customers to change their potentially compromised passwords and to take other steps to protect their accounts,² while a number of fund groups thought it appropriate to advise that their websites and services were not affected by Heartbleed.³

1. See, e.g., FFIEC, Supplement to Authentication in an Internet Banking Environment (June 22, 2011), https://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20%28FFIEC%20Formated%29.pdf (describing changes in the threat landscape since 2005).
2. See American Funds urges password change to counter ‘Heartbleed’ bug, Reuters.com (Apr. 16, 2014), http://www.reuters.com/article/2014/04/16/cybersecurity-heartbleed-funds-idUSL2N0N81DC20140416 (reporting that one fund group was advising shareholders to change their passwords and security questions and to delete their browsing history and cookies in the wake of the disclosure of the Heartbleed bug); Joe Morris, American Funds Warns of Heartbleed Risk, Ignites.com (Apr. 17, 2014), http://ignites.com/c/860784/77724.
3. See, e.g., Fidelity: Sites Safe from Heartbleed Bug, Ignites.com (Apr. 10, 2014), http://ignites.com/c/857834/77314.