Shareholder Authentication (published 2015)

• Table of Contents
• Introduction
  • Universe of Transactions
    • Nature of Participants in Shareholder Transactions
    • Types of Shareholder Transactions
    • Means of Transmission of Transaction Requests
• Authentication In Theory
  • Principles of Authentication
    • The First Authentication Factor: What You Know
    • The Second Authentication Factor: What You Have
    • The Third Authentication Factor: What You Are
    • Multi-Factor Authentication
    • Non-Traditional Authentication Factors
    • Mutual Authentication
    • Positive and Negative Authentication Factors
  • Limitations of Authentication
    • Limitations of Authentication Measures in Common Use
    • Limitations of Authentication Measures Generally
• Authentication In Practice
  • Technological Solutions
    • Shareholder Knowledge
    • Hardware and Software Tokens
    • Biometrics
    • Behavioral Patterns
    • Protection of Authenticated Sessions
    • Authentication of Devices
    • Authentication of Transactions
    • Authentication of Fund Groups (Mutual Authentication)
  • Operational Initiatives
    • Overall Threat Environment
    • Risks Associated with Authentication Systems
    • Risks Associated with Particular Transactions
    • Potential Legal Consequences of Transactional Fraud
    • Limiting Potential for Damage from Fraudulent Transactions
    • Protection of Online Transaction Systems
  • Educational Efforts
    • Employee Training and Awareness
    • Shareholder Awareness
• Insurance
• Glossary
• Further Reading

Fund groups typically take strong steps to ensure that online transaction systems are protected, both from external and internal threats, through appropriate network security measures. Moreover, these online transaction systems are generally segregated from other computer systems through the use of firewalls and/or DMZs (i.e., firewall-protected servers that are set up in the “demilitarized zone” outside the perimeter of a corporate network). A full discussion of relevant network security measures for online transaction systems is beyond the scope of this study, but has been described in greater detail in ICI Mutual’s prior risk management studies on computer security, identity theft, and digital age risks.

Fund groups also take steps to protect authentication-related information that is stored on online transaction systems. While storing passwords in plain text creates an obvious vulnerability, merely encrypting them, as was the case in Adobe’s 2013 data breach (in which over 150 million records were breached), still leaves a significant vulnerability.¹ (Because encryption is designed to be a reversible operation, a fraudster obtaining a list of encrypted passwords would likely be able to recover at least some of those passwords.) To address this vulnerability, fund groups tend to store passwords that have been “salted” (i.e., additional characters are added to the passwords) and then “hashed” with an algorithm that is designed to be irreversible. Salting and hashing passwords (preferably with a slow hashing algorithm, thus increasing the amount of time needed for a successful brute force attack) makes it significantly more difficult for a fraudster to recover passwords.²

1. See Steve Ragan, Adobe confirms stolen passwords were encrypted, not hashed, CSOONLINE.COM (Nov. 4, 2013), http://www.csoonline.com/article/2134124/network-security/adobe-confirms-stolen-passwords-were-encrypted-not-hashed.html; Alex Hern, Did your Adobe password leak? Now you and 150m others can check, THE GUARDIAN (Nov. 7, 2013), http://www.theguardian.com/technology/2013/nov/07/adobe-password-leak-can-check.
2. Storing Passwords - The Wrong, Better and Even Better Way, WEBLINKS (June 21, 2009), https://wblinks.com/notes/storing-passwords-the-wrong-better-and-even-better-way/.