Technological Solutions
Fund groups may adopt a variety of technological measures, both positive and negative, to authenticate each of the various elements of a shareholder transaction: (1) the person (i.e., the shareholder); (2) the device that he or she is using to effect the transaction; (3) the details of the transaction at issue; and (4) the fund group itself.
Fund groups have tended to focus primarily on the first of these elements—i.e., authenticating the person. This has typically been accomplished through Single-Factor Authentication measures based on shareholder knowledge. Less commonly, fund groups have begun to employ other types of authentication measures, such as those based on hardware or software tokens or on Biometrics or behavioral patterns. Moreover, once fund groups have authenticated the person, they often take steps designed to protect the integrity of a properly authenticated session so as to provide assurance that the person on the other side of the transaction continues to be the properly authenticated person. In this regard, fund groups may, for example, terminate a session after some period of inactivity.
Separate and apart from authenticating the person, some fund groups also seek to authenticate the device (e.g., a telephone, computer, or mobile device) that is being used to effect a given transaction. Here, the focus is on whether the particular device has previously been used by the shareholder. Thus, for example, in telephone transactions, a fund group might use caller ID to determine the originating telephone number and compare that number to numbers used by the shareholder in prior transactions. In online transactions, there are a variety of means (e.g., through the use of “cookies” or by examining the configuration of the device used) by which a fund group might ascertain that the device being used is the same device previously used by the shareholder.
Fund groups may also seek to authenticate the transaction itself (i.e., the details of the transaction) by establishing that a given transaction is consistent with previous transactions made by the same shareholder, and is therefore more likely to be legitimate. Authentication of transactions, whether after the fact or in real time, tends to reduce the incidence of fraudulent transactions without significantly affecting ease of use or shareholder convenience.
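As an added illustration (not from the original paper or any particular fund group), the following Python sketch combines the device check, the transaction-consistency check, and the session inactivity timeout described above into one decision; the profile schema, thresholds, outcome labels, and sample history are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev

SESSION_IDLE_LIMIT = timedelta(minutes=15)  # assumed inactivity threshold

@dataclass
class ShareholderProfile:
    """What the fund group already knows about one shareholder (hypothetical schema)."""
    known_devices: set = field(default_factory=set)    # cookie/fingerprint ids or caller-ID numbers seen before
    prior_amounts: list = field(default_factory=list)  # amounts of earlier transactions
    prior_payees: set = field(default_factory=set)     # destination accounts used before

def session_expired(last_activity: datetime, now: datetime) -> bool:
    """Session integrity: an idle session past the limit must re-authenticate the person."""
    return now - last_activity > SESSION_IDLE_LIMIT

def device_known(profile: ShareholderProfile, device_id: str) -> bool:
    """Element 2: has this device (or originating phone number) been used by the shareholder before?"""
    return device_id in profile.known_devices

def transaction_anomalies(profile: ShareholderProfile, amount: float, payee: str) -> list:
    """Element 3: reasons the transaction is inconsistent with the shareholder's history."""
    reasons = []
    if payee not in profile.prior_payees:
        reasons.append("new payee")
    if profile.prior_amounts:
        mu, sigma = mean(profile.prior_amounts), pstdev(profile.prior_amounts) or 1.0
        if amount > mu + 3 * sigma:  # assumed threshold: three standard deviations above the mean
            reasons.append("amount far above history")
    return reasons

def assess(profile, device_id, amount, payee, last_activity, now) -> str:
    """Combine the checks: 'deny', 'allow', 'step-up' (e.g. out-of-band confirmation) or 'hold'."""
    if session_expired(last_activity, now):
        return "deny"
    reasons = transaction_anomalies(profile, amount, payee)
    if not device_known(profile, device_id):
        reasons.append("unrecognized device")
    if not reasons:
        return "allow"  # consistent with history: no added friction for the legitimate shareholder
    return "step-up" if len(reasons) == 1 else "hold"

SAMPLE = ShareholderProfile(  # constructed sample history for one shareholder, not real data
    known_devices={"cookie:7f3a", "tel:+1-555-0100"},
    prior_amounts=[500.0, 650.0, 600.0, 550.0],
    prior_payees={"bank:****1234"},
)
```

A single anomaly only adds a step-up challenge, so the legitimate shareholder's routine transactions pass without friction while an unfamiliar device sending a large sum to a new payee is held for review.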
Many fund groups also take steps to ensure that shareholders are able to authenticate the fund groups themselves (i.e., to confirm the identity and validity of the shareholders’ online connections to the fund groups). Often, this form of “mutual authentication” is accomplished through digital certificates signed by a trusted certifying authority or through the use of security images.