Shareholder Authentication (published 2015)

Limitations of Authentication

Authentication measures have their limitations. Some of the authentication measures in common use by fund groups have become less effective over time. In particular, the single-factor username/password combination historically (and still commonly) used by fund groups to authenticate shareholders may, for various reasons, offer less absolute protection against fraud than it has in the past. A username/password combination (as well as other personal information) can be at risk of being lost or misappropriated (e.g., in the event of large-scale data breaches). Even absent misappropriation, fraudsters have become quicker and more sophisticated at cracking ever stronger passwords (including those with numbers, special characters, and a mix of capitalization).

Similarly, the information underlying Knowledge-Based Authentication questions (e.g., a user’s mother’s maiden name or the name of a childhood pet) may be lost or misappropriated in large-scale data breaches. Even absent misappropriation, such questions may offer less absolute protection than in the past; with the rise of social media, such underlying knowledge-based information has tended to become more broadly available and accessible to fraudsters.

Authentication measures are subject to more general limitations as well. For example, the strength of a password—or, indeed, of stronger authentication measures—may be irrelevant if a fraudster compromises the systems of a financial institution and then causes such systems to transfer money or initiate transactions. Password strength is likewise irrelevant if a fraudster is otherwise able to circumvent the need for the password. For example, in a Man-in-the-Middle Attack, a fraudster may “hijack” a session in which a user has already been authenticated by an organization. Because the fraudster is impersonating both the user (to the organization) and the organization (to the user), neither party may be aware that the session has been hijacked.