April 26, 2024

Bucks Blog: Banks Rely Too Heavily On Social Security Numbers, Report Finds

Banks can do better at protecting their customers from the risk of identity fraud, a new report from Javelin Strategy Research finds.

The firm’s annual Banking Identity Safety Scorecard looked at the consumer-security practices of 25 large banks and credit unions. It found that far too many still rely on customers’ Social Security numbers for authentication purposes — for instance, to verify a customer’s identity when he or she wants to speak to a bank representative over the telephone or reset a password.

All banks in the report used some version of the Social Security number as a means of authenticating the customer, Javelin found. The pervasive use of Social Security numbers was surprising, given the importance of Social Security numbers as a tool for identity theft, said Phil Blank, managing director of security, risk and fraud at Javelin.

Customers must provide their Social Security number when opening a bank account, he said, but it shouldn’t be used routinely for other purposes, because telling people to keep their number private but habitually asking for it sends the wrong message. “This is something the financial institutions really need to do some work on,” he said. “The consumer should not be trained that it’s O.K. to give up your Social Security number.”

Even partial numbers should be avoided, the report said, because as they have become more widely used, they have become a common target for phishing. “Along with the mother’s maiden name, a truncated version of the S.S.N. is not an effective means of identifying the consumer,” the report says.

The average score of banks in the report was 56 out of a possible total of 100 points, based on criteria that included steps to prevent, detect and resolve fraud.

Banks should also improve their ability to send alerts automatically to customers when crucial changes are made to an account, Mr. Blank said. Nearly three-fourths of the banks in the analysis offered alerts for a change of address, but just 20 percent let customers set up an alert in the event another registered user is added to the account — even though that technique is one way criminals can gain access to bank accounts. “That’s one of the basic ways account takeovers happen,” he said.

Banks can be proactive with their behind-the-scenes behavior analysis, which helps them detect unusual patterns that might be cause for suspicion and alert the consumer. But the option for automatic alerts is important, he said, because “no one knows your financial habits better than you do.”

On the plus side, 40 percent of the banks in the report offered free browser security software, Javelin found.

Have you recently been asked for your Social Security number when contacting your bank? Does that concern you?

Article source: http://feeds.nytimes.com/click.phdo?i=6d3353f192406743f9d32898c92b9214