BreachExchange mailing list archives

Banks Rely Too Heavily On Social Security Numbers, Report Finds


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Wed, 7 Dec 2011 01:45:56 -0500

Banks Rely Too Heavily On Social Security Numbers, Report Finds

http://bucks.blogs.nytimes.com/2011/12/06/banks-rely-too-heavily-on-social-security-numbers-report-finds/

Banks can do better at protecting their customers from the risk of
identity fraud, a new report from Javelin Strategy & Research finds.

The firm’s annual Banking Identity Safety Scorecard looked at the
consumer-security practices of 25 large banks and credit unions. It
found that far too many still rely on customers’ Social Security
numbers for authentication purposes — for instance, to verify a
customer’s identity when he or she wants to speak to a bank
representative over the telephone or re-set a password.

All banks in the report used some version of the Social Security
number as a means of authenticating the customer, Javelin found. The
pervasive use of Social Security numbers was surprising, given the
importance of Social Security numbers as a tool for identity theft,
said Phil Blank, managing director of security, risk and fraud at
Javelin.

Customers must provide their Social Security number when opening a
bank account, he said, but it shouldn’t be used routinely for other
purposes, because telling people to keep their number private but
habitually asking for it sends the wrong message. “This is something
the financial institutions really need to do some work on,” he said.
“The consumer should not be trained that it’s O.K. to give up your
Social Security number.”

Even partial numbers should be avoided, the report said, because as
they have become more widely used, they have become a common target
for phishing. “Along with the mother’s maiden name, a truncated
version of the S.S.N. is not an effective means of identifying the
consumer,” the report says.

The average score of banks in the report was 56 out of a possible
total of 100 points, based on criteria that included steps to prevent,
detect and resolve fraud.

Banks should also improve their ability to send alerts automatically
to customers when crucial changes are made to an account, Mr. Blank
said. Nearly three-fourths of the banks in the analysis offered alerts
for a change of address, but just 20 percent let customers set up an
alert in the event another registered user is added to the account —
even though that technique is one way criminals can gain access to
bank accounts. “That’s one of the basic ways account takeovers
happen,” he said.

Banks can be proactive with their behind-the-scenes behavior analysis,
which helps them detect unusual patterns that might be cause for
suspicion and alert the consumer. But the option for automatic alerts
is important, he said, because “no one knows your financial habits
better than you do.”

On the plus side, 40 percent of the banks in the report offered free
browser security software, Javelin found.

Have you recently been asked for your Social Security number when
contacting your bank? Does that concern you?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
