Credit card companies could make customers' accounts and identities more secure with a few simple steps.
That's what consulting firm Javelin Strategy & Research said in a study released Tuesday that looks at the policies banks use to protect customer data.
Javelin gave Bank of America Corp. its highest score for safety among the top U.S. card issuers, 87 out of 100 points. Bank of America is the third largest U.S. card issuer, based on how much is spent on their cards.
The biggest card issuer, American Express, was ranked seventh for safety with 66 points. The second largest, JPMorgan Chase, was ranked sixth with 67 points.
The study gave a maximum 45 points for prevention efforts, 35 points for detecting fraud and 20 for resolving problems once they were discovered. The average score for the 23 card issuers examined was 59.
The study found that card companies do a good job resolving fraud problems once they occur _ averaging 18 out of 20 points. But they fall short on prevention, averaging just 24 of the 45 points, and detection, averaging 17 of 35.
"The most troubling area is prevention," said Phil Blank, Javelin's managing director of security, risk and fraud and a co-author of the study. "Prevention, frankly, is the area that has the biggest payback, not only for the financial institution, but for the consumer as well."
Account fraud totals about $37 billion annually, the study said.
The study looked only at the security efforts employed by banks that are visible to the customer, but acknowledged that a great deal of money is spent behind the scenes.
Blank said banks can do things like create text message alerts that would contact a card holder when large purchases are made, for example, or when purchases are made without the card present, such as through a telephone or Internet order.
A system that requires the card holder to approve such a purchase could drastically cut down on fraud, particularly since transactions where the card isn't presented are among the most common problems, he said.
Another big issue: banks should stop asking customers to provide their Social Security numbers as a routine form of identification. Social Security numbers are one of the prime targets for fraudsters, he said. "We're training the consumer that it's OK to give up their Social Security numbers."
It also makes sense for banks to limit online access to accounts if customers don't have updated anti-virus software on computers and mobile devices, he said. In Europe, online access is more restricted, Blank said, but banks in the U.S. are reluctant to take such steps.
"Time and time again our research shows that the consumer wants to be involved and wants to be at the center of security," Blank said.
There are also steps that consumers can take to protect themselves, he said, including updating anti-virus software and carefully reviewing statements for unexpected charges. Even a $1 charge could be a signal that a crook has an account number and is testing the card holder to see if they notice anything unexpected.
Consumers who have been notified by their card companies that their accounts were part of a data breach should be especially cautious, Blank said. Separate research from Javelin has found that being part of a breach makes an individual six times more likely to be the victim of fraud or identity theft.
When hackers can get consumer information through attacks like the recent breach at Citibank, they can then use what they have to mine more data from the Web about those individuals. That makes it easier to send targeted emails to individuals that mimic messages from the bank _ a process known as "spear phishing," which takes the bogus email efforts known as "phishing" to the next level by incorporating personal information. "The attacks that we're seeing now are much, much more sophisticated than the attacks we were seeing in the past," Blank said.