Todd R. Weiss, Computerworld
What's in your wallet may not be the most secure, antifraud credit card available.
A new study of credit cards from 25 of the largest issuers found that many still fall short of protecting users from fraud.
The report, released by Javelin Strategy & Research, a Pleasanton, Calif.-based financial services research firm, found that while almost all card issuers do well in helping their customers after fraud or theft occurs, many need to upgrade their identity fraud detection tools.
Among the key deficiencies:
-- 56 percent of the 25 card issuers surveyed continue to require full Social Security numbers to help identify their customers, whether by phone, online or by mail. "This is a risky practice that unnecessarily increases the customer's exposure to identity fraud," the report states.
-- Consumers are not allowed to set transaction limits or block certain types of transactions using their credit cards, such as restricting card use to purchases made only with U.S. vendors, according to the study. In fact, only 24 percent of the surveyed card issuers allow consumers to set so-called user-defined limits and/or prohibitions (UDLAPs) on their accounts to help prevent unauthorized use, the study concluded.
-- While more card issuers now offer consumers e-mail or telephone "transaction alerts" to advise them of account activity, the number of participating card companies is still small -- about 8 percent.
Not all of the news is bad, however.
Customers do appear to be safer logging into their accounts online than they have been in the past, because of the widespread use of multifactor log-in processes, which require a username, a password, identifying information such as a photograph placed by the user, and a correct answer to a challenge question, according to the study. More than 80 percent of the surveyed card issuers are now using authentication processes with a multifactor approach.
The Javelin report rated the card issuers using three criteria: prevention, detection and resolution. The top safety scorecard honor went to Bank of America's Visa Platinum card, which received 69 out of a possible 80 points, earning high marks for prevention techniques. The American Express Blue card finished second with 66 points, winning high ratings for detection protections for cardholders.
Two card issuers tied for third place with 64 points each -- the Discover Platinum Card and First National Bank Omaha's Platinum Edition Visa Card.
Rachel Kim, a Javelin risk and fraud analyst who wrote the study, said credit card security continues to evolve. "We're seeing that issuers are always going to be doing a great job in resolution," she said. "But detection is where they need to amp up their efforts."
The continued use of easy-to-steal and easy-to-obtain Social Security numbers as identification criteria by credit card issuers is "pretty scary," Kim said. "They don't have any need to use the entire Social Security number. They can just use the last four digits. It's just something they have been doing for so long. I am sure that over the next few years we will see a decrease in usage."
Another step that more card issuers need to take is to provide an alert system for customers to quickly determine if a credit card is being used without authorization or if personal information, including passwords or addresses, is being changed fraudulently. "We definitely see a need for more issuers to offer alerts for changes in personal information," Kim said. "You should definitely be sent an e-mail alert if your password is changed."
She also called on card issuers to provide additional UDLAP options for customers.
This was the third annual Javelin report on card security, but changes in methodology this year don't allow easy comparisons to past reports, Kim said.
The Javelin study was conducted anonymously using a "mystery shopper" approach between April 15 and June 15 of this year through interviews by Javelin researchers with card issuer customer service representatives and through reviews of card issuer Web sites.
The card issuers surveyed by Javelin for the report were: Advanta, American Express, Bank of America, BB&T, RBS National, Capital One, Citibank, Commerce Bank, Discover, Fifth Third Bank, FNB Omaha, GE, Washington Mutual, Wells Fargo, HSBC, National City Bank, Navy Federal Credit Union, Nordstrom Bank, JPMorgan Chase, State Farm Bank, SunTrust Banks, Target, US Bancorp, USAA and Wachovia.
Although Barclays is a top 25 issuer, the researchers were unable to complete the interviews because of the absence of call centers. As a result, Barclays was removed from the list of surveyed issuers, with SunTrust Banks Inc. taking its place, according to Javelin.