Banks rated for ID theft

SAN FRANCISCO--Looking for a bank that protects well against identity theft? Bank of America, JP Morgan Chase and Washington Mutual are your best bets, according to a new report.

Out of 24 of the top financial institutions in the U.S., these three banks scored best in a test of their ability to prevent, detect and resolve ID theft, Javelin Strategy & Research said in its annual Banking Identity Safety Scorecard, released Tuesday. KeyBank and Marshall & Ilsley Bank also receive honorable mentions in the report.

Most banks do especially well in resolving identity fraud, such as dealing with disputed transactions on accounts, James Van Dyke, president of Javelin Strategy & Research, said in a presentation at American Banker's 3rd Annual Identity Theft and Fraud Symposium here.

"Prevention and detection are really the next frontier," Van Dyke said. "Financial institutions focus much more on resolving problems after they occur rather than stopping them up front."

Last year, identity theft for the third straight year topped the list of fraud complaints reported to the Federal Trade Commission. Consumers filed more than 255,000 identity theft reports to the FTC in 2005, accounting for more than a third of all complaints the agency received.

Together the 24 banks covered by the Javelin Strategy & Research report cover about 60 percent of the U.S. banking market. The study probed 26 customer-facing capabilities and features of banks, online as well as offline. Mystery callers, for example, phoned banks to try out the customer service representatives, Van Dyke said.

ID theft prevention had the most weight in evaluation. Bank of America's high standing was helped by its introduction of SiteKey, image and text checks that let people know they are on an authentic Bank of America Web site and also verify the identity of the customer. Other financial institutions are expected to introduce similar features soon, Van Dyke said.

"Only Bank of America had two-factor authentication" when we compiled the study results a few weeks ago, he said. "Of course we're going to see a land grab," he added. That's mostly because the Federal Financial Institutions Examination Council last October recommended that banks introduce multiple-factor authentication by the end of 2006.

One way to improve prevention and detection is through alerts. Banks could let customers set up e-mail or cell phone text message alerts, for example, Javelin Strategy & Research said. Another way could be to promote online account monitoring and advanced protection against phishing scams that seek to trick people into giving up account details, the research firm said.

The report covered the following banks: AmSouth, Bank of America, Bank of New York, BB&T, Citibank, E*Trade, Fifth Third Bank, HSBC, JP Morgan Chase, KeyBank, M&T Bank, Marshall & Ilsley Bank, National City Bank, Navy FCU, NetBank, PNC Bank, Regions Bank, Sovereign Bank, SunTrust, Union Bank of California, US Bank, Wachovia, Washington Mutual, and Wells Fargo.

[Gerald Quaglia]

Worthless story

Since you didn't name the banks nor include a link to the list.

[Sunflare98]

Totally agree

I agree - if you're going to make a new article about something - give the proof behind it. Otherwise, it's purely speculation like the worthless blogs on this site.

[becareful]

Typical Bank Breast-beating

From personal experience I can attest that Bank of America is one of the worse groups to deal with in cause of ID theft. I could not believe how poorly they handled everything even after being notified by account holder and law enforcement. I was amazed they continued to allow funds to be withdrawn fraudulantly and took their sweet time in replacing the money even after verifying it was fraudulent taken.
They totally stink in customer service and resolving problems they create. I am still out $190.00 that they paid out in error.

[gbonawitz]

man in the middle attack

Wouldn't SiteKey still be subject to Man-in-the-middle attacks?

[aabcdefghij987654321]

Keyloggers are more apt to be a problem

than a man-in-the-middle attack. It's generally easier these days to compromise a system and install loggers and other software to capture the user's information as they enter it. The man in the middle attack takes more work.

[yhwang2000]

about MIM attacks

Yes, the Sitekey will not resolve the problem of the Man-in-the-Middle attack. The fraudulent web site can get the image from the network and resend to the customer to personate the bank site. To solve MIM attack, we need two-way strong authentication scheme. Anyone could contact me if interested.(yhwang2000@gmail.com)

[Microbreak]

US Bank Offers Text Message Alerts

Or you can opt for email notification if that's what you'd prefer.

[ml_ess]

Setting a standard

It's great to hear (FOR ONCE!) that these financial organizations are actually doing something to protect their customers. Usually, especially on sites like CNet, all we hear about is security breaches and identity theft stories.

So now other financial firms need to up their security measures in order to compete with these giants. At the same time, there are things that we, as consumers, can do to secure our information... like being careful about the info we give out over the phone and email (<a class="jive-link-external" href="http://www.essentialsecurity.com/news.htm?id=44" target="_newWindow">http://www.essentialsecurity.com/news.htm?id=44</a>).

[Des Alba]

Bank of America IS REALLY GOOD!

I have been banking with them for years. The logon ID verification procedures with the key questions can be trying at times when you are in a hurry. One way to overcome that is to dedicate only ONE PC for access to the bank's network so that their security system can recognize you. This isn't an option if you choose to use numerous different PCs at different locations to do your banking. I wish all my financial dealings were this well protected as those with Bank of America.

[wbenton]

There's much more to the story

If they rate banks ONLY on whether they use two-factor authentication or not... you're going to get unreliable results.

There's much more than just two-factor authentication.

And is this just over the internet? Then what about those who don't offer any internet online banking.

I wonder who put you guys up to this... they really suckered you in good on this one.

ALL banks follow ANSI standards. And most of those ANSI standards are based around FIPS standards.

I smell a rat somewhere in the crowd!!!

Walt

[jypeterson]

BofA -- My vote!

I actually had my debit card number/pin compromised through a recent nationwide hacking of wireless terminals at merchant locations. My number was used to try an purchase items in Russia, and BofA automatically blocked all charges over $50 within minutes of that attempt. The charge never went through, and I had to recieve a new card, but I never lost any money from my account.

Banks have more to lose that costomers as they guarantee the replacement of monies stolen out of bank accounts. They should come up with new technologies to ensure the protection of consumer identity. It is their image and money on the line.

[mveronica]

Do it right and get a life long customer...

I totally agree with you. Businesses need to take into account the reputation they're setting for themselves and how rewarding it will be to setup security measures that really do protect their customers. In your case specifically jypeterson, now they have a life long customer. I too have noticed BofA action towards trying to make banking more safe. Other banks should learn from them or atleast read this article:

<a class="jive-link-external" href="http://www.essentialsecurity.com/news_business.htm?id=136" target="_newWindow">http://www.essentialsecurity.com/news_business.htm?id=136</a>

[mveronica]

How to get a life long customer

Exactly

[mveronica]

How to get a life long customer....cont'd

Companies need to start realizing that their reputation is on the line when they don't start ensuring the security of their customers. Other banks should take a lesson from B of A, or atleast take the time to read this article:

<a class="jive-link-external" href="http://www.essentialsecurity.com/news_business.htm?id=136" target="_newWindow">http://www.essentialsecurity.com/news_business.htm?id=136</a>