Hackers are getting smarter when it comes to stealing your personal account information. The recent data breach at Citi — which turned out to affect some 80 percent more customers than initially reported and led to $2.7 million in unauthorized charges to cardholders’ accounts — is just one example.
Even worse, evidence suggests that while cyber-thieves are getting bolder and more technologically savvy, major card-issuing banks are failing to keep up. That sobering conclusion was reached in a new study conducted by Javelin Strategy & Research. Javelin looked at the online security practices of the 23 biggest credit card issuers and graded them on a 100-point scale. The average result was only 59. “The good news is issuers are dong a better job overall of resolution, but that’s the easiest thing to do. Prevention is the hardest to do but it’s got the biggest payback,” says Phil Blank, head security and risk analyst at Javelin and author of the study.
(PHOTOS: The Movies’ Most Evil Computer Villains)
Blank says that while banks have some fraud prevention measures in place, they’re simply not keeping up with the growing sophistication and innovation employed by thieves. He says Javelin has “very strong stats” showing that for a full year after your personal information is compromised, you’re more likely to be a victim of fraud. “We’re entering into a new era of data protection, where your name, bank and email address are valuable, because fraudsters use that information to do a phishing attack or create an account.” This is the kind of information that was taken in the Citi incident, which Blank says indicates that major banks aren’t yet waking up to the fact that they need to safeguard even relatively innocuous information.
The Javelin study shows that issuers also fall short of the mark when it comes to fraud detection. Although Blank says detection criteria in this year’s study changed very little, banks still mustered only an average 17 out of 35 possible points. Luckily, issuing banks do a better job at resolution — that is, eliminating fraudulent charges from your account and issuing you a new card if the number’s been compromised. Unfortunately, just being reimbursed if somebody else uses your credit card account won’t do anything to protect you from any future attempts at identity fraud if a cyber-thief got their hands on your personal information.
Among the few issuers that went above and beyond, Bank of America is ranked tops in both prevention and detection. It’s also a top scorer in the resolution category, a designation it shares with three other issuers: BB&T Bank, Cabela’s WFB (a store-branded card issued by Wells Fargo) and Discover. Overall, BofA scored 87 out of a possible 10o points. Discover, U.S. Bank, USAA and Capital One round out the top five.
Banks should want their security to be top-notch, so it’s puzzling why this mission has fallen by the wayside. Aside from the fact that poor protection against fraud and identity theft means issuers spend more making customers whole for fraudulent charges, 18 percent of fraud victims switch credit card companies or banks after the incident.
Javelin’s Blank says consumers should be proactive when it comes to security. If you access your credit card statements and pay your bills online, do these four things: 1.) Get — and update regularly — anti-virus and “man in the browser” protection; 2.) Make sure you’re using the latest version of your preferred web browser; 3.) Stay up to date on your operating system’s security updates and patches; 4.) Consider setting up text or email alerts that will let you know when a transaction over a certain dollar amount or outside a particular geographic region is made.