What’s in your wallet may not be the most secure, antifraud credit card available. A new study of credit cards from 25 of the largest issuers found that many still fall short of protecting users from fraud. In July, CIO UK reported that there had been a sharp rise in most types of financial fraud in the first half of 2007.

The report, released by Javelin Strategy & Research, a financial services research firm, found that while almost all card issuers do well in helping their customers after fraud or theft occurs, many need to upgrade their identity fraud detection tools.

Among the key deficiencies:

  • 56% of the 25 card issuers surveyed continue to require full Social Security numbers to help identify their customers, whether by phone, online or by mail. “This is a risky practice that unnecessarily increases the customer’s exposure to identity fraud,” the report states.
  • Consumers are not allowed to set transaction limits or block certain types of transactions using their credit cards, such as restricting card use to purchases made only with US vendors, according to the study. In fact, only 24% of the surveyed card issuers allow consumers to set so-called user-defined limits and/or prohibitions (UDLAPs) on their accounts to help prevent unauthorised use, the study concluded.
  • While more card issuers now offer consumers email or telephone “transaction alerts” to advise them of account activity, the number of participating card companies is still small – about 8%.

Not all of the news is bad, however.

Customers do appear to be safer logging into their accounts online than they have been in the past because of the widespread use of multifactor log-in processes, which require a username, a password, identifying information such as a photograph placed by the user, and a correct answer to a challenge question, according to the study. More than 80% of the surveyed card issuers are now using authentication processes with a multifactor approach.

The Javelin report rated the card issuers using three criteria: prevention, detection and resolution. The top safety scorecard honour went to Bank of America’s Visa Platinum card, which received 69 out of a possible 80 points, earning high marks for prevention techniques. The American Express Blue card finished second with 66 points, winning high ratings for detection protections for cardholders.

Two card issuers tied for third place with 64 points each – the Discover Platinum Card and First National Bank Omaha’s Platinum Edition Visa Card.

Rachel Kim, a Javelin risk and fraud analyst who wrote the study, said credit card security continues to evolve. “We’re seeing that issuers are always going to be doing a great job in resolution,” she said. “But detection is where they need to amp up their efforts.”

The continued use of easy-to-steal and easy-to-obtain Social Security numbers as identification criteria by credit card issuers is “pretty scary,” Kim said. “They don’t have any need to use the entire Social Security number. They can just use the last four digits. It's just something they have been doing for so long. I am sure that over the next few years we will see a decrease in usage.”

Another step that more card issuers need to take is to provide an alert system for customers to quickly determine if a credit card is being used without authorisation or if personal information, including passwords or addresses, is being changed fraudulently. “We definitely see a need for more issuers to offer alerts for changes in personal information,” Kim said. “You should definitely be sent an email alert if your password is changed.”

She also called on card issuers to provide additional UDLAP options for customers.

This was the third annual Javelin report on card security, but changes in methodology this year don't allow easy comparisons to past reports, Kim said.

The Javelin study was conducted anonymously using a “mystery shopper” approach between April 15 and June 15 of this year through interviews by Javelin researchers with card issuer customer service representatives and through reviews of card issuer websites.

The card issuers surveyed by Javelin for the report were: Advanta, American Express, Bank of America, BB&T, RBS National, Capital One, Citibank, Commerce Bank, Discover, Fifth Third Bank, FNB Omaha, GE, Washington Mutual, Wells Fargo, HSBC, National City Bank, Navy Federal Credit Union, Nordstrom Bank, JPMorgan Chase, State Farm Bank, SunTrust Banks, Target, US Bancorp, USAA and Wachovia.

Although Barclays is a top 25 issuer, the researchers were unable to complete the interviews because of the absence of call centres. As a result, Barclays was removed from the list of surveyed issuers, with SunTrust Banks taking its place, according to Javelin.