Customers’ Account Data Often Vulnerable

Major financial institutions routinely give out confidential customer account information to callers, using security procedures that authorities say are vulnerable to abuse by fraud artists.

Regulators and law enforcement officials warned three years ago that identity thieves and information brokers were tricking clerks into giving them access to individuals’ financial information.

They urged banks to require customers to use passwords or codes instead of Social Security numbers, mothers’ maiden names and other widely available personal data to identify themselves when calling.

But a review of policies at banks, mutual funds and credit card firms shows that major companies frequently do not require passwords or codes, despite the warnings, because of the expense involved and because officials fear customers will find them inconvenient.

Telephone clerks at Chase Bank in New York, for instance, shared checking account balances, transaction records and, in some cases, account numbers with callers who provided only a name, Social Security number and mother’s maiden name to verify their identities.

Mutual funds, such as Vanguard, Janus and Fidelity, also sometimes ask for just names, Social Security numbers, addresses and similar details of callers before turning over transaction histories and account balances, company officials said.

One identity thief from Tennessee last year persuaded telephone clerks at banks and credit card companies, including American Express, to share financial information about top executives of Coca-Cola, Lehman Bros. and other prominent business executives.

He used those details to buy hundreds of thousands of dollars’ worth of diamonds and Rolex watches before being caught and pleading guilty.

A Justice Department official recently described identity theft as one of the nation’s fastest-growing white-collar crimes.

A privacy consultant who helped write security guidelines for the American Bankers Assn. estimates that at least half of the country’s banks take inadequate steps to authenticate caller identities.

Congress and law enforcement officials are struggling over what they can do to better protect individuals from identity theft. Several proposed bills would limit the sale and use of Social Security numbers. Law enforcement authorities have stepped up identity-fraud investigations.

But some regulators and security specialists said financial companies bear responsibility for doing a better job. Although banks and credit card companies generally cover the costs of identity theft, victims often must deal with bad credit reports and debt collectors.

Julie Williams, chief counsel at the Comptroller of the Currency in Washington, said the use of passwords would “substantially reduce the risk of identity theft.” She said she believes companies are obligated to use them under new financial-services regulations.

*

Since January, American Express has been urging new customers to choose a password or code that will verify who they are when calling for account information. Spokeswoman Judy Tenzer said the policy was begun because of growing concerns about identity fraud.