A possible hole in phone-based authentication

Bank of America and JP Morgan Chase are being criticized by consumer watchdogs over some of their phone-based authentication policies. The controversy broke out when a Boston-based consumer advocate publicized what he saw as a serious flaw in the procedures these banks use to verify callers to their phone banking services.

Basically, if you call one of these two banks from what appears to be your home phone, the authentication process is shortened: the caller is asked for only the last four digits of the card number, which are printed on store receipts. Enter them and you have access to the account. Capital One, Citi and American Express require the entire card number regardless of where the call comes from. The trick for would-be fraudsters is to make the system believe the call is coming from the customer's home phone number. Caller ID is supplied by the phone network rather than verified by the bank, and spoofing it is relatively easy, so the shortcut leaves a number that anyone holding a discarded receipt can read as the only secret standing between the caller and the account.
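To make the weakness concrete, here is a small model of the two policies the article contrasts. This is an added example, not code from either bank or from the article: the account data, phone numbers and card number are constructed, and the policy functions are a hypothetical reconstruction of the behaviour described above. The attacker model is the one the article gives: a spoofed caller ID plus the last four digits from a receipt.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """Bank-side record. Values are constructed for this example."""
    home_phone: str
    card_number: str   # full card number; only the last four digits appear on receipts


@dataclass(frozen=True)
class Call:
    """What the IVR sees: the network-supplied caller ID plus the keyed-in digits."""
    caller_id: str     # presented by the phone network; an attacker can choose this value
    digits_entered: str


def home_phone_shortcut_policy(acct: Account, call: Call) -> bool:
    """Policy the article attributes to Bank of America and Chase (hypothetical
    reconstruction): a call that appears to come from the home phone only has
    to supply the last four digits; any other caller must enter the full number."""
    if call.caller_id == acct.home_phone:
        return call.digits_entered == acct.card_number[-4:]
    return call.digits_entered == acct.card_number


def full_card_number_policy(acct: Account, call: Call) -> bool:
    """Policy the article attributes to Capital One, Citi and American Express
    (hypothetical reconstruction): caller ID is not a factor at all and the
    full card number is always required."""
    return call.digits_entered == acct.card_number


def attacker_call(target_home_phone: str, receipt_last4: str) -> Call:
    """Attacker model from the article: spoof the caller ID to the victim's
    home number and key in the last four digits read off a store receipt."""
    return Call(caller_id=target_home_phone, digits_entered=receipt_last4)


def compare_policies(acct: Account, call: Call) -> dict:
    """Run one call through both policies so the difference is visible."""
    return {
        "home_phone_shortcut": home_phone_shortcut_policy(acct, call),
        "full_card_number": full_card_number_policy(acct, call),
    }


# Constructed sample data, not a real account or card.
VICTIM = Account(home_phone="+16175550123", card_number="4111111111111111")
RECEIPT_LAST4 = VICTIM.card_number[-4:]   # the "1111" printed on every receipt

if __name__ == "__main__":
    spoofed = attacker_call(VICTIM.home_phone, RECEIPT_LAST4)
    print(compare_policies(VICTIM, spoofed))
    # {'home_phone_shortcut': True, 'full_card_number': False}
```

The point of the comparison is that the shortcut policy silently treats caller ID as a possession factor ("this call is from the customer's phone"), when the value is network-supplied and never bound to the caller. Removing caller ID from the decision, as the second policy does, is what the article recommends; it is a higher bar, not a complete fix, since the full card number is also known to every merchant that has handled the card.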

It's unclear how this is playing out inside Bank of America and JP Morgan Chase. Both issued fairly bland statements about how seriously they take all security threats, but the internal discussion is likely to be more substantive. Other consumer advocates and journalists have piled on, so we may see some changes. It would make sense to switch now to requiring the full card number on every call, since the media coverage has already provided a how-to for amateur criminals who might be emboldened to try it.

For more:
- here's an article from MSNBC

Related articles:
- Time is ripe for biometric security solutions
- Google's two-factor authentication bodes well for clouds?