Banks are putting their customers at risk by using standard security questions, such as mother's maiden name, to confirm identities online or over the phone, according to Symantec.
Although most UK financial institutions have introduced security features such as one-time passwords and card readers for online customers, the telephone banking system is still open to abuse, says the vendor.
Symantec points to the recent publication of the 1911 Census online as an example of the wealth of personal information now available on the Internet that can be used by criminals to find answers to potential security questions.
"All you need to steal someone's identity can be obtained simply by looking at the Census data," says Guy Bunker, chief scientist, Symantec. "Bank and credit card companies use information such as mother's maiden name as a standard security question but it's no longer enough. They have to start to look at other ways to be able to prove you are who you say you are."
The firm says banks must start asking questions that only the customer can answer and that don't appear on social networking sites. It also advises them to ask for individual characters, such as the first, third and fifth letters of a password, to make the criminals' jobs more difficult.
Despite the rise of Internet and mobile banking in recent years, millions of Brits still bank over the phone. According to payments association Apacs, 15.4 million people used telephone banking in 2006.