
Security Strategy

Leader: We have passwords, so why don't banks?

'Of course I know my mother's maiden name, but do you, really?'

By silicon.com

Published: 11 January 2005 17:35 GMT

We've long taken for granted the processes in place when contacting our banks. We hand over account numbers, passwords, postcode, mother's maiden name and any number of other identifiers to prove who we are.

But who is on the other end of the line?

This isn't a diatribe about the integrity of call centre staff; that's a whole other issue. It's about the assumption, taken for granted, that the person on the other end of the line is from the bank they claim to represent.

If we call them, via a number on a bank statement or a number published on their website, then that's all well and good, but increasingly our banks have taken to contacting us and it's a situation which is causing great concern.

Banks need to be aware of the role they play in providing a consistent voice in the battle against phishing. Of course, they must also contact customers if they see any reason for alarm but this is why we believe they should adopt some of the security measures they have foisted upon us for so long.

With phishing a major worry for bank customers, unsolicited contact from their bank instantly raises suspicion. Egg and LloydsTSB, for example, have taken to contacting customers out of the blue via text or automated voice message, requesting the customer call a given number.

Upon calling, customers will be asked for some degree of personal information, although the banks are quick to point out that it is not enough, on its own, to complete a phishing scam. But how easy would it be for a scammer to replicate the strategy, pushing just a little further on the kind of information required? Some companies now favour asking for a few randomly chosen characters from a password or log-in rather than the whole thing. That limits what any single call discloses, but a scammer who makes the calls also controls which 'random' characters are requested: a handful of calls asking for different positions each time, and the whole password has been pieced together.
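To put numbers on the partial-password point, here is an added example (not part of the original editorial, and not any bank's real procedure). It compares an honest bank, which picks the requested positions at random, with a scammer who chooses the positions and simply walks through the password. The password, the three-characters-per-call policy and the customer's honest answers are all constructed for the demonstration.

```python
import random
from math import comb, ceil

# Constructed example: a 9-character secret and a caller who asks for
# three characters per call. Neither is a real credential or a real policy.
PASSWORD = "Tr0ub4dor"
CHARS_PER_CALL = 3


def expected_calls(n: int, k: int) -> float:
    """Expected number of calls before every one of n positions has been
    disclosed at least once, when each call asks for k distinct positions
    chosen uniformly at random (what an honest bank does).
    Solved exactly as a Markov chain on the number of positions already known."""
    if not 0 < k <= n:
        raise ValueError("k must be between 1 and n")
    total = comb(n, k)
    remaining = [0.0] * (n + 1)   # remaining[j]: calls still needed once j positions are known
    for j in range(n - 1, -1, -1):
        p_nothing_new = comb(j, k) / total          # all k positions already known
        acc = 1.0                                   # this call
        for m in range(1, min(k, n - j) + 1):       # m of the k positions are new
            p_m_new = comb(n - j, m) * comb(j, k - m) / total
            acc += p_m_new * remaining[j + m]
        remaining[j] = acc / (1.0 - p_nothing_new)
    return remaining[0]


def attacker_calls_needed(n: int, k: int) -> int:
    """A scammer who runs the calls chooses the 'random' positions himself,
    so he needs only ceil(n / k) calls."""
    return ceil(n / k)


def honest_bank_positions(n, k, rng, _call_no):
    """Genuinely random choice of k distinct positions."""
    return rng.sample(range(n), k)


def scammer_positions(n, k, _rng, call_no):
    """Walk through the positions in order, k per call, wrapping at the end."""
    start = (call_no * k) % n
    return [(start + i) % n for i in range(k)]


def run_phone_calls(password: str, k: int, choose_positions, rng=None):
    """Play out repeated 'please give me characters X, Y and Z' calls until the
    caller has reconstructed the whole secret. The customer answers honestly.
    Returns (number_of_calls, recovered_secret)."""
    rng = rng or random.Random(0)
    n = len(password)
    known = {}
    calls = 0
    while len(known) < n:
        positions = choose_positions(n, k, rng, calls)
        calls += 1
        for p in positions:
            known[p] = password[p]
    return calls, "".join(known[i] for i in range(n))


if __name__ == "__main__":
    n = len(PASSWORD)
    print(f"honest bank, random positions: about {expected_calls(n, CHARS_PER_CALL):.1f} calls expected")
    print(f"scammer choosing positions:    {attacker_calls_needed(n, CHARS_PER_CALL)} calls")
    print("scammer's transcript:", run_phone_calls(PASSWORD, CHARS_PER_CALL, scammer_positions))
    print("honest bank's transcript:", run_phone_calls(PASSWORD, CHARS_PER_CALL, honest_bank_positions))
```

The point the simulation makes is that "random characters" only protects against a caller who cannot influence which positions are requested. Against someone who initiates the call, the scheme degrades to a fixed number of calls, and the customer has no way to tell the two apart without the bank proving its own identity first.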

The security dialogue should be two-way, challenge and response - 'I'll show you mine if you show me yours'.

Before you give them your mother's maiden name, you should be able to check that they really are sitting in front of a screen with your details on it. The bank should hold a piece of information that only it and you know, kept for exactly this purpose, and it should prove it knows it before you hand over anything.

Customers should tell banks that if ever they contact them out of the blue they will need to use 'code word X' to confirm they are indeed their bank.
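A static code word does what the editorial asks, but anyone who has heard it once can replay it. The following added example (my illustration, not the editorial's proposal or any bank's scheme) shows the same idea done as a proper challenge-response: the customer reads out a fresh challenge, the bank answers with a short code derived from the shared secret, and the customer checks it. The shared secret, the challenge values and the HOTP-style truncation to six digits are all assumptions made for the demonstration.

```python
import hmac
import hashlib
import secrets

# Constructed example: a secret the customer registered during a session they
# initiated themselves (in a branch, or after phoning the number on their
# statement). Not a real bank's secret or procedure.
SHARED_SECRET = b"example-secret-set-up-by-the-customer"


def response_for(secret: bytes, challenge: str, digits: int = 6) -> str:
    """Bank side: prove knowledge of the secret for THIS challenge only.
    HMAC-SHA256 over the challenge, truncated HOTP-style to a speakable code."""
    mac = hmac.new(secret, challenge.encode("ascii"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def new_challenge(digits: int = 6) -> str:
    """Customer side: a fresh, unpredictable challenge read out to the caller."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def customer_accepts(secret: bytes, challenge: str, spoken_code: str) -> bool:
    """Customer side: recompute the expected code and compare in constant time."""
    return hmac.compare_digest(response_for(secret, challenge), spoken_code)


def static_codeword_accepts(codeword: str, spoken: str) -> bool:
    """The editorial's 'code word X' as stated: correct the first time, but
    anyone who has overheard it once can replay it on every later call."""
    return hmac.compare_digest(codeword, spoken)


def unsolicited_call(caller_secret, challenge: str, replayed_code=None) -> bool:
    """Simulate one unsolicited call. The caller either computes a response from
    a secret (the genuine bank, or a scammer guessing) or replays a code
    overheard on an earlier call. Returns whether the customer should proceed."""
    if replayed_code is not None:
        spoken = replayed_code
    else:
        spoken = response_for(caller_secret, challenge)
    return customer_accepts(SHARED_SECRET, challenge, spoken)


if __name__ == "__main__":
    challenge = new_challenge()
    print("customer reads out challenge:", challenge)
    print("genuine bank accepted:", unsolicited_call(SHARED_SECRET, challenge))
    print("scammer with wrong secret accepted:", unsolicited_call(b"scammer-guess", challenge))
    overheard = response_for(SHARED_SECRET, "000001")   # captured on some earlier call
    print("replay of an old response accepted:", unsolicited_call(None, challenge, replayed_code=overheard))
```

The practical caveat is that nobody computes an HMAC in their head: the customer side has to live in a token, a card reader or the bank's own app, which is exactly the kind of device the banks already issue for the customer's half of the conversation. The design choice that matters is that the bank never says the secret itself; it only proves it holds the secret for a challenge that will never be asked again.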

It's not a silver bullet to eliminate fraud, but it's an extra level of authentication which has now become necessary. Banks used to be unchallenged and upheld as institutions of authority. The prevalence of phishing scams now means no business, least of all the banks, is free from suspicion.

While banks have previously reimbursed customers stung by phishing attacks there are murmurings afoot about their intention not to reimburse customers who haven't taken appropriate measures to protect themselves. Essentially a lack of common sense could cost you dear. So it's only fair that customers be allowed to demand more reciprocity from their bank.

Simply saying 'this is your bank...' isn't even worth the time it takes to say it. Now they must prove it.
