The answers to security questions used by UK banks to allow consumers to access their online accounts if they don't have a password, are too easy to obtain, says Symantec.
The security firm claims information such as a mother's maiden name or post code can be easily discovered by cyber criminals by simple web searches.
Guy Bunker, chief scientist at Symantec told Vnunet :"All you need to steal someone's identity can be obtained simply by looking at the Census data".
Visit Security Advisor for the latest internet threat news, FREE net threat email newsletters, and internet security products
"They [banks and credit card companies] have to look at other ways to prove that you are who you say you are."
Bunker suggests banks should request individual characters from a predefined pass-phrase, or similar random information.
"Banks must start asking questions that no one else can find the information for. First pet's name or favourite film would be fine, as long as the answers to these aren't published on a social networking site. The ideal scenario would be for people to choose their own questions."
"Confidence in the banking system in the UK is at an all-time low. It is time banks took responsibility for ensuring the security of their customers online and over the phone," added Bunker.