Thieves often acquire Social Security numbers, street addresses, mothers' maiden names and other basic personal information through e-mail phishing excursions, breaches of nonfinancial institutions such as hospitals and universities, and even simple Internet searches. Yet many financial institutions require little more than such types of information to access accounts via telephone or branch-banking channels. "There's a whole lot of information fraudsters can use to defraud financial institutions," says George Tubin, an analyst at TowerGroup, an independent research arm of MasterCard Advisers, in a recent report. Tubin tells CardLine he gained full access to his own account at a large financial institution, which he would not name, through its interactive voice-response system using only his Social Security number, address and date of birth. Many institutions also use technology to check the area codes of callers and Internet protocol addresses of computers through which purported accountholders access their financial information. But card issuers and other financial institutions should use more layers of security to protect accounts, Tubin says. For example, if someone has called an automated voice-response system to check a demand deposit account balance several times over a period of a few days then tries to make a large purchase from an electronics store using a debit card tied to that account, the issuer could send a confirmation text message to the accountholder's mobile phone. The accountholder then would have to respond before the issuer authorizes the purchase. If an accountholder has changed contact information, such as phone numbers or mailing and e-mail addresses, issuers may want to call the previous phone number on file for the accountholder to confirm the changes are legitimate, Tubin adds.