I’ve experienced a couple of times that an organisation has called me, but they require me to verify who I am with security questions.
Most recently, this was my credit card company who left a voice message with a number to call re: possible fraud on my account.
The obvious security risk here is that it could be a scammer, who is then going to use those details to gain access to my account.
In these scenarios, having a modicum of security conscientiousness, what I do is acknowledge the call, request a ticket number if there is one, look their phone number up on the website, and call back that way.
In my credit card example – the number they’d given me wasn’t listed, so I called their general helpline and requested to be transferred.
I think from an end user/consumer’s point of view, this is the right protocol.
The question is – what should the organisations themselves be doing to encourage good security? It seems like a very bad habit to teach their customers – to reveal identifying information to people who call them.