Except that a few weeks ago, I got a phone call

- from a number with no results on Kagi search

- claiming to be the online banking support of my bank

- asking me to read them a code sent to me via SMS

and when I refused to do that, they blocked my login credentials for online banking and sent me a sternly worded (paper) letter that my account could not be upgraded automatically for their software system migration because I had refused to engage with their support agent.

I then had to create a new login in their app, call the phone number on their letter and read that guy the SMS code and, to my surprise, that was the only !!! authentication needed to activate the new login credentials that I had just created.

(BTW, this was one of the top 100 largest banks worldwide)

It's almost like some companies are training you to fall for scams.

EDIT: This specific instance was Deutsche, but Chase has the exact same horrible habit of calling and then asking for an OTP code.

I've gotten calls from my bank before, where they tried to get me to authenticate after I answered the phone. I said "look, you called me, I'd be crazy to just answer the phone and give out personal info." They refused to provide any info that I could have used to validate that they were legit (like telling me something about my account number, when my account was created, etc.). They said I had to authenticate with them before they would tell me anything.

Sometimes the rep is understanding, and acknowledges that he would have the same reaction, but other times it's like they don't realize they're asking their customers to do something Very Stupid™.

Which bank was this? Please name them so I can avoid doing business

My old insurance company (Cigna) used to call me and demand information to verify it was me. I eventually figured out it was a thing to try to convince me into getting cheaper cancer treatment so they could save money.

Ye. I called my bank to unblock my Mastercard after they blocked it due to Blizzard charging 10USD or something for Star Craft. I just told them my name and they unblocked it.

On another occasion the bank called me regarding my house insurance and asked me to identify myself with their dongle.

Like, there is a wonder I have any money at all in my account. But then again, giving away plastic cards with a magic number on that you gave to strangers for them to withdraw an amount of their choosing from your account was the norm for decades ...

Maybe the wisdom is "Security through no security"?

I had this happen with fucking Google.

I called them about my Fitbit warranty and the rep needed to verify my account and wanted me to give him the code from SMS that explicitly said in the SMS not to give it to anyone!

No my account did not get hacked afterwards. Yes it was a legit service rep because afterwards he was able to pull up info on my previous warranty claim.

I had to call Chase about an issue with my credit card. I called them and knew I was talking to a legit agent. At least as sure as one can ever be. Still, at one point she asked me to read back the code she texted me. I started to do so then stopped. I explained that the text she sent me specifically states "We will never ask you for this number (over the phone". I refused to read it back since it violated their own stated policy.

She had to do some additional work to resolve my issue but it did get fixed.

My local medical clinic sent me an sms with a link, asking me to change my medical info. I called them to point out how they were training their patients to fall for sms scamms.

At my (very large) bank, they have asked me to read them a code from text that literally said "Do not share this code with anyone over the phone" in the text message next to the code. I'm 100% sure it was my bank asking for the code. I called them from a number I found on their site over HTTPS and verified from another source, they knew my account information. I gave it to them while telling them they need to fix this. This was a few years ago. Nothing bad ever happened. Just bad security practices.

Did the OTP message they sent you state that this code was specifically to authenticate on the phone?

If it did and even included details like the person‘s name, that would make me feel safe. If it’s a generic OTP that could be used to log into my account or reset its password, though…

I know Wells Fargo gets a bad wrap (and rightly so) for some of their behavior, but IME they've always had their stuff together with online access and banking.

Yes, I've also had wells fargo require me to read codes that were emailed back to them, and while this was mitigated by me calling them, it sketched me out every time I had to do it.

They treat you as you deserved to be treated: As a serf. You let them stomp all over you and still come crawling back to plead with them to let you bank with them. Even though there's hundreds of banks you can switch to.

If anything even remotely similar happened to me, I'll instantly close all accounts and move my business to another bank.

They should really send the code in a letter.

I mean just get a new bank at that point. They're telegraphing that they're gonna cause you more inconvenience in the future.

At least, you took the right steps. However, they were stupid to begin with.

The bank's policies and those like it are the root cause of these scams. There are countless things like this where real "legit" behavior is completely indistinguishable or sometimes even worse than scams.

There will always be people that are "wallet inspector" stupid that you can't really shield from scams. But common sense practices and consistent messaging would solve a lot of the problem. There needs to be better accountability for companies that have these insecure practices. The same way they'd be held accountable for a data breach. Oh, wait...

Change banks.

Can you name the bank?