I had a phone call on my answerphone when I got in today. Paraphrasing: 'Hello, it's the credit card centre, please can you ring us on <number I didn't recognise> as soon as possible?' (Essentially they wanted to confirm that my spending today was done by me).
Okay... so I rang. 'Royal Bank of Scotland credit cards, can I have your card number, please?' (I have no RBS accounts, but it looks like Tesco use these guys for their card.)
'Well, I'm ringing to return a message left on my answering machine, and I don't recognise the number, so I'm not giving you my card details. There are lots of scams out there.'
'Okay, perhaps if I could have your name?'
They used my name in the message, so no harm done. I told them.
'Can I have the first two numbers in your security code, please?'
I tried explaining that giving a phone number that bore no relation to anything on the card was not a good thing as it encouraged punters to give their card security details to cold callers. This makes it really quite awkward in a world of 'phishing' scams. I suggested that the message should have been 'please phone using the contact number printed on your card'.
The guy eventually said 'I can't access any details unless you pass clearance, so I am going to have to terminate this call.'
He was not listening to what I said, and I got the distinct impression that he thought I was being awkward for the sake of it. True, I was being awkward, but this is a fundamental flaw in their security procedures. It may not open up problems immediately, but it is exploitable.
I said to him 'if I ring back using the number on my card, will I get through to the same place?' - and he responded 'yes'... so why give out a different number?
I'm not impressed. The financial institutions should have a basic rule that customers should not give out details unless they can be sure that they're talking to the bank - and here they were positively encouraging me to do so.