A - the bank, asking for some details, is trying to confirm the identity of the customer.
B - the proposed protocol - calling back with a ticket number - is trying to confirm the identity of the caller.
both seem to be trying to solve reasonable problems, but they're not equivalent.
maybe the point [aha! - see reply - also, hi leif, i think i knew you on quora] is that you should not give personal details (A) until the company identity is clear (B). that makes sense. but that means that you need both - you call back and then they ask for personal details (B then A).
[and i am not convinced the original author understood all this.]