A - the bank, asking for some details, is trying to confirm the identity of the customer.
B - the proposed protocol - calling back with a ticket number - is trying to confirm the identity of the caller.
Both seem to be trying to solve reasonable problems, but they're not equivalent.
Maybe the point [aha! - see reply - also, hi Leif, I think I knew you on Quora] is that you should not give personal details (A) until the company identity is clear (B). That makes sense. But that means that you need both - you call back and then they ask for personal details (B then A).
[And I am not convinced the original author understood all this.]
The problem is that authenticating the customer is harder than authenticating the bank. If I call my bank, I can pretty well trust (within reason) that I've reached my bank. Once that happens they can authenticate me by asking for my private information, which I am not comfortable with unless I authenticate them first. Calling back with a ticket number doesn't solve both auths, but it does order them in a secure way.
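To make the "B then A" ordering from the two comments above concrete, here is a small Python model of the call-back protocol. It is an added example, not code from either commenter or the original article; the phone number, account id, ticket format and security answer are constructed placeholders. The customer gives no details on the inbound call, dials only the number it already holds for the bank (step B), and answers a security question only after the bank on that line recognises the ticket (step A).

```python
from dataclasses import dataclass, field

# Constructed placeholders for the example: not a real phone number, account or answer.
TRUSTED_BANK_NUMBER = "0800-000-0000"


@dataclass
class Bank:
    """The genuine bank: issues ticket numbers and can recognise them on a callback."""
    answers_on_file: dict                        # account id -> expected security answer
    tickets: dict = field(default_factory=dict)  # ticket -> account id
    counter: int = 1000

    def open_ticket(self, account_id: str) -> str:
        """Bank-side start of the protocol: record a ticket for the account it wants to reach."""
        self.counter += 1
        ticket = f"T{self.counter}"
        self.tickets[ticket] = account_id
        return ticket

    def handle_callback(self, ticket: str):
        """Return the account the ticket belongs to, or None if the bank never issued it."""
        return self.tickets.get(ticket)

    def verify_customer(self, account_id: str, answer: str) -> bool:
        """Step A: the bank checks the customer's answer against what it holds."""
        return self.answers_on_file.get(account_id) == answer


@dataclass
class Customer:
    account_id: str
    security_answer: str
    disclosed: bool = False  # set only once the bank's identity (B) has been established


def run_protocol(customer, bank, ticket_from_caller, directory):
    """Model the call-back ordering: B (bank identity) first, A (customer identity) second.
    Returns (customer_authenticated, trace)."""
    trace = []
    # 1. Inbound call. Caller id and the caller's claims are unverified, so the customer
    #    takes the ticket number and gives no personal details on this call.
    trace.append(f"inbound: caller offers ticket {ticket_from_caller}; no details given")
    # 2. Step B. The customer dials the number already on file (card, statement), never a
    #    number supplied by the caller, so whoever answers that line is the bank.
    line = directory[TRUSTED_BANK_NUMBER]
    account = line.handle_callback(ticket_from_caller)
    if account != customer.account_id:
        trace.append("callback: bank does not recognise ticket; call ends, nothing disclosed")
        return False, trace
    trace.append("callback: bank recognises ticket -> B established")
    # 3. Step A. Only now does the customer answer the bank's security question.
    customer.disclosed = True
    ok = bank.verify_customer(account, customer.security_answer)
    trace.append(f"bank: security answer {'accepted' if ok else 'rejected'}")
    return ok, trace


def demo():
    """Two runs: a ticket the bank really issued, and one a caller made up."""
    bank = Bank(answers_on_file={"acct-42": "tabby"})
    directory = {TRUSTED_BANK_NUMBER: bank}  # what the customer reaches by dialling that number
    alice = Customer(account_id="acct-42", security_answer="tabby")
    genuine = bank.open_ticket("acct-42")  # the bank did try to reach this account
    ok1, trace1 = run_protocol(alice, bank, genuine, directory)
    bob = Customer(account_id="acct-42", security_answer="tabby")
    ok2, trace2 = run_protocol(bob, bank, "T9999", directory)  # ticket the bank never issued
    return ok1, alice.disclosed, ok2, bob.disclosed, trace1, trace2


if __name__ == "__main__":
    ok1, _, ok2, _, trace1, trace2 = demo()
    print("\n".join(trace1 + [""] + trace2))
```

In the first run both authentications succeed in the safe order; in the second the customer has dialled the real bank, the bank has no record of the ticket, and no personal details ever leave the customer. Note that the model says nothing about what happens if the customer dials a number the caller supplied instead of the one on file; that is exactly the step the ordering depends on.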