
isn't this confusing two different problems?

A - the bank, asking for some details, is trying to confirm the identity of the customer.

B - the proposed protocol - calling back with a ticket number - is trying to confirm the identity of the caller.

both seem to be trying to solve reasonable problems, but they're not equivalent.

maybe the point [aha! - see reply - also, hi leif, i think i knew you on quora] is that you should not give personal details (A) until the company identity is clear (B). that makes sense. but that means that you need both - you call back and then they ask for personal details (B then A).

[and i am not convinced the original author understood all this.]

The problem is that authenticating the customer is harder than authenticating the bank. If I call my bank, I can pretty well trust (within reason) that I've reached my bank. Once that happens they can authenticate me by asking for my private information, which I am not comfortable with unless I authenticate them first. Calling back with a ticket number doesn't solve both auths, but it does order them in a secure way.

You edited before I submitted :)
