On the contrary, that's perfectly valid. They've already partially validated that they're talking to you. The attack scenario of stealing identities by getting banks to call someone while you intercept the phone call isn't plausible.
Back in 2008, Wells Fargo called me up and asked me to verify myself via a similar system. I refused and called the number on the back of my credit card and identified myself to their fraud department that way.
This year, same scenario (suspicious purchases), but this time the fraud department just asks if they are speaking to me and then asks me whether I recently bought two tickets to China and a new car stereo. So learning has occurred.