When I worked at a large bank many years ago, internal callers were verified to be bank employees. It was low tech, but when a bank employee called and asked about a customer, we had them verify they were a bank employee by telling them to look up and tell us what was on a certain page and line of an internal bank book. If their answer matched what we were looking at as well, then the conversation continued. The books were changed/printed often.
Military codebooks are used in this way for authenticating over unsecured links. Letters or numbers are laid out in a grid-like format, and you make the far side read off a certain cell.
The Pragmatic Programmer website uses this system to allow you to prove that you bought a hard-copy of a book, so they can offer you a discounted ebook.
In my case we had a security code on an internal system that was updated in real-time. So the protocol was:
"Hi I'm an employee calling from [X]"
"OK, can I get the security code?"
(caller gives security code)
Any employee in the company could also request a no-questions-asked reset at any time. I actually had cause to hit the big red button once when the call went:
"Hi, this is [employee] calling from [branch]"
"All right, can I get the security code?"
"Oh, (mutters "security code"), it's $foo"
See, that counted as a compromise because someone in the lobby may have overheard her.
A couple other fun stories:
- Once I called a branch and got transferred to someone else. The conversation at the other end:
Him: "Did you give the code already?"
Me: "...are you seriously going to believe me if I say 'Yes'?"
- Apparently there was a phishing attempt where people would call our center opening with:
"Hi this is [person] from the fraud department, before we begin can I get the security code?"
I don't know if it ever worked, but we got several memos warning us not to fall for it.
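As an added example (not code from any of the commenters above), this models the grid codebook check from the first comment together with the no-questions-asked reset from the last one: the verifier picks the cell, the caller reads it back, and a reset invalidates every older printing. The class and function names, grid size and demo values are assumptions.

```python
import copy
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits


class Codebook:
    """A rotating grid of random codes shared by both ends of the call (constructed example)."""

    def __init__(self, rows: int = 8, cols: int = 8, cell_len: int = 5):
        self.rows, self.cols, self.cell_len = rows, cols, cell_len
        self.edition = 0
        self.reset()  # first printing

    def reset(self) -> None:
        """Issue a fresh edition, e.g. after a code may have been overheard in a lobby."""
        self.edition += 1
        self.grid = [[''.join(secrets.choice(ALPHABET) for _ in range(self.cell_len))
                      for _ in range(self.cols)] for _ in range(self.rows)]

    def challenge(self) -> tuple[int, int, int]:
        """The verifier chooses the cell; the caller never picks it and is never told its value."""
        return self.edition, secrets.randbelow(self.rows), secrets.randbelow(self.cols)

    def verify(self, chal: tuple[int, int, int], answer: str) -> bool:
        """Accept only an answer for the current edition that matches the chosen cell."""
        edition, r, c = chal
        if edition != self.edition:
            return False  # stale book: a reset has happened since it was printed
        return hmac.compare_digest(self.grid[r][c].encode(), answer.encode())


def legitimate_call(verifier: Codebook, caller: Codebook) -> bool:
    """The caller reads the requested page/line (cell) from their own printed copy."""
    chal = verifier.challenge()
    _, r, c = chal
    return verifier.verify(chal, caller.grid[r][c])


def demo() -> tuple[bool, bool]:
    bank = Codebook()
    branch = copy.deepcopy(bank)          # the branch's copy of the same edition
    ok = legitimate_call(bank, branch)    # matching edition and cell: accepted
    bank.reset()                          # "big red button": code possibly overheard
    stale = legitimate_call(bank, branch) # old printing is no longer valid
    return ok, stale


if __name__ == "__main__":
    print(demo())  # (True, False)
```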