Last year I got a call from my mobile phone company asking me to go through security with them so we could have a chat. Not having any information to indicate that they were in fact my bank, I refused.


Ben Metcalfe made a post about exactly the same issue (which I can't find to link to) a little while back citing exactly the same objections I had a year ago - making people comfortable with giving out their security details to a random caller is paving a big, well-lit path for phone phishing.

I pointed this out to my credit card company when they too called asking for my details today. They did at least acknowledge the issue but said that the level of cracking was too low to make it a problem. Not perhaps the most forward approach to security but I can just about see their logic.

I don't know how easy it is to masquerade phone numbers but this approach could be solved very easily by banks issuing customers with a number that they will always call them from (withheld doesn't count).

Everyone has caller ID on their mobile so asking a customer to store the bank's number under "MBNA Official" would confirm their authenticity when they call. Equally, requiring that the bank produces a password to identify itself (as British Gas workmen do) would also make cracks considerably harder.

This reminds me of a thought that I had a while back. RSS presents an interesting solution to the phishing problem. RSS is essentially a pipe between you and the publishing party. If you encrypt that pipe and add a password then it's a closed pipe.

Use a customer-unique URL for the feed (firstdirect.com/customer2343245/secure_messages) and you have a standards-based route for sending secure information to a customer and an interface (their reader) that alerts them to that message. Whether people can be taught not to expect messages in their email is another matter but it does at least solve the problem of requiring a customer to be pro-active in checking their messages (I can't check mine unless I log in to my account via the webpage).
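As an added sketch of the bank-side half of that idea (my own example code, not anything the post or any bank publishes), the following issues a customer-unique feed URL, checks both the URL and the password before serving, and renders the secure messages as RSS. It assumes a hypothetical host `bank.example`, an in-memory store in place of a database, and a random token in the path rather than the sequential customer number, since a guessable path leaves the password as the only protection; TLS for the "encrypted pipe" is left to the web server.

```python
import hashlib
import hmac
import secrets
from xml.etree import ElementTree as ET

# Constructed in-memory store (stands in for a database):
# sha256(feed token) -> (customer id, password salt, password hash)
_FEEDS = {}
_PBKDF2_ROUNDS = 100_000


def issue_feed(customer_id, password):
    """Create a customer-unique feed URL. The path carries a random token,
    not the customer number, and only hashes of token and password are stored."""
    token = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)
    _FEEDS[hashlib.sha256(token.encode()).hexdigest()] = (customer_id, salt, pw_hash)
    return f"https://bank.example/feeds/{token}/secure_messages"  # hypothetical host


def authorize(url, password):
    """Return the customer id only if the secret path and the password both match."""
    try:
        token = url.split("/feeds/", 1)[1].split("/", 1)[0]
    except IndexError:  # no /feeds/ segment at all
        return None
    entry = _FEEDS.get(hashlib.sha256(token.encode()).hexdigest())
    if entry is None:
        return None
    customer_id, salt, pw_hash = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)
    # Constant-time comparison so a wrong password fails without a timing tell.
    if not hmac.compare_digest(candidate, pw_hash):
        return None
    return customer_id


def build_feed(customer_id, messages):
    """Render (title, body) pairs as a minimal RSS 2.0 document for the reader."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = f"Secure messages for customer {customer_id}"
    for title, body in messages:
        item = ET.SubElement(channel, "item")
        ET.SubElement(item, "title").text = title
        ET.SubElement(item, "description").text = body
    return ET.tostring(rss, encoding="unicode")
```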