by CaptainZapp 3713 days ago
Ok, fair enough. Email is an unreliable form of cancellation for a number of reasons. I don't necessarily buy it, but let's accept this for the sake of argument.

But then how exactly is it more secure to accept a cancellation by Random Dude on the phone?

Except to make the customer (especially international customers, which may have to call in the middle of the night and who may incur significant charges) jump through a whole lot of hoops and to make it as difficult as possible to cancel.

To me this reeks like a shit ton of bad faith by the service provider, which has nothing whatsoever to do with security.

2 comments

But then how exactly is it more secure to accept a cancellation by Random Dude on the phone?

I suppose if they had some sort of credentials set up for phone access then that would be a point in its favour. My bank does have well established security procedures for me to contact them by phone, for example.

To be clear, I am not in any way condoning requiring phone cancellation as a technique for making it artificially difficult or frustrating for someone to cancel when they are within their rights to do so. As you say, it stinks of bad faith.

Call centers are in general quite atrocious as far as authentication goes. Here is one particularly egregious example: http://krebsonsecurity.com/2015/12/2016-reality-lazy-authent... I cannot remember where I read it, but there are services in Eastern Europe where you can hire someone to field questions at a call center. A calm, detached criminal is going to be more convincing than a flustered person who cannot believe that their identity is being questioned.

In general, there is nothing that you can ask me over a phone that cannot be asked to someone pretending to be me who can get the details in a variety of ways. To static questions there are static answers. If you perform two factor authentication properly, this is actually easier over a website than the phone.

They often have you state particulars of the account details. MS will send you an email with a code that you must tell them.

In any case, one isn't more or less secure than the other. The psychological effect of speaking on a phone just makes someone feel safer. I'd say that if you send an email to the address you have on the account details, you can reasonably expect to get the right person to the same degree as you would when calling the phone number on the account.
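The flow the last two comments describe (a code sent to the address on the account, which the customer then reads back) is straightforward to do properly. The following is an added example, not code from the thread or from any of the providers mentioned: it issues a short one-time code bound to the account's address on file, stores only a hash of it, enforces an expiry window, a small number of guesses and single use, and compares in constant time. The 15-minute window and the 5-guess limit are assumptions chosen for illustration; the in-memory dictionary stands in for a database.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Assumed policy values (illustrative, not from the thread).
CODE_TTL_SECONDS = 15 * 60   # how long a code stays valid after issue
MAX_ATTEMPTS = 5             # guesses allowed before the code is discarded

# Constructed in-memory store; a real service would persist this.
# account e-mail -> {"hash": sha256(code), "expires_at": ts, "attempts_left": n}
_pending: Dict[str, dict] = {}


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def issue_code(account_email: str, now: Optional[float] = None) -> str:
    """Generate a 6-digit one-time code for the address on the account.

    The returned plaintext is what the service would e-mail to that address.
    Only its hash is kept server-side; a 6-digit space is small, so the
    attempt cap and the short TTL are what make the stored hash useful.
    """
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"      # CSPRNG, zero-padded
    _pending[account_email] = {
        "hash": _digest(code),
        "expires_at": now + CODE_TTL_SECONDS,
        "attempts_left": MAX_ATTEMPTS,
    }
    return code


def verify_code(account_email: str, submitted: str, now: Optional[float] = None) -> bool:
    """Check the code the caller reads back; consumes it on success or exhaustion."""
    now = time.time() if now is None else now
    entry = _pending.get(account_email)
    if entry is None:
        return False                               # nothing outstanding for this account
    if now > entry["expires_at"]:
        del _pending[account_email]                # expired: throw it away
        return False
    entry["attempts_left"] -= 1
    ok = hmac.compare_digest(entry["hash"], _digest(submitted))   # constant-time compare
    if ok or entry["attempts_left"] <= 0:
        del _pending[account_email]                # single use, or too many wrong guesses
    return ok


def _wrong(code: str) -> str:
    """A code guaranteed to differ from the one given (test helper)."""
    return "000000" if code != "000000" else "000001"


def demo() -> dict:
    """Exercise the edge cases with a fixed clock so results are deterministic."""
    t0 = 1_000.0
    results = {}

    code = issue_code("alice@example.com", now=t0)
    results["other_account_rejected"] = not verify_code("bob@example.com", code, now=t0 + 1)
    results["wrong_code_rejected"] = not verify_code("alice@example.com", _wrong(code), now=t0 + 1)
    results["right_code_accepted"] = verify_code("alice@example.com", code, now=t0 + 2)
    results["replay_rejected"] = not verify_code("alice@example.com", code, now=t0 + 3)

    code = issue_code("alice@example.com", now=t0)
    results["expired_rejected"] = not verify_code(
        "alice@example.com", code, now=t0 + CODE_TTL_SECONDS + 1)

    code = issue_code("alice@example.com", now=t0)
    for _ in range(MAX_ATTEMPTS):
        verify_code("alice@example.com", _wrong(code), now=t0 + 1)
    results["locked_after_guesses"] = not verify_code("alice@example.com", code, now=t0 + 2)

    return results


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name}: {'ok' if passed else 'FAIL'}")
```

The point of binding the code to the address already on the account, rather than to whatever the caller supplies, is that it proves control of that mailbox; that is the same evidence an e-mailed cancellation request carries, just with replay, guessing and expiry handled explicitly.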