by Silhouette 3713 days ago
But then how exactly is it more secure to accept a cancellation by Random Dude on the phone?

I suppose if they had some sort of credentials set up for phone access then that would be a point in its favour. My bank do have well-established security procedures for me to contact them by phone, for example.

To be clear, I am not in any way condoning requiring phone cancellation as a technique for making it artificially difficult or frustrating for someone to cancel when they are within their rights to do so. As you say, it stinks of bad faith.

1 comments

Call centers are in general quite atrocious as far as authentication goes. Here is one particularly egregious example: http://krebsonsecurity.com/2015/12/2016-reality-lazy-authent... I cannot remember where I read it, but there are services in Eastern Europe where you can hire someone to field questions at a call center. A calm, detached criminal is going to be more convincing than a flustered person who cannot believe that their identity is being questioned.

In general, there is nothing that you can ask me over a phone that cannot be asked to someone pretending to be me who can get the details in a variety of ways. To static questions there are static answers. If you perform two-factor authentication properly, this is actually easier over a website than the phone.