by stephenr 4033 days ago
Sounds like a security flaw ripe for social engineering
Customer support by itself tends to be a security flaw ripe for social engineering.
Phone support can be tricky, yes, but there are other ways to identify the caller without storing their password in plaintext.
Callbacks? Users' PII? There are really no good ways to do phone verification. You can't use any kind of shared secret, as people forget those.
My bank uses an automated system to verify a PIN (i.e. the operator transfers you to confirm identity, then you come back).

But it also depends on the realm. Before the SaaS craze, a lot more support was performed in-house, meaning you didn't have the same scale of problem.

Verify a PIN? But that's still something you have to remember; not providing support for users who have forgotten their passwords doesn't tend to be an option.
As I said, it's for my bank, so it's my card PIN - I already need to remember it.

Also, as I said - this was much less of an issue when companies maintained IT departments and installed software. It's much easier to verify that Julie on the phone really is Julie when it's an internal support mechanism.