One of my old accounts had a limited number of pieces you could use to authenticate a caller. Two pieces were mandatory. Two were picked by the CSR. That usually only left two pieces that people could reasonably be expected to have access to without digging.

I lost count of the number of times people would come through just blurting their information. Four pieces were required, but as mentioned, two were mandatory. We could still use the mandatory ones for authentication, but to prevent social engineering, we could not use the other two pieces they just blurted out. Guess what? They could almost never come up with correct answers to the only two other allowed pieces.

“I am sorry sir/ma’am, but since you are unable to pass authorization, I can only give you basic information.”

“I just need to know the last 10 transactions on my account.”

“Unfortunately, that is information specific to your account, not basic information.”

“Well, I don’t have the information you requested.”

“The only things I can suggest would be to go to a local location or give us a call back when you have that information.”

“You mean I just waited 2 hours to get through for nothing?”

“Unfortunately, that is true. This time of year 100 million other people are calling to get information as well.”

Like many things in life, it is best to wait until you are asked for something before you just volunteer information.


