Bank wants my Online-banking PIN through the telephone
It is becoming quite commonplace in the US. Many banks and other financial institutions require the caller to provide an identification number that has been set up beforehand to verify they are indeed talking to an authorized user of the account.
They used to ask personal information - social security number, old addresses, security questions, etc. Those have begun to fall out of favor.
The 'telephone PIN' or user PIN, is not the same PIN as your debit or credit card nor online account password. It can also be used as a secondary verification method when logging in online or when retrieving or resetting the online password.
So, no, it is not a sign of phishing necessarily and it is good that you found it suspicious and ended the conversation instead of blindly giving someone your PIN.
In my opinion, you did the right thing. There is no situation in which you should ever be required to give up a PIN either over the phone or in person, with the exception of typing it into the (HTTPS) bank's website to login to your account or on a physical banking terminal such as an ATM.
The entire purpose of a personal-identification-number (PIN) is to be a unique number that you and only you know, allowing you to authenticate yourself.
I would recommend finding a physical banking location where you can go in person and talk to a person about your experience and the issue you were having that lead to you making that phone call.
It is entirely possible the phone number was for the real banking institution and the phone operator was new or inexperienced and made a massive mistake, but there is no good reason for a person to give up a PIN to another person.
Hope it helps!
As there has been some confusion here, I wanted to add another (and hopefully last) answer to consolidate all the information that is flying around.
First of all, what kind of PINs are there in today's banking world?
Cardholder PINs:
This is the PIN that belongs to your debit or credit card. Unsurprisingly, there's also an ISO norm on how to manage PINs like this. So this will be pretty routin to nearly all banks. There are a lot of instances whre you will have to give your cardholder PIN to a machine. That is when you are paying for something or withdrawing money.
No serious bank will ever ask you for that number, if somebody does, it's probably a scam.
PINs for phone banking:
Most banks (that I came across at least) have a separate PIN for phone banking. This is a PIN that you can authenticate yourself with over the phone towards an agent or an automated system (see similar questions here, here and especially here). Take a look at these, they will answer most of the surrounding questions you might have.
PINs for online banking:
This is the PIN that you use for all your online banking needs. To be frank, your PIN for online banking is pretty much a password for logging into your online banking account. Some banks do wonky stuff with your online banking PIN, but most banks don't. What they will do is pretty routine and exactly what you would expect from normal behavior around managing sensitive passwords. Most banks use this PIN only for online banking. BUT some banks do use this PIN for phone banking as well (it was news to me at first too).
What's the big difference here?
A cardholder PIN is used to directly access your funds (while in possession of your card). That makes it much more valuable than the other two. Why? Because with PINs for online and phone banking, you access a system to manage your funds. If these systems are well designed, you will need a second factor to authorize any changes that are made. Be it transferring money, establishing a banker's order or changing your address. So theoretically an adversary has taken a big step towards gaining control of your bank account, when he/she steals one of the latter PINs, but can't really do much, without also having control over whatever supplies your second factor.
So now what?
Different PINs typically authenticate you against different systems. If a bank uses the same PIN for two different systems, that might be not the best way to do it, but it is a way to do things. If you are uncomfortable with this, ask for another form of authentication. Find out, what the bank's typical form of authentication over the phone is. If there is no information on the interwebz, just call again, wait for another agent and see what kind of credentials he/she wants. If you dont trust a human agent, ask for authentication against an automated system.someone could be listening though
Conclusion:
This is not the worst thing in the world. It is not best practice (from my experience). It is not very reassuring. But this does not mean, that all your funds are gone tomorrow.
If this does not fit your threat model, you can always threaten to leave the bank for another company, if they don't change their policy. Tell them why, maybe they'll do something about it. Leave if they don't. This is especially true if they don't have any form of 2FA within their systems.
Phone banking is always a tad insecure, because other humans are involved. And humans tend to make mistakes and in some case can be criminals.
There is a simple solution for that: stop using phone banking.
Important: Most of the solutions that were mentioned in the comments do not solve this problem. Automated systems can be hacked or be exploited, security questions can be recorded etc. If an agent working in a call center that handles phone banking wants to scam you, he/she probably can - if there are no security controls in place.
The good thing is, most banks do not let that happen, because a lot of smart people work there, that rack their brain about these things.
You know why? We're not the first guys and girls that worry about getting scammed.