My bank support just asked me for my online banking credentials

Assuming that you called them on a published number, I'd say that this sounds like it was an interactive Voice Response (IVR) system, which is pretty common in the banking world.

The concept is that the system takes your authentication information before passing you on to a contact centre agent. The benefit of this from a security perspective is that then the agent in the call centre doesn't have to ask you to authenticate yourself, before discussing your account.

If correctly implemented this should be no more insecure than typing your password into a website. There is an automated system processing the voice data and it should store/log this appropriately.

Of course as you point out there is the risk of phone tapping, but then if you assume that your phone line is tapped, any form of phone banking is insecure as they've got to authenticate you somehow to be able to discuss your account with you.

EDIT: To add some more details, rather than leave them scattered around comments that could get cleared.

Basically banks have to authenticate you somehow, no matter which channel (e.g. web, phone, branch) you use to contact them, and there are trade-offs to be considered.

On the one hand having dedicated credentials per channel is useful in that it reduce the risk of compromise, and avoids muddying the message of "don't tell people your web password" but it leaves users with more credentials to manage and in all likelihood a lot of password resets if users only use a specific channel rarely (with all the vulnerabilities that frequent resets attract)

So the option that it appears, from the information provided, that's used here is to combine the credentials for the web and phone channels, and to use an automated IVR system on the phone channel to avoid credentials being given to contact centre agents. The upside here is single set of creds, so user's won't forget them, and the downside is the scenario we see where bank messaging "don't give people your password" leads to problems in using this system.

In terms of the IVR system security, this is essentially like any other system that processes data. It needs to be secured appropriately so that user credentials are not exposed, no different than the web channel.

Obviously a system like hardware (not SMS) 2FA could work well in this scenario as numeric codes are easily passed to IVR systems, but that has it's own tradeoffs in terms of cost and user experience.


Obligatory warning message:

Don't ever give your password to anyone, and don't let this answer influence this kind of behaviour in any way.


Because one can't possibly know all the circumstances in this particular case, a bit of speculation is necessary when giving an answer to this question.

If I understood everything correctly, the case is as follows:

The OP visited the bank's website, looked up the support number and then he/she initiated a call. After giving only his/her banking ID(?) the bot at the end of the line greeted the OP with his/her last name and then asked for the online banking password.

Yes, this could have been a phishing attempt by an attacker. The site you visited could've been altered and another support number could've been set up. After doing all this, the attacker then had to wait until the OP visited the site voluntarily1 and then call the number. The attacker would've also had to set up a telephone bot which is also able to connect the banking ID to the last name of OP2.

This - to me at least - looks like a really big effort to just get the password to an online banking account, which isn't even that valuable when using a typical online banking system. You typically need a second factor to do any kind of transaction of money. It's still a compromising of the bank account, but nothing that can't be fixed.

I highly doubt, that this is a phishing attempt. It just doesn't seem like a good policy to me, especially if it's not clear for users, that their online password is also used for authentication over the phone.

(1) In theory an attacker could fake some kind of emergency which would then lead a user to call the support number.

(2) Unless the OP made a mistake and mentioned his/her last name earlier during the call.


Yes you should take action, report it to your bank, in all likelihood this was a phishing attempt.

This shouldn’t happen and isn’t normal practice.

Your bank will never ask you for your pin number or password.

EDIT: After reading your comments and the clarification (posted after my awnser) that the contact was entirely initiated by you it is possible/probable that this isn't a phishing attempt and is either a very bad policy (as voice id/biometrics should not require a secret password to work) or a request for information supplied to prove identity in this kind of scenario.

Either way I would contact your bank (via some method other than this phone number) and explain your concerns and get clarification from them that this request was legitimate.