That's what's really chilling. To this day I wonder if the customer service person was being intentionally malicious or if the bank's verification protocol was just that bad.

I could totally imagine friends and family just typing in their credentials because they'd just think: (1) it was a bank so it must be safe (2) that they got "transferred" so they're communicating privately with the other bank, and/or (3) that a person surely could not figure out what numbers they entered into the phone.