It's a fine line to balance security but BT have to take protecting customers data seriously, although in most cases of being called back, it's the result of you calling in so it shouldn't be unexpected to be called and asked to verify.

I never do it, including my bank (Nationwide) who called recently to discuss a complaint. Indeed that pushed me to switch to another bank.

As for BT, they generally have a different take by texting a code that you repeat back. Happy with that as I'm not disclosing anything.

I have one golden rule, if an unsolicited caller asks me for personal or financial information or to install software on one of my machines then I hang up and block them, no exceptions and I've yet to find out that I missed an important call.

---

@rbz5416 wrote:

I never do it, including my bank (Nationwide) who called recently to discuss a complaint. Indeed that pushed me to switch to another bank.

As for BT, they generally have a different take by texting a code that you repeat back. Happy with that as I'm not disclosing anything.

---

BT only use the one time PIN code if you have called them.

If you get an unsolicited call "from BT" and they tell you that they will send you a PIN code and you have to repeat it back to them it means they have probably used the "forgotten password" route which generates a PIN number being sent to you. They will have obtained your email address from any number of places. Once you give them that number they have access to your MyBT or email account depending on which one they used.

See link

BT's One time pin process - BT Community

A couple of further observations ...

Firstly,  the  'one-time PIN code'  thing is fine on the assumption that you have a mobile phone ... which my partner doesn't,  and to be honest my one only ever comes out of the drawer once in a blue moon.

Secondly,  the fact that the call may be a follow-up to my having called them  ( 'them'  being any given company,  not just BT )  is neither here nor there.    As an example,  scam calls are easily prolific enough now that a phoney caller  ( pardon the pun )  might well happen to call at a time which happens to coincide with my having contacted my bank.    But even when it's a genuine call from a company in response to my having contacted them first,  the principle still applies:  why should I have to prove my identity to someone calling me?    In fact,  if anything,  that's even more applicable in this scenario  -  if a company is in fact calling me in response to my having contacted them,  then they presumably know in advance exactly who I am  -  that's why they're calling me.    Even if you look at the outside chance that someone else is answering my phone  -  if they're in my house,  it's a pretty fair bet that they know my address,  so that doesn't prove anything;   if they're there with criminal intent  ( even disregarding the chances that they would stop to answer the phone ),  it's equally possible that they might know my e-mail address.    I'd be curious to know from any given company  -  BT or any other  -  exactly how many times they've actually caught someone out with the security questions and prevented some kind of fraudulent or criminal activity from taking place.

---

@Firefox1701 wrote:

A couple of further observations ...

Firstly,  the  'one-time PIN code'  thing is fine on the assumption that you have a mobile phone ... which my partner doesn't,  and to be honest my one only ever comes out of the drawer once in a blue moon. If you do not want texts or have not supplied a mobile number they send the PIN by email to your previously registered email address.

Secondly,  the fact that the call may be a follow-up to my having called them  ( 'them'  being any given company,  not just BT )  is neither here nor there.    As an example,  scam calls are easily prolific enough now that a phoney caller  ( pardon the pun )  might well happen to call at a time which happens to coincide with my having contacted my bank. Unlikely and even if it did happen it would be a very lucky scammer to have picked the correct bank name to use and be able to quote the reason for the call as a follow up to trick you into believing that it was genuine.    But even when it's a genuine call from a company in response to my having contacted them first,  the principle still applies:  why should I have to prove my identity to someone calling me?     In fact,  if anything,  that's even more applicable in this scenario  -  if a company is in fact calling me in response to my having contacted them,  then they presumably know in advance exactly who I am  -  that's why they're calling me.   The reason that you are asked is so that your private information is not given just to anybody who happens to answer your phone. If for instance it was your bank, your doctor or some other company that holds information that you would not want somebody else, even a family member to know, how else would you suggest that the company identify that they are speaking to you.  Even if you look at the outside chance that someone else is answering my phone  -  if they're in my house, perhaps that would be the case in your house but not everybody lives in your house or have the same circumstances as you. I'm pretty sure that there will be many house holds who do have more than one person answering the phone such as multi occupancy flats it's a pretty fair bet that they know my address,  so that doesn't prove anything;   if they're there with criminal intent  ( even disregarding the chances that they would stop to answer the phone ),  it's equally possible that they might know my e-mail address. It is not always your address, post code or email address that is asked for  I'd be curious to know from any given company  -  BT or any other  -  exactly how many times they've actually caught someone out with the security questions and prevented some kind of fraudulent or criminal activity from taking place. That is an imponderable question. People, with no criminal intention, can and do forget security questions and as such they do not get access until a further security check has been completed.

In any event the best advice it to be vigilant and if you are in any doubt or you are not wanting to deal with callers on the phone you should ask them what the call is about and that you will call the company back using a phone number that you know is a safe number and not one supplied by the caller.

---

Wow!    I feel like that should have concluded with the words:  'the defence rests'!

But if that's what this has turned into  -  which it wasn't meant to:

'If you do not want texts or have not supplied a mobile number they send the PIN by email to your previously registered email address.'    Great.    As long as I happen to be in front of my computer at the time,  fair enough.

'... it would be a very lucky scammer to have picked the correct bank name to use and be able to quote the reason for the call as a follow up to trick you into believing that it was genuine.'    Sorry,  but no.    First of all,  we've had scammers call here claiming to be from four different major banks;   by the sheer law of numbers,  they will get it right sometimes.    Other people on this forum have told that exact story.    And the whole point is that they usually don't quote the reason for the call until you've answered their questions.    This,  not to mention the fact that it is by no means only banks that I'm talking about;   energy providers,  telephone / internet service providers,  the list goes on.    If you believe that the coincidence of timing is unlikely,  I would suggest that you're luckier than many of the other contributors to this forum  -  it being the case that scam calls are one of the most frequently-discussed topics on here.

'The reason that you are asked etc.'    For a start,  if the  'one-time PIN'  solution is so effective,  then why don't other companies,  including banks,  use it also?    Although I personally tend to eschew mobile phones,  I recognise that I'm in the minority,  and this presumably works for most people without there being a need to divulge any personal information to what is for all intents and purposes a completely anonymous caller.

'It is not always your address, post code or email address that is asked for ...'    No;   but if,  as you suggest,  it was another family member or co-occupant,  it's still entirely possible that they may know the answers to the security questions.    Not guaranteed,  I grant you;   but possible  -  which in itself means that for a company to stand on the principle that it will only continue the conversation if you answer security questions to which other members of your household may know the answer,  is meaningless.

'I'd be curious to know from any given company  -  BT or any other  -  exactly how many times they've actually caught someone out with the security questions and prevented some kind of fraudulent or criminal activity from taking place.'   /   That is an imponderable question.    People, with no criminal intention, can and do forget security questions and as such they do not get access until a further security check has been completed.    Thank you for making my point for me.    I suggest that it isn't so much the case that the question is imponderable;   rather,  that the companies involved would not choose to ponder the inadequacies of a system they've had in place for so long.    Instead,  precisely because they do not question their own system,  people who,  as you rightly say,  have no criminal intention and are legitimately entitled to be having a conversation with the company in question,  are prevented from doing so through no fault of their own.

'In any event the best advice it to be vigilant and if you are in any doubt or you are not wanting to deal with callers on the phone you should ask them what the call is about and that you will call the company back using a phone number that you know is a safe number and not one supplied by the caller.'    Refer back to my original post.    It is precisely the fact of being vigilant  -  as everyone rightly should be  -  that creates the problem.    Yes,  you can call the company back using a known safe number;   it will very likely be an 08 or 03 number or similar,  it will almost certainly go through a recorded menu  ( or a tree of them in many cases  -  up to seven is not uncommon ), you may well have to listen to music for an indeterminate period of time,  and if you do succeed in getting through to the correct department,  the chances of actually speaking to the same human being who called you in the first place are minimal  -  far more likely,  you will speak to someone who has no prior knowledge of you or your circumstances and who will have to look the case up from scratch.    Yes,  you can take this course of action if you have nothing better to do with your time ... should you have to?

My argument is that in this day and age,  when institutionalised scamming has existed for at least the last couple of decades or so and is now more rife than ever,  the onus is upon the corporate sector to come up with better alternatives than this,  not on the already-beleaguered members of the public who have their hands more than full enough dealing with scammers in the first place  -  again,  as witness countless posts on this very forum.

I thought this was a discussion where you asked for "thoughts and observations, anyone?"

Obviously I was wrong! 

I don't have an argument but you obviously do and would appear to only want comments that suit you narrative so I'll leave you to it.

I have to say that your blow-by-blow dissection of the previous post did not immediately strike me as having come from someone who  'did not have an argument'.    However,  contrary to what you suggest,  creating or sustaining an argument was never my aim,  and I do welcome any and all contributions,  whether they subscribe to my point of view or not  -  in fact I would be very interested to see whether the majority of people do or don't agree with me.