Part of the emerging generation of fintech startups, the new digital-only banks—colloquially known as the challenger banks by the financial technology "in" crowd—appear to be approaching consumer banking very differently than the existing major main street banks. The question is, how deep does that commitment go?

Trying to get a feel for them then, it's sort of interesting to see some of the same security anti-patterns developing in the challenger banks that exist in the traditional big banks. For instance, one of them just phoned me and asked me to provide personal information for "security verification" before they'd discuss what they were calling me about.

Providing information to someone cold calling you isn't something you should be prepared to do—no matter whether you're expecting the call, or who they say they're calling from. It also shouldn't be something a company asks their customers to do, at least not if they have a solid security culture.

This security anti-pattern is one of the most irritating consumer-facing security problems that large institutions like banks suffer from, as it has the potential—as a pattern—to assist fraudsters attempting to extort data from customers to commit identity fraud. If you're used to handing over your identity in the opening seconds of a phone call, you're far more likely to hand it over to the wrong person.

Unfortunately there really is no way to mutually, and securely, authenticate using a single-channel medium like a phone call. However the digital-only challenger banks have an easy way around this problem, they have an app, and a second channel.

One possible solution then would be to send a push notification "The person you're talking to on the phone is really from your bank" once the the phone call has begun. This is a perfectly reasonable way to prove that the caller is legitimate, after all, making their own app do something while they're talking to you is a decent first-cut at a second channel proof of authenticity.