So, I call $company. The automated system guides me through the hoops, in particular, asking for my "secure credentials", normally "the last four". Then it connects me to a representative.
And the first thing the representative says is: "What are your last four?"
I just identified myself to your automated system.
It authenticated me.
Why do *you* need to hear it again?
If this is part of $company's protocol, it's redundant.
If this is an unscrupulous employee harvesting personally identifiable information, it's a vulnerability.
The problem is, you cannot distinguish between the two. So either way, we're screwed.