The 3-step tax security dance

I guess this is a type of 2-factor authentication. Today I got a call from Canada Revenue Agency. No, not that call from some sweatshop scam operator. Before he could talk he needed to verify some info. So I asked how I could verify him. He suggested I go to the website, find the general business inquiries number, call that, and confirm that his name/number were working my file.

So I did. PS, the CRA hold music is not that good. CRA general inquiries confirmed he was real and on my file, so I called him back, and gave the confirmation.

Now, this was a bit of a circuitous conversation flow. It's actually more or less identical to the steps you take for each HTTPS page load (you talk to the site, you talk to the cert authority, then back to the site). Now, the cert authority we speed up by OCSP, stapling, pre-cached trust chain, etc.

In hindsight I didn’t need to do this (since the questions they needed to identify me were public information). But it's nice to know the system works.

PS, they were verifying that the banking information for deposit had not been changed by some scammer. So double bonus.

Have you ever tried this dance? You get called, and you get them to confirm who they are first? Socially awkward.






    TD used to be the worst for this… “We’d like to offer you ___ but first we need to verify some security questions” “Okay sure but first you called me so can you give me your date of birth, name and social insurance number?”

