Giving Clue of Password?

A PIN is not a password, so technically, the support rep can’t do a whole lot with it outside of the organization’s walls.

They might not actually see it, and instead just type it and see a yay or nay response.

Granted, the rep could call in from the outside and authenticate using the information and PIN you gave over the phone, but it’s more traceable and the call is recorded, so there’s a higher probability of actually being caught than from using a random computer on an open WiFi connection to access the account using the account’s password.

I agree with everything you are saying.

Debbie

It is very interesting to see the varied methods of password storing and retrieval. There doesn’t seem to be an industry standard even when it comes to banking. I’m really surprised that so many have indicated that it is considered OK for a first letter to be passed. Isn’t that what the secret question is for? The giant password and user info. hacks that popped up these past few months should have everyone on heightened alert when it comes to protecting your sensitive information. Unless some standard of security is implemented across retail and banking systems, more thefts of sensitive information will only continue.

That is an excellent point and, perhaps, an opportunity for someone [here?] to introduce a “Technology Solution” to this problem. We know that as time goes on the problem will only grow larger and more unruly.

My online banking requires you to register five pieces of information (such as first school, memorable name, etc.), and logging in requires sort code, account number and one of these items, picked at random. (That’s for my personal account. My business account requires a one-time passcode generated with an electronic gizmo.) For telephone banking, none of the five items is used; instead, a four-digit PIN is required. For the automated system, you enter sort code, account number and PIN; if you then want to speak to an actual person, they will again ask for sort code and account number, then two random digits from your PIN - meaning they don’t have access to the entire PIN and can’t use it later.
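The two-random-digits check described in the last post, sketched as an added example (not any bank's actual system and not code from this thread). The class name, the three-strike limit and the idea that the agent's console receives only positions and a yes/no are assumptions made for illustration.

```python
import hmac
import secrets

PIN_LENGTH = 4
MAX_FAILURES = 3  # assumed lockout threshold


class PartialPinVerifier:
    """Back-end check: the agent's screen gets positions and a yes/no only."""

    def __init__(self, pins):
        # Assumption: digits must be recoverable to check them one at a time
        # (a hash of the whole PIN cannot), so a real store needs encryption.
        self._pins = dict(pins)
        self._pending = {}   # account -> positions currently being asked
        self._failures = {}  # account -> consecutive wrong answers

    def _locked(self, account):
        return self._failures.get(account, 0) >= MAX_FAILURES

    def challenge(self, account):
        if account not in self._pins:
            raise KeyError("unknown account")
        if self._locked(account):
            raise PermissionError("too many wrong answers")
        # Reuse an unanswered challenge so a caller who knows only some
        # digits cannot hang up and redial until those positions come up.
        if account not in self._pending:
            picks = secrets.SystemRandom().sample(range(1, PIN_LENGTH + 1), 2)
            self._pending[account] = tuple(sorted(picks))
        return self._pending[account]

    def verify(self, account, digits):
        positions = self._pending.get(account)
        if positions is None or self._locked(account):
            return False
        expected = "".join(self._pins[account][p - 1] for p in positions)
        ok = hmac.compare_digest(expected.encode(), str(digits).encode())
        if ok:
            del self._pending[account]
            self._failures[account] = 0
        else:
            self._failures[account] = self._failures.get(account, 0) + 1
        return ok
```

Two digits of a four-digit PIN leave only 100 possible answers per challenge, which is why the attempt limit and the fixed challenge matter as much as hiding the other two digits from the agent.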