
Semantics, but important: they said they’d never call or text YOU for the code.

In this case you called them and they asked you.



Yeah, I noticed that as I was writing the comment but I was too invested to backtrack at that point lol


Amex actually once did the same to me several years ago when trying to verify my identity while talking to them.

I refused on a couple phone calls. I forget whether in the end I gave it to them or not, the details are hazy. I do remember I left feedback.

To my knowledge, Amex actually stopped that practice since then. Because as you note with the Citi experience, it is bad.


Amex asked me, via text, to call a number they provided to verify a potentially fraudulent charge, and the first thing the number you call asks for is your full credit card number, all digits, not last four, all of them. The line doesn't even identify them as being from Amex (not that you should trust it).

I called the fraud line on the back of the card (which was different than the number in the text) and they confirmed it was authentic but man, everything about that is straight up phishing.

TD Bank is also one that's horrible. Their online banking portal is myonlineaccount.net which is straight up a domain you'd use for phishing.


My mortgage got sold to M&T Bank whose web presence is at www3.mtb.com. I love that for them. I wonder what happened to their cert/HSTS setup on www ;)


But then what do you think the code is for if you can't confirm your identity with it when you call them? This is how it is supposed to work!


I generally use it to log in to my account as 2FA or when shopping online when some merchants also implement a payment process that taps into Citi's, when it also requests it as 2FA. Meaning I'm using it myself in some software rather than handing it over to someone else (even if by using software I'm also technically giving it to someone else).



