Recently my friend called their bank (via a normal phone call) to perform an operation with her account and she had to type her password during the call. Everything worked fine, the operation was done successfully.
Note: the password she used was the same for accessing the bank app in her smartphone.
What are the risks in doing this? Is this common practice for banks?
Intuitively I can think of another option that seems much more secure: the bank employee would press a button in the bank system that would cause a confirmation dialog to open within her bank app, and then she would open her app and press OK, thereby confirming the operation without giving the password via the phone call (and still proving she knows the correct password, since she was able to open the app).
