there are countermeasures. any competent org (agree with you -- probably not the majority of them) has auditing, so accesses are logged. back in the 90s we had this at my university ... it's an age-old practice. you as a user would never know it.
i would bet that most of the places you are thinking about (banks, credit card, and so on) where you get on the phone with a rep, with a phone entry system ahead of the agent, the agent can only access that specific data during the call, the access is logged, and any other access (some other account) is flagged for review. by calling in you are granting access. most users simply don't care about privacy and extra hurdles are just asking for complaints. limiting access to specific accounts during live calls is a fair compromise and a tight control.
xero (they suck, so this is not an endorsement) requires you to give the rep access explicitly, as an option, when requesting tech support. of course i have zero doubt that senior reps can get access anyway (which would be audited), so the explicit control is more about signalling comfort to you about their security measures.
after google had the SRE stalker incident they implemented very tight access controls to user data.
i walked into a verizon store the other day to buy a hotspot. the rep could not get access to any info whatsoever (even billing status) until i acknowledged a message on my phone. it's clear they only had access to my specific data (i.e., they don't get to enter any phone number and get access) for that specific interaction.
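The call-bound control described in the comment above (access allowed only to the caller's account during the live call, everything logged, any other access flagged for review) can be sketched as an audit-log check. This is an added example, not part of the original comment and not any vendor's code; the record fields, agent and account names, and the 5-minute wrap-up grace window are assumptions, and all sample data is constructed.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed call sessions: the phone entry system binds an agent
# to the caller's account for the duration of the call.
CALLS = [
    {"agent": "rep17", "account": "A-1001",
     "start": ts("2024-05-01 09:00"), "end": ts("2024-05-01 09:12")},
    {"agent": "rep22", "account": "A-2002",
     "start": ts("2024-05-01 09:05"), "end": ts("2024-05-01 09:20")},
]

# Constructed audit log of account-record accesses by agents.
ACCESSES = [
    {"time": ts("2024-05-01 09:03"), "agent": "rep17", "account": "A-1001"},
    {"time": ts("2024-05-01 09:07"), "agent": "rep17", "account": "A-3003"},
    {"time": ts("2024-05-01 09:14"), "agent": "rep17", "account": "A-1001"},
    {"time": ts("2024-05-01 11:30"), "agent": "rep22", "account": "A-2002"},
    {"time": ts("2024-05-01 09:10"), "agent": "rep40", "account": "A-2002"},
]

def review_accesses(calls, accesses, grace=timedelta(minutes=5)):
    """Return (agent, account, reason) for every access that is not
    covered by a live call binding that agent to that account.
    The grace window (assumed) allows post-call wrap-up notes."""
    flagged = []
    for a in accesses:
        # Calls this agent is on (or just finished) at access time.
        live = [c for c in calls
                if c["agent"] == a["agent"]
                and c["start"] <= a["time"] <= c["end"] + grace]
        if any(c["account"] == a["account"] for c in live):
            continue  # caller granted access by calling in
        reason = ("account not bound to agent's live call" if live
                  else "no live call for agent")
        flagged.append((a["agent"], a["account"], reason))
    return flagged

if __name__ == "__main__":
    for row in review_accesses(CALLS, ACCESSES):
        print(row)
```

The same join works as an enforcement check at access time; run over logs after the fact, it produces the review queue.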