
Look at this from the bank's point of view.

If someone on the phone could convince a card company to send a new credit card to a random address in a random country, do you have any idea what kind of field day scammers would have?



> If someone on the phone

Not "someone". Me. They happily secure phone actions by both a password and 2FA just like online access. After that point you can do literally anything else with the account, including close it or get a copy of the card details.

Thwarting the verified owner of the account is not fraud prevention.

On the subject of thwarting and card details, though, neither CapitalOne's website nor mobile app will show my card number nor will they let me create temporary card numbers _after_ I've authenticated with a strong password and 2FA whenever I happen to be outside of the country. It just says "Oops, something went wrong". It took me weeks to figure out the first time that it was because I wasn't on a US network.


Both your and the parent's points are valid. Identity verification is a hard problem that the major legacy banks have a big problem with.

Their processes are both extremely annoying and can fail and lock out the legitimate account owner (the reason many of you have had trouble replacing cards abroad is because "shipping to a previously known address" is itself a security measure) while at the same time being vulnerable to a targeted attack from someone with knowledge of how the process works.


I've had replacement credit cards sent to me overnight FedEx at least five, maybe more times. Usually involved < 5 minute phone call to Amex/Chase/Wells Fargo, whoever. United States, Canada, UAE and Singapore (twice).

There must be some safeguards beyond the various identity questions they asked me - but I don't know what they were.


I think it'd be fair for them to say "no, we can't send it to any address but your home address", but that their fallback is to say they'll send it to where you are and then to send it to your home address instead is itself a security hole (albeit a smaller one).



