The software could not let the call centre drone get to do things if the customer doesn't get the password right.
If the customer's forgotten the password it could go on to other security questions, again not letting the drone go on to later screens unless the customer gets most or all of them right.
And it should certainly not allow repeated spamming of the call centre.
If there is some doubt about the customer then the drone should be able to play back previous calls to the call centre to compare voices, check if the caller is calling from their own home or mobile, and so on.
There are certainly ways to tighten up things.
Biting the hand that feeds IT
