It's easy to think that, IMHO. Pre-arranging a challenge, recognizing by voice, performing a call-back to a widely publicized/trusted phone number... I really doubt anything like that occurred.
And even if there was authentication, now it's time for authorization. The only authorized recipient of a password is the exact same entity with which you established the password.
