Two fundamental failures
[1] "In some cases, callers already possessed victims' personally identifiable information – allowing the attackers to bypass identity verification checks."
"Identity verification" should include additional out of band challenge/response information that only the helpdesk and the legitimate party have access to (e.g. to ask when the caller signed up to the service).
[2] "UNC3944's crooked callers would often claim they were receiving a new phone, which necessitated a multi-factor authentication (MFA) reset."
No phoned-in request for a credentials reset should ever be provided without an additional out of band verification step (e.g. a call back to the user's registered phone number with a verification code).
Obviously neither of these is 100% assured as they could be circumvented in principle, but together they come pretty close in the majority of cases.
The big snag here (which is commonplace unfortunately) is that we're still using decades-old (and in some cases, faulty) criteria for identification and authentication, despite the threats having escalated hugely since then. Many people (and organisations) still confuse identifiers and authenticators -- hence a common assumption that biometrics are authenticators, and password creation rules remain as flawed as ever. Most significantly though, there's clearly a serious lack of understanding of the basic principles of identity verification which needs to be addressed by much better training. That's obviously a long-term fix, but in the short term there's absolutely no reason why out of band one-time key generation should not be universally adopted as one of the Ms in MFA -- dongles supporting this have been around for decades.
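As an added illustration (not part of the comment above), here is a Python sketch of a helpdesk MFA-reset flow that applies both controls: a challenge only the helpdesk and the account holder know, plus a one-time code sent to the registered number rather than to whatever number the caller gives. The account record, phone numbers, signup month and the `send_sms` hook are all constructed assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

@dataclass
class Account:
    username: str
    registered_phone: str   # number on file, NOT the one the caller claims to have
    signup_month: str       # extra challenge known only to helpdesk and account holder
    pending: dict = field(default_factory=dict)

# Constructed sample account (hypothetical data).
ACCOUNTS = {"alice": Account("alice", "+44 7700 900123", "2019-03")}

def start_mfa_reset(username, caller_claimed_phone, signup_answer, send_sms):
    """Helpdesk step 1. Having PII (name, address, DOB) is not enough:
    the caller must answer the out-of-band challenge, and the one-time
    code is sent only to the registered number. The number the caller
    offers for their 'new phone' is deliberately never used."""
    acct = ACCOUNTS.get(username)
    if acct is None or not hmac.compare_digest(acct.signup_month, signup_answer):
        return False                      # challenge failed: no code is issued
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending = {"code": code, "expires": time.time() + 300}   # 5-minute window
    send_sms(acct.registered_phone, code) # out of band; caller_claimed_phone ignored
    return True

def complete_mfa_reset(username, code_read_back):
    """Helpdesk step 2: the caller reads back the code that arrived on the
    registered phone. Single attempt, single use, time-limited."""
    acct = ACCOUNTS.get(username)
    pending = acct.pending if acct else None
    if not pending or time.time() > pending["expires"]:
        return False
    ok = hmac.compare_digest(pending["code"], code_read_back)
    acct.pending = {}                     # consume the code whether or not it matched
    return ok                             # True only now may the MFA factor be reset
```

A caller who already holds the victim's PII but not the registered handset never receives the code, so the reset cannot proceed.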