There are legal requirements of banks carrying enough PII on a person to reliably unwind an auth attack (and also to send the cops after them if they are the ones who commit fraud).
This would be one solution. But it would require Google to hold significantly more PII, explicitly, on every Gmail user than they do right now (and make the process of opening a Gmail account take a bit of time, like it does at a bank). This is one of the better suggestions I've heard, though it would threaten the integrity of the existing 1.5 billion accounts unless Google grandfathered them into a "low-identification" status.
This doesn’t seem that hard. Charge for support if they have to (eg charge per minute or call).
In terms of working out if a call is an attack, far juicier targets such as banks are able to manage, I think they can work it out.