Hacker News
by ch 4856 days ago
Yes, but just being logged in isn't evidence enough.

Someone might have lifted his account password and logged into the website with it impersonating him on the chat, and so it only makes sense to then confirm identity by challenging for that password over the same chat where he is being impersonated... hey wait a second!

1 comment

He wasn't logged in; if he was logged into the account he could have done what he wanted, no problems. The reps don't have your web password. Your chat/call-in password is different; it's analogous to asking for your SSN to do an account change.