So NFOrce reset the server's root password for him, giving him complete access to the server
Is this normal for ISPs to have the sort of access that allows them to reset any server root password??? That is insane!!!
No, it is not. What would happen if theymos actually forgot his password and they couldn't reset it?
You can't prevent social engineering, no matter what you do.
Usually ISPs have contact information, like phone number, home adress, passport scan etc which can easily be used to verify a person. When combined with PGP, whis should be almost 100% safe.