Caller identification (Caller ID) is one of the most trusted ways of identifying who is calling and is commonly used to effectively filtering incoming calls. Telecommunication networks are designed in such a way that the Caller ID is usually delivered to the called device by the telecommunication operators. With a traditional phone system, it is hard to spoof Caller ID. But with the advent of IP Telephony, a caller can easily spoof Caller ID using techniques and tools freely available on the Internet. More importantly, the caller can be anywhere in the world where Internet Protocol (IP) connectivity is available to perform these operations.
In addition, when someone calls a number and leaves a message to call back, the recipient commonly believes the message and callback number associated with the message. Hackers can exploit this trusted call back behavior for their scams using called ID spoofing and geographic independence.
One such attack recently termed as “Vishing” (Voice variant of well known web/email phishing) has serious consequences to the financial and banking industry. A hacker sitting in a foreign country with freely available tools, such as asterisk PBX, can launch thousands or millions of automated calls. By spoofing Caller ID, the attacker pretends to be the bank or financial institution to solicit confidential information that could lead to theft of the target's financial assets. Similarly, the attacker can leave thousands or millions of messages to callers to call back a number different from the legitimate bank's numbers. Since banks have hundreds of numbers to provide various services, the customer is led to believe that the number is legitimate. The attacker can, with freely available tools, impersonate the bank's caller center and can collect confidential information. In addition, the attacker can act like a man-in-the-middle (MITM) between the customer and bank in order to easily obtain confidential information of the target.
As a result, Caller ID does not necessarily reveal the true identity of a caller. Moreover, in today's world of self-service and virtual customer service, it is becoming increasingly more difficult to associate Caller ID with the caller and calling number with the called party. There is, therefore, a need for a system, method and apparatus for authenticating calls.