Caller ID, as traditionally provided by the circuit-switched Public Switched Telephone Network (PSTN), was reasonably secure. However, the introduction of Voice over Internet Protocol (VoIP) has made it relatively simple to change caller ID so that the real identity of a calling party is concealed. Changing the caller ID name is referred to as “caller spoofing”, and it is generally done for fraudulent purposes.
In the VoIP domain, caller spoofing is so simple that there are web sites dedicated to permitting anyone to place calls using any caller ID they desire. Examples of such web sites can be found at telespoof.com and spooftel.com. Since it is now possible to originate calls from a VoIP network that are terminated in the PSTN, caller ID can no longer be trusted as a reliable caller authentication system. Spoofing only the displayable Caller ID Name part of Caller ID is even easier: in VoIP the caller can choose it arbitrarily, either during caller subscription or on a call-by-call basis, and currently adopted authentication mechanisms, even those available in IP Telephony, cannot control it. Furthermore, even if the caller ID name could be authenticated using prior-art methods, certain “legitimate” names may be maliciously selected to resemble authentic trusted names, and this creates another opportunity for phishing attacks.
Identity theft has also become a serious problem nearly everywhere. The United States Justice Department estimated in 2002 that up to 700,000 people in the United States were victimized by identity thieves. More recent analyses place the estimates much higher. A recent report on identity theft warned that there is likely to be “mass victimization” of consumers within the next two years.
Caller spoofing provides a new way to perpetrate identity theft using a new variation of the old computer phishing attack. In this new variation, instead of using web pages, the identity thief calls the victim and claims to be calling from, for example, a financial institution. The identity thief impersonates an employee of the financial institution and asks for account information and passwords. If the identity thief spoofs the caller name to appear as if the call is actually originating from the financial institution's telephone system, then there is a higher probability that the thief will succeed in obtaining the information they desire.
It is therefore highly desirable to provide a caller authentication system that is not susceptible to caller name spoofing.