Voice Over Internet Protocol (VoIP) – The Hacker’s Cloak of Invisibility

Operators of large customer engagement channels are on alert that they are at risk if they rely on legacy PSTN proxy-based defense methods such as ANI Spoof Detection, Caller ID validation, and Device ID authentication to validate the legitimacy of an inbound call or a connected device. These proxy methods are no longer effective detection and prevention tools and are easily compromised.

By way of background, VoIP (Voice over Internet Protocol) offers several advantages over the traditional Public Switched Telephone Network (PSTN) for consumers and businesses alike. With low cost as a key driver, together with dramatically improved call quality and increased availability of and access to fast broadband, it is little surprise that VoIP is now the preferred method of telephony for both consumers and businesses.

However, hackers and cybercriminals were also quick to spot the opportunity to use VoIP as a very effective attack vector, one that avoids detection by the traditional methods of validating the legitimacy of a landline or mobile call placed over the PSTN into a call center (agent handled), the IVR, or an IVA. With high volumes of calls being placed by legitimate users over VoIP, it’s easy for hackers to masquerade as legitimate callers and hide their tracks.

So, is Caller ID reliable?

Caller ID is a widely deployed technology that displays the caller’s phone number or name on the recipient’s device, providing information about the incoming call. While Caller ID can be helpful in identifying legitimate callers, it is important to recognize that it is not reliable and is vulnerable to hacker attacks.

There are several factors that can affect the accuracy and reliability of Caller ID information:

  • ANI Spoofing: ANI spoofing is a technique where the caller manipulates the Caller ID information displayed to the recipient. With readily available technology, it is relatively easy for malicious individuals to change the Caller ID to display a different number or a familiar number to deceive the recipient.
  • VoIP and Internet-Based Calls: Voice over Internet Protocol (VoIP) allows calls to be made over the Internet, and Caller ID information can be altered more easily in these cases. Hackers and scammers often leverage VoIP services to manipulate Caller ID, making it appear as if the call is originating from a different number or location.
  • Legitimate Call Routing: In some cases, legitimate calls can have inaccurate Caller ID information due to call routing complexities. For example, calls may be routed through different networks or carriers, which can cause the displayed Caller ID to be different from the caller’s actual number.
  • Caller ID Name Manipulation: Caller ID can display not only the phone number but also the caller’s name. However, this information can also be manipulated or falsely presented, leading to inaccurate identification.
  • Third-Party Spoofing Services: Some services or applications allow individuals to change their Caller ID for legitimate purposes, such as privacy protection or call routing. However, these same services can be misused by scammers and spammers to falsify their Caller ID information.

Due to these multiple limitations and vulnerabilities, Caller ID cannot be relied upon as a definitive indicator of a caller’s identity or intentions. 

Is Device ID reliable?

A Device ID is intended to provide a unique identifier for a specific device, which can help in distinguishing it from others. There are many deployments of solutions that rely on Device ID as a form of “invisible” authentication of the legitimacy of a connected device.

However, Device IDs can be manipulated or spoofed by hackers or malicious actors. While Device IDs are designed to provide a unique identifier for a device, certain techniques and vulnerabilities can be exploited to alter or mimic Device IDs, such as:

  • Device ID Spoofing: Hackers may attempt to modify or falsify the Device ID of a device to impersonate another device or evade detection. They can employ various methods to manipulate the Device ID, such as modifying system files, using specialized software or tools, or exploiting vulnerabilities in the operating system or device firmware.
  • Emulation or Virtualization: Hackers can use device emulators or virtualization software to create virtual instances of devices. These virtual instances can have manipulated Device IDs, making them appear as different devices to the systems or applications that rely on Device ID for identification or authentication.
  • Platform Vulnerabilities: Vulnerabilities in the platform or operating system can sometimes allow hackers to manipulate Device IDs. Exploiting security flaws or weaknesses in the device’s software stack can enable unauthorized access or modification of Device ID information.
  • Manipulation and Spoofing: It’s important to note that, like any identifier, Device IDs can be manipulated, spoofed, or changed by malicious actors. Techniques such as device ID spoofing or emulators can be employed to alter or mimic Device IDs, potentially compromising their reliability for certain applications.

Device IDs can no longer be relied upon for unique device identification and tracking purposes within a specific system or network. 

What other attack vectors does VoIP present to hackers?

It’s important to note that the use of VoIP by hackers is not limited to ANI spoofing, Caller ID manipulation, and Device ID impersonation alone. VoIP offers various other advantages for cybercriminals, such as the ability to easily automate mass calling, launch phishing attacks, or conduct voice phishing (vishing) campaigns. Organizations and individuals need to implement robust security measures, including call analytics, threat intelligence, and awareness training, to mitigate the risks associated with VoIP-based attacks.

  • Geographic Flexibility: VoIP enables hackers to select phone numbers from different geographical regions, even if they are physically located elsewhere. This geographic flexibility allows them to spoof numbers that may be more trusted or familiar to the intended targets, increasing the chances of successful social engineering or phishing attacks.
  • Encryption and Secure Communication: VoIP services support encryption capabilities, allowing hackers to secure their communication channels. Encryption can make it difficult for ANI spoofing detection systems to analyze call content or detect suspicious activity, providing an additional layer of protection for the hacker’s activities.
  • Global Accessibility: VoIP services are accessible from anywhere with an internet connection. Hackers can leverage this global accessibility to launch attacks from different locations, making it harder for ANI spoofing detection systems to pinpoint their exact origin or track their activities effectively.
  • Anonymity and Disposable Accounts: VoIP services may allow users to create anonymous or disposable accounts with minimal verification requirements. Hackers can take advantage of these features to create temporary accounts for malicious activities, making it harder for ANI spoofing detection systems to trace back the source of the spoofed calls.

Operators of large customer engagement channels should be put on alert that they are at risk if they rely on legacy PSTN proxy-based defense methods such as ANI Spoof Detection, Caller ID validation, and Device ID authentication to validate the legitimacy of an inbound call or a connected device. These proxy methods are no longer effective detection and prevention tools and are easily compromised.

Due to multiple limitations and vulnerabilities, none of Caller ID, ANI Spoofing Detection, or Device ID can be relied upon as a definitive indicator of a caller’s identity or intentions. Hackers and cybercriminals will always use the path of least resistance, and knowing that they can easily penetrate these legacy prevention defenses will only increase the volume and types of attacks.

It is crucial for organizations to move to the latest defense capabilities, including advanced generative AI deepfake detection and next-generation omnichannel voice biometrics, in order to ensure that they can protect their reputations and their customers. 

ValidSoft’s advanced generative AI deepfake detector solution, Voice Verity™, and Next Generation Omnichannel voice biometrics offer the solutions that organizations need today in order to ensure that their defenses are able to detect and prevent the latest attack vectors in the Call Center, on the IVR, and on the IVA.

Unlike legacy solutions that attempt to authenticate metadata associated with a call rather than the actual caller, ValidSoft authenticates the caller on three criteria: is the caller live and not a recording; is the caller human and not a machine; and is the caller who they say they are and not an impostor or impersonator? We’re here as a trusted partner to ensure that institutions, enterprises, and government organizations can handle calls to Agents, on the IVR, and on the IVA with integrity and trust.