The Problem

One of the largest challenges facing users in the digital world is proving they are who they purport to be. It remains one of the biggest unsolved hurdles among identity-related trust concerns. The issue affects everyone in the path of a communication session: originating and terminating service providers, the Internet service provider's interconnect carriers / providers, government and end users (individuals and enterprises). The most fundamental aspect of this challenge is building on a globally usable, well-managed "name convention" that is highly automated, accessible and accepted by all parties in a communication channel.

Current initiatives in this space, particularly those using PKI systems, have fallen short of their objectives due to the following issues: (i) lack of a globally known and unique identifier, (ii) lack of network, protocol and application independence, (iii) user validation and privacy concerns, (iv) issues with back office support systems to manage / audit the lifetime usage of certificates, (v) complexity of use, and (vi) the cost to implement.

ICS leverages the ubiquity of a telephone number with its patented and patent-pending security solution to create a unifying platform of trust. Telephone numbers have long been an acceptable means of identity in a "hard wired" world. However, "trust by wire" does not work in the open environment of the Internet, where a dedicated line between users cannot be established. That leaves identity highly elusive and elevates security considerations. Specific risks result:
  • "Toll Fraud". The act of spoofing the identity of VoIP service providers to surreptitiously route calls through other legitimate Internet phone companies, saddling them with the expense of carrying the traffic.
  • "Vhishing". The VoIP telephony version of email phishing. In such attacks, the "vhisher" calls via VoIP, spoofing the originating phone number so that the recipient's caller ID displays the name and number of a reputable organization, such as a bank, store, or government agency, generally in an attempt to obtain valuable personal information of the called party.
  • "Swatting". So named because such attacks often elicit the response of armed police SWAT teams. In these attacks, instigators originate VoIP calls that allow the caller to spoof their identity and location to 911 operators, making it seem to emergency responders as if the attacker, who is reporting a false scene of mayhem and carnage, is in a location often far removed from their true whereabouts.
  • "Spoofing Caller ID". Using VoIP phones or softphones, attackers can place calls from anywhere they can get an Internet connection, while simultaneously spoofing their Caller ID to avoid detection. Often, such callers are also able to use means of encryption that would allow them to avoid the lawful intercept regulations stipulated by CALEA, thereby keeping their communications private from law enforcement authorities.
  • "Smishing". The text message version of email phishing. In such attacks, the "smisher" sends a text message often purportedly from a financial institution requiring immediate attention. In responding, the called party is asked to provide valuable personal information.
"Trust by authentication" is the only means by which to establish a validated identity, which is essential to support a host of applications, from a telephone call to high-value financial transactions. It is at the heart of ACerted Trust, which addresses all the risks discussed above.