Hypothetical fwdout Risk

A fair amount of a priori knowledge is needed to execute this, including knowledge of which PSTN end-point you are using to exit the IP network, so it may not be possible in practice. Besides, I’d have to use fwdout to confirm, and that’s just too much work. fwdout is only an enabler in this scenario. It increases an existing risk because it invalidates an assumption about telephone numbers.

Businesses use a customer’s telephone number as identifying information, and customer service desks often tie Caller ID information to the customer database. For most businesses this is not an issue; they do not need to have verifiably reliable knowledge of their calling customer: it’s merely a convenience. Banks, on the other hand, do. Most are aware enough that Caller ID is not sufficient proof that the person on the other end of the line is the person who pays the bills, nor may it be the person in their account records, and so they ask for further identifying information.

If I call from a number not in their records as mine, I’m asked for two or more pieces of information. If I call from home, they only ask for one. If I speak to a customer service representative, they’ll accept mother’s maiden name alone.

This is entirely understandable. They are trying to be helpful. I may be forgetful and still need to transfer my money over the phone to an undisclosed location in Barbados, so they’ll bend over backwards to help me.

Here’s the problem. They presume that I am the only one who knows certain information. And yet that information has been shared widely enough that their presumption is false. They may have consciously accepted the risk, and covered my assets through the purchase of insurance; but then again, they may not have.