Obviously someone can,
especially in a relational database - even a script kiddie could query the database with a simple SQL query.
So it does not require two more steps to identify the caller as he claimed?