March 3rd, 2006

I see you.

Don't trust Caller ID too much

Bruce Schneier reports on Caller ID Spoofing.

I knew it was possible to do, but I didn't know it had gotten so easy to do. The security implications for companies that use CID as a verification system are major. I know several of my credit card companies use it to activate new cards, without asking for any other credentials - no PIN, nada. Steal a new card, spoof the CID, and you have an active card. If you have any kind of access system that can use CID with an optional PIN - use the PIN.