Bruce Schneier recently wrote an interesting piece on his blog about Caller ID. In it, he discusses an AP article that details the failings of Caller ID. He asks a VERY good question. Namely,

Q: What’s worse than a bad authentication system?
A: A bad authentication system that people have learned to trust.

This is why it is imperative that any system used for authentication be built to be secure. The more widely the system is to be relied upon, the more important that becomes.

The article goes through real-life examples of forged caller ID information, including a congressman whose phone number was spoofed as the caller ID on calls he never made, a SWAT team operation dispatched in response to a call from a spoofed phone number, break-ins to voicemail boxes that automatically authenticate based on the caller ID, and even how caller ID spoofing played a role in the 2004 “hack” of Paris Hilton’s cell phone.

More interestingly, the article touches on how the last scenario, a case of “pretexting”, is a textbook example of social engineering. With the caller appearing to be the legitimate user, the target is lulled into a lowered sense of suspicion. Pretexting has been used to obtain all sorts of information, but most recently it has come under fire as shady operators make pretext calls to wireless carriers to obtain copies of cell phone bills, including the calls placed and received.