VoIP Caller ID: an invite for hackers?


That's 3com's NBX V3000 VoIP switch on the left, and a switch based on open-source Asterisk on the right.
I made that canvass as a result of reading a post by Paul Ryan, the ITXtreme columnist for InfoWorld magazine.
Paul's April post, "Outlaw Caller ID," got me thinking about how foolish it is for some enterprises to base their VoIP phone call and transfer authentication on a number that shows up via VoIP caller ID.
"It is a trivial task to change your caller ID these days to be any arbitrary value that you want," Paul writes. "With the advent of widespread VOIP providers that actually let you do this explicitly, even the script kiddies can do this. Those savvier folks can either reprogram their phone switch (with VOIP switches like the NBX V3000 from 3com at less than $2k these days), or program their Asterisk switch (open source -- free) to present any caller ID you want to."
Paul suggests that as far as VoIP (and cell) caller authentication is concerned, "merely use caller ID as a suggested number that you might call back on."
Passwords certainly aren't airtight, but they are far more secure and far less arbitrary.
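The policy above, sketched as an added example (not code from this post, from Paul's column, or from any vendor): the number in a SIP From header is read only as a hint, and access is granted by a secret or by calling back the number on file. The account store, PIN, salt, phone numbers and the INVITE are constructed for illustration, and the function names are hypothetical.

```python
import hashlib
import hmac
import re

# Constructed SIP INVITE (sample data). The From header is supplied by the caller.
SAMPLE_INVITE = (
    "INVITE sip:helpdesk@example.com SIP/2.0\r\n"
    'From: "Alice" <sip:+15550100@example.net>;tag=1928301774\r\n'
    "To: <sip:helpdesk@example.com>\r\n"
    "Call-ID: a84b4c76e66710@example.net\r\n"
    "\r\n"
)

SALT = b"constructed-salt"  # assumption: per-account random salts in a real system

def hash_pin(pin: str) -> bytes:
    """Derive a stored verifier from a PIN so the PIN itself is never kept."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 100_000)

# Hypothetical account store: the number on file is set at enrollment, not per call.
ACCOUNTS = {
    "alice": {"number_on_file": "+15550100", "pin_hash": hash_pin("482913")},
}

def claimed_number(invite: str):
    """Return the number in the From header: a claim, never proof of identity."""
    m = re.search(r"^From:.*?<sip:(\+?\d+)@", invite, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None

def authorize(account_id: str, invite: str, pin=None):
    """Return (decision, callback_number, caller_id_matches_file).

    Caller ID alone never yields "allow"; it only feeds the third field,
    which is useful for logging and review.
    """
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return ("deny", None, False)
    matches = claimed_number(invite) == acct["number_on_file"]
    # Constant-time comparison of the derived PIN verifier.
    if pin is not None and hmac.compare_digest(hash_pin(pin), acct["pin_hash"]):
        return ("allow", None, matches)
    # No valid secret: end the call and ring the number on file instead.
    return ("callback", acct["number_on_file"], matches)
```

A call that presents the right caller ID but no valid PIN gets a callback rather than access, which is the outcome the spoofing risk calls for.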