Credit Card Activation a security risk
10 Oct 2006
You may have received a credit card with a sticker on it asking you to activate your card by calling a special number from your home phone.
The credit card verification system uses caller ID or ANI (Automatic Number Identification) to check the number you’re calling from and checks whether that’s the home number they have on record for you. The idea is that only the legitimate cardholder can call from their home phone. I mean, you have to be inside my house to call from my home number, right?
I use a VoIP system as my home phone. Any calls I make are transmitted over the internet before they make it onto the regular telephone system. I’ve got a regular phone number—in fact it’s the same number I’ve had for five years, even before I used VoIP. My phone number shows up in caller ID, just like a "regular" phone. The difference is, for normal landlines, the caller ID information is set at the local phone office. For my VoIP system, the number is set in my phone system—a little box that sits on a shelf in my house.
That means I could change my caller ID to show any number I wanted. I can show mine. I could show yours. I could show up as anybody.
A bad guy who intercepts a new credit card only needs to know your home phone number and use a similar system. And it’s not hard to get someone’s home phone number.
So why are credit card companies using an easily-discovered and easily-spoofed token for authentication?