Sunday, December 04, 2005

security by naivety

Some people have really strange security concepts, and telecommunication companies are typically among them. A German news site reported that the voicemail of any mobile phone customer of many telecommunication companies can be accessed without a password simply by sending a manipulated caller ID. The usual idea is that a customer can access his answering machine without a password when calling from the corresponding mobile phone, but has to enter a password when calling from anywhere else. That actually makes some sense, but the implementation often seems to be pretty braindead. Did nobody tell them that you should check input parameters you receive from external sources? As long as you can be sure the parameter comes from a controlled source where nobody can manipulate anything, this _might_ be acceptable, but what they are doing here is even more stupid than deciding about access to an Internet server based on the IP address. No, _this_ concept is as if you _asked_ the client for his IP address and decided based on that information without checking whether it is correct. The telecommunication companies should be able to check whether a caller that claims to come from their _own_ network actually does, shouldn't they?
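To make the trust-boundary point concrete, here is an added toy model of the voicemail access decision (example code written for this post, not anything from the news article or from any operator). It assumes two pieces of call metadata: the caller ID as presented in signalling, which is whatever the calling party chose to send, and an origin number that the operator's own switch has established for calls that genuinely started on its network. The subscriber numbers, PINs and field names are constructed for illustration. The naive gate decides on the presented caller ID and so accepts a spoofed call; the hardened gate only waives the PIN when the network-verified origin matches the mailbox, and it also flags on-net calls whose presented ID disagrees with the verified origin, which is a useful detection signal.

```python
# Added example, not from the original post: a toy model of a voicemail
# access policy. All numbers, PINs and field names are constructed.
from dataclasses import dataclass
from hmac import compare_digest
from typing import Optional


@dataclass(frozen=True)
class IncomingCall:
    # Caller ID as presented in signalling. It is chosen by whoever placed
    # the call, so it is external, attacker-controllable input.
    presented_caller_id: str
    # Origin number established by the operator's own switch for calls that
    # really started on its network; None for calls entering from outside.
    network_verified_origin: Optional[str]
    # PIN typed by the caller at the prompt, if any.
    entered_pin: Optional[str] = None


# Constructed subscriber database: mailbox number -> voicemail PIN.
SUBSCRIBERS = {
    "+491700000001": "4711",
    "+491700000002": "8842",
}


def pin_ok(mailbox: str, pin: Optional[str]) -> bool:
    """Constant-time PIN comparison; a missing PIN never matches."""
    if pin is None or mailbox not in SUBSCRIBERS:
        return False
    return compare_digest(SUBSCRIBERS[mailbox].encode(), pin.encode())


def naive_gate(mailbox: str, call: IncomingCall) -> bool:
    """The flawed policy: the presented caller ID is taken as proof that the
    call comes from the subscriber's own phone."""
    if mailbox not in SUBSCRIBERS:
        return False
    if call.presented_caller_id == mailbox:
        return True
    return pin_ok(mailbox, call.entered_pin)


def hardened_gate(mailbox: str, call: IncomingCall) -> bool:
    """Password-less access only when the operator's own network vouches for
    the origin. The presented caller ID plays no part in the decision."""
    if mailbox not in SUBSCRIBERS:
        return False
    if call.network_verified_origin == mailbox:
        return True
    return pin_ok(mailbox, call.entered_pin)


def spoof_suspect(call: IncomingCall) -> bool:
    """Detection hook: an on-net call whose presented caller ID differs from
    the switch-verified origin is worth logging and alerting on."""
    return (
        call.network_verified_origin is not None
        and call.presented_caller_id != call.network_verified_origin
    )


if __name__ == "__main__":
    mailbox = "+491700000001"
    # Off-net call that merely claims the subscriber's number.
    spoofed = IncomingCall(mailbox, network_verified_origin=None)
    # Genuine call from the subscriber's handset on the operator's network.
    genuine = IncomingCall(mailbox, network_verified_origin=mailbox)
    print("naive gate, spoofed call:   ", naive_gate(mailbox, spoofed))
    print("hardened gate, spoofed call:", hardened_gate(mailbox, spoofed))
    print("hardened gate, genuine call:", hardened_gate(mailbox, genuine))
```

The two gates differ in exactly one line: which field they compare against the mailbox number. That is the whole point of the post, namely that an authentication decision must rest on data the verifier itself established, not on a value the peer was asked to supply.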
