VoIP: It's Security Deja Vu All Over Again

Our report on Voice over IP security hazards should send a chill through any business or consumer relying on the technology.
The owner of two Miami VoIP companies was arrested recently and charged with making more than $1 million by breaking into third-party VoIP services and routing calls through their lines. Prosecutors say Edward Pena was able to collect fees from customers while stealing the infrastructure from other companies. It was the electronic equivalent of eating at a restaurant and sticking somebody else with the check. But the victim companies were stuck paying for some big meal--they were charged more than $300,000 for connectivity to the Internet backbone.

Researchers at security companies describe how attackers might use VoIP to hijack calls made by customers to companies and trick customers into giving up their credit card numbers.

The VoIP Security Alliance warns that VoIP networks are susceptible to denial-of-service attacks the way IP networks are and traditional phone networks aren't. Unencrypted VoIP calls can easily be eavesdropped on. VOIPSA warns about spam over IP telephony (new acronym for your files: SPIT). And VoIP permits callers to easily change their Caller ID information, so criminals can identify themselves as being from legitimate companies and trick consumers into giving out credit card numbers and account numbers.

VOIPSA also provides tips on how to secure your VoIP network.

Security vendor Cloudmark warned in April about a scheme whereby grifters sent e-mail spam asking users to call a bank switchboard. The attackers used a computer and VoIP service to set up a voice line that sounded like the bank's normal voice-operated service.

So far, these attacks have been coming in at a trickle, by onesies and twosies. But longtime Internet users will remember that's how spam, phishing, and e-mail viruses started--a little at a time. Now we get hundreds of spam messages, phishing messages, and e-mail viruses every day, and these attacks have created huge problems on the Internet a couple of times. As VoIP grows more popular among both consumers and businesses, the threat has the potential to grow as large as e-mail-borne attacks.

Let's take precautions now so that the threat stays small.

What do you think? Are VoIP threats significant? What should we do about them?