Securing communications Day One: What's at stake?

Patrick Gray

There's no disputing voice over IP kit is the new standard for voice communications. So it may come as a surprise to learn that many VoIP deployments are hideously insecure, despite most voice technology shipping with advanced security features.

It's the latest technology to fall prey to "open by default" deployment techniques. Like wireless networking a few years ago, many organisations simply do not understand the risks, consultants, vendors and law enforcement agents say.

So what are the risks? Well, thanks to the booming business of online crime, your VoIP deployment has become a prized target for financial fraudsters, keen to use your local dial-in numbers to lend them credibility.

That's right, 'vishing' scams -- similar to phishing scams except the victim is encouraged to dial a number, not click on a link -- have made VoIP call gateways attractive targets.

Instead of registering with Telstra to get a phone number, scammers can simply steal one of yours and divert it anywhere they want. They can also use your call gateway to dial other phones, all over the world, racking up huge bills at your expense.

As it turns out, meshing the secure, transaction-based POTS copper line system with IP-based, loose-as-mother-goose, insecure, packet-based systems may not have been a sensational idea.

But of course it's cheaper, and business is about one thing at the end of the day: the bottom line.

There is, however, good news. Setting up a secure VoIP implementation isn't rocket science. It just takes a bit of knowledge, and most importantly some dedicated attention.

"With the right know-how you can lock down a VoIP implementation better than a [copper line] handset," says Sense of Security's consultant Jason Edelstein. "Unfortunately people often don't get down to the locking down component of it."

Tomorrow: How VoIP gets hacked