Sunday, May 18, 2008

Identity fraud hits net telephony

More people are making calls over the net

A new type of identity fraud, which sees hackers tapping into voice-over IP telephony accounts, has been highlighted by a VoIP equipment maker.

Usernames and passwords from voice-over IP (VoIP) phone accounts are selling online for more than stolen credit cards, Newport Networks has found.

The information allows someone to use the telephone service for free.

Net telephony fraud is still in its infancy, with eavesdropping on calls being the most common security flaw.

Capturing accounts

But the move into stealing usernames and passwords, which are routinely sent across the network when a call is made, is a worrying new trend, thinks Dave Gladwin, vice president of products at Newport Networks.

"It is still at an embryonic stage but as voice adoption increases it becomes more of a problem and needs addressing," said Mr Gladwin.

The details are not sent as plain text but are encoded in such a way as to be "easily captured and unobscured", said Mr Gladwin.

Credit card details have been traded fairly openly online for some time and can be bought for around $12 (£6) each. VoIP account details fetch a slightly higher price, at $17 (£9), according to Mr Gladwin.

The problem is less of an issue for businesses which routinely offer voice-over IP services for their employees because users are tied into a secure corporate network.

But for consumers, relying on public or unsecured home wi-fi networks, there is more of an issue.

"90% of carriers don't offer a secure VoIP service," said Mr Gladwin.

He estimated it would cost around £2/£3 per subscriber for service providers to instigate the additional level of security needed.

"Most of the software out there has the capability of running in secure mode if the service providers would accept it," he said.

VoIP provider Skype said its service, unlike some of its rivals, offered end-to-end encryption.

"It doesn't matter whether I'm on an open wireless connection, there is no way someone could get hold of my username or password," said Jonathan Christensen, general manager of audio and video at Skype.

He accepts there are security issues facing the industry, especially for providers that use "less robust security mechanisms" but he questions how big a draw a free VoIP account would be for net criminals.

This is a view shared by Jupiter analyst Ian Fogg.

"I have not seen security issues with VoIP as a big issue. This is partly because such services aren't that mainstream and therefore have not been targeted by criminals in the way that e-mail and online banking services have," he said.
