March 22, 2005

VOIP Insecurity & Caller ID Spoofing Are Enough to Make You SPIT

If you have a perverse desire to increase your anxiety level, then you'll love Wired's report on "Scammers Snag Money on Net Phones". Internet telephony, also known as VOIP (Voice Over Internet Protocol), has some serious security challenges.

I've previously posted about the issues surrounding Caller ID spoofing over regular phone lines. With Internet telephony, the virtual phone lines are subject to hacking just like the rest of the Internet.

If you thought spam was bad for e-mail users, there is potential for a new form of spam for VOIP. It's called SPIT -- SPam over Internet Telephony. According to the FTC Chairman, in theory "unscrupulous telemarketers could use VOIP to blast huge numbers of voice messages to consumers". I immediately thought about the creation of a "Do Not Call" list for VOIP users, but then, what would be the point? Unless one could actually track down the origin of the Spitter (now there's an appropriate appellation if I do say so), it's probably not going to do much good. Look how effective the CAN-SPAM Act hasn't been.

Phishers are also getting into the act via Caller ID spoofing. Some wire-transfer services such as Western Union use Caller ID to verify that someone is calling from their home phone to validate the fund transfer. I was astonished to read that "the company has no other way to verify that transfer requests are valid."

It certainly sounds like there's a huge untapped market for anyone offering a better mousetrap in consumer-friendly identity authentication.

Topic(s):   Privacy & Security
Posted by Jeff Beard
Comments

THANKS for the kind words!

TCS (Mon)

Posted by: YankeeMon at March 31, 2005 05:30 PM

Well, as the article pointed out, the Spitter would broadcast "voice messages". So think of your VOIP voicemail as the equivalent of your e-mail inbox for spam messages.

I'm surmising the origin of those messages can be spoofed.

Posted by: Jeff Beard at March 22, 2005 08:59 AM

How hard would it be to track someone spitting you, given that you could probably keep them online and talking?

Posted by: bryan at March 22, 2005 02:17 AM