March 22, 2005
VOIP Insecurity & Caller ID Spoofing Are Enough to Make You SPIT
If you have a perverse desire to increase your anxiety level, then you'll love Wired's report, "Scammers Snag Money on Net Phones". Internet telephony, also known as VOIP (Voice Over Internet Protocol), has some serious security challenges.
I've previously posted about the issues surrounding Caller ID spoofing over regular phone lines. With Internet telephony, the virtual phone lines are subject to hacking just like the rest of the Internet.
If you thought spam was bad for e-mail users, there is potential for a new form of spam for VOIP. It's called SPIT -- SPam over Internet Telephony. According to the FTC Chairman, in theory "unscrupulous telemarketers could use VOIP to blast huge numbers of voice messages to consumers". I immediately thought about the creation of a "Do Not Call" list for VOIP users, but then, what would be the point? Unless one could actually track down the origin of the Spitter (now there's an appropriate appellation if I do say so), it's probably not going to do much good. Look how effective the CAN-SPAM Act hasn't been.
Phishers are also getting into the act via Caller ID spoofing. Some wire-transfer services, such as Western Union, validate a fund transfer by using Caller ID to verify that the request is coming from the customer's home phone. I was astonished to read that "the company has no other way to verify that transfer requests are valid."
It certainly sounds like there's a huge untapped market for anyone offering a better mousetrap in consumer-friendly identity authentication.
Topic(s): Privacy & Security
Posted by Jeff Beard