VoIP Security

By | August 15, 2006

With VoIP, opportunities for people to use phone services without permission can also result from inadequate network security, the connection of devices to a network without permission, and the infection of IP phones and softphones by software that modifies their behaviour.

Because the number of a phone is often defined when the user logs in, stolen user identification details can be used to charge calls to someone else’s account.

How to stop it: Basic security measures are essential – limiting access to premises and closely guarding log-on details. Antivirus and other systems should also be used to defend IP phone systems against attack and stop ‘malware’ being installed.

Telephone fraud

The goal: To make money by manipulating phone usage and/or billing systems.

How it works: As with conventional phone systems, opportunities exist for fraudsters to make money by calling premium-rate services. The principal difference is that, because VoIP is a computer technology, such services can be dialled automatically.

For example, as a result of the user accessing a web site or receiving spam, an application could install itself on a softphone and call premium-rate numbers without the user being aware, perhaps outside normal office hours.

Alternatively, devices that make frequent or prolonged calls to premium-rate numbers could be attached to an organisation’s network without permission. Such devices could be planted by people such as cleaners and maintenance staff who have access to offices out of hours, or could exploit weaknesses in the security of wireless networks.

Fraudsters could also hack into billing systems, adjusting records in their favour.

How to stop it: IP telephony call servers can be configured to reduce the opportunity for dial-through fraud. For example, phones on private networks can be given access only to selected number ranges relevant to the jobs of the users involved. Calls to premium-rate and international numbers would normally be barred by default. The call server can also be set so that phones that have completed only the automatic registration process that follows connection to a network can reach only numbers within the organisation concerned and the emergency services. Generally, an option also exists to disable the auto-register facility completely.
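The call-barring rules described above can be expressed as a small policy check. This is an added example, not code from the article or from any call server product; the numbering plan (prefixes, emergency numbers, four-digit extensions) and all names such as `Phone` and `authorise` are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed numbering plan: every prefix and length here is an assumption.
EMERGENCY = {"999", "112"}
PREMIUM = ("09",)
INTERNATIONAL = ("00",)
EXT_LEN = 4  # internal extensions: four digits, not starting with 0

@dataclass
class Phone:
    ext: str
    provisioned: bool = False      # False: only auto-registered so far
    allowed_prefixes: tuple = ()   # external ranges relevant to the user's job
    allow_premium: bool = False    # barred by default
    allow_international: bool = False

def normalise(dialled):
    """Reduce to digits so spacing or '+' cannot dodge the prefix checks."""
    digits = "".join(c for c in dialled if c.isdigit())
    return "00" + digits if dialled.strip().startswith("+") else digits

def authorise(phone, dialled):
    """Return (allowed, reason) for one call attempt."""
    n = normalise(dialled)
    if n in EMERGENCY:
        return True, "emergency"
    if len(n) == EXT_LEN and n[0] != "0":
        return True, "internal"
    if not phone.provisioned:
        return False, "auto-registered: internal and emergency only"
    if n.startswith(PREMIUM) and not phone.allow_premium:
        return False, "premium-rate barred"
    if n.startswith(INTERNATIONAL) and not phone.allow_international:
        return False, "international barred"
    if n.startswith(phone.allowed_prefixes):
        return True, "allowed range"
    return False, "outside allowed ranges"

def denied(attempts):
    """List (ext, dialled, reason) for refused attempts, for review."""
    out = []
    for phone, dialled in attempts:
        ok, reason = authorise(phone, dialled)
        if not ok:
            out.append((phone.ext, dialled, reason))
    return out

if __name__ == "__main__":
    unknown = Phone("4199")  # constructed: device that only auto-registered
    sales = Phone("4102", True, ("01", "02"))
    print(denied([(unknown, "0900 123 4567"), (sales, "+1 212 555 0100"), (sales, "020 7946 0000")]))
```

Refused attempts from a phone that never went beyond auto-registration are worth reviewing, since they may indicate a device attached to the network without permission.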
