Comments on: Phishing with VoIP

By: Vijay

Vijay — Sat, 29 Apr 2006 05:00:55 +0000

At the end of the day, Aswath does make a very good point. There are still things that we haven’t anticipated when it comes to the security of a VoIP based infrastructure. Thanks to guys like Dan of Bluebox, atleast the focus is slowly shifting towards such things and there are efforts made, but at the end of the day, there is still a long way to go.

The question comes down to: Do we have to compromise freedom (outside the walls), to security (being inside the walls of the operators)?

Or Maybe it is just a matter of more companies exploring the ways to make VoIP more secure. Prominent Networks is one such company, apart from the one that is mentioned in the original post.

By: Jay

Jay — Thu, 27 Apr 2006 14:53:04 +0000

Ah, analogies… If it is PSTN or VoIP there is still the possibility of a stolen transport. Cars get lifted for use in crimes. It’s always possible that a stolen cell phone, opened residential NID, simple SIP/IAX voice accouint, PBX, Class 5, soft or otherwise – has been commandeered for nefarious purposes.

Some might argue this highlights that some form of n-phase authentication is required. Cars have keys but thieves still manage to figure out ways to steal them — and even with a great n-phase authentication system like a fancy key fob, car-jacking is still a concern. If a soft-phone is on a PC that is completely compromised by trojan-worm-ilk, where would the n-phase authentication need to be? As well, if it was there, would the user consider this n-phase authentication a hurdle to using the service in the first place?

By: Alec

Alec — Thu, 27 Apr 2006 12:40:26 +0000

I agree with you Aswath. That was the point of my, perhaps unclear, comments about the need for a credentialling and identity system.

By: Aswath

Aswath — Thu, 27 Apr 2006 12:17:17 +0000

Except there is a difference. The owner of Ferrari has to go through the same registration process as the owner of the beat-up station wagon. But that is not the case in VoIP. As a PSTN user, I have a certain level of protection when I call another PSTN number: I could hope to track down A responsible person and can have some legal backing as well. But it seems, the VoIP industry has managed to get the interconnection rights without the associated responsibilities. The caller ID scam is an immediate example. Just like the incumbents use unfair tactics to scare away the VoIP industry, the VoIP industry has not been playing staright.

In this case, the question is how willing a VoIP service provider will be to identify one of their “IN” subscriber? What are my legal rights to get that information? My concerns may well be misplaced, but my perception is that VoIP industry is infantile in the sense that it wants all the rights and none of the responsibilities.