Most people don't think about their telephone system when it comes to securing their network, but VoIP is actually a common vector of attack.
Anyone in business knows Voice over Internet Protocol (VoIP) calling. Its low cost and flexibility mean that this internet telephony has largely replaced the older wire-based public switched telephone system (PSTN) for most uses. But as the IP (Internet Protocol) part of the name indicates, VoIP is an application running on the internet. It suffers from the same vulnerabilities as other applications, and VoIP services have been a bit behind in developing security. But first, let's start at the beginning.
What Is a VoIP Phone Service?
As opposed to a traditional phone service, a VoIP phone service delivers phone service through a high-speed internet connection. VoIP service providers typically offer lower rates than regular phone companies, but VoIP services often lack certain services like 911, 411, and phone directory listings. For this reason, some people choose to use VoIP in conjunction with their traditional phone system. VoIP providers usually offer unlimited domestic calling, and in some cases even international calls are possible for a flat monthly subscription fee.
Not only are VoIP providers less expensive, but VoIP systems also allow for increased functionality. With traditional phone services, in order to make and receive calls, you must have access to that telephone. However, with a VoIP service, phone calls will be automatically sent through your VoIP phone, making it accessible whenever you are connected to a high-speed Internet connection. VoIP makes it possible to receive phone calls wherever there is Internet. This gives companies that use VoIP more flexibility because employees can make and receive calls from anywhere, so long as they have a strong Internet connection. VoIP offers an all-in-one solution for conference and long-distance calls. Because, let's be honest, these days everywhere has an Internet connection.
How does a VoIP service work?
VoIP technology takes traditional analog audio signals (what you hear over the phone) and changes them into digital data, meaning the data can be exchanged over the Internet. There are three ways to make phone calls with VoIP: ATA, IP phones, and computer-to-computer.
ATA (analog telephone adapter) is the most common option because it can be used with the traditional phones that are quickly becoming obsolete. The ATA will take the analog signal from the phone and convert it into digital data that can be transmitted over the Internet. Using an ATA is as simple as plugging the phone cable into the ATA instead of into the wall. These VoIP adapters help to easily update traditional phones.
IP Phones look no different than traditional phones, but the difference is they have an RJ-45 Ethernet connector, allowing the phone to connect directly with the router. All other hardware and software required for making Voice over IP calls is already integrated with the phone itself.
With the computer-to-computer option, making VoIP calls requires only the software, a microphone, a sound card, and a high-speed Internet connection. You can even make long-distance calls at no extra cost after paying a flat monthly fee.
While Voice over Internet Protocol services are quickly phasing out traditional phone services, there are still some concerns surrounding the security of VoIP technology. Because long-distance calls still often involve the traditional telephone system, there is a wide range of interesting VoIP frauds, both those aimed at businesses and those that target telephone service providers (TSPs). The Communications Fraud Control Association (CFCA) attributed $38.1 billion in losses to toll fraud in 2015. Credit card fraud losses in this same period were less than half that amount.
What Are The Security Issues With VoIP?
VoIP services face many security threats, from VoIP spoofing phones that allow scammers to impersonate IRS agents, to ‘vishing’, the VoIP equivalent of phishing.
But the big money is in various forms of toll fraud: the theft of telephone services for use, for resale, or to generate fees somewhere in the telephone system. Although long-distance service through a VoIP provider is significantly cheaper than through the PSTN, the cost of the minutes adds up and can cause some damage, especially if they are from fraudulent calls. This fraud falls into two main categories, depending on who the victim is, that is, who bears the cost of the fraud.
Fraud Aimed At Subscribers
Toll fraud used to be limited by the number of phone lines. But with VoIP technology, once one extension has been compromised, extra channels can be replicated to make many simultaneous calls, running up large bills extremely quickly. Hackers often aim these calls at a premium-rate number, the kind used for things like sex chat or psychics, which somewhat surprisingly still exist. Cuba, Somalia, Bosnia, Estonia, and Latvia are particular sources of this fraud.
This type of attack generally happens at night or on a weekend, and a business that does not have the proper monitoring in place can be hit with hundreds of thousands of dollars in bills come Monday morning. There are currently no laws requiring reimbursement by the VoIP service provider for fraud, as there are for credit card fraud, but large carriers do often reimburse for fraudulent use of this kind. This can be a consideration when choosing a VoIP service provider.
Fraud Aimed At Telecom Service Providers
For an international call, VoIP packets are routed through a wide range of intermediaries; whichever is cheapest and most efficient at that instant is chosen for that particular call. And those intermediaries sometimes provide an opportunity for fraudsters to gain access to phone services.
The VoIP packets are exchanged by big TSPs, smaller regional ones, and others. Some countries are lax about doing due diligence on the companies applying to provide telecom services. And, because these long distance phone calls cross a variety of international borders, prosecution is difficult.
A variety of agreements on revenue govern call routing, and many frauds have, as their ultimate goal, ways of manipulating or arbitraging the revenue from these calls. Routing phone calls through your own service earns you a small amount of money on each packet. The podcast Reply All had an interesting episode, The Case of the Phantom Caller, on one such scam that involved routing 800 calls. Internationally there is arbitrage, bypass fraud, traffic pumping, CNAM revenue pumping... the list of possible frauds is fascinatingly long, and the potential profits large.
Since VoIP telephones are IP-based, phone security should be an area of concern for any business's IT network security. There are a number of specific precautions a business should take to minimize VoIP security risks, in addition to the usual emphasis on passwords and proper procedures.
- Session Initiation Protocol (SIP) is the most common VoIP protocol, and nearly half of all VoIP attacks target SIP. Set up a Session Initiation Protocol firewall to filter out suspicious packets.
- Improve access control. Often too many people have access to the system. Restrict the access to only those who need it by implementing access codes (read: don't share passwords unless necessary). Also, choose specific call forwarding rules, and ensure that the ability to forward is also restricted. Delete unused devices.
- Review call logs regularly to see if fraudulent phone calls are being made. A more advanced system can also use algorithms to detect changes in call patterns, based on historic data, and shut down callers or locations until legitimacy is verified.
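
The call-log review in the last item can be automated along the following lines. This is an added example, not code from the original article: it compares each extension's current peak of simultaneous calls against its historic peak and notes off-hours calls to the country codes of the destinations named earlier. The record layout, business hours, thresholds and sample records are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Country codes for the destinations the article names (Cuba, Somalia, Bosnia, Estonia, Latvia).
WATCHED_PREFIXES = ("+53", "+252", "+387", "+372", "+371")

def peak_concurrency(calls):
    """Peak simultaneous calls per extension; calls = (ext, start, duration_s, dest)."""
    events = defaultdict(list)
    for ext, start, dur, _dest in calls:
        events[ext] += [(start, 1), (start + timedelta(seconds=dur), -1)]
    peaks = {}
    for ext, evs in events.items():
        live = peak = 0
        for _, delta in sorted(evs):  # on ties a call end (-1) sorts before a start (+1)
            live += delta
            peak = max(peak, live)
        peaks[ext] = peak
    return peaks

def off_hours(ts, open_hour=7, close_hour=19):
    """Night or weekend; the business hours are an assumption."""
    return ts.weekday() >= 5 or not (open_hour <= ts.hour < close_hour)

def flag_extensions(history, current, factor=3, floor=2):
    """Map extension -> reasons its current calls depart from the historic pattern."""
    baseline = peak_concurrency(history)
    alerts = {}
    for ext, peak in peak_concurrency(current).items():
        limit = max(floor, factor * baseline.get(ext, 0))
        reasons = []
        if peak > limit:
            reasons.append(f"{peak} simultaneous calls (limit {limit})")
        if any(c[0] == ext and off_hours(c[1]) and c[3].startswith(WATCHED_PREFIXES)
               for c in current):
            reasons.append("off-hours calls to watched prefix")
        if reasons:
            alerts[ext] = reasons
    return alerts

# Constructed sample CDRs: (extension, start, duration in seconds, dialled number).
MON = datetime(2024, 3, 4, 10, 0)   # a Monday morning
SAT = datetime(2024, 3, 9, 2, 0)    # the following Saturday, 02:00
HISTORY = [("101", MON, 300, "+12025550100"),
           ("102", MON + timedelta(minutes=30), 600, "+12025550101")]
CURRENT = [("101", MON + timedelta(days=7), 240, "+12025550100")] + [
    ("102", SAT + timedelta(seconds=5 * i), 1800, f"+37190000{i:03d}") for i in range(8)]

print(flag_extensions(HISTORY, CURRENT))  # only extension 102 is flagged
```

In practice the returned extensions would feed whatever the phone system offers for suspending an extension or route until the calls are verified.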
It’s Not Just A Phone
Telephones are often treated more cavalierly than other internet-connected devices because they have been part of daily life for so long. Businesses can substantially reduce the risks by recognizing and addressing vulnerabilities in their VoIP service, while taking advantage of its cost savings and flexibility.