Friday, 6 April 2012

VoIP Security Challenges & Opportunities

As VoIP takes over telecommunications, options to deliver security are increasing.  However, security takes many forms from security of your VoIP system to the requirement for encrypted VoIP.

Appropriate Security precautions must be taken before connecting any device to the internet and VoIP systems are not different or more vulnerable than anything else connected to the internet.

Security issues to be aware of include:
·         Fraudulent Calls
·         Interception of calls
·         Vulnerability scans
·         Man-In-The-Middle attacks
·         Denial of Service Attacks
·         SPIT (Spam over Internet Telephony)

Key Security Issues to address:

Hacked IP-PBX / SIP Trunks – Hosted VoIP is better
The barbarians are at the gates, 24/7.  International Revenue Share Fraud (IRSF) is increasing exponentially as there are literally thousands of industrial grade scanners searching for insecure IP-PBX’s around the clock.  If the hackers gain access to an IP-PBX they can run up call costs of thousands of pounds per hour.

For SIP trunking installations the opportunity is to sell VoIP optimised firewalls, secure / encrypted channels or to migrate SIP Trunking customers to Hosted VoIP as well as the opportunity to sell consultancy services to ensure that customers VoIP infrastructure is secure.

While the responsibility of the calls made by a hacker lies with the end user, put simply if you leave the key in your front door you can’t complain if a burglar helps himself, responsible ITSP’s actively monitor their networks to spot fraudulent and unusual calling patterns to limit fraudulent activity and all the pain it causes them, their resellers and the end user.

With Hosted VoIP from a reputable supplier the chance of being hacked is remote and if it did happen the responsibility would rest with the ITSP, so reseller and end user is safe, which is a very tangible benefit for Hosted VoIP.

Credit Card PCI-DSS Requirements
A recent worrying development is that the Payment Card Industry Data Security Standard (PCI DSS) which is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards has recently decreed that any VoIP telephone that is used to take credit card payments must use encrypted VoIP.

The opportunities for margin being to supply handsets that are capable of encryption, using typically SRTP & TLS as well as the additional charges from ITSP’s to handle encrypted calls over SIP Trunks or Hosted VoIP.

Therefore, there are certainly opportunities to sell security based products and services to new & existing customers in response to changes in legislation, i.e. PCI-DSS or to protect against the ever increasing threats from hackers / scanners.

Wednesday, 14 March 2012

VoIP is being used for cold call scamming


Earlier there were the Nigerians, the legends of email scam. But a new wave of fraud has gone offline, using telephones for cold calling, and the hub for this activity is India, the darker recesses of its booming IT sector. The unsolicited phone calls usually come from an apparently toll-free 800 number or one that appears legitimate. Then a voice with a strong Indian accent offers much to the consumer at the other end of the line: federal grants, free virus removal from the computer, salary advances, ways to reduce electricity bills, and other enticements.

These calls have targeted victims in virtually all English-speaking countries in the world, including the United States, Canada, New Zealand, South Africa, England and Australia. There are even reports of such calls reaching residents of Sweden.

If Nigerian 419 scammers dominated global petty fraud the past 25 years, the next quarter-of-a-century appears to belong to conmen using voice over Internet protocol, or VOIP, calling to cheat victims of millions of dollars. India appears to be the epicentre of such fraudulent activity, an offshoot of being the back office capital of the world.

The first major investigation undertaken into this new breed of scammers concluded late February when a US district court brought to a halt a false payday loan operation, which involved nearly 17,000 transactions and collected almost $5 million.

The Washington-based Federal Trade Commission or FTC, which initiated the suit, said the players in this case “collected phantom payday loan ‘debts’ that consumers did not owe. Consumers received millions of collection calls from India. “

A payday loan comprises high-interest borrowings on salaries between pay cheques. In one case that outlined the modus operandi of the operation, “a caller with an Indian accent” reached the wife of a victim named Mark Merola and threatened that her husband would be jailed unless he anted up what he owed in a payday loan. While Merola owed nothing, the callers managed to bully him into parting with $523.87.

“Claiming to be law enforcement, such as a local police department, the ‘Federal Department of Crime and Prevention,’ or simply a ‘federal investigator,’ the callers typically demanded more than $300, and sometimes as much as $2,000,” the FTC said.

In the lawsuit the FTC charged Villa Park, California-based companies American Credit Crunchers LLC and Ebeeze LLC and their owner Varang Thaker.

FTC Staff Attorney Elizabeth Scott said: “We asked the Federal court to shut them down based on evidence that their debt collection activities were fraudulent. The actual calls were from a call center in Ahmedabad, Gujarat.” The VOIP calls have been traced back to a company identified as Zeus Inc., based in that city.

Given the global nature of these scams, the $5 million figure is only a fraction of the true extent of the money stolen. The primary fraud strain in this sector is what is described as the Microsoft anti-virus scam in which computer users receive a call where the caller pretends to have an affiliation to the software behemoth, or a computer technician who offers to fix the victim’s machine’s vulnerabilities remotely, for free. However, since serious problems are always “detected” in these cases, the free fix comes with a price tag for the additional security measures. The average amount of money stolen was $875, according to a survey released by Microsoft last year. That study covered 7,000 consumers across four countries, the United Kingdom, Ireland, the United States and Canada.

Daniel Williams, Call Centre Manager with the Ottawa-based Canadian Anti-Fraud Centre or CAFC, described this as a “massive, massive problem.” He estimated that the majority of the complaints his government agency receives daily is connected to this fraud.

The consumers paid the fraudsters using credit cards, and, Williams pointed out, “In many cases, the credit card charge has been traced back to vendors in India.” In an emailed statement, the Royal Canadian Mounted Police or RCMP said, “In 2011, CAFC received 9,349 Canadian complaints on the anti-virus scam, of those 2,119 are victims with a reported dollar loss of $446,609.” But Canada is just part of a global effort by the scam artists, who have targeted users all over the world.

These calls appear to have originated mainly from Kolkata, allegedly from a company called Comantra, that was earlier a Gold Partner for Microsoft.

In response to a query, a Microsoft spokesman said, “We were made aware of a matter involving one of the members of the Microsoft Partner Network acting in a manner that caused us to raise concerns about this member’s business practices. Following an investigation, the allegations were confirmed and we took action to terminate our relationship with the partner in question and revoke their Gold status.”

In a blog post, Comantra had refuted the allegations and blamed it on “competitors” masquerading as Comantra employees.

Meanwhile, some calls, particularly to the United Kingdom, also appear to be from Kota in Rajasthan, suggesting that the trend may be spreading in India.

Other variants of phone scams have also involved Americans receiving calls informing them they were eligible for a federal government grant amounting to many thousands of dollars. However, to access those funds, they would need to wire a fee from the closest Western Union branch, to a specified bank account. Western Union is aware of the Indian connection in such transactions.

Original Artical