Free calls - risk free?
VoIP services like Skype offer free calls - here's what to watch out for
IT support company, ihotdesk, is a virtual company. Its support engineers work from home or on client sites all over the UK. There is no central office. Anthony Fryer, the company's operations manager, explains that this is only possible because of advances in communications technology. They are able to link everyone together using a new internet technology called internet telephony or Voice Over Internet Protocol (VOIP). It allows them to route phone calls over the internet without paying BT a penny.
In a recent article, The Economist predicted that internet telephony will eventually eclipse traditional phone services. It made the news recently because auctions giant, eBay, bought Skype, an internet phone company with over 52 million users.
Why all the fuss? Quite simply: free phone calls. Not only between people on the same service using PCs with speakers and microphones, but increasingly to and from conventional telephones with conventional phone numbers.
Great. But the security aspects of this looming revolution are being overlooked.
�Because they run on regular PCs, users run the risk of identity theft.�
First, let's take computer-based systems like Skype. Because they run on regular PCs, users run the risk of identity theft. Imagine that a piece of spyware captures your VOIP password and a hacker starts using your name and "internet phone number" to make calls impersonating you. Ouch!
So, on a basic level, VOIP users need to take extra care of their PC security because more depends on it. This means the usual stuff: strong passwords, anti-virus and anti-spyware programs, firewalls and up-to-date software.
You've probably had a phone call already with a recorded voice saying "you've won a holiday" or something similar. This problem will be multiplied a thousand-fold on VOIP because the calls are free. Criminals can use the same harvesting techniques they use to gather email addresses to pick up VOIP "phone numbers" and then start cold-calling or leaving voice mail. One possible antidote is to set the software to only allow incoming calls from known callers.
These are important but second-tier problems where computer-based VOIP is used to supplement existing phone systems. If it stops working or you need to make a secure call, you can always use your standard landline.
More pressing issues
�Even a power cut or a computer crash could stop your VOIP phone system working.�
However, some systems replace traditional landlines altogether; letting you use normal phones to make the calls but routing them via the internet. Large companies are doing it already, and expect smaller businesses to follow suit. The calls are still free - but there are different and more pressing issues.
First, there is the risk of hacker attacks, viruses and so on interrupting the service or being used for extortion or sabotage. Even a power cut or a computer crash could stop your VOIP phone system working.
Second, there is a question about privacy. There have been interesting discussions about VOIP encryption, for example in this KPMG white paper and in the IT Manager's Journal. The question is whether or not someone can eavesdrop on a VOIP call. In some businesses, client or patient confidentiality is critical and they need legal assurance of confidentiality.
In other words, choosing an internet telephony solution requires consideration of more than just price. Security, reliability, continuity and privacy are all factors.
In Symantec's latest Threat Report, Ollie Whitehouse, a company researcher said: "it's important to put this particular threat in to perspective. While there are currently very few reported attacks directed at VOIP systems, Symantec believes it's only a matter of time before attackers target it more intensely, as this new communication technology gains widespread acceptance and deployment."
For once, we've got a chance to implement proper security for an internet service before it becomes ubiquitous. I'm a big fan of internet telephony but I'm also a big fan of security. My advice is this: find out if it is good for your business and make sure it is going to be safe.