Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

VoIP's Security Vulnerabilities

Zonk posted more than 8 years ago | from the is-your-refridgerator-running dept.

117

garzpacho writes "Experts predict that attacks on VoIP systems could be right around the corner, and are calling for preemptive security measures. The BusinessWeek article compares the current state of voice-over-IP to the pre-spam email era and suggests that spammers could be the first to exploit the system. From the article: 'Here's what VoIP security breaches could mean for consumers. For starters, it's a big channel for spammers. Think of the Viagra ads that flood your e-mail inboxes now. They work because the cost of e-mailing thousands of people at once is so low, only 1% to 3% or so need to respond for it to be worth it, Ingevaldson says. Comparable economics apply to VoIP calls, he says. Then there are potential phishing attacks, where fraudsters posing as banks lead consumers to fake sites. Those and other attempts at identity theft could spring up via VoIP accounts too, experts say. Imagine the messages from relatives of deposed Nigerian dictators -- only this time they're on voice mail, too.'"

cancel ×

117 comments

Sorry! There are no comments related to the filter you selected.

You can thank stupid people. (-1, Troll)

gasmonso (929871) | more than 8 years ago | (#15524317)

Honestly I don't blame the spammers... they are just advertising, like the people who send junk snail mail. I do have a roblem though with the idiots who fall for these ads and drive the business. Seriously, how stupid are people. To actually fall for that Nigerian one... my God!

http://religiousfreaks.com/ [religiousfreaks.com]

Re:You can thank stupid people. (5, Funny)

neonprimetime (528653) | more than 8 years ago | (#15524370)

To actually fall for that Nigerian one... my God!

Stop stereotyping the Nigerians! We're taking donations to help fight the stereotyping of Nigerians ... please send donations to my paypal account : HelpTheNigerians ... or just send me your paypal id & password and I'll do the transfer for you.

Re:You can thank stupid people. (0)

Anonymous Coward | more than 8 years ago | (#15524404)

I don't know if I can trust you. Will all the proper modalities be followed?

Re:You can thank stupid people. (1)

waldonova (769039) | more than 8 years ago | (#15525526)

This is fraudulent fraud. Everyone knows that authentic fraud IS SENT IN CAPS TO LET YOU KNOW IT IS REALLY IMPORTANT. I wonder if this means that VoIP fraud will be done with yelling?

Nigerian Slashdot Reader (0)

Anonymous Coward | more than 8 years ago | (#15525915)

I'm Nigerian. It always makes me sad when I read stuff like this. Nigeria isn't the only country that's guilty of this. Can the more informed take this into account when making these posts?

Re:You can thank stupid people. (3, Insightful)

kefoo (254567) | more than 8 years ago | (#15524422)

Never underestimate the power of money to overrule common sense. I saw it every day when I worked as a software engineer.

Re:You can thank stupid people. (1, Funny)

Anonymous Coward | more than 8 years ago | (#15524522)

Never underestimate the power of money to overrule common sense. I saw it every day when I worked as a software engineer.

Anyone who ignores money in a business environment clearly lacks common sense. I saw it every day when I worked with software engineers.

Re:You can thank stupid people. (1)

lowrydr310 (830514) | more than 8 years ago | (#15524520)

Exactly. VoIP phone spamming won't be any different than current telemarketing. Any landline not on the DO-NOT-CALL list gets hammered with spam, despite POTS being more expensive than VoIP.

Within one week of activating a new POTS phone line, I started receiving about three or four calls per night. It got the point where I stopped answering my home phone unless I was expecting a call. I disconnected my answering machine and turned the ringer off for about a month and now the volume of calls have dropped significantly. Now, the only calls I get are from my school asking me to donate money.

Re:You can thank stupid people. (3, Insightful)

arminw (717974) | more than 8 years ago | (#15524859)

......Within one week of activating a new POTS phone line, I started receiving about three or four calls per night. It got the point where I stopped answering my home phone unless I was expecting a call. I disconnected my answering machine .....

Caller ID in combination with an old Mac Classic used as an answering machine has solved our unwanted phone call problems almost perfectly.

The Mac allows the audible, live monitoring of the first 10 seconds of any message coming in within which time we can decide to answer the phone or not. Any number we don't know or not listed is not answered live by us at all unless the caller leaves a message, which is also not answered unless we want to. A large display caller ID shows who is calling. The Mac answers all calls we don't recognize. We have not talked to a single phone solicitor in several years. Something like this should work even better for VOIP, since the computer can contain a list of callers the recipient is willing to talk to. The other calls go into the junk call bin, just as the spam junk e-mail does. The only calls that get answered live are the wanted ones. The do not call list is worthless anyway, but just as the spammers use technology, so, technology can also work against them. Fight fire with fire.

Re:You can thank stupid people. (2, Informative)

jacksonj04 (800021) | more than 8 years ago | (#15525089)

Skype has a nice swathe of privacy options for its voice calls. It also supports filtering for a SkypeIn number if you have one, so it only rings if the person is a 'known number' (ie on your contacts list) and everyone else is shoved to voicemail.

I haven't seen options like this on any other VoIP service with a public phone number, anybody suggest any?

Re:You can thank stupid people. (2, Informative)

GreyPoopon (411036) | more than 8 years ago | (#15525773)

The do not call list is worthless anyway...

Why do you say this? I have personally been VERY happy with the DNC list. Yes, market surveys, charitable organizations and political campaign calls still get through, but they are a very small quantity as compared to the "WASTE YOUR MONEY NOW!!" calls we used to receive. And you can still ask all of the orgs who can legal call you to put you on their DNC list, which keeps them from calling again.

Re:You can thank stupid people. (1)

lowrydr310 (830514) | more than 8 years ago | (#15526863)

Unfortunately all of those four unwanted calls per night were from market surveys, charitable organizations, and political campaign calls.

I've noticed that the radio market surveys are outsourced to India, based on the accent of the three people I spoke to last week.

Re:You can thank stupid people. (1)

Secrity (742221) | more than 8 years ago | (#15527133)

How do you tell the scores of political candidates not to call you any more? The past few weeks have been hell, we have been getting about a half-dozen prerecorded "important messages" every night from political hopefuls. NONE of the messages that I listened through waiting for a do-not-call option had any provisions for telling them not to call again. I didn't keep track of who these people are, and if I did, I would probably vote against them because of their sleazy spamming tactics.

Re:You can thank stupid people. (1)

GreyPoopon (411036) | more than 8 years ago | (#15527579)

How do you tell the scores of political candidates not to call you any more?

Well, the prerecorded messages are fairly easy to deal with... just hang up. You most likely won't get the same message again. And remember that they generally run for a couple months prior to an election. However, if they TRULY bother you, wait until you hear the name of the candidate or the political party, then either contact their campaign manager (email, letter, phone) and tell them if you receive one more phone call, your vote will be decided.

Here's another thought. I'm willing to bet that your political party is registered. By doing so, you'll automatically receive calls from that party. Perhaps you should try registering as "independent" or something. Maybe that will stop calls for the next election.

Re:You can thank stupid people. (3, Insightful)

Stellian (673475) | more than 8 years ago | (#15526024)

VoIP phone spamming won't be any different than current telemarketing.
Wrong !
That's just like saying email spam won't be any different than junk mail.
VoIP spam is a nightmare in the making. A normal telemarketer needs to pay to have access to the phone network, and needs to be a business so it could be held accountable for any wrongdoings. It cannot operate from China or the long distance costs would kill it. There is only so much calls you can initiate per second from a normal telco trunk. You also need a human operator for each call, the costs per call tipically do not allow you to waste them with recorded message.
Enter VoIP Telemarketing: anonymous Viagra kings, enjoying the anonymity and low cost of the Internet calls to make billions of robot calls from zombied machines. In my opinion, it's the worst threat facing VoIP today.

Las Vagas (1)

agent (7471) | more than 8 years ago | (#15524729)

Guy Moron: Hi my names is Barny Rubble, and I am a Doctor. In the off season I like to save the dolphins.

Girl Moron: Hi Barny, my name is Paris Hilton and that Hot.

Guy Moron: Lets say you and I go stick out money in to these machines, and later after you see that I actually have money, maybe I can stick something into you!

Re:You can thank stupid people. (0)

Anonymous Coward | more than 8 years ago | (#15525686)

there is a difference between snail-mail spammers and email spammers. for starters, there is a cost associated with snail mail, so snail-spammers have an interest in actually targetting their market. there are also laws governing snail spam (do not mail lists, etc..) which are generally adhered to when applicable. snail spam usually relys on bulk mail rates, which make it traceable (so you dont get advertisements for anything illegal). no one can track wether you've read snail-spam or not, as they can with email spam (if you open it, click the links, etc...) finally, when was the last time your credit card offer came with a virus attached to it?

FIRST FISH! (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#15524318)

I AM A FISH!

Leave Grandma alone (1)

neonprimetime (528653) | more than 8 years ago | (#15524321)

"By the time this becomes Grandma's problem, it's too late"

Spam in her voice mail box? Yuck. My poor grandma.

Re:Leave Grandma alone (1)

richdun (672214) | more than 8 years ago | (#15524373)

You're assuming Grandma figures out how to work the new Computer Telephone thingy. I'm all for consumer responsibility, but if companies would quit their marketing mumbo jumbo about every tech-based new idea and try to actually educated the masses as to how the thing works, be up front what it's strengths/weaknesses are, etc. (or if we as tech-based people would help out all those non-techies out there), we'd probably be in better shape. "What, I'm not supposed to just click OK? But everytime you fix my computer you just sit there and click all the OK buttons?!"

I know, I know, common sense != good business.

Re:Leave Grandma alone (1)

neonprimetime (528653) | more than 8 years ago | (#15524394)

but Grandma ... that's why I went to schoool ... to learn which OK buttons are OK to press!

Re:Leave Grandma alone (2, Insightful)

richdun (672214) | more than 8 years ago | (#15524758)

Great point - as ridiculous as it may sound, it's like driving a car. You have to learn how to drive and then take a test to get a license (let's for the sake of argument not get into how effective the testing and licensing process is in ensure that you are actually a good, safe driver). We don't want children doing even menial household chores like operating the gas stove that could incinerate your entire house or the washing machine that could flood your entire basement without proper instruction. Why then do people think they can just go buy a computer, plug it in, and go without reading the manuals (though they could be better), learning how to operate the computer (not Video Professor, something a bit more useful and free), etc. On one hand, you can argue (and well) that it shouldn't require a computer science degree to operate a home PC, but on the hand, shoulds are nice, but what is leads to many problems with consumers and the Internet today.

and ISS will sell you a solution of course (0)

Anonymous Coward | more than 8 years ago | (#15524353)


be afraid be very afraid, unless you buy our new [SOLUTION] (low low prices) to leverage your security response factor into a new paradigm of peace of mind

the internet is just turning into a world full of shills and advertising obsessed leeches, its like reading the yellow pages but an expanded version

Only problem is.. (1)

William Robinson (875390) | more than 8 years ago | (#15524368)

Think of the Viagra ads that flood your e-mail inboxes now....only this time they're on voice mail, too.

this time a sweet female voice will make me buy it... Oh Shit. Where are you taking me today?

Re:Only problem is.. (1)

budgenator (254554) | more than 8 years ago | (#15525595)

with a sweet female voice saying "Hi Ambsoien Levoiitra VALlUqqM fzbrom ojwnly $hz1,2xp1 Xutanax Sorqma Meridpaia VlAdiGRA frmhom orpnly $vw3,3zx3 CzslALlS frlaom onlwly $xw3,7ww5 Prykozac"
You'll need an answering machine with flailing arms that says "Danger Will Robinson, Danger, messaage may be grabbled without a CSS2 compliant user agent, Danger Will Robinson, Danger."

From theoretical to real (3, Insightful)

Billosaur (927319) | more than 8 years ago | (#15524385)

Of course, there is a difference between potential threats and ones VoIP consumers are actually facing today. So far, much of this is theoretical--much like fears of mass viruses on mobile phones and disastrous phishing attacks over instant-message systems (see BusinessWeek.com, 1/5/06, "IM Security Is One Tough Sell"). VoIP attacks remain rare, although Gartner says Skype has made four big patches to vulnerabilities in the last 18 months.

And while it is all just theoretical, you know someone will eventually get their jollies figuring out how to hack VoIP and create a lane for spammers in the process. Going to VoIP removes a lot of the natural barriers that protect us from telemarketting calls now, and creates new vulnerabilities. There will be a lot more Caller ID spoofing; I can even conceive of someone creating malware that would be planted on your system and track the numbers you frequently call, to build spam call trees and more importantly to get ids and numbers you might trust so you would actually answer the calls. The possibilities are staggering.

Re:Real? (1)

asphaltjesus (978804) | more than 8 years ago | (#15524914)

I agree that sip/voip telemarketing is right around the corner.

But the rest of it I just don't understand. How would your doomsday scenario work? A user needs either a soft or hardware sip telephone and probably a voip aware firewall.

If they just use the phone, I'm unclear where the payload comes from. In packets? Maybe, but it would require a PC to use.

Technology isn't always so great. (1)

InsaneProcessor (869563) | more than 8 years ago | (#15524401)

At lease they (engineers and techs) are thinking ahead this time. They need to head this one off at the pass. All of this new technology is great but it is also a means for the wicked to exercise thier craft. I solved the spam problem a long time ago. It's called 'delete'. If they use voice mail, then a text message with then name or number of the caller needs to be read so you can use 'delete'. Better yet, you need an option: if no caller ID - no voice mail allowed.

Re:Technology isn't always so great. (2, Informative)

ObsessiveMathsFreak (773371) | more than 8 years ago | (#15524787)

I solved the spam problem a long time ago. It's called 'delete'.

This solution work for me for a while to. But, after wearing out three keyboards in as many months, I realised that it was just not cost effective.

Re:Technology isn't always so great. (1)

dantheman82 (765429) | more than 8 years ago | (#15525205)

>>I solved the spam problem a long time ago. It's called 'delete'.

>This solution work for me for a while to. But, after wearing out three keyboards in as many months, I realised that
>it was just not cost effective.

Well, then I'd recommend remapping your keyboard settings because it seems your 'o' is worn out, as you misspelled 'to' in "a while to". I was going to recommend message rules filters to save your fingers, but then I realized you should invest in a good spell-checker as you also misspelled "realised". Oh, and the grammar on your first sentence was off, too. And then I saw your home page, and gave up...or "gived up", as it were.

Re:Technology isn't always so great. (2, Funny)

ObsessiveMathsFreak (773371) | more than 8 years ago | (#15525495)

With 'Amerikan' spelling and grammar is how in future I shall write.

Re:Technology isn't always so great. (1)

nuzak (959558) | more than 8 years ago | (#15526209)

> I solved the spam problem a long time ago. It's called 'delete'.

Thanks for deleting your account. Saved those mail admins some work, you sure did.

Anyone else see the irony... (1)

EnderGT (916132) | more than 8 years ago | (#15524405)

in having a Vonage ad under an article about VOIP security risks?

Re:Anyone else see the irony... (-1)

Anonymous Coward | more than 8 years ago | (#15524477)

Slashdot shows ads? ;)

I must sound like a broken record (4, Informative)

Sloppy (14984) | more than 8 years ago | (#15524408)

Yet Again, I say: use public key crypto and a web-of-trust to authenticate that a call is from somebody who has a reputation to lose.

Nothing to lose? Then the call is lowest priority, probably the bit bucket unless you're expecting an unverified call, or you're just bored and feel like risking a talk with a telemarketer.

(Sorry, it's not my fault that so many current topics are related to problems that PK happens to solve. Really, I do know that there is more to life than spreading-the-gospel-of-openpgp.)

Re:I must sound like a broken record (1)

gclef (96311) | more than 8 years ago | (#15525197)

A few thoughts to the contrary:

1) Until someone has called you once before, or you've talked to them in some out-of-band way, you have no way of knowing what your friends/relatives/etc keys are. So, unless everyone who might contact you is quite technical, you will likely *always* be accepting unsigned calls. If you're accepting unsigned calls anyway, why bother setting up the keys?

2) Given peoples propensity to re-build systems (sometimes forced by bit-rot), personal keys will rotate rather often. When someone changes computers, they will either have a new key (ick) or they will they have to carry their personal keys with them (not likely). How about when someone changes jobs? (Will you accept a call from someone you know from one job, who has now moved to another one, but wants to keep in touch?) How will you get these new keys out to the folks who are expecting signed calls? The most likely result here is that you will again be forced to accept unsigned calls, making signed calls pointless.

3) Some/most VoIP spam will be addressed by the VoIP providers, as they do not want to lose customers. Why should the end user deal with the mess and overhead of setting up PKI it if the provider is going to?

PKI has its place, but there are very good reasons why we've been trying and failing get PKI into email for over a decade. Many of the same reasons hold true for VoIP.

Re:I must sound like a broken record (1)

Eivind (15695) | more than 8 years ago | (#15525744)

Until someone has called you once before, or you've talked to them in some out-of-band way, you have no way of knowing what your friends/relatives/etc keys are.

True, unless you use web-of-trust, in which case it's sufficient that they've talked to someone you've talked to etc.

Or unless there's some server you trust enough that you'll take thats servers word for the link between a certain email-adress and a certain public-key, and you know the email-adress of your friends/relatives/etc.

Setting up a server that verifies email, and signs public keys of people who complete the verification is near-trivial. (the near-part being related to being sufficiently paranoid about the secret signing-key.)

Re:I must sound like a broken record (1)

Watson Ladd (955755) | more than 8 years ago | (#15528430)

That's just a UI issue. I installed GnuPG, and an exention for mail. GUI's exist for GnuPG, and then anyone can use it.

Re:I must sound like a broken record (1)

Blakey Rat (99501) | more than 8 years ago | (#15526847)

I think I've found your problem...

Instead of telling people who matter, you're just posting it on Slashdot. No matter how many times you sound like a broken record, you're not going to get anything done here, buddy.

In any case, how do you know about somebody's key before they've called you first? With your system, every time a new person got a VOIP phone, I'd have to go though my "low priority" calls anyway, and your system has solved nothing.

Filter unsolicited international calls (2, Informative)

w33t (978574) | more than 8 years ago | (#15524417)

Am I correct in assuming much of this spam will originate internationally (meaning outside the US and major European countries)?

I would imagine that the "do not call" registry will still apply to VOIP and that national companies will still have to abide by it.

If this is the case, could not a VOIP inbox be set to filter unsollicited international calls to a spam-inbox?

Yes, I understand that there is still the possibility that an unsolicited, international call may be warrented for some or even many - but this seems like at least one way of combating the enevitable deluge of voice advertisement.

Re:Filter unsolicited international calls (1)

petermgreen (876956) | more than 8 years ago | (#15525282)

hmm will the do not call registry apply if the call never touches pots?

and ofc you can always call from out of country while sticking within the same voip provider (generally making the call both free and hard to identify as international)

Re:Filter unsolicited international calls (1)

Lord Ender (156273) | more than 8 years ago | (#15525437)

one word:

proxy

Turing test! (2, Insightful)

jackjeff (955699) | more than 8 years ago | (#15524446)

What is bad about email is that it's not always obvious to know whether some email is spam or not. And there is also the risk of phising.

Obviously it's no concern here. If they have to make it cheap, they'll use no operator and revert to pre-recorded messages. You will know right away if the person is "human" or a "recorded message"... as long as machines fail the Turing test :)

There is nothing new about it. Junk calls existed before VOIP.

Re:Turing test! (1)

sshutt (785646) | more than 8 years ago | (#15524576)

Don't some humans fail the test too?

When they do the compertition don't they have an award for the most computerlike human aswell as most human computer?

Re:Turing test! (1)

Silver Sloth (770927) | more than 8 years ago | (#15524882)

So when you've just been hauled out of the shower, been called away from your favourite tv prog, interrupted in your meal, it will be OK because you'll know as soon as you answer it.

Mobile networks? (1)

15Bit (940730) | more than 8 years ago | (#15524478)

Now i accept that there are security concerns regarding interception, and consequently authentication/identification/billing and a whole host of other stuff. But did the author actually read that line about spammers? Email is an inappropriate analogy - mobile phone networks are a much better guide to the kind of abuses you will see. I don't currently get voice mail messages from His Rt Hon Umbago De ConArtist (could be a good laugh though), but i do get all sorts of "would i like to change my mobile tarif" calls. Why will VoIP be different?

Re:Mobile networks? (1)

macdaddy (38372) | more than 8 years ago | (#15526009)

I thought that sales calls to mobile numbers was illegal? Of course that's what I always tell any salesdroid that calls me on my cell.

Not really (3, Insightful)

Geoffreyerffoeg (729040) | more than 8 years ago | (#15524500)

VoIP is more like the pre-spam IM era than the pre-spam e-mail era. And guess what. We're past the pre-spam IM era and it isn't even close to a problem. I get a spam IM about once every few months, if not rarer, and all it contains is an obfuscated link to some camgirl website or something (I haven't clicked, I'm just guessing).

VoIP, like IM, is a medium that does not lend itself to spam. What can they do, hire telemarketers? You can't very well robot a voice system. And because each system, like IM, is closed within a company, unless that company itself is spamming, they will quickly close down the accounts of anyone who spams because it's easy for them to track.

Re:Not really (1)

drinkypoo (153816) | more than 8 years ago | (#15524953)

I get spam on Y!Messenger, on myspace, on ICQ on the rare occasion that I connect to that network... It's not a problem or anything, outside of occasionally viewing a NSFW profile.

Re:Not really (0)

Anonymous Coward | more than 8 years ago | (#15525018)

You apparently have not used an ICQ transport on jabber lately. I get on the order of 20-30 spam IMs from unique IDs per day most days. It's just that, unfortunately, ICQ transports and jabber clients are too damn stupid to filter properly on external transport contacts yet. Bottom line though, it *is* a problem, it's all the usual suspects, and they're just as persistent there as ever.

Filtering at the client works, yes, but for those that don't have proper filtering (yet) it can be a real nuisance. If anything, it teaches me that VoIP should get filtering out such calls handled *before* it becomes an issue. Even having a centralized service in the mix doesn't matter if the spammers manage to automate things, especially if they're not afraid to compromise machines in order to get their trash across.

Re:Not really (1)

Geoffreyerffoeg (729040) | more than 8 years ago | (#15525255)

You apparently have not used an ICQ transport on jabber lately.

I use AIM, the IM system with the worst reputation, and yet I avoid spam. The few occasions that I've been hit with real spam come from joining a public chat room where half the chatters are lurking bots harvesting screen names - other than that, almost never.

Re:Not really (1)

fossa (212602) | more than 8 years ago | (#15525125)

You can't very well robot a voice system

Hi, this is Super Annoying Incorporated. We sell V14gr/\! Press 1 to buy (forwards to waiting agent), or visit our website at superannoying.com!

Might be easier for annoyed callees to DDOS, and the requirement to have a short URL might be difficult to meet, but it's certainly possible to advertise by an automated system. Stock pumping spams would also be very easily automated.

Re:Not really (1)

Hulfs (588819) | more than 8 years ago | (#15525469)

Hi, this is Super Annoying Incorporated. We sell V14gr/\! Press 1 to buy (forwards to waiting agent), or visit our website at superannoying.com!

While your response is definitely funny, several co-workers and I just got a call a few days ago exactly like this from Comcast in Philadelphia. I consisted of a 2-3 minute recorded message letting us know how Comcastic they were and allowing us to press 1 to hear their new cable offers, or press 2 to hear about their new overpriced VoIP phone service...etc. Sad.

Re:Not really (1)

david.given (6740) | more than 8 years ago | (#15525459)

I get a spam IM about once every few months, if not rarer, and all it contains is an obfuscated link to some camgirl website or something (I haven't clicked, I'm just guessing).

I'll agree that I very rarely get IM spam --- and I subscribe to five different accounts, including ICQ --- but have you visited a Yahoo chat room recently? It's... unfortunate. Rooms will contain 30 bots (usually spamming in 48pt blink red) and, if you're lucky, maybe three actual people. They're practically unusable.

Attacks on VoIP systems? (1)

quoob (791191) | more than 8 years ago | (#15524523)

The attack on VoIP systems started last week -- in the U.S. House of Representatives.

Re:Attacks on VoIP systems? (1)

Watson Ladd (955755) | more than 8 years ago | (#15528441)

And did you call your representive to stop them?No? Neither did I, but I missed the vote by a short margin. We have no one but ourselves to blame.
Get them out of office 2006.

They've got some nerve! (1)

Rob T Firefly (844560) | more than 8 years ago | (#15524530)

and are calling for pre-emptive security measures.
Hey, you! ...Yes, you, with the fancy "pre-emptive security mesures!" DO you know where you are? This is the Internet, darnit, and we just don't do that sort of thing around here! We've got a reputation to protect, after all. Now, get outta here kid, ya bother me.

Filtering (1)

Dachannien (617929) | more than 8 years ago | (#15524538)

Fortunately, VoIP is also more like e-mail than like the traditional phone system in that filtering should be a lot easier. Ever tried to get a traditional phone company to block a phone number from calling you? Some companies will charge you extra for the privilege, while others (especially cell phone companies) will refuse to do so at all. On the other hand, VoIP companies have no excuse - the request is rather obviously implementable in software, perhaps even programmable into the user's phone, and can include whitelisting as an easily-configurable method for call filtering.

(Yes, the same should be true of traditional phone service, but the old Bells have surrounded their inner workings with such a sense of mystery for decades on end that the average Joe is unlikely to realize how easily the service can be implemented.)

Re:Filtering (1)

mungtor (306258) | more than 8 years ago | (#15524788)

Except that VoIP providers are just as unlikely to give you administrative access to your endpoint (your Cisco, Sipura, Telco, or whatever box). So, they would have to set it up for you. And they will (more than likely) be just as unresponsive and unwilling simpy because they don't have the support staff to handle the request.

VoIP prices are too low for any serious support infrastructure to exist as well. If you ever talk with anybody who works for Vonage or any other large VoIP proider in a technical capacity, it's frightening. Most times your average helpdesk drone knows more about IP networks than they do. Then you have a few technically incomptetent people at the top bleeding off the VC money into their salaries.

Re:Filtering (1)

dhasenan (758719) | more than 8 years ago | (#15525023)

There is a method around this. A few, actually.

- The VoIP provider could decide it's enough of a feature to implement, and even devote some GUI space to.
- Hackers could reverse engineer the VoIP provider's protocol and implement their own client, which would almost certainly have that feature.
- The VoIP provider, to cut costs, uses an open source solution that already has a good client with this feature and merely rebrands the client, at most.

Really, requiring a particular VoIP client is much like requiring a particular web browser or a particular model of telephones in order to use the Internet or a telephone service. Still, it'll be a while before people decide they want to keep one predictable interface no matter their VoIP provider--and that will probably happen when Microsoft bundles a client with their OS.

Re:Filtering (1)

Dachannien (617929) | more than 8 years ago | (#15527619)

But with VoIP service, internet access is a given. The VoIP companies can then implement these features and make them customer-configurable with a handy web interface. But you do have a point - when Sprint hires a guy in India to read questions to me off a screen and choose the multiple-choice answer that sounds closest to my response, rather than putting it on the web and letting me navigate through it myself, how can we expect a phone company to let the end user handle anything?

And I'm Okay with That (2, Insightful)

99BottlesOfBeerInMyF (813746) | more than 8 years ago | (#15524551)

E-mail brought us basically free international communication with text and images and attachments. Having to filter spam is a very small price to pay, especially since my off the shelf bayesian filtering (combined with temporary accounts for commercial transactions) lets through one or two "maybes" a year. If I can have basically free voice/video communication around the world, I'll gladly put up with having to secure that as well. Anything off my white-list can go to the "maybe" pile and be routed to voicemail unless I feel like taking random calls. ISPs are already implementing security to prevent spoofing. And I already use voice and video communication without any problems. Really, this is a minor inconvenience that comes with a major advance.

Whitelist Only (2, Interesting)

bahwi (43111) | more than 8 years ago | (#15524561)

I know wish Asterisk it should be possible to set up a database centric version of a whitelist, and only allow those calls in. All others are given infinite rings, or route-to-ex.

Maybe the time is now to start this. If they have your #, they should have your email, IM, and there should be a web address with a captcha that gives 24 hour access or something? Maybe that's what it should do instead of infinite ring, "To access my phone, please go to www.whatever.com and type in the number you are trying to dial, and follow the instructions. Thank You."

Re:Whitelist Only (1)

whitehatlurker (867714) | more than 8 years ago | (#15525321)

Parent says: "[Spam can be sent via] route-to-ex"


Kool. So I route all my voice spam to that bitch? Where do I sign? How much? (Not that I care, I just need to note it down.)

I think this is a little different (1)

algerath (955721) | more than 8 years ago | (#15524562)

from TFA

"VoIP calls are often routed over the public Internet, and details of those transactions can be spied on by outsiders"

It compares voip to email and talks of spam and phishing. Intercepting email is not how spammers get email addresses. They get addresses posted online and lists of addresses gotten from people who have used the addresses to sign up for shit. I have an old email acct. that is loaded with spam because I have had it posted online and signed up for stuff. I also have an acct. that is only used for email to people I know and it gets no spam. Intercepting phone calls to use the info for spamming would be too much effort per spam and ruin the profitability of spamming. Spamming works when you can get a crapload of addresses and send a ton of mail dirt cheap. If spammers had to intercept emails to get addresses to build their lists I don't think it would be a problem.

All of this business about voip security may be valid for corporations but if someone wants to spend the time/effort to listen to me order a pizza they can have at it. I use an old cordless anyway so if you want to sit outside my house with a scanner you can listen too, but I really don't care. If you have nothing better to do than listen to my calls to my mother you need a life.

Algerath

I almost forgot the voip benefit (1)

algerath (955721) | more than 8 years ago | (#15524643)

I have used voip for my home phone for almost two years. I have never gotten a telemarketer or even a wrong number, not once in almost two years. I think this is probably due more to the fact that the number is not listed anywhere. If I don't give it to you it would take a lot of effort to find it.

Algerath

Already a problem (1)

mode747 (933227) | more than 8 years ago | (#15524563)

I already have to delete 7 or 8 unsolicited vendor calls from my voicemail every day.

solved that problem (2, Interesting)

gstovall (22014) | more than 8 years ago | (#15525140)

I solved this problem years ago. I programmed my (VoIP) phone service to respond to all anonymous calls with a message requesting them to put this number on their DO NOT CALL list. Then dropped them immediately into voice mail in case there really WAS something they wanted to say. In the initial voice mails, I heard lots of background noise, and people saying, "Hey! Listen to this!" to their coworkers, but they all got the hint.

Those experts wouldn't happen to work for ATT... (2, Insightful)

mmell (832646) | more than 8 years ago | (#15524601)

would they?

the Nigerian phone call (1)

alphafoo (319930) | more than 8 years ago | (#15524616)

Imagine the messages from relatives of deposed Nigerian dictators -- only this time they're on voice mail, too.

I'm not saying I would want hundreds of these calls, but I would love to hear at least one of them. I seem to always put a voice to these poorly-worded emails, as I sit wondering how someone could send out tens of millions of copies of a letter without having someone first proofread the text.

I guess if there's money in it, the spammer could hire a good voice to make the call that much more appealing. Would you be so quick to delete the Nigerian vmail if Derek Jacoby were reading it?

Reliability is lower too (5, Informative)

cecom (698048) | more than 8 years ago | (#15524717)

All high-speed Internet providers that I have ever had (Comcast, Yahoo/SBC/AT&T) suffer outages periodically - say, about once every two months for several hours on the average, and this is only the outages that I know about, since I don't use my home computer all the time. Happens at work too - at one time our business DSL was out for two days (thank you "new" AT&T). The electrical power has also been out several times. At the same time I don't remember a single problem with my land line. Note that I live in the San Francisco Bay Area, so this is a relatively high-tech place.

You end up depending on both consumer-grade Internet service and electrical power, neither of which is completely reliable. Which is probably OK, esp if you have your cell phone, so I am not advocating against Vonage.

However it strikes me that people generally do not realize that the Internet connection (as the Internet itself) is not completely reliable. At a trade show a sales person was trying to convince of the benefits of their credit card authorization software, which resides on their own server and is accessible as a web service. The idea is that the consumer pays for a service (e.g. in a hair salon) in advance and then gets to use it for a period of time. Not bad stuff, actually, but that is beside the point. When I told her that I am worried about reliability in case the internet connection is down and the customer will not be able to be authorized for the service they already paid for, she looked at me silly and said: "Ihe Interned connection down ? Does that ever happen?" Duh! It happens!

Re:Reliability is lower too (2, Interesting)

aonic (878715) | more than 8 years ago | (#15525566)

"All high-speed Internet providers that I have ever had (Comcast, Yahoo/SBC/AT&T) suffer outages periodically - say, about once every two months for several hours on the average, and this is only the outages that I know about, since I don't use my home computer all the time. Happens at work too - at one time our business DSL was out for two days (thank you "new" AT&T). The electrical power has also been out several times. At the same time I don't remember a single problem with my land line. Note that I live in the San Francisco Bay Area, so this is a relatively high-tech place."

Note that the San Fransisco Bay Area (I'm from San Jose myself) was one of the first markets with a huge demand for broadband. Our infrastructure is TERRIBLE (partially because of the TCI->AT&T->Comcast mess). On the other hand, in areas that didn't have a giant push for broadband immediately, such as Boulder, CO (where i'm going to school), Comcast was able to, given an extra four or five years, completely revamp its infrastructure. We have almost flawless broadband in CO (a relatively low-tech place, at least in some areas), whereas at my parents house in CA, the internet STILL goes down for an hour or so every other day at around 2am.

The population density also makes a difference, too. DSL in the bay area is terrible because you might have 20 houses multiplexed onto a given local loop where in most cities there would be four or five. The cable network is only able to support somewhere around the lines of 38 megabits per cable head-end, and when you have something like five million people in the south bay alone, each one running at six megabits, that's a lot of cable sub-networks.

Re:Reliability is lower too (1)

cecom (698048) | more than 8 years ago | (#15527195)

Good point, thanks.

It also seems to me that regardless of the infrastructure, consumer Internet connections are not treated with the same importance as phones, yet. So the provider will not jump through hoops to avoid a service interruption. Unless it is their own VOIP service :-) Any idea how reliable Comcast's digital phone is ? I used it only briefly a couple of years ago, but had to give up because the quality was terrible (I have no idea why, I suspect it was a local problem in the building).

Re:Reliability is lower too (0)

Anonymous Coward | more than 8 years ago | (#15527290)

Just wait until your next earthquake, then you'll get to experience all of the above having an "outage".

e-mail is different. (2, Interesting)

just_forget_it (947275) | more than 8 years ago | (#15524762)

E-mail can be presented in a much more convincing manner than voice mail. Spamming on VOIP would be more akin to telemarketing on traditional phones. E-mail spam is sent en masse and is impersonal.

Spam Filtering (1)

ddddan (881066) | more than 8 years ago | (#15524801)

What no one seems to have mentioned is that at least with email you can employ spam filters which do text searches and pattern matches, along with other spam-recognition techniques. It seems impossible that VoIP spam could be filtered this way, thus leading to a glut of voicemail spam which could threaten the viability of VoIP altogether, if the spammers can find a way to do it without being detected.

Re:Spam Filtering (0)

Anonymous Coward | more than 8 years ago | (#15525713)

what about http://rss.slashdot.org/Slashdot/slashdot?m=5966 [slashdot.org] , where "Google Researchers Create TV Audio Analysis System". Doesn't seem like a filter could be too impossible.

Voip Vs Email Spam is very different (1)

romka1 (891990) | more than 8 years ago | (#15524811)

There is a huge difference.
How much is avg email? about 1kb
How much would a prerecorded voice msg be?
You gonna need a lot of bw to send a lot of voice messages and it will take too long...
Targeted phishing could happen on the other hand.

SIP cloning, international calls, huge bills? (1)

Swave An deBwoner (907414) | more than 8 years ago | (#15524822)

Spam via VoIP is an interesting thought, but how about the more immediate threat of someone, say in some remote country, cloning my SIP and using that to make a load of international phone calls? This would run up my bill very quickly, and every VoIP provider I've checked requires that the account be tied to a credit card. My guess is that if this has already happened, it's been hushed by the VoIP provider, which covered the startled customer's bill to avoid bad publicity. And if it hasn't yet happened, I expect that it will. Who will be on the hook?

Spit (Voip Spam) will never attain spam ubiquity (2, Insightful)

OlivierB (709839) | more than 8 years ago | (#15524824)

Yes sending millions of emails is "free", and so is making unlimited VoiP, but Voip is less unlimited than emails, here's why.

When you decide to send an email to a group of people from domains A, B and C, where you have multiple recipients in domains A, B and C you only need to send server A one copy of the message with a list of the recipients it handles. The server then spawns copies of this message to all the mailboxes. Theoretically, you only need to make as many connections are there are domains in your distribution list.
Moreover Spam scales well with bandwith. Meaning a large message will arrive faster with more bandwith, not so much with Voip where you have real-time delivery; i.e. think of Voip as a VCR vs downloading your TV shows as files.

What this means for Spit is that they need to make individual connections for each recipient (although I know of some email like systems, but that's another story). Also they need to connect with each recipient's server or terminal as long as the message is.
What this means is that twice as many recipients will cost you twice as much in time and in bandwith for your spit message.

This fondamental difference is in my opinion a deterrent for any spammer worth his salt willing to reach thousands of recipients.

Spit doesn't scale well, spammers know that and will not pursue this activity as agressively as spamming.

Cat and mouse. Not a new game. (1)

eko33 (982179) | more than 8 years ago | (#15525155)

You know folks, this isn't a completely alien concept. Why do you think residential phone subscribers can sign up for the federally enforced national "no-call list".

Just because it's a new technology doesn't mean it's a new idea. It's a shame that people completely overlook the obvious when dealing with new technologies (see Dot Com Bust [wikipedia.org] .

Obviously we are aware there is a problem..Thank you TFA.. Now.. everyone run to your terminal to enterprise off the enterprising SOBs that are going to be haxoring my shiny new VoIP telephone.

The phishing threat is probably real. (1)

merreborn (853723) | more than 8 years ago | (#15525344)

The current policy at credit card companies is retarded. More than once, I've come home to an answering machine message saying "This is Discover's Anti Fraud unit. We'd like to discuss some recent activity on your card. Please call us at 1-800-555-1212". As soon as you call, they start asking for personal information. ...How the hell am I supposed to know I'm actually talking to Discover? I'd much rather have them send me to a URL (discover.com/fraud) that lists the number, since I at least have *some* indication that it's probably discover that's running discover.com.

Anyway, yeah, this policy opens the door right up to phone phishing. Thanks Discover!

Re:The phishing threat is probably real. (2, Insightful)

studpuppy (624228) | more than 8 years ago | (#15525518)

AMEN! I had the same experience with a different company, and when I called the 800 number their IVR system didn't even bother to indicate that you had called the right company - it just immediately went in to prompting me to enter my credit card number.

I must've hung up a dozen times before deciding to simply #, * and 0 my way through their menu system until it finally dumped me to a human being with whom I could ask a question (or two, or three...) before giving any personal information.

And the kicker is that they initially called me because they thought someone had applied for a card in my name... so I didn't even have a valid CC # to get through their stupid IVR system in the first place.

I left a message for their VP of customer service to suggest that they, perhaps, fix their stupid process and system...

Honestly Officer, it wasn't me.... it was him. He did it. Not me. Can I go home now?

Voice spam is impractical (3, Informative)

Norbert_05 (982191) | more than 8 years ago | (#15525584)

The way SIP works makes voice spam impractical. Basically, a call is set up in two steps. 1) The calling party sends an INVITE message to your provider's PBX / main server / whatever. This would be vonage, or whoever your VOIP provider is. This 'call' connects, and an audio path is established between your provider and the calling party. From the caller's perspective, he has a live, answered, call at this point. 2) your provider sends an INVITE message to your phone. This establishes an audio path from your phone to the carrier. At this stage, the carrier either connects the two audio streams internally, or can use another pair of INVITE messages to direct the audio streams of the two phones to each other. There's no way for the calling party to identify when that second audio stream has been established; from their perspective, the call exists as soon as the provider accepts the initial INVITE message. Obviously, you could start playing audio at that stage, but there's no guarentee someone's actually on the other end of the line. If you're doing a recorded audio play, you're faced with either loosing part of the message, or playing dead air for a while. The only way around this is to dial the direct SIP extension of the customer's phone, but you need know their userext (which is different than their actual phone number) and the IP address of the user's phone, which is highly unlikely since the end user doesn't even have those bits of information (usually) Furthermore, filtering is easy. An INVITE message has to specify a valid IP for the audio stream to be set up. It's trivial to simply block INVITE's from certain IP's in software, if your carrier / phone supports that. Spoofing an IP at this stage is impossible, since that would just prevent the RTP stream from working, and it also makes it easy to figure out who's actually calling you, since you have the IP of the server the audio is coming from. (assuming your provider did the reinvite bit, which virtually all SIP implementations do) That's totally ignoring the much higher bandwidth requirements of transmitting that many audio streams and associated problems with that.

FYI - The Dept of Justice complaints are online (2, Informative)

dyork (200234) | more than 8 years ago | (#15525624)

If you would like to better understand this case, the US Department of Justice has made the information available online: They do make for interesting reading and outline how Edwin Pena put his scam together.

Dan York
Best Practices Chair, VoIP Security Alliance (VOIPSA) [voipsa.org]
Producer & Co-host, Blue Box: The VoIP Security Podcast [blueboxpodcast.com]

Please mod parent up... (1)

Nick Driver (238034) | more than 8 years ago | (#15526287)

...this is very informative.

Separating Hype From Reality (2, Insightful)

carpeweb (949895) | more than 8 years ago | (#15525654)

From TFA:

... but not before the problem has succeeded in wreaking havoc. It happened with e-mail and is happening now with instant messaging and mobile devices ...

From my brain:

Really? Havoc? C'mon! Yes, spam is a problem, but my email has never been close to a state of "havoc" because of it, and filters came along pretty quickly. No, they don't work as well as I would like, but they work.

From TFA:

... Here's what VoIP security breaches could mean for consumers. For starters, it's a big channel for spammers ...

From my brain:

OK, this is more of a clarification of where the threat arises. Why is a VOIP user more vulnerable to *receiving* SPIT than a non-VOIP user? According to TFA, it's the technology and economics of *making* VOIP calls that will lead to the problem. (FYI, no SPIT from VOIP yet on my two-year old Vonage account; however, I do get regular and annoying SPIT from Congresswoman Marilyn Musgrave, who I doubt is using VOIP, because it's not in the Bible.) VOIP calls can do the same damage to landline and cellular phones, can't they?

From TFA:

... Added security vulnerabilities could erode the cost savings associated with VoIP systems ...

From my brain:

The cost savings from VOIP, as with many new technologies, are savings in *marginal* costs. Security measures aren't implemented on a per-call basis, so security threats won't affect the marginal cost savings. So, unless the security threats really are grave enough to shut down VOIP systems, I don't see how they can outweigh the cost savings.

From TFA:

... And security companies such as ISS have a financial stake in companies bracing against possible threats. ISS's basic network security now includes VoIP protection. Security software mainstays Symantec (SYMC) and McAfee (MFE) are also said to be working on VoIP security products. Both companies declined to comment for this article ...

From my brain:

They have a financial stake? Really? They probably declined comment because they thought they had done more than enough by writing the article.

Re:Separating Hype From Reality (1)

jabelar (913707) | more than 8 years ago | (#15526000)

>> Really? Havoc? C'mon! Yes, spam is a problem, but my email has never been close to a state >> of "havoc" because of it, and filters came along pretty quickly. No, they don't work as >> well as I would like, but they work. You're just looking at it from end user point of view. Spam is indeed very costly to the Internet in general, and ISPs in particular. It consumes the lion's share of e-mail bandwidth, it requires every incoming e-mail to be parsed, and requires continually updating filters and filtering algorithms.

Re:Separating Hype From Reality (1)

carpeweb (949895) | more than 8 years ago | (#15528237)

mea culpa!

I was, indeed, just looking at it from an end user point of view. I understand the "social" costs as well, but TFA seemed more focused on scaring the bejaysus out of me as an end user, rather than any reasoned analysis of the true ("social") problem.

And ... the hype worked! I ignored the "true" problem! (Unless you agree that part of the true problem is the hype.)

the beauty of VoIP.. (1)

deviceb (958415) | more than 8 years ago | (#15525858)

First all those companies that charge $ for VoIP suck. I'm talking about Skype here. What is nice at this point in the evolution is how only a certain "crowd" are using Skype. This is like the crowd that built free BBSs and other early internet devices before corporate America and every moron were building sites to make a $. I talk to some girl in China for the simple reason that she likes English.. . (she works translating other languages for a company) It's cool to be able to communicate with anybody in the world so freely. -Anyway... it's a very peaceful system at present & I hope the company keeps it so. I'm sure everybody here knows about the free calling to landlines now. If you want to have some fun, go to a site like albinoblacksheep.com or a site with a Howard Stern soundboard. Call your friends house/cell phones (the number comes up 001-234-5678 on caller ID) and go to town with the sound board. -lots of laughs..

Re:the beauty of VoIP.. (0)

Anonymous Coward | more than 8 years ago | (#15526544)

I'm going to test your theory on the weekend with a DA, SM50, DS1, and an old 808. ROFLMAO. I think I'll start by sampling a toilet flushing. Program an autodialer (or resurect my old one) and just dial my friends at random with odd sounding bits and bytes.

Re:the beauty of VoIP.. (1)

deviceb (958415) | more than 8 years ago | (#15526925)

ha... me & my girlfriend have been laughing our arses off with the Arnold Schwarzenegger sound board, "I don't care what happened to your hershey highway!"
People put alot of time into these soundboards, there are some really good ones out there.
The Howard Stern soundboard is broken down into greetings, replies, insults, statements.. It is easy to hold somebody thinking they are on the radio for a bit.
Getting somebody to hold a conversation can be golden. Try a department store or your work. A place that has to be "nice" on the phone ;)
I just setup WiFi in her Cafe & panini. I have the main PC running the PoS system and also Winamp... for streaming music. It's wired through the speakers in the cafe so when somebody is on the phone the whole place can hear ::))

Someone tried this on me... (1, Interesting)

Anonymous Coward | more than 8 years ago | (#15526255)

Then there are potential phishing attacks, where fraudsters posing as banks lead consumers to fake sites.

I don't remember this word for word, but this is the gist...

Years ago, someone called me (with an Indian accent) and told me they were from my bank, specifically from the fraud investigation unit of my bank. They told me that some suspect activity with my credit card account had been detected and asked if I had made a purchase of x dollars at y vendor. I told them that I had not, so they said that they needed to confirm that I was the rightful card holder and that my card was in my possesion. To do this, they wanted to know my personal information (name, address, DOB, mothers maiden name, etc) and the details of the card, being number, card holder name as printed on the card, expiry and the special "security" [cough cough] number on the back.

At this stage, alarm sirens suddenly became deafening in my head.

I informed this caller that I could not be sure that they are really from my bank or calling officially and that I would not provide those details to them. I told them that I would however be happy to call my bank (supposedly them) back on a number I know to be genuine and then provide the details if need be. At this stage, the fellow on the other end of the phone sounded like he was becoming annoyed. He insisted that he was from my bank and that calling back would not be required. I insisted and then asked for a call number, so that when I ring back I could get it all done as quickly as possible. He said "ahhhh... 57". I found this odd, since usually the call numbers they give were longer. So I hung up and called my bank on the regular number which I use...

Call number "57" meant nothing to them and they told me that the call numbers they provide are longer. They told me that they had no record in their system showing that they had contacted me or needed to contact me regarding possible fraudulent activity on my credit card. They also told me that there was no record of a purchase of x dollars at y vendor.

Somehow, someone got at least the following personal information about me, to attempt this attack:

What bank my credit card was with.
Card type (VISA, MCRD, AMEX, etc).
My name.
My phone number.

For me, the scariest thing about this is that that info is actually really easy to get. All I need to do is use my credit card with human interaction and at least some of those details will be divulged to a potential criminal. With a face to face transaction, the other person will at least get bank, card type, card number, my name, expiry and security code. They will possibly get much more than that, if I am expected to fill anything out for warrantee details, or marketting, etc. With over the phone purchases, the other person will at least get my card type, card number, name and expiry, which is more than enough to go on a mail order spending spree.

So, do you trust every single schmuck you have ever had to pull your credit card out for?

Now, I wonder how safe it really is for our financial institutions to be outsourcing their staff to very poor countries. It's like "here very poor person, please handle our customers and their personal and financial information while we pay you per week what our customers would get in an hour". Oh yeah, that's a great idea. Somehow I imagine all those savings gained by exploiting very poor people in other countries, will be eaten up and then some by all the added fraud which the financial institutions must eat by law when they can't catch the "criminals".

(I put criminals in quotes not because I don't consider the fraudsters to be criminals, but rather because I consider the financial companies to be the biggest criminals of all).

Re:Someone tried this on me... (1)

Swave An deBwoner (907414) | more than 8 years ago | (#15527696)

The very prolific Anonymous Coward wrote:

Somehow, someone got at least the following personal information about me, to attempt this attack:

What bank my credit card was with.
Card type (VISA, MCRD, AMEX, etc).
My name.
My phone number.


Although they did indeed need your name and phone number (actually, maybe not even those, if they autodialed incrementally or randomly and just didn't bother to use your name, but that would have probably been too big a tipoff to the ripoff).

For bank and card type, all they need to do is say ${some-big-bank} and ${some-widely-used-credit-card}; around here, Citibank VISA would work fine. If you don't happen to have a Citibank VISA card, they just hangup and dial the next mark.

one percent (0)

Anonymous Coward | more than 8 years ago | (#15526379)

One percent is a great response for cold calling. With the low overheads involved a tenth of a percent would be worthwhile.

My first IT job was as an evil spammer programming a cold calling telephone system back in 1990. The PC was setup to phone a suburb at a time. We'd play a message "Hi my name's Joe Bastrd from Allied Carpet Cleaning. We're doing a special offer in your area right now..." and record the response, then one guy would listen to the responses and categorise them. We used to get 2 percent positives, which was worthwhile, even paying peak time business rate for make the calls.

VOIP? Land line? What are those? (0)

Anonymous Coward | more than 8 years ago | (#15526490)

I have a cell phone, no roaming in 2 states and free long distance to anywhere, for $40 per month. Why would I want any kind of land line, especially an IP land line?

Actually, this could be fun (1)

Aram Fingal (576822) | more than 8 years ago | (#15526728)

Now we will have to have awards for the best voice acting in spam VOIP messages.

Response percentages must be wrong (2, Insightful)

Checkered Daemon (20214) | more than 8 years ago | (#15526796)

"Think of the Viagra ads that flood your e-mail inboxes now. They work because the cost of e-mailing thousands of people at once is so low, only 1% to 3% or so need to respond for it to be worth it, Ingevaldson says."

That's gotta be a misquote or typo, or Ingevaldson is nuts. 1% to 3% is around the accepted minimum for dead tree spam. In an interview with a professional email spammer about a year ago (yeah, I'm too lazy to look it up) she said that she could make a good profit with a 1 in 10,000 response rate! Probably helps explain why I still get penile enlargement spam even though almost everyone on the planet who'd fall for it has undoubtedly already sent in the $50 and gotten the rock and the string.

Compared to IM? (1)

krunk4ever (856261) | more than 8 years ago | (#15528175)

This really depends on how open it is. I mean IM spam hasn't exactly taken off like email spam and people have claimed that IM spam would've gotten really big. And voice spamming requires an actual person on the other side. If you have an automated message, you'd get hung up immediately.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>