Slashdot: News for Nerds


Voice Over IP Under Threat?

Zonk posted more than 7 years ago | from the keeping-phone-calls-expensive dept.

Security 148

An anonymous reader writes "The IT Observer is discussing the possible scary future of Voice over IP targeted viruses, and what that could mean for the consumer. The article discusses the likelihood that VoIP is going to become even more popular, and the damage that a targeted 'flash virus' could perpetrate in a very short amount of time. From the article: 'Let's imagine a scenario that could become commonplace in the near future: A user has an IP telephony system on his computer (both at home and at work). In his address book on the computer there is an entry, under the name Bank, with the number 123-45-67. Now, a hacker launches a mass-mailing attack on thousands or millions of email addresses using code that simply enters users' address books and modifies any entry under the name Bank to 987-65-43. ... If any of these users receives a message saying that there is a problem in their account, and asking them to call their bank (a typical phishing strategy), they may not be suspicious, as they are not clicking on a link in an email ... If they use their VoIP system to call the bank, they will be calling the modified number, where a friendly automated system will record all their details.'"

148 comments

The problem of telephony + the Internet... (4, Funny)

Ingolfke (515826) | more than 7 years ago | (#17473536)

is that people will call you up during your dinner to tell you that you're long lost uncle's oil wealth is available to you in Madagascar or about the wonders of this new herbal male health pill.

Re:The problem of telephony + the Internet... (3, Interesting)

HugePedlar (900427) | more than 7 years ago | (#17473624)

I wonder if VOIP might solve this to some extent. After all, with Asterisk or similar, the home user can set up an "Auto-Attendant", or menu system to filter calls that get through. Perhaps even some form of voice recognition (recognising people's voices in your address book, or, controversially, an Indian accent) might become common. I suspect VOIP will make the telemarketers' jobs harder in the end.

Re:The problem of telephony + the Internet... (4, Insightful)

arivanov (12034) | more than 7 years ago | (#17474380)

Exactly.

I have been doing it for a while now (need to clean the code for the AGI plugin and post it). For my incoming phone lines I have scheduled times when the phone does not ring, when it rings only in my office for known callerIDs or when it rings for everyone who has not withheld their callerid. Trivial to do with asterisk+perl-AGI and quite more powerful compared to the default autoattendant.

The article brands all VOIP to be Skypelike (and vice versa). VOIP is not just PC based systems and this attack currently applies only to PC based systems. In addition to that it is limited to a specific VOIP system. A valid Skype attack is not applicable to Yahoo, MSN, SIP phones, etc.

Things may change in the future when integrated contact management and click-to-dial become commonplace. This is not common enough now and can be found only on PHB/Sales laptops so it is not yet an attack vector that is worth mentioning. By the way, this will apply to any phone system that has click to dial, not just VOIP. Now having outlook+voip worm - that is a scary thought...
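
The screening policy described in the comment above (times when nothing rings, office-only ringing for known caller IDs, ringing for anyone who has not withheld caller ID), as an added example that is not arivanov's Perl AGI plugin. It is written in Python instead of Perl; the schedule, phone numbers, route names and the `SCREEN_ROUTE` variable are assumptions, and the AGI environment block is constructed sample input.

```python
"""Caller-ID and schedule based call screening for an Asterisk AGI script."""
import sys
from datetime import datetime, time

# Assumed policy values (hypothetical, not from the original post).
KNOWN_CALLERS = {"5550100", "5550101"}
QUIET_START, QUIET_END = time(22, 0), time(7, 0)      # nothing rings
OFFICE_START, OFFICE_END = time(9, 0), time(17, 0)    # known callers ring the office
WITHHELD = {"", "unknown", "anonymous", "private", "restricted"}

# Constructed sample of the environment block Asterisk writes to the script's stdin.
SAMPLE_ENV = [
    "agi_request: screen.agi",
    "agi_channel: SIP/provider-00000001",
    "agi_callerid: 5550100",
    "agi_calleridname: Office",
    "agi_extension: s",
    "",
]


def parse_agi_env(lines):
    """Parse the 'agi_key: value' lines sent before the first command.

    The block ends at the first empty line."""
    env = {}
    for raw in lines:
        line = raw.strip()
        if not line:
            break
        key, sep, value = line.partition(":")
        if sep and key.startswith("agi_"):
            env[key] = value.strip()
    return env


def in_window(now, start, end):
    """True if now is in [start, end), including windows that wrap midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def normalize(callerid):
    """Keep digits only so '555-0100' and '5550100' compare equal."""
    return "".join(ch for ch in callerid if ch.isdigit())


def decide(env, now):
    """Return 'voicemail', 'ring_office' or 'ring_all' for this call.

    Caller ID can be forged, so this is a nuisance filter, not authentication."""
    raw = env.get("agi_callerid", "").lower()
    if in_window(now, QUIET_START, QUIET_END):
        return "voicemail"
    if raw in WITHHELD:
        return "voicemail"
    if in_window(now, OFFICE_START, OFFICE_END):
        return "ring_office" if normalize(raw) in KNOWN_CALLERS else "voicemail"
    return "ring_all"


def main():
    env = parse_agi_env(sys.stdin)
    route = decide(env, datetime.now().time())
    # SCREEN_ROUTE is a hypothetical channel variable for the dialplan to branch on.
    sys.stdout.write(f"SET VARIABLE SCREEN_ROUTE {route}\n")
    sys.stdout.flush()
    sys.stdin.readline()  # consume Asterisk's "200 result=1" reply


if __name__ == "__main__":
    main()
```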

Re:The problem of telephony + the Internet... (1)

ajs318 (655362) | more than 7 years ago | (#17475664)

or when it rings for everyone who has not withheld their callerid.
You actually answer the phone to ACs?

I used to pretend to be a recorded message, saying {in a slightly posh accent} "Anonymous calls are not welcome on this line. If your business is important, you may ring back without withholding your number." {still have to on my mobile}. Then I found out about Incoming Call Barring. Sweet! Only bad thing about it is you can't change the message.

Re:The problem of telephony + the Internet... (3, Funny)

tehcyder (746570) | more than 7 years ago | (#17475624)

Perhaps even some form of voice recognition (recognising people's voices in your address book, or, controversially, an Indian accent) might become common.
So you'd set up a filter especially to recognise and let through any caller with an Indian accent? That's a fine example of multi-cultural tolerance, it makes such a change from the usual racism on slashdot. Well done sir!

Re:The problem of telephony + the Internet... (0, Offtopic)

Anonymous Coward | more than 7 years ago | (#17473694)

Its YOUR uncle, and now YOU'RE no longer in need of correction.

Re:The problem of telephony + the Internet... (0, Informative)

Anonymous Coward | more than 7 years ago | (#17474028)

Don't you mean "It's"?

Re:The problem of telephony + the Internet... (2, Informative)

florist (657769) | more than 7 years ago | (#17474090)

Its YOUR uncle, and now YOU'RE no longer in need of correction.

It's "it's your uncle" and not "its your uncle", and now you're no longer in need of correction, either. :)

Logical progression (5, Insightful)

CommunistHamster (949406) | more than 7 years ago | (#17473542)

This seems a logical progression of phishing, but it's hardly going to be a large impediment to the adoption of VOIP. Phishing hasn't dissuaded people from using email.

Re:Logical progression (0, Insightful)

Anonymous Coward | more than 7 years ago | (#17473800)

Can someone please explain what the problem is? Perhaps it's because I'm some sort of luddite, but the VOIP system that I have hooks up into the phone line, not into the computer. Who would trust their computer for anything? The only "victims" of this would be the morons that are too lazy to use an actual phone.. are phone numbers hard to remember? phone books hard to use? Most phones already have named calling, why trust your computer when you hear about all those breakins (especially if you are using Windows), it's almost asking for trouble?

Re:Logical progression (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17474732)

Perhaps it's because I'm some sort of luddite, but the VOIP system that I have hooks up into the phone line, not into the computer. Who would trust their computer for anything?

What you're failing to understand is that your VoIP system is a computer, just a specialized one. As to who would trust their computer, lots of people. The main problem being a lot of those people are running Windows desktops instead of a specialized computer or a Linux machine or an OS X box or, well really anything but a Windows PC.

The only "victims" of this would be the morons that are too lazy to use an actual phone.. are phone numbers hard to remember?

I don't have a landline anymore and I'm by no means the only person I know who has chosen this route. Yes, phone numbers are hard to remember. They are arbitrary numeric codes and my cell phone has about 150 of them in it. I'm certainly not going to memorize all of them. Further, I don't use printed phone books anymore either, rather I use the computer to look up numbers. Thus, a computer is already telling me the number to dial in many cases.

phone books hard to use?

Phone books are slow and out of date. If I type "pizza" into my computer it gives me a list of pizza places arranged by how close they are. When I see the one I want I click on it and the number displays in giant numerals on my screen so I can see it from across the room if I want. Where is my motivation to downgrade?

...why trust your computer when you hear about all those breakins...

Most people don't hear about them or notice when they're compromised or even know anyone who mentions such a thing. Most people assume products have to have a reasonable level of security or they would not be for sale in the store. Most people assume the computer market is a free market and thus what is in the stores is the best product on the market. I doubt that most people would even think of this unless it made big news or happened to them.

And that's why... (3, Interesting)

AltGrendel (175092) | more than 7 years ago | (#17473554)

...I'm still using copper. I know that this will work itself out, that the technology will improve, etc, etc.. but until it does, I'm going to stay away from it. For me, it doesn't make sense to be an early adopter of VoIP.

But that's just my opinion.

Re:And that's why... (1)

j00r0m4nc3r (959816) | more than 7 years ago | (#17473614)

The only reason I have copper is for E911 service and in case of power failure. I use my cellfone for 99.9999% of all calls even at home. I just like having a little redundancy in case of emergency.

Re:And that's why... (1)

powerlord (28156) | more than 7 years ago | (#17474606)

The only reason I have copper is for E911 service and in case of power failure. I use my cellfone for 99.9999% of all calls even at home. I just like having a little redundancy in case of emergency.


Exactly.

Cell Phone for day-to-day calls.
Cable Modem for day-to-day internet use.
POTS for reliability when all else goes to heck.

In the past ten years I've had both Cell and Cable fail and in each case I was able to fall back on POTS to handle my basic needs (and we're talking the center of a major urban metropolis, not some rural area).

One caveat to the above. When I say POTS, I MEAN POTS. Sure I've got a Cordless phone hooked up, but I also have a hardwired phone connected. When the last blackout hit in the Northeast, I know of quite a few people that had to hunt around to get a non-cordless phone. A little planning can do wonders (and is very useful for when my wife has been on the Cordless so long that the charge starts to go on it :) ).

Re:And that's why... (1)

Hijacked Public (999535) | more than 7 years ago | (#17473618)

Not me man, I'm using copper AND VOIP.

Re:And that's why... (2, Funny)

Metaphorically (841874) | more than 7 years ago | (#17473826)

Yes, I'm following the same strategy with email...

Re:And that's why... (1)

misleb (129952) | more than 7 years ago | (#17474612)

Oh, i think we're past the early adopter stage of VoIP. By now it is pretty mature. I've been using VoIP for a couple years. I save a lot of money on my phone bill. What exactly are you waiting for?

The ONLY practical difference between my VoIP service and POTS is that I only have a single port for my POTS phone to plug into. I can't run telephone line everywhere. But that is easily solved by getting a set of cordless phones that all share a common base.

-matthew

Re:And that's why... (1)

BradleyUffner (103496) | more than 7 years ago | (#17475482)

I'm not sure of how your house is set up, but I was able to get around this problem without cordless phones. I unplugged the internal phone wiring at the junction box in my garage, separating it from the external phone system. Then I plugged the VoiP box's phone port directly into the existing phone jacks. Now any phone plugged into a normal phone jack anywhere in the house works off the VoiP. Of course this only works if you can disconnect your internal wiring from the external phone system.

Re:And that's why... (1)

misleb (129952) | more than 7 years ago | (#17475854)

Yeah, I would have tried that except that I live in an apartment and can't disconnect the system at the junction box. Also, I'd heard that you are not supposed to run many phones off of one ATA. I assume because of power draw or some such, but I never verified it.

In any case, I prefer cordless phones. So I might as well get a set of them.

-matthew

Re:And that's why... (2, Insightful)

walt-sjc (145127) | more than 7 years ago | (#17474758)

Don't worry, this article is mostly FUD. For one, it assumes that all phones will be vulnerable to the same flaws. They won't - they run MANY different code bases. There is no mono-culture in VoIP like there is with desktop operating systems (well, except for the Skype example - I don't use skype anyway due to the closed/proprietary nature of it.) It also assumes that any security flaws won't be fixed or addressed. Anyone that deals with IP phones knows that new firmware comes out every few months. If you have a Vonage-like VoIP service, new firmware can be pushed out to you automagically. Lastly, I expect that VoIP proxies will become a standard feature in SOHO routers in the not-too-distant future to deal with multiple NATed phones and other issues. Probably something like a light version of SER [iptel.org]. Expect them to be able to filter crap out like modern firewalls / web proxies do.

Re:And that's why... (5, Insightful)

walt-sjc (145127) | more than 7 years ago | (#17474794)

Oh yeah - one more thing - who does the author of this article work for? Hmm. Panda. What do they do? Antivirus and security software. Self serving FUD is what this is.

Re:And that's why... (2, Insightful)

radish (98371) | more than 7 years ago | (#17475998)

I still use copper too. The copper in my coax cable which carries my internet traffic, and with it, my VOIP calls. Of course, what this article is talking about is people who use autodialers of one kind or another - which includes cell phones, PBXs with click-to-call, Skype, etc - it's got nothing to do with VOIP as a technology for transmitting the voice data. My VOIP solution uses a perfectly normal phone, not a computer, and so until Uniden and VTech start issuing vulnerability warnings I think I'm OK.

As an AT&T CallVantage customer (1)

gelfling (6534) | more than 7 years ago | (#17473566)

I have to say that using malware on VoIP hopes but cannot assume that VoIP is even functional and stable enough to do that. Maybe other people have a different experience but CallVantage is not ready for primetime and if they want to use it for exploits and malware they'll have to compete with the utter crappiness of the service that works like malware all on its own.

Re:As an AT&T CallVantage customer (1)

Cutie Pi (588366) | more than 7 years ago | (#17474984)

I had a great experience with CallVantage for about 6-months. I actually forgot that we had VoIP most of the time. But then Charter, who handled the cable internet connection, did something and my connection became slow and unreliable. I ended up ditching the cable and going with DSL. I see no reason to pay $30/mo for VoIP when I already have phone service (it comes with the DSL), so I'm looking at Skype now for long distance calls.

Re:As an AT&T CallVantage customer (0)

Anonymous Coward | more than 7 years ago | (#17476300)

That, and the fact that most women I know call their bank from their work phone.

Open VoIP Clients are Safer (2, Insightful)

Doc Ruby (173196) | more than 7 years ago | (#17473582)

Who's got an OSS Flash or Java applet that is a SIP or IAX client? If we keep the VoIP SW on the server (tested and upgraded), and give it access to our network/AV HW only on request in a sandbox, we're pretty safe against viruses. These applets can be signed and distributed easily, unlike OS-installable full apps, or dedicated HW.

Re:Open VoIP Clients are Safer (1)

Hijacked Public (999535) | more than 7 years ago | (#17473708)

I don't know if such a thing exists but you sound like just the right guy to code one up. Shoot me a message when you're done.

Re:Open VoIP Clients are Safer (1)

Cheesey (70139) | more than 7 years ago | (#17474014)

Open VoIP Clients are Safer

Yes they are. And good ones are already available. You can now use OpenWengo [openwengo.org] as an alternative to Skype - it's GPL'ed code and uses a standard protocol (SIP), making it interoperable with most VoIP software. Except Skype.

Skype is a closed-source minefield of terrifying security holes just waiting to be stumbled upon by black hats and exploited for the usual reasons. It's a ready made peer to peer infrastructure that always uses encrypted communications, just waiting to be made into a botnet. Some security holes have already come to light - check this presentation out [blackhat.com]. A decade of security problems with Internet Explorer might seem tame in comparison to the problems that could emerge from Skype.

Re:Open VoIP Clients are Safer (1)

Doc Ruby (173196) | more than 7 years ago | (#17474248)

OpenWengo is an OS-installed app, not an auto-installed downloadable app maintained on the VoIP server. Their Flash applet is closed source.

If the distribution and maintenance process is slowed down by requiring users to install (continuously bugfixed) apps under their OS, the ecosystem will remain riddled with insecurity.

VoIP-Spam is another threat (3, Insightful)

Rastignac (1014569) | more than 7 years ago | (#17473594)

Spams in my inbox is painful. Spams using VoIP will be very very painful.
VoIP will be cheap enough for spammers, and easy to handle by spamrobots...

Re:VoIP-Spam is another threat (2, Insightful)

HugePedlar (900427) | more than 7 years ago | (#17473682)

So you set up a menu system: "Press 3 if you're not a spambot". Solved, more or less.

Re:VoIP-Spam is another threat (1)

kfg (145172) | more than 7 years ago | (#17473906)

Spams in my inbox is painful.

Try using a cigar/lubricant/antibiotic.

KFG

Re:VoIP-Spam is another threat (1)

RazorDaze (570566) | more than 7 years ago | (#17475096)

Seriously...

"Please listen to the pre-recorded message about male enhancement drugs..."?

E-mailed spam has the advantage of hypertext. Easy to send, easy for people to glance at, then click the link, and someone gets paid. A VOIP call has none of those benefits. Wouldn't be worth sending.

The whole article reads as a "what if...?" FUD piece on VOIP to scare off the kind of people that don't read slashdot: The sort of article that entices people to seek security snakeoils.

Re:VoIP-Spam is another threat (1)

ajs318 (655362) | more than 7 years ago | (#17476220)

It could be worse than that. If they really wanted to, they could force you to listen to the advert by not giving you a dial tone until the advert finished.

Of course, for a hardware VOIP telephone to require some user action to initiate a firmware upgrade -- not just accepting any random firmware that comes up the line -- would prevent one kind of attack against phone hardware.

Re:VoIP-Spam is another threat (1)

Oriumpor (446718) | more than 7 years ago | (#17475184)

Will be? I already get Spanish language telemarketing auto dialer messages on my skype account, luckily I can just "Block" but still. The idiots^H^H^H^H^Hmarketeers are out there and their numbers are growing. It's not really a question in my mind of when, but how bad it's going to get.

Why would this threaten VoIP? (5, Insightful)

Raistlin77 (754120) | more than 7 years ago | (#17473596)

I would say there are likely far more people who use regular landlines and cell phones and don't use VoIP, but that do still maintain phone books on their computers. If they call with their regular phone, the same will occur. Why drag VoIP into the cross-hairs alone?

Re:Why would this threaten VoIP? (1)

Tim C (15259) | more than 7 years ago | (#17474622)

Well, personally I think I'd notice that the number was wrong if I looked it up and it had been changed - I know roughly what it should be, so if it's much different I'll be suspicious or confused, and likely check their website.

On the other hand, if I just fired up my VoIP software and double-clicked the "Bank" entry in a phone list, I may never even suspect that anything's amiss.

No, this isn't VoIP-specific, but I can see how it might be made *easier* if the person uses VoIP.

and? (1)

Kookus (653170) | more than 7 years ago | (#17473598)

Isn't the same type of thing possible for cell phones?
Last I checked, I didn't have my bank's phone number in my address book, seems kind of odd to have something like that anyways.
Do people really call their banks with any regularity to need an entry in their address book?

Re:and? (1)

balsy2001 (941953) | more than 7 years ago | (#17473932)

I haven't called my bank in over a year. I haven't found anything I can't do online yet. I even got a certified cheque to close on a house without talking to anyone.

yeah I remember (0)

Anonymous Coward | more than 7 years ago | (#17474272)

seeing that in my VNC.

Re:and? (1)

Andy Dodd (701) | more than 7 years ago | (#17474278)

While my bank has quite a few online services, it appears that many require a phone call or in-person visit.

Of course, since my bank has a branch office right next to my company's cafeteria, I don't consider this an issue. :)

I don't store numbers in any address book that are on websites I frequently use, this includes all of my banks. (100% of phone calls to the bank are usually the result of a "you can't do this online, call 1-800-xyz-abcd".)

Re:and? (2, Insightful)

LurkerXXX (667952) | more than 7 years ago | (#17474064)

It's not at all a bad thing to have in your phone's address book. Say you are on a trip and your wallet gets stolen, etc. You may want to call your bank, credit card company, etc, very quickly to put stops on your accounts.

OMG (1)

jrwr00 (1035020) | more than 7 years ago | (#17473600)

Wow, let's hope there isn't a way where I really dial 712-145-1511 and it really calls 213-215-1111, that would be big shit... As far as I see it, it's just editing your speed dial.

Re:OMG (0)

Anonymous Coward | more than 7 years ago | (#17475248)

I don't get it?

VERY UNLIKELY, see why... (3, Insightful)

crazyjeremy (857410) | more than 7 years ago | (#17473604)

This seems to be a misleading article. Most phishing techniques do not use elaborate setups as suggested. They use very simple techniques. Oddly enough, the article author seems to agree.
Evidently, this would require a large degree of innovation, research and development on the part of the creators of malicious code, and I genuinely doubt that they would bother.
The potential scenario quoted in the post is so far fetched, it's doubtful anyone will ever pull it off. It involves hacking their voip system, home computer (and address book), a mass-mailing spam which happens to also include the email address of the hacked computer, user intervention (they must read the spam and respond), and the hacker must also have a good enough radio voice to fool the homeowner into thinking he's actually calling his real bank. Don't know about you, but we're not too afraid of this possible Voice over IP threat.

Re:VERY UNLIKELY, see why... (1)

Billosaur (927319) | more than 7 years ago | (#17473832)

The potential scenario quoted in the post is so far fetched, it's doubtful anyone will ever pull it off. It involves hacking their voip system, home computer (and address book), a mass-mailing spam which happens to also include the email address of the hacked computer, user intervention (they must read the spam and respond), and the hacker must also have a good enough radio voice to fool the homeowner into thinking he's actually calling his real bank. Don't know about you, but we're not too afraid of this possible Voice over IP threat.

Far fetched? Hey, the author thought it up, didn't he? Everything is far fetched (sailing around the world, explaining gravity, travelling into space) until someone actually does it. This technique requires thought and some actual work. So? If there's money in it, someone or some group out there with the wherewithal and time on their hands will try and exploit it, because basically they know your average computer users are sheep, and they have these nifty shears. It's this kind of complicated and non-obvious avenue that will succeed, precisely because it's so hard to fathom.

Re:VERY UNLIKELY, see why... (1)

ischorr (657205) | more than 7 years ago | (#17474192)

Also, that the phisher has figured out WHICH bank this particular person uses, and has set up a phone number/system specifically for that bank. Hearing the message "Thank you for calling THE BANK" might be a tip-off that something's up. ...And all of this without leaving enough of a trail that they'll be caught.

Re:VERY UNLIKELY, see why... (1)

squiggleslash (241428) | more than 7 years ago | (#17474458)

Far fetched? Not really. Difficult to pull off and thus unlikely due to not being the low hanging fruit? That's more like it.

This "technique" is already possible. A mass mailed email worm (or whatever) modifies the user's "hosts" file (C:\WINDOWS\System32\Drivers\etc\hosts) so that www.paypal.com gets pointed to his or her IP address. The usual precautions the victim would engage in wouldn't apply, as the victim would actually be going to the website directly (rather than clicking on a link in an email) and thus would be less likely to notice the lack of SSL as there'd be no reason to believe anything is amiss.

This, so far as I'm aware, hasn't been done yet. Too awkward. The timings have to be just right. The malware will be detected early on, before it's achieved mass propagation. While virus hunters will not be able to stop the virus, they will be able to get the IP address shut down.

Though, I guess if you're really keen on getting this technique to work, you could have your malware install a daemon so you can provide the IP address at a later date, once the daemon has reached a sufficiently high installed base.

Easy? No. So, right now, it's not the low hanging fruit. Is it far fetched? I don't think so, all I've done is mix some common malware technologies with the HOSTS file. Installing daemons that receive key instructions at a later date is a common DDoS technique.
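
From the defender's side, the hosts-file redirection described in the comment above can be checked for directly. This is an added example, not code from the thread: it parses hosts-file text and flags any entry that pins a watched hostname to an address. The watch list and the sample file contents are constructed assumptions.

```python
"""Flag hosts-file entries that override DNS for watched domains."""
import ipaddress
import sys

# Assumed watch list: domains that should never be pinned locally.
WATCHED_SUFFIXES = ("paypal.com", "bank.example")

# Constructed sample hosts file (documentation address ranges only).
SAMPLE_HOSTS = """\
# Constructed sample
127.0.0.1       localhost
::1             localhost
192.0.2.10      intranet.example   # legitimate local override
203.0.113.66    www.paypal.com paypal.com
0.0.0.0         ads.example
127.0.0.1       online.bank.example
"""


def parse_hosts(text):
    """Yield (line number, ip, hostname) for every name on every valid line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not an address: ignore the line
        for name in fields[1:]:                  # one line may carry several aliases
            yield lineno, ip, name.lower().rstrip(".")


def is_watched(hostname):
    """Match the domain itself and any subdomain, but not look-alike suffixes."""
    return any(hostname == s or hostname.endswith("." + s)
               for s in WATCHED_SUFFIXES)


def suspicious_entries(text):
    """Return (line, hostname, ip, kind) for each watched name pinned in the file.

    'redirected' means the name points at a routable address; 'sinkholed'
    means loopback or 0.0.0.0, which blocks the site and is still worth a look."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if is_watched(name):
            kind = "sinkholed" if (ip.is_loopback or ip.is_unspecified) else "redirected"
            findings.append((lineno, name, str(ip), kind))
    return findings


if __name__ == "__main__":
    # Pass the hosts file path as the first argument; falls back to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for finding in suspicious_entries(content):
        print("line %d: %s -> %s (%s)" % finding)
```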

Re:VERY UNLIKELY, see why... (1)

walt-sjc (145127) | more than 7 years ago | (#17475330)

Yes it is far fetched. Unlike the world of Windows, there is no monoculture in VoIP. In fact, it's a big jumble of crap right now, with many different competing protocols. With the sole exception of the abortion that is skype (being closed-source, closed protocol, encrypted PTP) you NEVER know what your victim will have for service / equipment. If they have vonage, what phone do they have? Probably just an ATA with a standard phone hooked up, and even then it can be one of 18 different models.

The only way you can do any kind of attack like the FUDish author claims is if you know exactly what your target uses for equipment / service / protocols / etc. Many IP phones don't even have a way of updating the local phonebook via any kind of network protocol, and there are what, 200 different softphones already???

About the only thing VoIP is vulnerable to at this point is voice-spam, and even THAT is a challenge to pull off.

Re:VERY UNLIKELY, see why... (1)

duranaki (776224) | more than 7 years ago | (#17474562)

Phishing attacks work on mass scale anyway, it's not like these people are targeting individuals. They send out millions hoping to get a small percentage of people falling for it. And falling for it in this case requires you to either speak to each person who calls, or set up an automated voice mail system which extracts the details (and would inevitably seem weird and unfamiliar to a user - please enter your bank account number, please enter your atm pin code, please state your mother's maiden name after the tone.)

To me, this is far less effective than sending a virus to edit a user's bookmarks to adjust the bookmark to point to a phishing site instead of their bank. In the bookmark case, it's likely to at least have the name of the bank because it came from the original bank's web site header.

Re:VERY UNLIKELY, see why... (0)

Anonymous Coward | more than 7 years ago | (#17474852)

OTOH, Just as today's phishers simply save the HTML source of the real bank's website, I can just as easily record the phone menu of a real bank's telephone system.

And true, while the average owner of a home-based Asterisk PBX is more likely to score on the first date than open an email attachment from a stranger, we all aren't as lucky as to live in a house full of people who know what they're doing.

If! But! Maybe! Might! Could! (1)

Macthorpe (960048) | more than 7 years ago | (#17473648)

And if I go out at night, and if I wear all black, and if a car comes towards me with no headlights on then I might get run over.

Seriously though, there were an awful lot of 'if's and 'maybe's in that, and at least one of those steps can be avoided by being at least slightly knowledgeable about the internet. It's a matter of education and in that respect people have to help themselves, or other people will help themselves instead.

To all your money.

Re:If! But! Maybe! Might! Could! (0)

Anonymous Coward | more than 7 years ago | (#17474130)

all your monies are belong to us.

Re:If! But! Maybe! Might! Could! (0)

Anonymous Coward | more than 7 years ago | (#17474490)

Never before have I looked forward to nightfall with such anticipation.

Re:If! But! Maybe! Might! Could! (1)

tehcyder (746570) | more than 7 years ago | (#17475784)

And if I go out at night, and if I wear all black, and if a car comes towards me with no headlights on then I might get run over.
A reckless attitude like that is going to get you seriously injured or maybe even killed one day, young man.

Again People Are the Weakness (1)

CastrTroy (595695) | more than 7 years ago | (#17473680)

This is just the same problem as before, only people aren't expecting it. A lot of people fell victim to phishing scams (and many still do), using email, because they are stupid. I guess this is a little more advanced, since people expect certain speed-dial numbers to not change. Granted they could probably just have a system where the bank has a password that they have to tell you, so that you can verify that you are actually talking to the bank. This is probably a good idea anyway, as it would be easy to get a 1-800 number similar to a bank, and wait for people to misdial, and then get their information.

Re:Again People Are the Weakness (1)

syzler (748241) | more than 7 years ago | (#17476138)

Granted they could probably just have a system where the bank has a password that they have to tell you, so that you can verify that you are actually talking to the bank.

That is a good idea. I am planning my man-in-the-middle phishing scam as we speak just in case Banks (or any other telecommunication accessed services) adopt this security measure.

Seriously, this would not work since all the phisher has to do is dial the bank's real number and act as a proxy for you and your bank. Once they start proxying the data between you and the bank they could still record the information. A better idea would be to use TLS/SSL and signed certs in the exchange between your phone and the bank's IVR system much like visiting HTTPS sites.

Not Unique to VOIP (3, Informative)

mmurphy000 (556983) | more than 7 years ago | (#17473690)

Changing phone numbers in an address book isn't unique to VOIP. A virus could scan Outlook and other common address book systems and change phone numbers, whether VOIP or not. Since most people don't have their bank phone numbers memorized, they'll assume that the address book entry is correct. Even if they use a non-VOIP phone, the phishing attack can work.

Now, a VOIP system might have an integrated address-book/speed-dial system that could also be attacked. But otherwise, I don't see where this is unique to VOIP.
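
One way to notice the silent number change discussed here is to compare the address book against an authenticated baseline. This is an added example, not code from the thread: it assumes contacts can be exported as vCard text and that the HMAC key is kept somewhere the malware cannot reach; the contacts are constructed, with the "Bank" numbers taken from the article's scenario.

```python
"""Detect changed phone numbers by diffing a vCard export against a MACed baseline."""
import hashlib
import hmac
import json

# Constructed vCard export; the Bank entry uses the article's example numbers.
BASELINE_VCF = """\
BEGIN:VCARD
VERSION:3.0
FN:Bank
TEL;TYPE=work:123-45-67
END:VCARD
BEGIN:VCARD
VERSION:3.0
FN:Alice Example
TEL;TYPE=cell:555-0100
END:VCARD
"""
TAMPERED_VCF = BASELINE_VCF.replace("123-45-67", "987-65-43")


def normalize(number):
    """Keep digits and '+' so formatting changes alone do not raise alerts."""
    return "".join(ch for ch in number if ch.isdigit() or ch == "+")


def parse_vcards(text):
    """Return {full name: sorted list of normalized numbers} from vCard text."""
    contacts, name, tels = {}, None, []
    for raw in text.splitlines():
        prop, _, value = raw.strip().partition(":")
        prop_name = prop.split(";", 1)[0].upper()   # drop parameters like TYPE=work
        if prop_name == "BEGIN":
            name, tels = None, []
        elif prop_name == "FN":
            name = value.strip()
        elif prop_name == "TEL":
            tels.append(normalize(value))
        elif prop_name == "END" and name is not None:
            contacts[name] = sorted(set(tels))
    return contacts


def _mac(contacts, key):
    canonical = json.dumps(contacts, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def make_baseline(contacts, key):
    """Bundle the contacts with an HMAC-SHA256 tag over their canonical form."""
    return {"contacts": contacts, "mac": _mac(contacts, key)}


def verify_baseline(baseline, key):
    return hmac.compare_digest(_mac(baseline["contacts"], key), baseline["mac"])


def diff_contacts(old, new):
    """Return (name, status, old numbers, new numbers) for every difference."""
    changes = []
    for name in sorted(set(old) | set(new)):
        before, after = old.get(name), new.get(name)
        if before is None:
            changes.append((name, "added", [], after))
        elif after is None:
            changes.append((name, "removed", before, []))
        elif before != after:
            changes.append((name, "changed", before, after))
    return changes


def check(baseline, key, current_vcf):
    """Refuse to trust a baseline whose MAC fails, then diff the current export."""
    if not verify_baseline(baseline, key):
        raise ValueError("baseline MAC mismatch: the baseline itself was altered")
    return diff_contacts(baseline["contacts"], parse_vcards(current_vcf))


if __name__ == "__main__":
    key = b"constructed-demo-key"   # assumption: in practice, kept off the machine
    baseline = make_baseline(parse_vcards(BASELINE_VCF), key)
    for change in check(baseline, key, TAMPERED_VCF):
        print(change)
```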

Whaaat? (2, Insightful)

ISoldMyLowIdOnEbay (802697) | more than 7 years ago | (#17473710)

I too, can come up with lots of non-scenarios based on speculation...

What if someone hacks the telephone exchange and redirects all calls to the bank to a new number?

What if I get a letter from my bank saying they have moved, and a phisher builds a new bank at that address, thus allowing them to take all my details?

How would that work? (1)

msblack (191749) | more than 7 years ago | (#17473722)

Someone please explain how a virus can update a Skype user's telephone book? Seems like a poorly-designed software that allows voice telephone messages to modify its database.

Re:How would that work? (0)

Anonymous Coward | more than 7 years ago | (#17473852)

How about buffer overflows, just like a lot of the other attacks...

Mind you, as it is distributed over UDP, there is much more chance of dropped packets that make the payload sterile.

Re:How would that work? (1)

LurkerXXX (667952) | more than 7 years ago | (#17474104)

Because we all know, no major software has undiscovered bugs, buffer overflows, yadda, yadda. Linux, Firefox, Apple, Microsoft, never put out patches for newly found security holes because all their software is well-designed.

What color is the sky in your world?

Re:How would that work? (1)

ACMENEWSLLC (940904) | more than 7 years ago | (#17474234)

I have Skype at home. Unlike e-mail, or my home phone, or my cell phone, or SMS on my cell phone, I have not ever received any spam or phishing or telemarketing calls on my Skype account. (I have Skype on my Cell phone.)

Right now, it is my VoIP that is the least prone to these.

I guess the point to all this is how to prevent it proactively.

Right now, when I sign into my bank they present me with a picture and some text to go with it. This, in theory, means that I am actually on their site and not an elaborate phishing site.

Maybe, when I call them, they should provide some information like that so that I know I am actually talking to the right place.

This information should change at least once a year, if not more often. If someone gets my token info, then I need a way to expire it to detect hacked tokens.

When is the last time you changed your online banking password/token?

Re:How would that work? (1)

Andy Dodd (701) | more than 7 years ago | (#17474314)

"Someone please explain how a virus can update a Skype user's telephone book? Seems like a poorly-designed software that allows voice telephone messages to modify its database."

Easy. The skype user's telephone book is most likely (I don't use Skype so I can't be sure) a file on their PC.

A virus can enter that PC in any of the normal ways that they can propagate and go modify that file. (i.e. it isn't a "VoIP Virus", it's a traditional virus that attacks your address book once you're infected)
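Added example (not part of any comment in this thread): since the scenario comes down to ordinary malware rewriting an address-book file, a defender can catch the change by auditing that file against a keyed baseline. The CSV layout, the key handling and every function name below are assumptions made for illustration; the two Bank numbers are the ones from the article summary.

```python
import csv
import hashlib
import hmac
import io
import re

# Constructed sample data. The two "Bank" numbers are the ones used in the
# article's scenario; every other entry is made up for this example.
KEY = b"constructed-demo-key"  # assumption: kept where the malware cannot read it
BASELINE_TEXT = "Bank,123-45-67\nMom,555-01-00\nPlumber,555-01-99\n"
CURRENT_TEXT = "Bank,987-65-43\nMom,(555) 01 00\nBank Support,555-77-77\n"


def normalize(number):
    """Keep digits only, so a pure formatting change is not reported."""
    return re.sub(r"\D", "", number)


def parse_address_book(text):
    """Parse 'name,number' rows into {lowercased name: normalized number}."""
    book = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) == 2:
            book[row[0].strip().lower()] = normalize(row[1])
    return book


def entry_tag(key, name, number):
    """HMAC over name and number. Without the key, code that edits the
    address book cannot also forge a matching baseline entry."""
    msg = name.encode("utf-8") + b"\x00" + number.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_baseline(key, book):
    """Record one tag per entry while the address book is known to be good."""
    return {name: entry_tag(key, name, number) for name, number in book.items()}


def audit(key, baseline, book, watch=("bank",)):
    """Compare the current book with the baseline.

    Returns a sorted list of (severity, change, name). Entries whose name
    contains a watch word are 'high', because a silently changed bank
    number is exactly what the phishing scenario depends on.
    """
    def severity(name):
        return "high" if any(word in name for word in watch) else "low"

    findings = []
    for name, tag in baseline.items():
        if name not in book:
            findings.append((severity(name), "removed", name))
        elif not hmac.compare_digest(tag, entry_tag(key, name, book[name])):
            findings.append((severity(name), "modified", name))
    for name in book:
        if name not in baseline:
            findings.append((severity(name), "added", name))
    return sorted(findings)


if __name__ == "__main__":
    baseline = make_baseline(KEY, parse_address_book(BASELINE_TEXT))
    for finding in audit(KEY, baseline, parse_address_book(CURRENT_TEXT)):
        print(finding)
```

The reformatted "Mom" number is not reported because only the digits are compared; the changed Bank entry and the newly added look-alike entry both come back as high severity.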

Dr. Weird had it right after all (4, Funny)

Sneakernets (1026296) | more than 7 years ago | (#17473754)

"Steve... send the PHONE SPIDERS."

You could just stop using Windows... (1)

Paul Bristow (118584) | more than 7 years ago | (#17473760)

This is the price we pay for a computing monoculture. Don't use Windows, this won't happen. Yes this is Microsoft's fault, BUT, to be fair, this would happen to a certain extent with any computing monoculture. So:
  • Don't use Windows
  • Don't all move to the Mac
  • Don't all use one OS environment - replacing Windows with everyone using the same version of xyz linux wouldn't help that much
  • Don't all use the same CPU (x86)
and all this should go away. When did you last hear of a security breach on Alcatel DECT Phone address books?

Maybe, just maybe, this could get closer with Web Apps making the OS irrelevant, but look back at the list and see how many of those rules we break.

Security in diversity?

Re:You could just stop using Windows... (5, Insightful)

solevita (967690) | more than 7 years ago | (#17474096)

I've seen this argument crop up regularly on /. recently, but that doesn't make it a good one. Why? Well, let's extend your argument to its logical conclusion - not only should we all use different operating systems, web browsers, CPU architectures, but we should all also use different file formats, standards and networking protocols.

I'll never get caught by a phishing scam because my web browser doesn't support the HTML used on fake-paypal.com and I can't even connect to it anyway because I'm using a brand of TCP/IP used only by myself and a handful of /. geeks.

Call me crazy, but I want to work on something that I can easily share with my colleagues - I want the most open digital environment I can get.

I refuse to accept that lazy/poor programmers can excuse the security holes in their products by claiming that everyone should be aiming for security through obscurity. Let's stop blaming Windows/Internet Explorer users for the insecurity of the products they use. Security through diversity is just renamed security through obscurity; it's no security at all.

Re:You could just stop using Windows... (4, Interesting)

planetmn (724378) | more than 7 years ago | (#17474128)

WTF?

Now, I understand in the Slashdot world, anything that pokes at Microsoft and Windows is instantly thought of as insightful and true, but what the hell does this problem have to do with Microsoft? This problem exists because of social habits of human beings. Most phishing scams work only when there is action taken by a victim that is either uncaring, or doesn't know better.

I recently received a phishing scam email from somebody purporting to be Wells Fargo Bank. First clue is obvious, I don't have an account with them, but I was curious. So I clicked the link in Firefox. The site comes up, looks similar to the real Wells Fargo site, but has a completely non-legitimate URL. So then I clicked the link in IE7. Guess what, IE7 knew it was a phishing site.

So in my above example, Microsoft was not at fault, in fact, they were proactive enough to protect the user. Stop blaming third parties for what amounts to human error. And if you think OS diversity would help the problem, you are wrong. People react the same way to phishing scams regardless of OS.

And your suggestions are absolutely insane. One thing that computing monoculture brings is a standard implementation. How would the average consumer react if they were told "this software won't work on this OS" or worse "this software only works on certain flavors of linux, but not yours". The reason the PC grew so quickly was the ability to choose between different software and hardware easily, and be sure of compatibility. Sure, niche markets existed, such as the Mac, but the PC was much more extensible and much more desirable.

-dave

Re:You could just stop using Windows... (1)

vaderhelmet (591186) | more than 7 years ago | (#17474304)

Seriously, VoIP != Windows. The author of the article mentions "flash-virus". He's speaking primarily of what we in VoIP call hard sets. Real telephones that you plug into your network (or use 802.11). Most of them have internal phonebooks that could theoretically be overwritten. Frankly, as an administrator of several hundred VoIP hard sets (Cisco 7940, 7960, 7941) run on Asterisk, I think a more likely fear is that someone writes a virus that trashes all my very expensive phones and cripples my business or uses my VoIP phones to make free long distance and international calls, or as voice-spam relays. The users' phonebooks are of little concern to me.

Re:You could just stop using Windows... (2, Insightful)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17475822)

Now, I understand in the Slashdot world, anything that pokes at Microsoft and Windows is instantly thought of as insightful and true, but what the hell does this problem have to do with Microsoft?

The attack described relies upon a worm that can compromise desktop systems. Worms are a lot easier to implement if there are a huge number of identical targets with identical holes. Currently that target is Windows.

This problem exists because of social habits of human beings. Most phishing scams work only when there is action taken by a victim that is either uncaring, or doesn't know better.

You're assuming that improvements to computers can't significantly reduce the risk of the described phishing attack, but that is not the case. Simply by having many different OS's and browsers this type of attack would become a whole lot harder. Further, there is no reason why a given OS should grant a new binary access to read or write to your phonebook without explicit approval from the user with some pretty strongly worded warnings in plain English. In a free market, I'm guessing every desktop OS would include this functionality as soon as it became an issue, but Windows has not done so, despite worms grabbing data from the e-mail address book. The reason for this is, quite simply, it doesn't cost MS a significant amount of money when people are compromised because the vast majority of users don't have realistic options of other OS's (it's not at walmart, kmart or meijer).

So in my above example, Microsoft was not at fault, in fact, they were proactive enough to protect the user.

Do most users have IE7? Is it even available on Win2K? Did IE7 recognize it as a phishing site before a significant number of people had already been there?

Stop blaming third parties for what amounts to human error.

Sure some malware and scams are the result of human error, but a lot of them are also the result of poorly designed software for the environment in which it is operating.

And if you think OS diversity would help the problem, you are wrong. People react the same way to phishing scams regardless of OS.

The previous poster was specifically talking about the scenario in the article. That scenario required that the system was compromised by a worm. Diversity of OS's does reduce the ability of worms to spread and diversity of OS's motivates companies to innovate solutions to outcompete others. Those innovations may include ways to stop worms, don't you think? Maybe instead of complaining about people's opinions by trying to apply them to a situation they weren't talking about you should consider them in terms of what we're discussing.

How would the average consumer react if they were told "this software won't work on this OS" or worse "this software only works on certain flavors of linux, but not yours".

Who says that would be the case? If other OS's were common the practice of writing portable code that worked on multiple OS's and offering them would be more profitable and thus more common. Further, VM software, like portable Java apps would be more profitable. Your cause and effect is reversed. People offer software only on one platform because there is one dominant OS. When there were multiple competing platforms, even long ago, there was more software offered with cross-platform options.

Re:You could just stop using Windows... (1)

tehcyder (746570) | more than 7 years ago | (#17475874)

I recently received a phishing scam email from somebody purporting to be Wells Fargo Bank. First clue is obvious, I don't have an account with them, but I was curious. So I clicked the link in Firefox.
Fuck me, Sherlock Holmes is posting on slashdot.

Re:You could just stop using Windows... (1)

Tim C (15259) | more than 7 years ago | (#17474770)

You seem to assume that virus writers and other malware producers won't simply follow the market trend as well, and target whatever platforms it makes sense to target.

Right now, the vast majority of people are running some flavour of Windows on x86, so that's what's targeted. It helps that Windows machines are also generally a soft(er) target, used by people with little or no clue as to how to use a PC safely. As and when significant numbers of users move to other platforms, those platforms will also be targeted.

There's money to be made, a fair number of intelligent, talented people more than willing to do what it takes to make it, and no shortage of less talented but just as morally dubious people more than willing to use the tools created by them.

Re:You could just stop using Windows... (1)

soft_guy (534437) | more than 7 years ago | (#17475928)

Yeah, then the hackers will all have to buy Qt licenses.

Scaremongering (2, Interesting)

vaderhelmet (591186) | more than 7 years ago | (#17473778)

This is a concept at best. A virus going through peoples' cell phones (which are far more in use than VoIP sets) to do the same thing is even more viable. This is another 'exploit' that relies on people to be completely oblivious to what their technology is doing. I agree that it is a problem, but it has nothing to do with VoIP. A lot of PHBs are already afraid enough of 'voices in the network' without somebody throwing 'OMFG What if?!' at them.

OMFG, What if someone wrote a virus that relinked your favorites in your browser to point directly at the phishing sites?

Just like VoIP and cell phones and your browser, when you click on a contact or favorite, the vast majority of them show you the underlying value. If you don't recognize that number, end the call. You need to be cognizant of what is happening. It is your fault, not the technologies' fault, if something bad happens due to something like this.

Address (1)

jav1231 (539129) | more than 7 years ago | (#17473830)

I think that this type of attack is still, to a large degree, depending on TCP vulnerabilities. This type of malware is going to be highly dependent upon other things to initiate such attacks. Granted, in the case of Skype or other PC-based applications this will be far easier to accomplish. I'm not sure it's a VoIP issue so much as an issue of we need to be aware of yet another medium for the transport of exploits. VoIP is UDP based. Protection of such voice streams, should malware over VoIP become pervasive, is going to require pattern recognition at the packet level, heretofore a difficult task. The only means of identification of such things is to sniff the segment. Yet, I'm not sure that that is the type of exploit this article is alluding to.

Near future - HAH (1)

JaJ_D (652372) | more than 7 years ago | (#17473846)

...Let's imagine a scenario that could become commonplace in the near future

Or sooner now they have described what to do & /. has noted it (assuming of course script kiddies and crackers can read) and scripted kiddies are reading it....

Jaj

VOIP = Virus Over Internet Protocol (1)

davro (539320) | more than 7 years ago | (#17473912)

Personally I thought the whole VOIP on the internet was under threat from the start.

VOIP running on the internet, just asking for trouble, IMHO.
VOIP Firewalls, are there any decent open-source ones?

What about a BotNet? (2, Interesting)

bhsx (458600) | more than 7 years ago | (#17474052)

A serious botnet can have 50k-100k minion boxes out there... Imagine if VOIP hit even 20% penetration, that would obviously be 10k-20k phones that botnet owner has access to. If you were the type of slimeball or, gods forbid, terrorist, what would you do with 20 thousand phones you had access to? Think DDOS on 911? Think maybe just dialing pay phone services like the old auto-dialer spyware? People maybe shouldn't be allowed to run their VOIP systems on just any old machine... Perhaps all those writing VOIP code for Windows systems should just stop and burn all copies of their apps? That doesn't sound too bad :P

Re:What about a BotNet? (1)

cullenfluffyjennings (138377) | more than 7 years ago | (#17474158)


A 911 center typically has a handful of human operators - so what is needed to DOS a typical PSAP is a handful of cell phones and you just have a few people phone in and the 911 center is totally full. You don't need a bot net of voip systems. The reason this does not happen is because there is very little incentive to DOS a 911 center.

Re:What about a BotNet? (1)

powerlord (28156) | more than 7 years ago | (#17474696)

The reason this does not happen is because there is very little incentive to DOS a 911 center.


Not to mention that it is probably a federal offense and would initiate an FBI investigation ... one with more of an incentive to find and prosecute the "bad guy" than going after typical SPAM mailers.

Re:What about a BotNet? (1)

mpapet (761907) | more than 7 years ago | (#17474610)

Ugggh.

I'll keep it brief. As other informative posts have explained, the virii potential of VOIP clients is unlikely.

Say I'm a bad guy and I want to simultaneously call 100,000 machines. I would have to spawn 100,000 connections to a voip server. Your voip server firewall has a threshold for dropping connections from a single IP address doesn't it? If the bad guy is using 100,000 zombies then the problem is not voip is it?

Let's say for a minute that I'm able to connect to a client. *The phone will ring* Now what?

I'm not saying VOIP is perfect or totally secure. Most of the issues that may come up will likely be Windows OS issues. Not specifically VOIP, but Microsoft's desktop OS. If you want to worry, keep using Windows.

Re:What about a BotNet? (1)

bhsx (458600) | more than 7 years ago | (#17475162)

Say I'm a bad guy and I want to simultaneously call 100,000 machines. I would have to spawn 100,000 connections to a voip server. Your voip server firewall has a threshold for dropping connections from a single IP address doesn't it? If the bad guy is using 100,000 zombies then the problem is not voip is it?
You wouldn't have to spawn 100,000 connections to a single voip server, the botnet would already be running on an IRC server somewhere, awaiting orders. I just login to the IRC channel after making a few dozen ssh hops around my bots and through a TOR network somewhere. I send the command and the bots start cycling through commands to hijack the 10 most common VOIP apps and dial whatever number I have the bots set to dial. It wouldn't be that hard. My original post was a bit tongue-in-cheek, but I did mention avoiding the Windows platform for such a thing, again, with some sarcasm in the mix. I agree with you there, but I digress.

Re:What about a BotNet? (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17475038)

A serious botnet can have 50k-100k minion boxes out there... Imagine if VOIP hit even 20% penetration

Unless they're all running the same VoIP client and service, it is pretty hard to grab all those 20%. Another option would be to use a custom VoIP client, if there are free services available for calling out.

If you were the type of slimeball or, gods forbid, terrorist, what would you do with 20 thousand phones you had access to? Think DDOS on 911?

To what end? 911 is for reporting crimes and emergencies. The police very rarely show up in time to stop a crime in progress. In fact I heard a story that in some locations the police wait a period of time after arriving at a shooting incident before going in, in order to give the shooter time to leave and minimize risk. The damage from DoSing 911 would probably just be more fires burn places down instead of being put out in a timely fashion.

People maybe shouldn't be allowed to run their VOIP systems on just any old machine...

The government regulating this would be a huge clusterfuck. They can't even secure their own machines. Micromanaging this won't work. We have a way to ensure that machines are relatively secure. It is called "capitalism." Restore the free market to the computer space by breaking up MS and then people will move to solutions that don't result in spurious bills from foreign pay-to-listen sites.

Maybe a FUTURE problem (3, Interesting)

Opportunist (166417) | more than 7 years ago | (#17474098)

Let's face it, who's the prime target for phishing? Joe Average Users. "We" (as in, people who enjoy technology as a pastime more than just a tool) know about such problems, and we know how to deal with them. I still never heard of a 'clued' person to become a phishing target. We certainly don't answer to mails akin to "Hi, I'm your Bank, please send me all your details in reply or your account will be frozen", and we usually routinely check for unwanted BHOs and tasks, and we certainly run up to date AV software (or at least have another reason to assume with some sort of faith that we are not infected).

In short, we know the threat. And we're also the ones who use VOIP predominantly, aside of companies (who better have someone like us as their IT-security person there). Auntie Mable and Joe Hicksberger won't switch to VOIP any time soon.

So personally, I'd rate THAT threat low. At least for now.

Re:Maybe a FUTURE problem (1)

kebes (861706) | more than 7 years ago | (#17475976)

Good post (I agree with you), but you're wrong about one thing:
"Auntie Mable and Joe Hicksberger won't switch to VOIP any time soon."

In some places, cable companies are starting to offer their own VoIP services. It's a great deal because you can get a package (TV + Internet + Long distance Phone) for a reasonable price. So lots of "Auntie Mable" types are starting to sign up for these things, without really knowing (or caring) that it's VoIP.

My mom, for instance, is about to make the switch (finally upgrading to high-speed and figured the cost savings made sense), but when I told her her phone calls would be routed through the Internet, she didn't know! ... and ultimately if the service is implemented properly, she'll never notice. (Yes they link you up to 911 services, etc.)

VoIP is actually ready for mass consumption.

Stop giving them ideas! (1)

CokeBear (16811) | more than 7 years ago | (#17474126)

Dammit don't you think the phishers read Slashdot too?

I'll take VOIP... (2, Funny)

weeboo0104 (644849) | more than 7 years ago | (#17474298)

viruses over a virus from a public pay phone anyday!

Those shankers hurt!

It's about people... (1)

kkkalf (853313) | more than 7 years ago | (#17474340)

I don't see where this is a threat to VoIP? If I receive an email or a call telling me there is a problem with my bank account, my reaction would be to talk to my bank counselor. I don't know how it is in the US but here in France, each customer has a personal bank counselor to interact with. And I would certainly never give any information to a voice machine. Ultimately, the problem has never been the technology but people's ingenuousness. If someone asks you to give the secret passcode to your account (you know, the one the bank told you never to give to anyone) would you do it? Of course not!
So I really don't think that this could be a threat to VoIP or email, or what else. The ones being tricked by Phishers are people.

Re:It's about people... (1)

cdrguru (88047) | more than 7 years ago | (#17476076)

Ah, personal service.

In the US you are lucky if the automated system has time to talk to you. Normally you get rushed through because the automated system is busy and has more important things to do than talking with a customer with a problem - when the problem is almost certainly the customer's and not the bank's.

Face it, when the ATM machine encouraged banks to charge for teller visits and a couple tried it customer service at a bank was lost and isn't likely to reappear anytime soon. In Arizona they have tellers but many of them are minimum-wage barely-English-speaking folks that can't get a job at McDonalds. If you find a bank with people you can talk to, it has a line outside the door.

fir57 (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#17474552)

obseSsives and the

By Fernando de la Cuadra, Panda Software (1)

DrugCheese (266151) | more than 7 years ago | (#17474572)

This is all hype in my opinion. There probably will be attacks against VOIP banks but they won't be as mentioned. Each VOIP Provider has their own code they use, I don't see how one virus is going to spread through more than the one system it was designed on/for. The attacks will be denial of service attacks most likely.

Let me be the first to state this as a rebus (1)

greenguy (162630) | more than 7 years ago | (#17474614)

Threat?
Voice
IP

An exaggerated and unlikely threat (1)

Zigurd (3528) | more than 7 years ago | (#17474878)

To me, this smells like a security company drumming up business.

First, as with every technology outside the Windows desktop monoculture, viruses are not easy to spread: A variety of CPUs and OSs make it less likely the next machine a virus encounters will be able to run the virus code.

Second, the hypothetical attack depends on a combination of two attacks: A virus plus phishing. That is an uncommonly sophisticated combination. Is there any basis in current experience with attacks that shows this is likely to happen?

Third, the culture and user experience in voice communications is converging with IM: permission based, filtered based on a list of known contacts. VoIP users will talk mainly to people they know - others go to voicemail. Is there any study that shows a virus/trojan/phishing attack could spread in that type of community?

Advice from a security expert... (1)

Efialtis (777851) | more than 7 years ago | (#17474948)

A bank will NEVER ask you for information that they already have. They will only CONFIRM data... Name, Mother's Maiden Name (or some other confirmation - favorite color, first pet's name, city you were born in), and the last 4 of your social or last few of your account number. They will match this information up with what they have, then they will talk to you about your account. They won't have a recording take this information, they won't ask for your PIN (EVER...they will NEVER ask for this information), and they already have your full account number...so they won't ask for that... It only takes a little common sense to avoid being the target or being a victim of identity theft via phishing... ...

Re:Advice from a security expert... (0)

Anonymous Coward | more than 7 years ago | (#17475882)

Erm... you're trying to be funny, right?

'Cause, see, my bank's voice self-service system does indeed ask me for my full account number and PIN. That "V" in VoIP? That stands for Voice. That's what we're all talking about here. Voice, you know, like what you use to communicate on the telephone?

TFA is a FUD-filled piece of crap, of course, as so many have correctly observed.

Security expert, are you?

VOIP Lowers the Entry Barrier Maybe... (1)

DaedalusLogic (449896) | more than 7 years ago | (#17475110)

Having a regular phone line doesn't save you from the possible future of junk calls. The barrier is that people initiating the call up until now have had to spend a lot of money. If they can call a POTS line from overseas and not spend a boatload of cash, they'll call you sooner and more often considering your number is probably listed... Unlike most VOIP providers.

The hypothetical scenario described is extremely weak... I don't know of any people who have their address book that tightly integrated into their VOIP software/service. Even if they did, con-artists are like any other good engineer... lazy... they'll go for the low hanging fruit and defraud grandma by simply talking to her.

Frost 4ist (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17475404)

Example pulled out of thin air (1)

bigpat (158134) | more than 7 years ago | (#17475560)

So you have an email attack based on the idea that people keep the phone number of their bank in their address book? Rather why would I bother if I can always just get it off their website or from my statement? I suppose changing an electronic statement to put the fake number on it is also possible. But how is this really related to VOIP? The problem still remains one of some email attachment taking over your computer and accessing your personal and confidential information that you have stored there. The rest could just as easily be accomplished via the regular phone.

BS (1)

oohshiny (998054) | more than 7 years ago | (#17475616)

Computer viruses are not an unavoidable fact of life. In fact, computer viruses are largely limited to Windows. Maybe computer viruses threaten VoIP on Windows, but other platforms and embedded systems are fine. Really.

fap fap fap (1)

szrachen (913408) | more than 7 years ago | (#17475660)

As someone who uses Vonage, I don't see this ever happening to me and I don't think that this would be a widespread issue. Personally, I only use Vonage as a replacement for POTS. I only really want a telephone number and caller ID but in order to get that, it costs the same amount as buying a big bundle with every option under the sun. So, I switched to Vonage and disconnected my house from the POTS line (as was advised from somewhere to prevent a fire hazard of some sort... still not sure I believe that). They're not going to get any phone numbers out of my regular phones without tracking my actual phone calls.

Anyways, my point is that I see a lot of people (read: non-geeks) using VoIP in the way that I am by using their regular phones interfaced with a VoIP box. Sure, you may have some people using their computers but I would assert that many people would rather not sit at their computer to talk on the phone with someone.

Then we get to the attack method. How would the attacker answer the phone assuming I was using a piece of VoIP software that the attacker would target to look in the address book of that piece of software and I had an entry of "Bank?" "Hello. This is your bank, how may I help you?" I sure as hell wouldn't fall for that and I would also say that the vast majority of people that might fall for a phishing e-mail or something of that sort wouldn't fall for that either. I would assume that you would have actually called the bank before if you put the bank's number in the speed-dial or address book.