VoIP to make ID theft easier


25 May 2007

The transition of companies from fixed-line telephony to voice over internet protocol (VoIP) could expose a lot more people to identity fraud, McAfee has warned.

The software security firm also predicted the emergence of voice message and instant messaging (IM) spam, an increase in hackers piggybacking on phone systems and an upsurge in malware directed at mobile phones.

According to Toralv Dirro, researcher with McAfee’s Avert Lab, hackers will seek to exploit VoIP systems the same way they exploited traditional phone systems.

“Voice systems have been a target for hackers for as long as hacking’s existed. Back then the main goal of a hacker was to hack into a dial-in PBX that preferably was connected to some free-of-charge service number so they could use that dial-in to forward their calls to other places, where they otherwise would have to pay a lot of money. If a hacker successfully attacks the VoIP server of a company then he could use that server, which typically is also acting as a gateway to the normal phone net, and initiate free or nearly free voice calls.”

Dirro said hackers could sell access to an illegal call centre where people can make long-distance calls very cheaply. Another possible scam is to use the hacked VoIP server to initiate calls to expensive premium rate numbers. “If they had complete control over the server it would be very easy for them to hide details of those calls. It would only be found with the next phone bill.”

He also warned that identity fraud is simpler to enact on VoIP systems. “It’s much easier to spoof your identity with VoIP. If you are using a normal fixed line it would take a lot of effort to pretend you’re someone else. A crime we’re expecting to see is people pretending to be someone’s bank, luring the victim into giving details or logging into some specific site. With VoIP it’s easier to listen in to a conversation or have a call rerouted to you.”

Dirro warned that voice message spam would also become more common. “Record a spam message once and you can use a VoIP server with access to the mobile phone net to send out those pre-recorded spam messages to a large number of people. With VoIP it’s cheap to send that message to other VoIP users.”

It’s only in the past two to four years that companies have begun thinking of moving their entire telephony over to VoIP, so these types of scams are still rare, said Dirro, but McAfee expects there to be a significant increase over the coming years.

The same goes for mobile malware. Presently this is not a huge threat in the West but Dave Marcus, researcher with McAfee Avert Labs, told siliconrepublic.com that it is very prevalent in Japan, where people use their mobile phones for financial transactions.

“It’s been the trend for the past few years that malware writers go where the money is,” he said. “If the data and transactional finance is done through the mobile phone, that’s where the malware is going to go.

“If you spend any time in Japan you’ll already notice mobile malware because they already do their buying and selling through their phones. They can access their bank accounts and all their confidential information through their handheld. As soon as the rest of the world adopts those kinds of buying and selling habits you’ll see malware issues all over the mobile platform.”

By Niall Byrne