Hackers ‘can eavesdrop on 70% of web calls’

Businesses and call centres are rendering customers’ private details a free-for-all by failing to secure their VoIP networks against ‘wiretapping’ hackers…

Scanit (www.scanit.net), a top security company that audits major IT systems, says as many as 7 out of every 10 calls being made over the internet is potentially open to hackers.

Data the company picked up over the web during testing included tone-dial PIN numbers, used to access services like phone banking, confidential corporate deals and information from private conversations that could be used in blackmail.

Scanit found call centres and service providers it tested – responsible for tens of thousands of customer enquiries a day - were streaming unsecured calls around the world because IT staff assumed their networks were already protected.

“Administrators at these places lacked adequate skills and understanding of the security aspects of setting a VoIP network up. They relied on the vendor or system integrator to secure it,” says Scanit engineer Sheran Gunasekera.

In turn, the vendor’s focus was on functionality rather than security, Sheran says, so VoIP systems with no security were deployed.

“Many networks were even running VoIP without encryption,” he adds.

Selling the names, addresses and bank details of telephone banking users is big business, with criminal gangs paying some call centre staff up to £5 per account access log.

In October, a documentary team working for Channel 4’s Dispatches programme filmed middlemen offering to sell packages of British credit-card numbers from call centres in India.

But the latest threat comes from the internet at large, according to Scanit.

Software that can identify unprotected conversations online is freely- available and simple enough for anyone with a web connection and basic network skills to use.

“One program, called WireShark, detects VoIP calls as they traverse a network, while another, Cain & Abel, records them onto a hard drive, like an MP3,” Sheran explains.

Gregory Lebovitz, technical director at US-based security firm, Juniper Networks agrees there's nothing stopping hackers from running riot across VoIP networks.

"No anti-intrusion or firewall currently supports all VoIP protocols and technologies in use today," says Lebovitz, "and if they claim to, they're lying."

US telecom giant, Verizon, recently warned “security should be the Number One concern for anyone contemplating enterprise VoIP deployments”.

Survey results released last week by IT services firm Compuware showed three-quarters of IT directors have concerns about the reliability of VoIP, while only eight per cent said they managed and monitored calls at an individual level.

For a more detailed look at Scanit’s research on this topic, read its White
Paper: VoIP Security - Does it exist?
http://www.scanit.net/whitepapers/