Security: Lack of response from customercare...

Posts: 482 · Posted: Sun Mar 20, 2005 10:51 pm Post subject:

What's the deal, are you in the witness protection program or something? Ordering hits on people? Making drug deals?

You could listen in on all the calls I make all day long and you'd just be bored as hell. And you wouldn't need to capture my packets and reassemble them to do it. Just pull up with a frequency scanner or even a baby monitor and you'll probably pickup my cordless phone pretty quickly. I'd worry about that before I'd worry about someone grabbing my packets.

Posts: 227 · Vonage Forum Master Joined: Dec 10, 2004 Posts: 227

MrMike wrote:

I think you said it best in your original post, you're paranoid. I mean really. If you are THAT worried about someone snooping your phone calls and invading your network and stealing your cc numbers maybe you shouldn't be using computers or credit cards?

In guardrailz defense, some of us get paid to be that paranoid. It doesn't necessarily mean we won't use the technology (hey, we're here aren't we) but it's something we never lose sight of and it's VERY hard to turn off (not that I would ever want to)!

Posts: 6 · New Forum Member Joined: Mar 20, 2005 Posts: 6

So there is no more confusion among cool cocumbers here , no one cares about "yap yap" over the the unsecured phone, you are right. The security concerns are primarily for credit card and personal data transcations via unsecure Voip service.

Things usually don't get better till you demand better. This is from today's top news stories:

Scam Artists Dial for Dollars on Internet Phones

Sun Mar 20, 9:40 AM ET Technology - Reuters
By Andy Sullivan

WASHINGTON (Reuters) - Internet phone services have drawn millions of users looking for rock-bottom rates. Now they're also attracting identity thieves looking to turn stolen credit cards into cash.

Some Internet phone services allow scam artists to make it appear that they are calling from another phone number -- a useful trick that enables them to drain credit accounts and pose as banks or other trusted authorities, online fraud experts say.

"It's like you've handed people an entire phone network," said Lance James, who as chief technology officer of Secure Science Corp. sees such scams on a daily basis.

The emerging scams underline the lower level of security protecting Voice Over Internet Protocol, or Voip, the Internet-calling standard that has upended the telecommunications industry over the past several years.

Traditional phone networks operate over dedicated equipment that is difficult for outsiders to penetrate. Because Voip calls travel over the Internet, they cost much less but are vulnerable to the same security problems that plague e-mail and the Web.

Internet worms that snarl online networks can render Voip lines unusable, and experts at AT&T say Voip conversations can be monitored or altered by outsiders.

Federal Trade Commission Chairman Deborah Platt Majoras recently warned that unscrupulous telemarketers could use Voip to blast huge numbers of voice messages to consumers, a technique known as SPIT, for "spam over Internet telephony."

All of these threats remain largely in the realm of theory. Caller ID spoofing, on the other hand, has emerged over the past six months as a useful tool for identity thieves and other scam artists, according to fraud experts.

PRESIDENT BUSH ON THE LINE

Any reporter would scramble for a ringing phone that reads "White House media line" on its caller ID display.

But it's not the Bush administration on the line -- it's security instructor Ralph Echemendia, calling from a mobile phone on a remote Georgia highway.

"You can see how this sort of thing could be used in a very malicious way," said Echemendia, a security instructor at the Intense School, a technology training company.

Caller ID spoofing is not prohibited by law, but the Federal Communications Commission (news - web sites) requires telemarketers to identify themselves accurately, a spokeswoman said.

Echemendia built his own system to spoof calls, but several free or low-cost services allow even technical novices to falsify caller ID information as well.

Debt collectors and private investigators use Camophone.com's 5-cents-per-call service to trick people into answering the phone, according to messages posted on a discussion board.

Traveling salesmen say the service comes in handy when they want clients to return calls to the main office, rather than their motel room.

James said criminal uses of caller-ID spoofing have become common over the last six months.

Wire-transfer services like Western Union (NYSE:FDC - news) require customers to call from their home phone when they want to transfer money in an effort to deter fraud -- a barrier easily sidestepped by any identity thief using a caller-ID spoofing service.

Fraud rings can now transfer money directly out of stolen credit-card accounts, rather than buying merchandise and reselling it, he said.

Western Union spokeswoman Danielle Periera said the company has no other way to verify that transfer requests are valid.

"We try hard to stay one step ahead of them and recognize that scam artists are sophisticated and often change their schemes," she said.

Criminals can use caller-ID spoofing to listen to other people's voice mail, James said, especially when those accounts are not protected by passwords.

They also have begun to use the technology to make it appear that they are calling from a bank or other financial institution, said Dave Jevans, who chairs the Anti-Phishing Working Group, a banking-industry task force.

That helps them convince consumers to divulge account numbers, passwords and other sensitive information in a scam that echoes the "phishing" e-mails that have become common, he said.

Voip industry pioneer Jeff Pulver, whose Free World Dialup service can be used to spoof calls, said he couldn't prevent abuse of his system.

The problem will likely recede as companies like VeriSign Inc. (Nasdaq:VRSN - news) and NeuStar Inc. develop ways to verify online identities, he said: "We're not there yet, but we're going to get there."

//story.news.yahoo.com/news?tmpl=story&cid=581&ncid=581&e=1&u=/nm/20050320/tc_nm/columns_pluggedin_dc

Posts: 196 · Posted: Mon Mar 21, 2005 9:35 am Post subject:

I would hope that if someone is forward thinking enough to use Voip service, that they would also be ordering goods or paying bills via the internet as well over RSS encrypted connections. I never give account numbers over the telephone and I simply don't need to.

Again, I think the whole issue is paranoia more than anything else. If you're that paranoid, don't talk on the phone at all.

People who aren't doing something they shouldn't be doing usually don't worry about who might be listening. If you're a government spook, stick with land lines with Dick Tracy super-secret voice encryption technology.

Posts: 2251 · Posted: Mon Mar 21, 2005 10:48 am Post subject:

talkisfree wrote:

Scam Artists Dial for Dollars on Internet Phones

Sun Mar 20, 9:40 AM ET Technology - Reuters
By Andy Sullivan

WASHINGTON (Reuters) - ...

I think this article was written to confuse the masses, incorporating a number of unrelated issues into one. And for that, job well done Mr Sullivan.

Now can you prove out any of your statements?

Where are these "Scam Artists Dial for Dollars on Internet Phones" from the title?

Posts: 73 · Posted: Fri Mar 25, 2005 9:32 am Post subject:

I haven't logged in for a while, but I decided to look back at my post, and was surprised of the activity. Here are some responses to previous posts. Before anyone takes offence, please keep in mind my goal in this thread was, and still is to educate individuals so they can make their own choices. Voip technology is a great thing; however it comes with its own issues, such as lack of encryption, and lack of ability to transfer phone numbers from your present POTS carrier to the Voip carrier.

talkisfree wrote:

GardRails , you have raised valid concerns. Vonage planners will not be smart to ignore security issue if they intend to grow their business.

Before I came across this forum, I searched the whole Vonage help section but found NOTHING on subjects of privacy and encryption for their Voip service. In the age of ID/credit card thefts that can take years to fix, those who are not concerned about security of their phone transactions are burying their heads in the sand in my view.

As things are, alternative is to keep both POTS and Voip for different uses but that is not cost effective in the end. I'll be inclined to drop my Vonage service if I didn't get satisfactory information about security of calls over Vonage service if it came to choosing between old phone and Vonage.

When I first posted this information, I was ranting about customer care, I had no intentions of posting an abridged SOP (Standard Operating Procedure) on how to collect RTP traffic. After receiving responses which threatened the topic's credibility, I decided to provide the information contained in this thread to validate my position.

As far as Vonage goes, I called them, prior to sending the e-mail to customer support, and asked them flat out, is the system secure. Their customer support rep stated yes, it surely was. I realize the person I was speaking to didn't know really what she was talking about; she was instructed to say these things by management... That type of misdirection by Vonage Management concerns me greatly.

For the record, yes, I still have my Vonage line; I don’t know how long... I should have dropped the *beep* a while ago considering I haven't used it since this post.

kenn10 wrote:

I would hope that if someone is forward thinking enough to use Voip service, that they would also be ordering goods or paying bills via the internet as well over RSS encrypted connections. I never give account numbers over the telephone and I simply don't need to.

Again, I think the whole issue is paranoia more than anything else. If you're that paranoid, don't talk on the phone at all.

People who aren't doing something they shouldn't be doing usually don't worry about who might be listening. If you're a government spook, stick with land lines with Dick Tracy super-secret voice encryption technology.

Kenn10, you're funny. I mean you pretty much represent the majority of Vonage customers that really don’t care about this security mumbo jumbo... I agree, security is a hassle; too much of it, and technology is unusable... too little, and you're exposed to more threats than you could imagine.

I'm sure you've heard of voice recognition technology.... Sprint PCS uses it whenever you dial *2... "...Tell me the option you want..." the automated voice states... Granted it's preprogrammed for select phrases... Oh wait! Could they program something to parse through the audio files to see if an audio signature of "Credit Card" shows up? And if so, could they write, or have someone write code to read the next minute?

Lets see here, in the test that I performed, I guestimated that an active conversation takes up about 1 meg of disk space per minute... that would make recording snippets of information, and reviewing the information that much efficient for the would-be 'evil doer'...

ToddlerTN wrote:

You could listen in on all the calls I make all day long and you'd just be bored as hell. And you wouldn't need to capture my packets and reassemble them to do it. Just pull up with a frequency scanner or even a baby monitor and you'll probably pickup my cordless phone pretty quickly. I'd worry about that before I'd worry about someone grabbing my packets.

ToddlerTN, since you are aware of the things you stated in your post, I'm willing to bet you take care not to talk about financial information over your cordless. In reality, with new security technologies being implemented in cordless phones, I’m sure this isn't as much of a threat as it was five years ago.

My Uncle demonstrated to me once the powers of a scanner... lets just say I was amazed, and concerned...

bbtrumpetguy wrote:

In guardrailz defense, some of us get paid to be that paranoid. It doesn't necessarily mean we won't use the technology (hey, we're here aren't we) but it's something we never lose sight of and it's VERY hard to turn off (not that I would ever want to)!

You're correct, I am paid to be paranoid, and unfortunately it has a tendency to bleed over to the 'off hours' realm of my life. I'm not afraid of technology, and I do realize that from time to time, even a paranoid bastage such as me will slip and provide information over a cordless or Voip phone and mentally chide myself for doing so.

Posts: 34 · Vonage Forum Junior Joined: Feb 07, 2005 Posts: 34

Vonage could take a few simple steps that would improve the security situation.

For example, Vonage could optionally support Xtunnels http://xtunnels.org: connectivity from the subscriber to the Vonage proxy.

Alternatively, they could provide some kind of VPN connection to the Vonage proxy.

This would address the most vulnerable customers on shared LANS, like cable customers and public wi-fi users.

Plus, Vonage to Vonage calls could be encrypted end to end, if Vonage encrypted their backbone links (Internap?)

The PSTN end of calls would still remain in the clear, but the points of vulnerability would be protected.

Failure to match or exceed PSTN privacy levels exposes Vonage to a tremendous risks. Here are a few examples:

* Major incident exposes Voip vulnerability
* Competitors slip in with a superior encrypted service
* PSTN operators attack Vonage as unsafe
* Someone is burned and sues Vonage for damages for wilful negligence for failing to correct a known security vulnerability

Posts: 73 · Posted: Fri Mar 25, 2005 2:25 pm Post subject:

jcmallery wrote:

Vonage could take a few simple steps that would improve the security situation.

For example, Vonage could optionally support Xtunnels http://xtunnels.org: connectivity from the subscriber to the Vonage proxy.

Alternatively, they could provide some kind of VPN connection to the Vonage proxy.

This would address the most vulnerable customers on shared LANS, like cable customers and public wi-fi users.

Plus, Vonage to Vonage calls could be encrypted end to end, if Vonage encrypted their backbone links (Internap?)

The PSTN end of calls would still remain in the clear, but the points of vulnerability would be protected.

Failure to match or exceed PSTN privacy levels exposes Vonage to a tremendous risks. Here are a few examples:

* Major incident exposes Voip vulnerability
* Competitors slip in with a superior encrypted service
* PSTN operators attack Vonage as unsafe
* Someone is burned and sues Vonage for damages for wilful negligence for failing to correct a known security vulnerability

xtunnels sounds very cool, although there's already a technology called srtp, which basically encrypts the rtp traffic. As far as setting up vpn's from customers to their proxy, I'm not sure how well that will fly. It will *HAVE* to be transparent to the user, as in they wouldn't have to fool with it's configuration, and it has to work 'auto-magically' like the service does now (plug and play configuration).

I agree that if Vonage and other Voip companies dont take this issue seriously people will think twice before they transfer from their current POTS system provider

Posts: 482 · Posted: Fri Mar 25, 2005 10:50 pm Post subject:

GardRailz wrote:

I agree that if Vonage and other Voip companies dont take this issue seriously people will think twice before they transfer from their current POTS system provider

Well I couldn't disagree more.

I work with some pretty intelligent people in an extremely technical environment. None of them care about any of this, even the guys with (ISC)² CISSP certs. From a theoretical standpoint I'm sure they'd engage in conversation about it, but half of them are on Vonage and have no concerns.

But even if that market segment were to become utterly horrified by the issues you've raised, what makes you think regular people could possibly care so much that even though they want to switch, they feel they have stick with POTS for security purposes?

They're already closing in on a million customers, and I'd bet you the first 1,000,000 "early adopters" are much more comfortable dealing with and understanding technolological issue than the next 1,000,000 are going to be.

A year or two ago, Vonage was marketing to the tech geeks. Now, Vonage's target audience is the mainstream folks who decide to signup because they can't stop singing "whoo, hoo...some people do stupid things."

Posts: 86 · Posted: Sat Mar 26, 2005 1:40 am Post subject: Anyone taking the time and energy

Anyone taking the time and energy to rebuild and listen to any conversations is : taking too much time and energy.

BTW, anyone can download a sniffer and rebuild a conversation. But why bang your head against a wall if you are getting no response from the company. This should imply two things.

You can do the math and figure out the rest. Or you can take the time and energy to rebuild and listen to any conversations.

Good Luck,
Time and Energy