Security: Lack of response from customercare...

Posts: 482 · Posted: Sun Mar 27, 2005 10:32 pm Post subject:

Really, VoIP is already more secure than POTS in the sense that it's a heck of a lot more difficult and cumbersome to eavesdrop on a conversation with a packet sniffer than it is with alligator clips.

But let me say this...if I want your credit card numbers, there's a bunch of easier ways I can get them...and NONE of them involve tapping your phone.

If I know an employee at Circuit City, Best Buy, etc. then I look up your phone number, check your transaction history and go to town.

How about what's in your mailbox? I'll probably hit your entire street one afternoon if I feel like it.

How about your SSN? It's on that same stack of bills I lifted from you, plus it's on file with every utility in town, your mortgage company, wherever you bought your car, any retail stores where you have credit, any schools you attended...even voter registration is open for public inspection...and with your SSN I can do a full credit check and know more about you than you do.

I can even go old school and watch you swipe your card the next time you buy groceries. Think I can't read it that fast? If that's how I make a living, then you're dead wrong.

And if I do want to get it from your telephone line, I don't bother listening to all your calls or somehow capturing packets. I just call you and get you to tell me. Wink

If you do, then mission accomplished. If you don't, then you wouldn't have given it out over the phone anyway, and I just saved myself the wasted effort of tapping your phone calls.

Posts: 34 · Vonage Forum Junior Joined: Feb 07, 2005 Posts: 34

You can expect Vonage employees to tow the party line.

But, the reality is that Skype is the number one voip provider with over 1 million people logged in to their service at any given time (and upwards of 70 million downloads).

* They are coming out with dial in (currently in beta).

* Their internet traffic is encrypted.

* Their peer-to-peer architecture is more robust in the face of network vagaries, including denial of service.

* They include presence, IM and file transfer already.

The writing is already on the wall, even as Vonage remains in denial about encryption, Skype is busy laying the foundation to eat their lunch with plenty of VC funding.

Skype only needs two more things:

* A good QoS backbone story comparable to Internap (hire Internap?)

* Hardware router/ATA story to support QoS and take OS randomness out of the picture and lower the barrier to entry.

The Skype peer-to-peer architecture is probably not something Vonage can buy. The encryption story should be available, but will probably require some work to phase into a running infrastructure.

BUT, Vonage will soon roll out video call service, and doubtless presence/IM, so this will give Skype something to think about.

It will be interesting to see how this battle of start ups plays out. They are the two most heavily funded VC plays today.

Since Vonage is mostly a marketing operation trying to grow faster than the perceived competition, it will be interesting to see how much Vonage feels it actually needs to invest in infrastructure, QoS, CR, and features to hold on to customers. So far, it seems like they are pretty focused on QoS and their infrastructure seems to perform quite well under tremendous growth, despite occaisional congestion problems and outages.

BTW, you can be sure Vonage will want to poo-poo encryption, because deploying it would cut into the marketing budget....

Posts: 34 · Vonage Forum Junior Joined: Feb 07, 2005 Posts: 34

ToddlerTN wrote:

Really, VoIP is already more secure than POTS in the sense that it's a heck of a lot more difficult and cumbersome to eavesdrop on a conversation with a packet sniffer than it is with alligator clips.

Sowing doubt and confusion...

Do you happen to know how most internet attacks are done?

Someone with a clue writes the tool and puts it out, then 15 year-old script kiddles hammer the unsophisticated computer users (that would be everyone at first approximation).

How many points of lost GNP do you think this accounts for? choices: greater than 1% or less than 1%

You can download automatic crackers for certain encypted wi-fi networks.

So, do you think there isn't already a handy voip sniffer out there we can all download?

Anyway, I can see why Vonage is terrified of this thread...they are busy digging a hole at a rate of 15k subscribers per week....

Maybe about the time of the IPO (later this year?), Vonage can come out with a big encryption marketing hype wave....should help.

Sounds good, hunh, encrypted video calling?

(This forces some peer-to-peer architectural shifts, and will make the service all the better!)

Posts: 11 · Vonage Forum Associate Joined: Mar 26, 2005 Posts: 11

I for one am happy to see this thread. It has seriously changed my views of Vonage. One obvious difference between a POTS line and Vonage, is someone is Russia can't go outside and hook up to a pedestal and listen in on my line. Capturing packets sent via the internet is somewhat easier for anyone on the internet, anywhere in the world. Or am I wrong here???

My biggest concern (thank god I still have my POTS Line) is at work, where we take customers credit card #'s all day long. Many people that sign up for Vonage have business plans and take cc#'s over the phone as well. So technically, your not handing out your credit card numbers, but you aren't being to responsible and protecting your customers privacy & information.

Not to say that encryption is 100%, I have seen many many things that were encrypted get cracked. But at least they could show a little compassion and address users concerns regarding this (big)issue.

If this truly isn't an issue please tell me now, I have only had vonage for about a week now and have been happy in my testing, but I need to know before my 14 day money back guarantee grace period runs out and before I transfer my phone number over.

Posts: 482 · Posted: Mon Mar 28, 2005 1:47 am Post subject:

I'm halfway tempted to give out my IP address and challenge any of you guys to grab a phone call. It's simply not something worth worrying about to me when there are so many other ways to obtain the same information.

Posts: 11 · Vonage Forum Associate Joined: Mar 26, 2005 Posts: 11

ToddlerTN wrote:

I'm halfway tempted to give out my IP address and challenge any of you guys to grab a phone call. It's simply not something worth worrying about to me when there are so many other ways to obtain the same information.

ToddlerTN, so are you saying that in my case I have nothing to worry about? The chance of somebody getting my customers personal information isn't elevated in anyway using VoIP???

Posts: 482 · Posted: Mon Mar 28, 2005 2:06 am Post subject:

Well, tell me this...is your question just an attempt concoct a scenario in which a theoretical vulnerability exists?

You originally said "at work, we take customers' credit card numbers over the phone..." and it sounded like you were using Vonage at home. Now you're asking about the "chance of somebody getting my customers' personal information" if you switch to Vonage. So I can't tell whether you're now implying you own the business and are considering switching your business lines to Vonage, or if you're planning on going home and reading your customers' credit card numbers to someone over the phone.

Posts: 11 · Vonage Forum Associate Joined: Mar 26, 2005 Posts: 11

I am currently testing it at my house and have been happy with the results so far, because of this I was contemplating getting it at work. I was leaning heavily towards getting it for work, but because of this thread I am seriously rethinking it. I am not worried about using it at my house. I very rarely give any of my credit card info out over my home line. I think the possibility of somebody actually capturing packets at the exact moment when I do give it out isn't very likely, you would probably have a better chance of winning the lottery. But at work, I literally take credit card numbers, addresses, names, phone #'s, etc.. all day. If its a 4 hour work day, I probably take info from 16 customers.

Posts: 482 · Posted: Mon Mar 28, 2005 2:32 am Post subject:

Well then I can head you off at the pass on that one, because I wouldn't recommend Vonage for a business anyway at this point. It's just not stable enough yet where I would feel comfortable putting any revenue at stake by relying on Vonage to be the always-on link between my business and prospective customers.

And since you're satisfied with the performance and not worried about this issue at home, I hope that gives you the confidence to go ahead and file your LNP request.

Posts: 432 · Posted: Mon Mar 28, 2005 9:53 am Post subject:

I think this topic is VERY relevant. Yes, someone impersonating a telco employee could stick a butt-set on the J-box down the street. Yes, the waitress could copy your credit card number. Yes, the bank teller might try something sneaky. Everything we do has a threat associated with it-- BUT-- there's a difference with anything Internet based because the attacker does not have to be local to the crime.

A hacker in Russia, China, or even the script kiddie 20 miles away, can compromise a network and install packet capture software. I'm a network engineer by profession, and believe me, I can tell you some horror stories related to security. I once worked at a local ISP, which was run by a "good ole boy" with no formal training. Back in 1996 when people were just realizing the internet existed, he bought a server (for email and www), a modem rack, a router, fractional T1, and called himself an ISP. The modem rack vendor sent an engineer out to get everything installed and configured. Long story short, once his operation grew beyond his ability to manage it, he hired me as his network guy.

There was absolutely NO security whatsoever. No firewall, servers were horribly behind on security patches and nearly all of them were "owned" by hackors using them for every imaginable purpose. My first two weeks on the job was spent solely on cleaning up the nightmare.

My point is, I know for a fact there are ISPs all over the country in similar conditions, limping along with little or no security, and servers that have been "rooted" many times. Any hacker that "owns" a network like this has the ability to scan your phone conversations, just like GardRailz said. What makes it so different is, you will never see this hacker climbing the phone pole in front of your house, you will never hand them your credit card. They sit in near total anonymity, a few miles away, in the next town, the next state, or halfway around the world, and you will never know they exist.

But just because you see them doesn't mean they aren't there.