Protecting your business from Internet phone hackers

Once considered an alternative telephony solution, VoIP (Voice over Internet Protocol) is now a mainstream technology used by an increasing number of businesses due to its superior features and competitive pricing.

However, with VoIP technology comes a far bigger price for your business to pay should your phone solution remain vulnerable to potential security risks from clever Internet hackers.

During the course of a telephone call, sensitive information is often divulged either in spoken voice or in the key tones, known as DTMF tones, used to signal key presses.

This can apply to large corporations through to small businesses including accountants, lawyers, GPs, hospitals, scientific and engineering firms.

Security problems are not only relevant to businesses that take payments over the phone, as most businesses accumulate a raft of confidential information about their customers, employees, products, research and financial status.

If I were to ask any business owner whether they would be concerned about a phone discussion on any of these areas being tapped into, the obvious answer would be 'yes!'

The fact of the matter is, VoIP phone calls can be at high risk of interception, leaving organisations vulnerable to attacks that are not even traceable yet can expose the whole network.

Many business owners do not fully appreciate this risk, having been sold a telephone solution that at first seemed cheaper and superior, but often doesn't have the necessary encryption required to protect from cyber crime.

What's changed?

Until recently, security for VoIP wasn't high on the agenda because most IP voice traffic remained on local and wide area enterprise networks, which were considered more or less secure and protected from the public Internet.

Increasingly, VoIP technology is being used to make and receive telephone calls via external IP networks, which must be considered open or public.

The majority of VoIP traffic over the Internet is unencrypted, making it easier for anyone with network access to listen in on conversations. Eavesdropping on phone calls has become a very real business threat, with a tool now widely available on the Internet that makes it simple for anyone with a little bit of know-how to start capturing voice information.

To put this into context, it could be a member of staff eavesdropping on a call between the Managing Director and Financial Director discussing restructuring and redundancies through to an experienced cyber criminal listening to a credit card number being given over the phone.

Many tactics can be employed to intercept phone calls and there are too many to list here. Today, private lines should not automatically be assumed to be secure, as they are not typically protected by strong encryption.

Safeguard your business

Now more than ever, it's vital to ensure your preferred telephony supplier has the necessary systems in place to counteract cybercrime.

What to look out for:

  • Question your telephony provider about their secure Session Initiation Protocol (SIP) trunking services. A good system should automatically disable non-secure components and protocols so calls are always encrypted.
  • Businesses involved in the transmission or the recording of calls need to ensure their VoIP telephony system is protected as defined by ISO270021. Many regulators or corporate quality procedures now require phone calls to be recorded, which leaves the storage of sensitive information accessible.
  • If cardholder payments are made via the phone, businesses need to ensure they adhere to the Payment Card Industry Data Security Standard (PCI DSS). It is important the connection provided by your VoIP telephony company is encrypted to protect cardholder data.
  • Check if your provider uses Transport Layer Security (TLS) to provide privacy and data integrity between two communicating applications. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping or tampering.
  • Consider adopting direct access circuits that offer no public access and are for use only with your voice traffic. This will ensure your VoIP telephone system is immune from remote access attempts or a cyber criminal's bid to make your service unusable, often referred to as a DDoS or Distributed Denial of Service attack.
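One way to verify the first and fourth checklist items on your own trunk is to inspect a SIP INVITE from your phone system and confirm that both the signalling and the media are encrypted. The sketch below is an added example, not code from this article or from Voip.co.uk; the two messages are constructed samples using example hosts, and the function name is an assumption.

```python
import re

# Constructed sample messages (not captured traffic); hosts are example values.
PLAINTEXT_INVITE = """\
INVITE sip:bob@example.com SIP/2.0
Via: SIP/2.0/UDP pbx.example.net:5060;branch=z9hG4bK776asdhds
Content-Type: application/sdp

v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 101
a=rtpmap:101 telephone-event/8000
"""

ENCRYPTED_INVITE = """\
INVITE sips:bob@example.com SIP/2.0
Via: SIP/2.0/TLS pbx.example.net:5061;branch=z9hG4bK776asdhds
Content-Type: application/sdp

v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:<constructed-key-placeholder>
"""

# SDP media profiles that carry SRTP (SDES or DTLS keyed) instead of plain RTP.
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_invite(raw):
    """Return a list of findings; an empty list means signalling and media are encrypted."""
    head, _, sdp = raw.replace("\r\n", "\n").partition("\n\n")
    # Every hop recorded in a Via header must have used TLS (or secure WebSocket).
    vias = re.findall(r"^(?:Via|v):\s*SIP/2\.0/(\w+)", head, re.M | re.I)
    signalling_ok = bool(vias) and all(t.upper() in ("TLS", "WSS") for t in vias)
    media = re.findall(r"^m=(\w+) \d+(?:/\d+)? (\S+)", sdp, re.M)
    findings = []
    if not signalling_ok:
        findings.append("signalling not on TLS: " + ",".join(vias or ["no Via"]))
    for kind, profile in media:
        if profile not in SECURE_PROFILES:
            findings.append(f"{kind} media uses {profile}: voice and DTMF sent in clear")
    return findings
```

TLS on the signalling alone is not enough: the third case in practice is a TLS trunk that still negotiates `RTP/AVP`, where the call setup is private but the audio and key tones are not.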

There is no question about the benefits of VoIP as a telephone system. It makes perfect business sense to make use of a technology that offers free or very low cost telephone calls, providing that technology is secure. Irrespective of business size or sector, business owners must be aware of the risks presented by today's tech savvy cyber world to guarantee the protection of their company, employees and customers.

At Cyber Security Expo stand A16, Adam Crisp, CTO of Voip.co.uk, will be available with his team to answer all of your telecommunications questions. Voip.co.uk is also launching SIP Encrypt to the security market and is offering significant discounts to Cyber Security Expo visitors.

Adam Crisp is chief technology officer of Voip.co.uk