Writing about the problem of VoIP security is kind of like writing about the problem of paying for my five-year old son's college education -- you know it'll be a problem some day, a big one, but right now there are other, more pressing issues to deal with before it gets to that point.
First off, get into the idea of IP call centers at all. If it's not in every home yet it's a far cry from a geek toy. In December 2003, the Minnesota State Department Of Revenue, not exactly confused with Silicon Valley startups when it comes to bleeding edge technology, began rolling out an IP call center system "one floor at a time at its four-story headquarters in St. Paul," according to industry observer Megan Santosus
By March 2004, Santosus writes, "the regional site in Ely was up and running. Today, nearly 1,200 DOR employees have IP-based telephony services, and 300 agents use the new call center system to field taxpayer calls at the two sites." And over the next few months the DOR plans to expand VoIP phone services throughout the DOR's operations by hooking up eight smaller offices.
The department now saves more than $100,000 annually due to reduced long-distance charges and the elimination of individual phone lines for each employee, according to the department's figures, Santosus reports.
And a couple weeks ago mass-marketer Verizon Business added VoIP to its contact center service, IP-enabling its network-based call center services to allow customers to use inbound VoIP calls with local number assignments to replace toll-free calling for customer service, according to industry reports
. Everyone's doing VoIP call center system products.
The reason we're harping on this is that according to industry observer Pedro Pereira
, "fewer than half of U.S. small and midsize businesses have enough confidence in the security of Voice-over-IP systems to invest in the technology, according to a recent survey."
(Bear in mind that these are the same folks 65 percent of whom, told pollsters they trust the security of Ethernet data networks, 76 percent of whom trust the security of traditional telephony systems and 55 percent trust the security of local wireless networks. For some reason VoIP is seen po'ly in comparison.)
Despite recent research indicating two thirds of SMB companies believe VoIP systems might give them a business advantage over competitors, Pereira writes, "the new survey found only 48 percent of small and midsize companies trust the security of IP telephony solutions currently available."
But friends, 'da fact is 'dat VoIP security has not presented a big problem so far, no horror stories making the rounds of companies flushed down the loo due to VoIP security breaches. Granted some think that's about to change as VoIP usage and SIP deployments move into the mainstream, making the technologies attractive targets.
Currently VoIP service provides only basic network-level security functions, leaving both the subscriber and the provider exposed to some risks. Fully authenticated, validated and encrypted subscriber connections and comprehensive application-level perimeter security to defend the service provider's infrastructure are means to address the issue now.
David Endler's a good guy to listen to. He's chairman of the VoIP Security Alliance, and last year told industry observer Eric Parizo
that the most prevalent threats to VoIP are the same threats that endanger the data network, "but in some cases those threats can take on an increased impact."
For instance, Endler says, if a call center is under attack, it may mean that a 911 call is hard to hear because of latency, or might not go through at all: "But over time you'll see attacks specific to VoIP applications, like caller spoofing, toll fraud, call hijacking and call redirection."
So when will this start happening? "As soon as it becomes lucrative to launch those kinds of attacks," Endler says reasonably, similar to what happened in the realm of spyware: "It's become a hugely lucrative enterprise for organized crime, and there are tools and templates for rolling out new threats and convincing people to load malicious apps on the desktop. Eventually, you'll see auto-generated toolkits that let people make free phone calls."
It'll happen. Of course, the odds are good that by then, the security will be available to combat it.
In the meantime, I'll explain to my son that there are many rewarding, fulfilling careers which don't require college educations, and in some of them you even get your name on your shirt. Is that cool or what?