TMCnet
June 2007
Volume 10 / Number 6
Enterprise View

Sniffers, “Vishers” and Hackers Beware: The Overlooked Aspect of Securing Unified Messaging

By Yaniv Livneh, Enterprise View
 

A significant amount of attention is currently focused on securing VoIP infrastructure. As organizations migrate from traditional PBX systems and face potential sniffers of VoIP traffic, attackers who abuse VoIP system implementation flaws, and attacks against call manager servers, they implement firewalls, token access and encryption protocols. These are, without question, critical concerns and precautions, but they can overshadow another basic and potentially serious security issue, one that actually has a fairly simple solution.

Consider the following voice services scenarios:

  • Organization X begins its implementation of a unified communications solution that includes unified messaging. The organization has always paid considerable attention to its email security policies, but fails to consider the risks of accessing email messages through the voicemail system.
  • Consumer Y receives an email, seemingly from his bank, asking him to call a number to verify his account information. He does, and the automated answering service captures his information: another successful 'vishing' (voice phishing) attack.
  • Business Traveler Z is catching up on some work in an airport lounge before her flight takes off. She makes calls on her laptop softphone, accessing the office PBX. Someone sniffing the IP traffic sees her credentials and begins to make malicious calls, accessing her employer's SIP PBX through his own SIP phone.

All three of these scenarios describe situations that could use additional security. The first two, specifically, rely on the ubiquitous method of DTMF (touchtone) entry of a numeric PIN code to access voicemail, bank/medical information or to make a SIP-based call. This method of entry is ultimately easy to steal and hack.




Voice biometrics, or voice verification, a technology based on identifying and recognizing the uniqueness of an individual's voice pattern, can provide an additional layer of security for voice services vulnerable to an attack. Voice biometrics verifies an identity by matching a live voice with a digitally stored 'voice print' or voice pattern. It functions as a password replacement tool or supplement that includes two steps: registration and authentication. In the registration phase, the system is trained to recognize the unique vocal pattern of an individual. In this stage, the individual is asked to repeat a series of words multiple times. Once the system is trained, the individual is authenticated to access the voice service by using this same series of words. For an additional layer of security, an individual can be asked to repeat back a random set of numbers. This method removes the concern around recording and playback of an individual's voice to gain access.

Now, consider these alternate voice biometric secured scenarios:

  • Organization X, which happens to be a medical institution, is regulated by law with respect to email compliance. While there are currently no government regulations when it comes to voicemail, that does not mean voicemail is not susceptible to hacking. Apart from unified communications, voicemail is still a very important communication tool in any business, not to mention medical, government and financial institutions. Organization X implements voice biometrics in its voicemail system, ensuring that emails accessed through voicemail have the same level of security as when accessed through an email client.
  • Consumer Y has previously set up his voice biometrics secured account through his bank. He knows that unless he is prompted to authenticate himself when accessing bank services he should never give out any personal account information.
  • Business Traveler Z activates her laptop softphone, accessing the office PBX which recognizes her and sends her a challenge question. She successfully authenticates, and she begins making secured calls. While the sniffer still sees her credentials, he has no way of mimicking her voice and cannot gain access to the PBX.

When implementing a voice biometric solution, an organization should examine the False Rejection Rate (FRR), where an individual is not recognized and is therefore unable to gain access to the service, and the extremely critical False Acceptance Rate (FAR), where the wrong person is authenticated and gains access. Other items to examine include scheduling capabilities that enable administrators to set time/date parameters for usage of the system, the capacity for real-time security breach alerts and usage reports, and the ease of integration with the current voicemail solution, including integration with speech recognition for completely hands-free access.
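The FAR/FRR trade-off described above can be measured from trial data before a threshold is deployed. The following is an added example, not code from the article or from any vendor; it assumes the verifier returns a similarity score between 0 and 1 and accepts a caller when the score meets the threshold, and the scores and function names are constructed for illustration.

```python
"""Measure FAR and FRR for a voice-verification threshold (added example)."""

# Constructed trial scores: higher means closer to the enrolled voice print.
# GENUINE  = the enrolled speaker's own attempts.
# IMPOSTOR = attempts by other speakers against that enrollment.
GENUINE = [0.91, 0.88, 0.95, 0.67, 0.83, 0.79, 0.93, 0.58, 0.86, 0.90]
IMPOSTOR = [0.12, 0.35, 0.41, 0.22, 0.63, 0.30, 0.18, 0.71, 0.27, 0.09]


def rates(threshold, genuine, impostor):
    """Return (FAR, FRR) when every score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def pick_threshold(genuine, impostor, max_far):
    """Return (threshold, FAR, FRR) for the lowest threshold with FAR <= max_far.

    FAR can only fall and FRR can only rise as the threshold increases,
    so the lowest threshold that satisfies the FAR cap also gives the
    lowest FRR achievable under that cap.
    """
    # Candidate thresholds: every observed score, plus one value above the
    # maximum so that "reject everyone" (FAR = 0) is always available.
    candidates = sorted(set(genuine) | set(impostor))
    candidates.append(max(candidates) + 0.01)
    for t in candidates:
        far, frr = rates(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    return None  # only reachable for a negative max_far


if __name__ == "__main__":
    # Compare a strict policy (no false accepts) with a looser one.
    for cap in (0.0, 0.1):
        print("max FAR", cap, "->", pick_threshold(GENUINE, IMPOSTOR, cap))
```

On this sample, allowing no false acceptances costs a 20% false rejection rate, while tolerating 10% false acceptances halves the rejections, which is the trade-off to quantify on an organization's own trial recordings.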

Voice biometrics does not have to replace other security mechanisms such as caller ID and PIN codes for accessing voice services. It does, however, add a layer that helps to patch this security hole.

Yaniv Livneh is the CEO of T3 Telecom Software. For more information, visit the company online at http://www.myt3.com.

 



