JimXq
join:2008-08-13
| Security; Would you give out your SSN when using VOIP?
For years I have maintained a POTS line both for backup purposes and so that I can make calls that will contain "sensitive" data like social security numbers (I use a hardwired phone too, no cordless).
Lately I have gone to multiple broadband connections so the "backup purposes" doesn't make as much sense any more (plus I have cell phone). The one remaining issue is a big deal though. I don't care so much about things like credit card numbers but with social security numbers I do worry about people putting in the effort to get them. I know hardlines can be tapped too but there are so many laws in place making that illegal and difficult that it doesn't seem to happen very often. VOIP doesn't have those safeguards and it's already in a form that makes it easy to sniff and process.
Plus E911 service on the hardline but I think that is always available, even without service (ie. it's free).
It's so incredibly rare that I need to do anything that requires this sensitive information. It seems like a waste to maintain a POTS line that I never use. Even though I'm on the absolute cheapest plan, it's still pretty expensive because of the taxes (the taxes are twice as much as the line; sad). What do you do in the VOIP world when you need to do secure stuff? |
|
Lenagainster
join:2005-01-07
Silver Spring, MD
 ·VoicePulse
 ·DIRECTV
·magicjack.com
| Did you know that when you qualify for Medicare, your Medicare ID number is your social security number followed by a letter or two? And every time you go to a doctor or order prescriptions, you give them your "Medicare number"? I don't get Social Security payments b/c I've never worked under SS, so I get a bill or a statement from Medicare once a month that has my "Medicare" number in three places on the bill. If that letter ever gets lost in the mail, my SS number has been compromised.
The idea that your SS number is secure is a joke. I wouldn't let the worry about the relative insecurity of VoIP deter you from freeing yourself of overpriced POTS. There are so many other avenues to steal your identity that the odds of someone tapping into your phone conversation at just the time you are relating your ssn is highly unlikely. |
|
PX Eliezer
Premium
join:2008-08-09
New Jersey
·Callcentric
·Optimum Voice
·callwithus
·voip.ms
| reply to JimXq
I agree with Lenagainster.
It may be a little better to use a US/Canadian Voip provider, but regardless of that, there are far bigger security concerns these days. Your SS # is already all over the place.
I'd be more concerned about having good antivirus, antispyware, firewalls, HIPS, antirootkit, port-closing measures, and other hardening measures, on my computers. |
|
trekologer
join:2005-10-20
Old Bridge, NJ
| reply to JimXq
You do realize that for POTS, all that someone would need to listen into your calls is physical access to the telephone line and, for around 90% of homes that's right on the outside of your house?
The idea that POTS is secure is just plain wrong. |
|
priller
join:2000-10-20
Gainesville, VA
·voip.ms
·Callcentric
·Vonage
·callwithus
| said by trekologer  :You do realize that for POTS, all that someone would need to listen into your calls is physical access to the telephone line and, for around 90% of homes that's right on the outside of your house? Or the pedestal down the street. POTS tapping is literally available to anybody. It would be more difficult to tap VoIP.
|
|
Mango
toao.net
join:2008-12-25
Vancouver, BC
 ·Shaw
·voip.ms
·Callcentric
·LINGO
·Netfone
 ·Digital Voice
| reply to JimXq
trekologer and Priller beat me to it - apparently I'm in a verbose mood, as usual. But I was going to say that tapping into most POTS lines is incredibly easy. For example, at my parents' place, the NID is on the outside wall of their house...and it's even at ground level. In the house where I grew up, the NID was inside, but the phone wires have to come from somewhere. Finding them would require a ladder, but that's about it.
On the other hand, getting into my home network would be somewhat challenging. I wouldn't even know where to start if I wanted to tap a Cable or ADSL connection. I don't use wireless, and my router has a hardware firewall. So, your options for tapping a VoIP call would be:
1) Being actually inside my home and having physical access to my network.
2) Hacking one of my ISP's routers and analyzing the packets, figuring out which belong to me, figuring out which ones are SIP, and decoding them, all without interrupting my conversation.
3) Hacking my VoIP Provider and setting up call recording software that you can access.
I would imagine 1) would be quite difficult to do unnoticed, 2) would be near-impossible, and 3) I sincerely hope improbable.
So I feel quite secure using VoIP.
m. |
|
ptrowski
Got Helix?
Premium
join:2005-03-14
Putnam, CT
clubs: | reply to JimXq
I feel more secure using VoIP as it in my mind is a bit more difficult for someone to access, retrieve and interpret the data stream. |
|
RockyBB
Premium
join:2005-01-31
Longmont, CO
| reply to JimXq
I can't think of a single instance of identity theft reported due to random audio eavesdropping of the general public. There could be few, I just don't remember them. The bulk of identity theft certainly has to due with either luring (persuading someone to reveal info under false pretenses) or invasion (such as hacking unsecured databases of thousands of identities at one time) or careless disposal of personal documents (dumpster diving). There is no rational basis to your fear -- but if you feel more comfortable with that land line, then keep it. Of course, don't use it with a cordless phone, and don't forget to seal up the phone box on the outside of your home.
Keeping the line for E911 purposes is a much more rational justification, especially if you're in a high risk situation (neighborhood, kids, valuables, medical condition, etc.). Don't assume that the E911 would work on a disconnected line that you're not paying for. |
|
rizzo2dial
Premium
join:2004-08-05 | reply to JimXq
Yes, I would be perfectly comfortable giving out YOUR SSN over VoIP!  |
|
jonnyz
Premium
join:2003-03-20
Canfield, OH
clubs: | reply to JimXq
My rule is no sensitive data over ANY phone, period. Anything can be listened in on.
--
Join the RC5 team. |
|
PX Eliezer
Premium
join:2008-08-09
New Jersey
·Callcentric
·Optimum Voice
·callwithus
·voip.ms
| 
Max and The Chief |
said by jonnyz :My rule is no sensitive data over ANY phone, period. Anything can be listened in on. I think that on ebay you can buy this product called "The Cone of Silence". It's regularly $ 99 but on sale it can be had for $ 86. |
|
JimXq
join:2008-08-13
| reply to JimXq
Maybe I'm jaded because I work in the security field.
Although it's very easy to tap POTS lines, it also requires a lot of physical effort. It requires exposing yourself to a good deal of physical risk, either by sneaking around someones house, medaling in phone boxes or lines on the street, breaking into the telephone companies private network, or similar. All very conspicuous and illegal. Then there is the time issue because most likely the information you're looking for isn't going to come right away which means you're physically exposed for a long period of time (either with your physical presence or illegal hardware you have to install). On top of that, even if you manage to physically get on a line you still only have access to one line at a time (or however many limited to the physical hardware you have).
Tapping VOIP is so much easier. Anyone with the skill can do it from their desk. All they need is access to a machine, router, switch, whatever that is somewhere between you and the POTS termination point. That's a lot of places that are exposed and makes it very easy to tap lots of phones simultaneously for long periods of time with very little effort. Plus it's not necessarily illegal to listen in on VOIP calls. If you didn't have to break any laws to get into one of the network hops (say, an owner of the hardware) then you might be able to capture anything you want. Trust me, it's trivial to pull out a VOIP stream.
As for your SSN being all over the place. Well, that might have been the case 10 years ago but nowadays that really isn't true. My drivers license no longer has it, my insurance cards no longer use it, etc. Big companies have spent a lot of money preventing it from getting out so they mush think it's worthwhile to protect it. |
|
garys_2k
join:2004-05-07
Farmington, MI
·Future Nine Corpor..
·Vonage
| said by JimXq :Tapping VOIP is so much easier. Anyone with the skill can do it from their desk. All they need is access to a machine, router, switch, whatever that is somewhere between you and the POTS termination point. I don't think that's true at all for cable Internet subscribers. Once your DOCSIS modem sends out the packets they're encrypted. No easy access anywhere. |
|
pandora
Premium
join:2001-06-01
Outland
·ooma
·Future Nine Corpor..
·Comcast
1 edit |  reply to JimXq
I think there is encryption on the local cable end, on DSL there is a private line to the CO. At some point most VOIP traffic enters internet unencrypted.
I believe there are ATA's and a protocol that uses a public encryption standard for VOIP. I know of no VOIP provider who uses it. Maybe someone on this forum would know of a provider which can support encrypted VOIP.
The only VOIP provider who claims to encrypt everything is Ooma. I'm not even certain about that. It is a claim that has been made by Ooma reps, but never verified by a third party.
--
"People demand freedom of speech as a compensation for the freedom of thought which they seldom use." |
|
JimXq
join:2008-08-13
| reply to garys_2k
said by garys_2k :I don't think that's true at all for cable Internet subscribers. Once your DOCSIS modem sends out the packets they're encrypted. No easy access anywhere.  Nope. That encryption only exists between your cable modem and the cable companies hub. That might prevent your neighbor from sniffing on the physically shared cable line and it might protect your VOIP traffic if your cable company is your VOIP provider (ie. there is nothing outside your cable company between you and the POTS termination) but it doesn't do anything to protect the network traffic once it's routed out across the Internet. |
|
PX Eliezer
Premium
join:2008-08-09
New Jersey
·Callcentric
·Optimum Voice
·callwithus
·voip.ms
| reply to JimXq
said by JimXq :As for your SSN being all over the place. Well, that might have been the case 10 years ago but nowadays that really isn't true. You might want to see this recent FTC report:
»www.ftc.gov/os/2008/12/P075414ssnreport.pdf
From 2004-2007, California was selling SS# of its residents for just 6 dollars online:
»www.californiaprogressreport.com···o_1.html
ABC News 2008:
"Full identities -- including a functioning credit card number, Social Security number or equivalent and a person's name, address and date of birth -- are going for as little as $100 for 50 people, or $2 apiece.
»abcnews.go.com/print?id=4606745
. |
|
JimXq
join:2008-08-13
| I'm not sure if you are arguing against me or with me. All of those are good examples of why it's a good idea to protect your SSN and that other people think so too. Sniffing VOIP traffic for SSN's is exactly how they could in up in the hands of the people selling them for $2. |
|
garys_2k
join:2004-05-07
Farmington, MI
·Future Nine Corpor..
·Vonage
| reply to JimXq
said by JimXq :said by garys_2k :I don't think that's true at all for cable Internet subscribers. Once your DOCSIS modem sends out the packets they're encrypted. No easy access anywhere. Nope. That encryption only exists between your cable modem and the cable companies hub. That might prevent your neighbor from sniffing on the physically shared cable line and it might protect your VOIP traffic if your cable company is your VOIP provider (ie. there is nothing outside your cable company between you and the POTS termination) but it doesn't do anything to protect the network traffic once it's routed out across the Internet. Sure, but just HOW are you going to stealthily install your "router, switch, whatever" into a given ISP's 'net connection? THAT would require "a lot of physical effort. It requires exposing yourself to a good deal of physical risk, either by sneaking around [the ISP's office] or lines on the street, breaking into the [ISP's] private network, or similar. All very conspicuous and illegal."
I maintain that security starts with physical access, and if you're a PI hired by an ex-spouse, you're going to find Joe Blow's POTS connection zillions of times easier to tap than his cable-Internet's VOIP line. |
|
RockyBB
Premium
join:2005-01-31
Longmont, CO
| reply to PX Eliezer
said by PX Eliezer :"Full identities -- including a functioning credit card number, Social Security number or equivalent and a person's name, address and date of birth -- are going for as little as $100 for 50 people, or $2 apiece. » abcnews.go.com/print?id=4606745. Hey get your tootsie-fruitsee! What, you don't you have a code book? |
|
JimXq
join:2008-08-13
1 edit | reply to garys_2k
said by garys_2k :Sure, but just HOW are you going to stealthily install your "router, switch, whatever" into a given ISP's 'net connection? I don't need to install anything. Like I said, all I need to access to an existing one. Keep in mind your Internet traffic is usually passing through a lot more hardware than just your ISP.
Edit:
I maintain that security starts with physical access, and if you're a PI hired by an ex-spouse, you're going to find Joe Blow's POTS connection zillions of times easier to tap than his cable-Internet's VOIP line. That's something different and not what I'm worried about in this case. I'm more worried the operations that collect thousands of identities and sell them for $2 like in the articles above. These aren't targeting individuals, they're just getting what is available. |
|
