
Is encryption the answer to data loss?

Voipfone CEO Colin Duffy thinks not

The TalkTalk hack and subsequent data loss – and to a lesser extent the Vodafone hack only a few days later – bring the issue of data security and telecommunications into the news. In the media, much emphasis has been placed on the use of encryption as a line of defence against data loss. This is only very partially true – encryption is not a panacea.

By the time encryption becomes useful, the system has already been compromised: the data is already lost and can be worked on at the criminal’s leisure, or sold on to more sophisticated criminals with the tools to decrypt it. Encryption is not perfect, and through cryptanalysis it can be broken. For example, knowing that you are looking at a list of tens of thousands of postcodes that are all encrypted with the same key can provide sufficient information to decrypt the entire list. Moreover, the encryption key itself then becomes a prime target for hackers.
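To make the postcode example above concrete, here is an added illustration (not from the original post) using a constructed stand-in cipher: the same key with a fixed nonce gives deterministic ciphertexts whose repeat pattern mirrors the plaintext distribution, while a fresh nonce per record hides it. The cipher, key, nonce length and sample postcodes are all assumptions made for the demonstration.

```python
import hashlib
import os
from collections import Counter
from typing import Dict, List, Optional

# Constructed stand-in cipher for this illustration only: a SHA-256 keystream
# XORed over the plaintext, CTR-style. It is not AES and not a production
# design; it exists to show what changes when one key is used with and
# without a fresh nonce per record.
NONCE_LEN = 12

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext. A fixed nonce reproduces the deterministic
    case from the text: one key and no per-record randomness."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)  # randomised mode: fresh nonce per record
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

# Constructed sample column with a skewed distribution, standing in for the
# "tens of thousands of postcodes" in the text.
POSTCODES = [b"SW1A 1AA"] * 6 + [b"M1 1AE"] * 3 + [b"EH1 1YZ"]

def encrypt_column(key: bytes, nonce: Optional[bytes]) -> List[bytes]:
    return [encrypt(key, pc, nonce) for pc in POSTCODES]

def repeat_histogram(column: List[bytes]) -> List[int]:
    """How often each distinct ciphertext repeats, largest count first.
    Deterministic mode reproduces the plaintext frequencies exactly."""
    return sorted(Counter(column).values(), reverse=True)

def frequency_match(column: List[bytes], public_ranking: List[bytes]) -> Dict[bytes, bytes]:
    """What a leaked ciphertext column gives away without any key: pair the
    most repeated ciphertext with the most common postcode in a public
    ranking, the next with the next, and so on."""
    ranked = [ct for ct, _ in Counter(column).most_common()]
    return dict(zip(ranked, public_ranking))
```

The defender's takeaway is the second mode: randomised encryption makes every stored ciphertext distinct, so the column's frequency profile no longer leaks.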

Encryption is most useful when it is used to protect data in transit over a hostile medium, e.g. when data is exchanged between two parties over the Internet, when a laptop is taken out of the office, or in other situations where physical hardware can be stolen.

But inside private networks it is far less useful. This is because customer data is in constant use by multiple users – for billing, reporting and customer support, and by customers for updates and information. Customer databases need multiple entry points and authorisations for both human and machine access. Encrypted information is decrypted on the fly by the computer which processes it. If the hacker gains access to that computer as a user, the data is automatically decrypted and visible.

Any breach that gives an attacker access to a component, such as remote code execution or login access, would also give them access to the encrypted data and the encryption key. There are very few remote attack forms where encryption would prevent data loss once the hacker has penetrated the system.

In these circumstances, encrypting data adds extra load on processors and systems, adds system and managerial complexity and cost, and mostly does little more than provide a false sense of security. In reality, encryption of data inside networks is of most use not for protecting the data, but for protecting the company from subsequent media accusations of security laxness.

Finally, encryption does not protect against deletion of, or interference with, the database.

For a limited number of risks, data encryption can bring some security value to a system, but for most it has no benefit whatsoever. Therefore it certainly isn’t a replacement for the other security measures – protecting access to systems, minimising SQL injection or code execution vulnerabilities. It has to be considered a last line of defence, added on top of all other reasonable measures.

Colin Duffy

This week of telecoms fraud posts is edited by Manuel Basilavecchia of Netaxis.


VoIP Fraud — Technological Conventionality Achieved

VoIP has reached the mainstream. We know because the fraudsters are coming after us. welcomes VoIP Week guest contributor Colin Duffy, CEO of Voipfone and ITSPA Council member.

VoIP merges two of the largest industries in the world: Telecommunications ($5.0 trillion) and the Internet ($4.2 trillion). It is big business.

Estimates of VoIP market size vary, though they are universally large. For instance, Infonetics Research estimates the global residential and business VoIP market to be worth $64bn in 2014, growing to $88bn in 2018. Visiongain, on the other hand, puts the 2018 value at $76bn. WhichVoIP (Bragg) has it as $82.7bn by 2017, and also claims that VoIP calls account for 34% of global voice traffic – 172bn call minutes. And then there is the United States Federal Communications Commission, which estimates that “In December 2011, there were 107 million end-user switched access lines in service [the USA and …] 37 million interconnected VoIP subscriptions.”

And with opportunity comes the thief:

[Figure: ICT Recent Scenarios (source: Corporate ICT)]

(You have to love that New Scotland Yard hack…)

But it’s not confined to big organisations; perhaps a little closer to home:

“A family-run business says it has ‘nowhere left to turn’ after hackers rigged its telephone system to call premium rate phone numbers — racking up a bill of nearly £6,000. ‘We reported it to the police, but we were told there was very little likelihood of them catching anyone so they wouldn’t be able to investigate’, she added.”

— Lancashire Telegraph

The Communications Fraud Control Association publishes a global fraud loss survey, and in 2013 they estimated that the global telecommunication industry loss to fraud was an enormous $46.3bn, which included:

  • VoIP hacking ($3.6bn),
  • PBX hacking ($4.4bn),
  • Premium Rate Services Fraud ($4.7bn),
  • Subscription Fraud ($5.2bn),
  • International Revenue Share Fraud ($1.8bn).

Over 90% of the telephone companies included in the CFCA’s survey reported that fraud within their company had increased or stayed the same since the last report.

Globally, the top emerging fraud type was identified as International Revenue Share Fraud, with Premium Rate Service Fraud (both international and domestic) also in the top five. Of the top five emerging fraud methods, PBX Hacking was the most important, with VoIP Hacking at number three.

Who’s doing all this is a big and interesting topic, but here’s a starter:

[Figure: Top Ten Countries where fraud … (one visible entry: East Timor). Source: CFCA, Global Fraud Loss Survey, 2013]

What can be done?

Earlier this year a customer of Voiceflex was hacked to the tune of £35,000 when over 10,000 calls were sent to a Polish Premium Service number over a period of 36 hours. The customer refused to pay, which resulted in a court case that the telco lost. Now the industry is looking to its terms and conditions for protection, but it’s clear that this isn’t enough – the cause needs addressing.

The best approach would be to cut off the money supply – if Telcos could withhold payments for known fraudulent calls, the activity would end. But this solution requires changes to inter-operator agreements and cross-jurisdiction interventions.

“We are currently in discussions with our fellow EU regulators about steps that may be taken to address cross-border [Dial Through] fraud and misuse. It is important that companies using VoIP systems take steps to ensure both the physical and technical security of their equipment in order to avoid becoming an ‘easy target’ for this type of criminal activity […] We are approaching the NICC and relevant trade associations to ensure their advice is updated to help businesses better protect themselves against newer types of dial-through fraud that have emerged as technology has developed.”

— Ofcom 2013

For once I agree with Ofcom. The industry needs to work harder at target-hardening. We need to be making this industry safer for our customers.

There’s a lot to be done but a good start is to read and apply the guidance issued by ITSPA – the UK trade organisation for Internet Telcos.

I’m taking a close personal interest in VoIP fraud and security, and I invite anyone who has more information or who wishes to discuss this in more detail to contact me at email

A naive user asked me, ‘why can’t you just make safe telephones?’ Well, why can’t we?


Ten Years of VoIP – Happy Birthday! welcomes VoIP Week guest contributor Colin Duffy, CEO of Voipfone and ITSPA Council member

ITSPA and Voipfone are both 10 years old this year so perhaps it’s a good time to look back at how the industry has developed.

Back in 2004, VoIP was just becoming sexy; Skype had made a big impact on international telephony revenues and was in the public eye — particularly amongst students and those with family overseas. Perhaps more important for the industry in general, though, was the acceptance of two technologies: SIP (Session Initiation Protocol, which has become the international standard for VoIP telephony) and Asterisk (the brilliant open source PBX software that allowed anybody to build a telephone switchboard, either for their own office use or as a Hosted Service Provider). The combination of these two technologies has effectively killed the old TDM-based PBX and is well on the way to killing ISDN circuits.

Of course, VoIP couldn’t have been as successful as it has become if it wasn’t for the growth in broadband provision to home and office. In the early days, ITSPA was concerned that the entire industry would be strangled if the Internet Service Providers blocked VoIP, and net neutrality was a much-discussed issue. As it turned out, ISPs have not stood in the way of VoIP and the two industries have learned to live together fairly peaceably, give or take a few issues surrounding the routers of end-users. Now, the main net neutrality issues concern the mobile networks, some of which are grimly determined to keep VoIP off their networks, despite advertising the Internet as a main selling point. (The Internet minus some of the services that the Internet provides is not, in my view, the Internet; it’s Internet Light.)

We also dealt with VoIP regulation worries. Ofcom seemed determined to treat VoIP as something requiring separate legislation, in a ‘there be dragons’ sort of way, whereas ITSPA took the view that this was not necessary. ITSPA lost that argument, however, and — in one of the strangest of many strange meetings I’ve had with Ofcom — we managed to convince it that VoIP Service Providers needed to provide 999 services. Burning grannies were a big thing at the time…