Vulnerability Of Web Phone Service to Fraud
By Dionne Searcey and Shawn Young
The Wall Street Journal
Thursday, June 8, 2006
The rise of Internet calling, hailed for its ability to
bring consumers inexpensive phone service, is providing an
opportunity for hackers, mischief makers and scam artists.
Yesterday, federal authorities arrested the head of two
small Miami telecom companies, as well as a Spokane, Wash.,
computer programmer, for hacking into the networks of as
many as 15 other Internet phone providers to fraudulently
route customers' calls, according to a federal complaint
filed in New Jersey.
The telecom company's owner, Edwin Andres Pena, spearheaded
a scheme that scanned the networks of unsuspecting
companies, searching for weak spots to exploit and use to
route his own customers' calls, the government alleges. He
then billed a Newark, N.J., Internet telephone company for
more than 500,000 unauthorized calls that he had sold to his
customers at deeply discounted rates, the complaint said.
Robert Moore, of Spokane, helped Mr. Pena hack into routers
to disguise the calls' origins. Mr. Pena collected more than
$1 million in connection fees and used the money to buy a
motor boat, luxury cars and Miami real estate, according to
"Emerging technologies and the Internet represent a sea of
opportunity for business but also for sophisticated
criminals," New Jersey's U.S. attorney, Christopher J.
Christie, said in a prepared statement. "The challenge...is
to stay ahead of the cybercriminal and protect legitimate
Neither Mr. Pena nor Mr. Moore could be immediately reached
The Newark telecom company, Net2Phone Inc., a unit of
IDT Corp., is a relatively small telecom provider with
roughly 100,000 U.S. customers and hundreds of thousands
more overseas, but large firms are also vulnerable to
similar fraud, security experts say. They say the incident
could open the floodgates for further mischief -- ranging
from tapping in to calls and voice mail to theft of call
records -- because it shows that hackers can crack the
systems of Internet-based phone service, known as VOIP for
voice over Internet protocol. Net2Phone didn't return calls
The case comes at an inopportune time for VOIP providers.
Vonage Holdings Corp. have fallen 29% since its initial
public offering of stock last week, and technology experts
are raising more alarms than ever about the security of VOIP.
a related article on consumers' frustration with lack of
regulation of Web-based phone services.)
Hackers are often drawn to big targets, and VOIP is getting
EBay Inc.'s Skype Technologies Inc., which is available
around the world, has 75 million users. Vonage, which has a
phone subscription service, has roughly 1.6 million paying
users. Cable companies also are rolling out phone service
that runs on Internet technology, as are several traditional
phone companies, including
AT&T Inc. In the U.S., analysts estimate that by 2009
about 20 million households will have at least one phone
connected to a VOIP service.
While VOIP calls are free or cost a fraction of traditional
phone service, there is a price: "You're creating a
connection between your phone and the Internet," says
Vincent Weafer, senior director of security response at
Symantec Corp., a specialist in cybersecurity. That
means the household phone can suddenly be vulnerable to the
glitches and chicanery of the online world.
Vonage encrypts the beginnings and ends of calls, when calls
are admitted onto the network, but it doesn't encode voice
conversations, a company spokeswoman says.
Internet crises can be paralyzing enough without crashing
phone systems. In 2003, the Slammer worm affected an
emergency-dispatch system near Seattle that served two
police departments and 14 fire departments. Because the
conventional phone network wasn't harmed by the worm,
operators were able to get calls, but the computerized
system they used to dispatch help was linked to servers that
were disrupted by the worm. For more than eight hours,
operators resorted to pencil and paper to run their dispatch
system. After the attack, local officials vowed to look for
ways to further isolate their systems from the Internet.
But consumers and businesses are hurtling in the other
direction, toward using the Internet for phone service. Many
experts predict that within the year, there will be a
widespread instance of SPIT, which stands for spam over
Internet technology, or a use of Internet-based calling
technology to produce floods of bogus calls and messages.
Experts also fear phone connections could be used to steal
identities, alter messages, crash computers or paralyze
online phone services. Security experts at companies and
universities are mobilizing to identify and address
weaknesses before they affect users.
But the users themselves are part of the problem. "The user
is the wild card. The carrier can do everything right, and
if you leave your system vulnerable, it's all a waste," says
Symantec's Mr. Weafer.
From his home in downtown Omaha, Mike Hrabik, chief
technology officer of Soluntionary Inc., a cybersecurity
company, usually has the option of tapping into the wireless
home networks of at least 15 neighbors and using their
Internet connections. It wouldn't be a stretch for an
invader to hack in and help himself to a neighbor's VOIP
service, he says.
The damage could go far beyond freeloading. Hackers could
use their victims' phones to send SPIT to other victims or
to commit crimes, as they already do with email. About two
years ago, Mr. Hrabik's company worked on a case in which
someone was sending threatening messages to police using an
unwitting stranger's email. The villain, who was relaying
messages through a string of remotely controlled puppet
computers, was never caught.
Doug Graham, a consultant at BusinessEdge Solutions Inc. who
has worked with large phone and cable companies on Internet
phone security issues, said the industry is just now waking
up to the importance of securing VOIP networks. "I think
there's been an avoidance of the security issue because we
haven't yet seen a major predator or a huge denial of
service attack," he says. AT&T,
Verizon Communications Inc., and
Time Warner Inc.'s cable unit, all of which have VOIP
offerings, are among Mr. Graham's clients.
"A lot of the infrastructure out there has not been properly
secured," Mr. Graham says. "People are rushing to get VOIP
solutions out there, and in many cases aren't taking the
extra steps to get them secured."
In the most recent case, Mr. Pena and Mr. Moore were
allegedly able to obtain the "prefixes," or proprietary
codes that are established by telecom companies to accept
calls for routing. Using a method called "brute force," they
flooded VOIP telecom providers with test calls, each
carrying a different prefix, until they found a match,
according to the complaint.
Mr. Pena allegedly also hacked into the router of a hedge
fund in Rye Brook, N.Y., so that customers' VOIP calls could
be sent through it to disguise their origin, making it
appear the hedge fund had initiated the calls. From the
hedge fund's router, Mr. Pena sent the calls through the
networks of VOIP providers, including the Newark VOIP
company, authorities said.
Mr. Pena started soliciting customers for two of his telecom
companies as early as November 2004, offering them wholesale
purchase of VOIP minutes for as low as four-tenths of a cent
per minute. He ended up selling more than 10 million minutes
but didn't have to pay for calls because he routed them by
hacking into Internet phone providers, the complaint
The VOIP providers couldn't identify where the calls were
coming from, but they all racked up charges of about
--Amol Sharma contributed to this article.
Write to Dionne Searcey at
email@example.com and Shawn Young at