 PX Eliezer Premium join:2008-08-09 New Jersey
| Customer liability for VoIP fraud
Over in the ViaTalk forum we see this change to VT Terms of Service:
"If you feel that your service has been fraudulently used or stolen, it is your responsibility to notify ViaTalk. Until you notify ViaTalk, you will be liable for all use of our service using a device stolen from you and any stolen, fraudulent, or unauthorized use of our service whether or not it involves a stolen device". (Emphasis added)
How do folks feel about this?
How do the providers like F9 and VOIPo (and others) feel?
This would make me kind of nervous about using VoIP. Are customers expected to constantly check their call logs and balances?
The VoSP should have some monitoring in place to see if an account greatly deviates from previous patterns. |
|
 neftv
join:2000-10-01 Broomall, PA | I think that is common sense here. They shouldn't have to tell you to check your account much less make it a rule.
I quite often check my call logs anyway. |
|
  dcurrey Premium join:2004-06-29
| reply to PX Eliezer I know that Vonage has the same terms. You are responsible until you notify us. Others make no mention of who eats the cost.
But seriously if an ATA is behind a router and not in DMZ chances of it being hacked are slim. Port forwards may allow some access but very limited.
If they have a packet sniffer close to the network they may be able to get credentials that way since some voip companies transmit them in the clear.
Oh and yea, VoIP companies should have some sort of monitoring in place to prevent excess usage. If they allow an account to get $1000 worth of usage, that's the VoIP company's fault for being stupid. |
|
 neftv
join:2000-10-01 Broomall, PA
| said by dcurrey:
"If they have a packet sniffer close to the network they may be able to get credentials that way since some voip companies transmit them in the clear."
THAT is what should be talked about. |
|
 nonymous
join:2003-09-08 Glendale, AZ
| reply to PX Eliezer My take in the other forum is it is not my problem. Now for my example the device is supplied to me and not BYOD. Barring I lose the device or allow others access to it, if someone manages to hack an account that is up to my provider to make it secure. I have no choice in that. Some providers even say to run a device before a router to make it work. Or DMZ it for functionality. If I lose my device or give away my credentials it is my fault. If someone hacks a device supplied to me or my account how is it my fault? I just think this is making the terms way too broad and putting all the risk on the customer. No grey areas, the customer always loses, no risk for the provider, so if there happens to be a security risk later for any devices then the provider is off the hook for everything. Now BYOD can lead to other issues. |
|
 nonymous
join:2003-09-08 Glendale, AZ
| reply to neftv
said by neftv:
"said by dcurrey: 'If they have a packet sniffer close to the network they may be able to get credentials that way since some voip companies transmit them in the clear.' THAT is what should be talked about."
Yep they run that in the clear so it is now my risk not theirs. So my choice would be to not use them anymore if the risk of their own security levels or lack thereof falls on me. So they decide my risk level and I pay for it if they decide wrong, not them. They have no incentive as they now have zero risk. It would be like my bank saying they stopped using vaults and if my money gets stolen so be it. Not their risk, mine. |
|
 josephf
join:2009-04-26 | reply to PX Eliezer Such terms are virtually unenforceable. Even if they successfully bill the customer's credit card, the customer can easily have a charge-back issued against the VoSP. |
|
 Mango toao.net
join:2008-12-25 Vancouver, BC
| reply to PX Eliezer As harsh as it sounds, I have to agree with ViaTalk.
Based on my customers when I used to do rent-a-geek, there are a great deal of people with completely unsecured wireless networks with not even admin passwords on their router. The majority of these people either (a) don't know and don't care or (b) know and still don't care. The smaller portion know and hired me to fix it.
In situations like these it is quite conceivable that SIP credentials could be sniffed. In fact, I hear that even WEP encryption is easyish to hack.
I don't feel nervous about using VoIP. I don't have open ports on my router and its access is disabled unless I'm using it. I don't even use wireless. I use long SIP passwords with a mix of uppercase and lowercase letters and numbers. However, inexperienced monkeys like my customers likely outnumber experienced monkeys like those of us in this forum.
Those of us who pay attention to internet security likely don't have to worry (though I check my CDR every week or two just as a matter of principle). It's those that I described above that the ToS update is for. If someone hacks my device, even if supplied, and I had (example) a completely unsecured wireless router, it's my fault. In this case, I'm asking for trouble.
m. |
|
 trev
join:2009-06-29 Victoria, BC
| reply to PX Eliezer I would find it typical that whoever has possession of the credentials will be liable for the calls. If your ITSP provides the credentials to you, it's your job to make sure they stay safe. You're liable for fraud. If it's a preprovisioned ATA or IP Phone and nobody ever tells you what the credentials are, then it's the ITSP's problem to deal with the fraud. |
|
 nonymous
join:2003-09-08 Glendale, AZ
| reply to PX Eliezer What does a secure network have to do with it? Some VOIP say to run their adapter DMZ or straight to the modem with no blocks. My computer could be a virus infested zombie but if I do not have any password to the VOIP adapter how is my computer a threat? If it is then just connecting to the net is? If my VOIP company has given me an insecure adapter then how is it my responsibility to secure it? If I can not access it I can not mess it up. If my VOIP company has given out an insecure adapter then how is it my fault? I just think this terminology is way too broad and puts everything on the customer. If they chose say 123 as the admin password for themselves to access it over the net, not my fault. Plus as another said how about their end. Not letting a 10,000 bill or whatever just happen. All of a sudden a hardly used account makes huge overseas calls. With modern computers and programming this should be an easy one. Not like they would have to do it by hand. |
|
  dcurrey Premium join:2004-06-29
| reply to neftv
said by neftv:
"said by dcurrey: 'If they have a packet sniffer close to the network they may be able to get credentials that way since some voip companies transmit them in the clear.' THAT is what should be talked about."
Security risk yea. But even in the clear the chances of it being intercepted on the internet are slim to none. This is true with just about anything sent over the internet. Most hacks occur at the server level or on a personal computer. |
|
 nitzan Premium,VIP join:2008-02-27
| reply to PX Eliezer The only time we've had a user with this problem - it wasn't because his ATA was stolen (who steals an ATA anyway?!?) - it was because his Asterisk box had easy passwords and was hacked.
From our perspective - we're not going to "eat" the costs of fraud caused by the customer's negligence. What we did for that user was give him a partial refund - but keep enough to cover our own costs.
In our case though (as opposed to ViaTalk) - our system is prepaid, meaning the above customer only had $30 in his account and lost a grand total of $30. When his balance reached zero - the calls stopped connecting which limited his liability for fraud to the amount of credit he had in his account.
With ViaTalk (for example) however- billing is POST paid which means a customer who gets hacked has no liability limit. The hackers can go on to make thousands of Dollars worth of calls.
I'm not sure if VT has their own monitoring systems to identify and suspend accounts with overusage - but I don't see how they can even attempt to bill someone hundreds or thousands of Dollars. The customer can simply refuse to pay and VT will have a very hard time collecting. |
|
 bbtech6650 Premium join:2004-10-28 Pittsburgh, PA
| reply to Mango
said by Mango:
"As harsh as it sounds, I have to agree with ViaTalk.
Based on my customers when I used to do rent-a-Mango, there are a great deal of people with completely unsecured wireless networks with not even admin passwords on their router. The majority of these people either (a) don't know and don't care or (b) know and still don't care. The smaller portion know and hired me to fix it.
In situations like these it is quite conceivable that SIP credentials could be sniffed. In fact, I hear that even WEP encryption is easyish to hack.
I don't feel nervous about using VoIP. I don't have open ports on my router and its access is disabled unless I'm using it. I don't even use wireless. I use long SIP passwords with a mix of uppercase and lowercase letters and numbers. However, inexperienced monkeys like my customers likely outnumber experienced monkeys like those of us in this forum.
Those of us who pay attention to internet security likely don't have to worry (though I check my CDR every week or two just as a matter of principle). It's those that I described above that the ToS update is for. If someone hacks my device, even if supplied, and I had (example) a completely unsecured wireless router, it's my fault. In this case, I'm asking for trouble.
m."
Fixed it for ya! |
|
 nitzan Premium,VIP join:2008-02-27
| reply to Mango
said by Mango:
"In situations like these it is quite conceivable that SIP credentials could be sniffed. In fact, I hear that even WEP encryption is easyish to hack."
AFAIK, SIP credentials are never presented as plain-text - there is some encryption going on. I am not sure what strength and how easy/hard it would be to hack it though.
Again- 99% of such fraud comes not from stolen SIP credentials - it comes from hacked PBXs. I've heard this story many many times- someone plays with Asterisk, forgets/doesn't know they need to worry about security, gets hacked. |
|
 nonymous
join:2003-09-08 Glendale, AZ
| reply to nitzan
said by nitzan:
"The only time we've had a user with this problem - it wasn't because his ATA was stolen (who steals an ATA anyway?!?) - it was because his Asterisk box had easy passwords and was hacked.
From our perspective - we're not going to "eat" the costs of fraud caused by the customer's negligence. What we did for that user was give him a partial refund - but keep enough to cover our own costs.
In our case though (as opposed to ViaTalk) - our system is prepaid, meaning the above customer only had $30 in his account and lost a grand total of $30. When his balance reached zero - the calls stopped connecting which limited his liability for fraud to the amount of credit he had in his account.
With ViaTalk (for example) however- billing is POST paid which means a customer who gets hacked has no liability limit. The hackers can go on to make thousands of Dollars worth of calls.
I'm not sure if VT has their own monitoring systems to identify and suspend accounts with overusage - but I don't see how they can even attempt to bill someone hundreds or thousands of Dollars. The customer can simply refuse to pay and VT will have a very hard time collecting."
That is the same problem I have with cell phones. A prepaid cell you can not run over even if stolen. A monthly contracted phone you can not put a limit on even if you want to. The companies so much want you to go over they put no stop on it. So a $40,000 cell bill for data can happen. Well it is not prepaid we thought you wanted it. B.S. Call a cell company and say can you limit me to $100 in overages. No can do you want more expensive prepay? The VOIP companies and cell do not want to lazy somethings. Even a credit card has a limit. Plus if they see something odd they stop it before you do sometimes. VOIP and cell could easily do say over $100 overages they shut off anything that costs extra and immediately notify you. Just a random number and with computers a customer could set their own choice from several for usage need and risk. So Viatalk just says oh we thought you wanted a $10,000 dollar bill how could we know. Same way as jerk cell phone companies. Leave doors open and blame the users. I had a cell plan that allowed me to set how much over I could go over a month. Verizon absorbed it. Kept my plan minus the feature. They were not technically able to do it. Technically is saying no they do not want to do it. Viatalk brought out new features all the time. How about a feature that lets the customer set their risk level. I only go over $20 a month my risk level. Shut me off on the extras like international calling and email me if I go over it. A cross between a prepaid and normal account. Nope they want the overages or you can go prepay. Assume the risk we want the overages. |
|
 nitzan Premium,VIP join:2008-02-27
| I totally agree- a company cannot fail to protect you against overages via a cap AND at the same time tell you you're liable for those overages. That's why I love prepaid- there is always a liability limit.
Same as banks and their so-called "overdraft protection" fees. It's a total scam. They want you to overdraft. I tried asking my bank to block and just deny overdraft transactions - they refused to do it. |
|
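The two controls discussed in this thread, a customer-set overage cap that stops paid calls the way a prepaid balance reaching zero does, and provider-side detection of usage far above an account's own history, sketched as an added example that is not part of any post or any provider's system. The CDR records, account names, caps and thresholds are constructed for illustration, and all records are assumed to fall in one billing period.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample call detail records: (account, day, destination, cost_usd).
# "A100" is a quiet line that suddenly places expensive international calls on day 8.
CDRS = (
    [("A100", d, "domestic", 0.10) for d in range(1, 8)]
    + [("A100", 8, "international", 4.00) for _ in range(30)]
    + [("B200", d, "international", 2.00) for d in range(1, 9)]
)
CAPS = {"A100": 20.00, "B200": 50.00}  # customer-chosen caps (hypothetical feature)

def monitor(cdrs, caps, today, k=3.0, min_alert=5.00):
    """Replay CDRs in order, enforce each cap, flag spend far above baseline."""
    daily = defaultdict(lambda: defaultdict(float))  # account -> day -> attempted spend
    billed = defaultdict(float)                      # account -> spend actually allowed
    blocked = defaultdict(int)                       # account -> calls refused at the cap
    for account, day, _dest, cost in cdrs:
        daily[account][day] += cost
        if billed[account] + cost > caps[account]:
            blocked[account] += 1                    # same effect as a prepaid balance at zero
        else:
            billed[account] += cost
    report = {}
    for account, days in daily.items():
        history = [spend for day, spend in days.items() if day < today]
        baseline = mean(history) if history else 0.0
        spread = pstdev(history) if history else 0.0
        # Alert on attempted spend, so a capped account still surfaces for review.
        threshold = max(baseline + k * spread, min_alert)
        report[account] = {
            "billed": round(billed[account], 2),
            "blocked_calls": blocked[account],
            "anomalous": days.get(today, 0.0) > threshold,
        }
    return report

if __name__ == "__main__":
    for account, result in monitor(CDRS, CAPS, today=8).items():
        print(account, result)
```

With the cap in place the constructed A100 account is billed $16.70 instead of the $120.70 attempted, and the anomaly flag gives the provider a reason to contact the customer the same day.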