While there are plenty of legitimate issues surrounding identity on the Internet at large and with VoIP specifically, the Reuters story
Scam Artists Dial for Dollars on Internet Phones by Andy Sullivan gets it wrong on many counts, IMHO.
First, the story repeats the myth that the traditional phone networks are somehow more secure and less vulnerable than the Internet. I won’t even go there.
The statement that “VOIP calls … are vulnerable to the same security problems that plague e-mail and the Web” is just silly. If a VoIP call is being handled by an independent device, such as an ATA or IP phone, it is no more likely to cause a virus than a printer or other networked device on your LAN. If an IP phone ran Windows and used IE and Outlook, then it may be as vulnerable as your computer, but since there are no such phones, this statement is pure FUD, in my opinion.
The article also says “experts at AT&T say VOIP conversations can be monitored or altered by outsiders.” Well, this is technically true, but the same can be said about calls placed over the traditional phone system. The question is whether one kind of call is more likely to be intercepted than another. The assumption is usually that VoIP calls are easier to intercept, but that assumption needs some critical review. It cannot be taken at face value. In my experience, I find that people generally overestimate the difficulty of intercepting traditional calls and underestimate the difficulty, in practice, of intercepting Internet traffic. In general, I’d flag the two as about equal in difficulty. It is far easier to violate the security of a central office than most people think and far more difficult to break into an Internet peering point than most people think. Neither is easy for the casual hacker.
What’s the easiest way to intercept a call? In both the VoIP case and traditional phone system case, it’s at the edges, near the caller or the callee. And in fact, in both cases the easiest techniques are probably similar and low tech, such as a snooper microphone. A call over open Wi-Fi is probably the one case where VoIP is fairly easy to snoop, if you’re within range of the Wi-Fi signal (and the same applies to a plain cordless phone using a cheap Radio Shack scanner). So again, it’s FUD to imply that somehow VoIP inherently makes all your calls available for the world to hear.
Finally, the primary topic of the article, Caller ID spoofing, is not a VoIP problem per se. In fact, flaws in the security model of the traditional phone system are what enable Caller ID spoofing in the first place. One doesn’t need VoIP to enjoy Caller ID spoofing. It is in fact standard PSTN interface signalling that introduces the spoofed Caller ID info into the PSTN, and that can be generated anywhere in the network and it has nothing to do with VoIP.
So where are they getting this misinformation and why are they spreading it? The final paragraph of the article perhaps offers a hint: “the problem will likely recede as companies like VeriSign Inc. and NeuStar Inc. develop ways to verify online identities.”