A piece of software on your computer or in your new VoIP telephone converts your analogue voice into packets of digital information which are then sent down your internet connection to whomever you are calling. Their software then collects the packets, re-assembles them and converts them into sounds you can hear in your phone. This is called an 'on-net call' because it is VoIP end to end.
If the call goes to a telephone on the old fashioned telephone network - the PSTN - the call is passed from the VoIP provider through a gateway into BT's network and on to the called party. This is called an 'off-net call.'
While all that is happening with your voice, some other stuff is being sent to your VoIP service provider giving him information that he uses for billing and call management purposes & such as who the call is to and how long it lasts.
When someone says 'how secure is VoIP?' you really need to know what he's thinking about. Normally he just means 'is it possible to eavesdrop on my conversation?' And the dead honest answer is 'yes'.
But there's much more to it than that!
In practice the security issues for VoIP users break down into 3 basic areas:
- Can anyone overhear my conversations?
- Are my own networks and computers safe?
- Can someone steal my calls and make me pay for them?
Just like an ordinary phone or mobile, people can physically hear your calls - of course. Most people with mobiles don't appear to care.
If you are concerned that people may be able to hear your conversations or hack into your call remotely by listening in to them it is certainly possible that with the right equipment, a lot of knowledge and a good incentive, that someone may be able to do so; just as it is with both mobile and ordinary PSTN telephony.
However, there are a few things to consider.
Firstly, you need to ask yourself why anyone would be remotely interested in your conversations? Secondly, if you didn't worry about it before, when it was possible for someone to simply put two clips across your telephone wire to listen in, why are you concerned now when it requires a lot more technical ability?
You also need to separate in your mind the difference between a phone call and other pieces of computer information sent down your telephone line. A phone call happens in real time, its start point is unknown before it happens and is gone forever when it's over. Other data, such as emails, are stored in ordered format and can be searched for historically and worked on over time. So phone calls start and finish more securely than most other communication methodologies and don't leave a stored record of their content.
If you are making telephone calls that need to be totally secure from eavesdropping you should use no publicly available telephone service. Or use fully encrypted communication channels. (This is not possible for calls to ordinary landlines telephone and mobiles - it requires point to point encryption using dedicated hardware.)
2. Are my own networks and computers safe from outside attack?
This is possibly a more realistic, though still highly unlikely, threat and it too has to be put in perspective. If you have an 'always on' connection to the internet - which is how broadband works & or a wireless connection and don't have any protection against external intrusion, your computer and network are vulnerable.
Ignorance is the main enemy. Many PCs have no protection at all from attacks from outside but there is no reason why this should be the case. Both Windows 7 and Windows 8 are now equipped with a firewall and there are all sorts of free and paid for Virus and Spyware guards available.
Normally too, and particularly for business use, you will have a router connected to the internet and your PCs and VoIP phones connected to it. You then have a further security feature, a hardware firewall which protects your internal network.
All wireless routers provide encrypted security & it just needs to be turned on!
If these common sense precautions are used, you are perfectly safe from all but the most determined attack, and, please note, this has nothing to do with VoIP; it's just a fact of life if you use the internet for anything at all.
3. Can someone make calls and get them billed to me?
This can only happen if someone gets hold of your password and username and knows their way around your service. They could then use whatever credit was in your account at the time. Just like if you lost your credit card and wrote your PIN on it.
But obviously you would notice very quickly if this was happening.
The solution of course is not to allow anyone access to your username or password. Customer support people never ask by email or anything else for your full password & never disclose it.
There are particular risks introduced when installing local PBX servers such as Asterisk and TrixBox. If these are used, you are strongly advised to employ an experienced network professional as they are increasingly open to external attack if not properly installed and maintained.
Hackers will attempt to get into these new services but they'll start where they can find the most lucrative or high profile challenge. If small businesses and individuals take normal sensible precautions there is no reason to believe that VoIP will create any new or increased threat.
No unsolicited PMs or emails unless you're planning on asking for paid help.