It seems like every possible attack vector is used these days to gather intel and hack into systems.
Why are we now insisting on using “end-to-end encrypted” calling when doing IT support calls?
When you make or receive a call on a normal phone line, VoIP line or mobile phone, that call is effectively insecure. British Telecom and most other phone providers around the world have now transitioned the majority of analogue landline voice calls to VoIP digital calling. There are hundreds of other VoIP providers in the world, and the majority transmit voice calls without encryption through various networks. Even mobile-to-mobile calls can be intercepted and decoded easily with a fairly cheap bit of kit these days, or recorded at the mobile provider level. An intercept can occur on either side of the call. The call can easily be recorded or stored by the phone provider, with or without your knowledge, for various purposes including call quality recordings, government requirements or simply customer playback. Legally, business call recording in the UK requires consent from both parties before the call is recorded, but that does not generally apply to the service provider themselves or to someone intercepting the call.
An IT support call almost always contains a verbal conversation that includes very sensitive information, passwords and remote access credentials.
This means that the information should be kept absolutely secure, otherwise a data breach could take place.
In fact, any business that handles sensitive information should also comply with these security standards. Lawyers, doctors and financial institutions should be required to ensure a call is encrypted from end to end. It doesn’t help if just one side is secured. These requirements are suggested in most good security standards, but few people follow them as it is possible to get away with it for now.
A standard call on a landline has a reasonable risk of interception from multiple locations, including the local office through a LAN tap, an old insecure bit of office equipment, a weak Wi-Fi password, rogue staff at the internet provider or even your actual phone provider, which employs staff at minimum wage who are selling customer data on the side. It happens far more often than you think.
With this in mind, there is no reason why secure calling is not mandatory, just like two-factor authentication. We all have free access to secure calling and messaging products on the market like WhatsApp Mobile or WhatsApp Desktop, and for the ultimate security we use Signal, which works great on mobile and desktop with great file dropping abilities.