Stan Beer
Thursday, 17 March 2011 14:06
Privacy International, a self-described human rights advocate, has raised the alarm about what it claims are severe security deficiencies in the massively popular online phone and messaging service Skype. A major concern is the ease with which users can impersonate other users.
With 700 million users worldwide, Skype is arguably the most popular free online phone and chat service on the web. Skype's peer-to-peer network, which uses the power of participating users' computers to scale instead of centralised server farms, has grown at breakneck speed since it was founded in 2003 by the Scandinavian entrepreneurs Niklas Zennström and Janus Friis.
Security has always been somewhat of a sticking point, as Skype users are often bombarded with unsolicited requests to communicate by spammers and other cyber nasties.
Privacy International, however, has raised the security bar to a new level by highlighting the ease with which users can impersonate others on the network by simply assuming their real name.
All users on Skype have a unique username identifier. However, more often than not they do not use this to identify themselves to other users, but use their real name instead.
Thus, a user can simply adopt another user's name and attempt to communicate with that user's friends.
If a user receives a request via Skype to communicate with someone using a familiar name, they have no way of knowing whether that person is an impostor or genuine unless the person is already on their contact list, in which case there is no need to send a request to communicate.
Privacy International has pointed this out as a major security risk in a statement on its site:
"Currently Skype's interface relies on the use of full names on the contact list rather than unique user names, which makes it easy to impersonate other users and introduces substantial security risks. When you create a Skype account, you are asked to register a unique user name and password, in conjunction with an arbitrary profile name. This arbitrary profile name is what appears on your contact list, and permits people to easily impersonate others. Average users are easily tricked as a result. Does Skype intend to remedy this security flaw in its user interface?"
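To make the distinction between the unique username and the arbitrary profile name concrete, here is an added example (not code from Privacy International or Skype) of the check a client could run on an incoming contact request: it trusts only the unique username, and flags a request whose display name matches an existing contact under a different username. The contact list and request values are constructed for illustration.

```python
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class Contact:
    username: str      # unique Skype username: the stable identifier
    display_name: str  # arbitrary, user-chosen profile name


# Constructed sample contact list (hypothetical usernames and names).
CONTACTS = [
    Contact("alice.b.1979", "Alice Brown"),
    Contact("bob_k", "Bob Kim"),
]


def normalize_name(name: str) -> str:
    """Fold case, collapse whitespace and apply NFKC so that trivially
    altered spellings of a display name still compare equal."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())


def assess_request(contacts, req_username, req_display_name):
    """Classify an incoming contact request by its unique username first.

    Returns (verdict, matched_username):
      'known'      - the unique username is already a contact
      'suspicious' - the display name matches an existing contact but the
                     username does not: the pattern an impostor produces
      'unknown'    - neither matches; an ordinary stranger
    """
    by_username = {c.username: c for c in contacts}
    if req_username in by_username:
        return "known", req_username
    wanted = normalize_name(req_display_name)
    for c in contacts:
        if normalize_name(c.display_name) == wanted:
            return "suspicious", c.username
    return "unknown", None


if __name__ == "__main__":
    # Constructed requests: one genuine, one name-only match, one stranger.
    for user, name in [("alice.b.1979", "Alice Brown"),
                       ("live:alice.brown42", "alice  brown"),
                       ("carol99", "Carol Diaz")]:
        print(user, name, "->", assess_request(CONTACTS, user, name))
```

The point of the check is that the display name alone never grants trust; a client that surfaced the "suspicious" verdict would give the user the information the article says they currently lack.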
Another major security issue, according to Privacy International, is the failure of Skype to provide secure downloads of its software using the HTTPS protocol:
"By neglecting to provide HTTPS downloads from skype.com, the company has failed to prevent your download from being tampered with by a third party. China, for example, has been known to produce its own trojan-infected version of Skype, leaving users exposed to interception, impersonation and surveillance (http://books.google.com/books?id=ZojiQG4irWEC). It is impossible to know the extent to which other malevolent actors have done likewise. Why, given that Facebook, GMail and Twitter offer this HTTPS-level of protection, is Skype unprepared to do so?"
A third issue raised by Privacy International involves encryption of Skype voice communications:
"Skype currently uses a VBR audio compression codec which, regardless of how it is encrypted, renders it an extremely specious and vulnerable means of protection. Is Skype aware that recent research (see http://www.cs.unc.edu/~fabian/papers/oakland08.pdf) indicates that this codec allows phrases to be identified with an accuracy of 50-90%, and if so why hasn't the company taken action to remedy this problem? (Note: A codec compresses audio into data for transmission.)"
The privacy watchdog has called on Skype to publicly respond to its concerns, saying that in the interim Skype users remain vulnerable to security threats.
Privacy International's Human Rights and Technology Advisor, Eric King, says: "Skype's misleading security assurances continue to expose users around the world to unnecessary and dangerous risk. It's time for Skype to own up to the reality of its security and to take a leadership position in global communications."
A number of posters have responded in agreement to the concerns raised by Privacy International on its site.