Any new technology has bugs in its system to work out, and phone calls that run over the Internet are no exception.

VoIP, or voice-over-Internet protocol, calls can get "spoofed," "SPIT" (spam-over-Internet-telephony), "sniffed" and even stalked by "computer zombies" that hackers control remotely to launch all kinds of attacks. However exotic the language, the logic is clear: These are serious security issues.

The problem is that even the experts don't agree on how to address the challenges.

Take encryption, for instance. The average VoIP subscriber, lured by a price tag that's between 80% and 90% less than a land line, is comforted to hear that his VoIP provider "encrypts," or protects, phone calls.

But while some fully encrypt calls, others don't, says Vincent Weafer, senior director of security response at Symantec (SYMC), the company that created the popular Norton antivirus software. "Everyone I've looked at encrypts at least the initial user-authentication portion of the call, which is the most sensitive data because it contains your user ID and password."

Encryption promises often aren't fully reliable, says Doug Graham, a consultant for BusinessEdge Solutions in East Brunswick, N.J., whose clients include AT&T (T), Verizon Communications (VZ) and Time Warner's (TWX) cable unit.

"Most companies say encryption helps, but once the conversation starts, that conversation is generally not encrypted or protected. Only some companies own the wires end to end, which is why they can't guarantee content remains private," says Graham.

Vonage (VG) spokeswoman Brooke Schultz says encrypting private conversations isn't necessary. "It would be very hard to target into one conversation -- the hacker would have to have access to a network or to a home user's machine."

But that's exactly what they do, say Weafer and Graham. Special software can eavesdrop, intercept and interrupt your calls, says Weafer. If you leave your computer unprotected and a hacker steals your user ID and password, he can start to "impersonate you and make calls in your name." VoIP attacks range from the merely mischievous (calls that "spoof," or pretend, to be you) to the malicious (calls that redirect financial transactions to a third party).

"A likely scenario is a virus that comes into a computer via email or Instant Messaging, or into high-risk adware/spyware via Web downloads," says Weafer. "Once infected, that virus can send the user ID and password in the VoIP system back to the attacker to enable them to impersonate you or place calls on your account."

"Tapping into somebody's data stream is not as easy as you think, but it's easier than a land line," says Graham. "The attacker doesn't have to have proximity to the victim, they're looking for patterns to exploit, such as transactions using Social Security numbers. It's not hard to write software that can do a more sophisticated form of wiretapping than we're familiar with."

By the time you realize there's a problem, unfortunately, the damage will be done, and there's nowhere to turn to for help. The Federal Communications Commission regulates the telecommunications industry, but not yet Internet-based phone services.

Growing Threat

Recently, two hackers rerouted 500,000 calls from 15 VoIP phone providers and billed them to Net2Phone, a small provider in Newark, N.J., and a unit of IDT (IDT), by probing weak spots in these networks to steal calls.

Cyber crooks can easily steal data, says Graham. "They pick specific 'exploits' -- say, transactions with Social Security numbers or a banking transaction -- and they scan very widely. They go after the vulnerability in the network, not the person."

"Vulnerability" is hardly the word that Vonage, eBay's (EBAY) Skype Technologies, AT&T and other phone providers want to hear as they initiate, or expand, VoIP services.

VoIP usage is growing rapidly, making it unlikely that hacker attacks will go away. Research firm Telegeography estimates that by the end of 2010, nearly 25 million customers will use phone services that run over high-speed Internet connections. The same feature that makes VoIP attractive to consumers -- it's easy to use -- makes it valuable to criminals, too.

Become a Security Specialist

Weafer and Graham say it's wise to do the following to protect yourself:

  • Install good security software. Packages with antivirus software, a personal firewall and intrusion prevention can help prevent hackers from attacking your VoIP connection. They also watch for unauthorized leakage of sensitive information via channels, such as email, that might contain your user ID or account information, says Weafer.
  • Change passwords regularly. For sensitive financial information, Graham recommends using the financial institution's Web site, not VoIP. "The institutions will have better authentication, and the process is encrypted, or protected, from end to end," he says.
  • Choose a known VoIP provider. "Go for a brand -- don't go walking down the dark alleys of the Internet," says Weafer. Graham suggests asking if the provider has control of the traffic between you and the phone company.
  • Invest in more encryption protection. Some providers offer full encryption, but "none may offer the level of encryption you might like," says Graham. He recommends a program called Zfone, which encrypts conversations from end to end.
  • Create your own "disaster recovery" security plan and make sure you have an alternative contact, such as a cell phone or land line. Small businesses should have an 800 number in case of emergency, and home users can ask their VoIP provider to forward calls to an alternative number.
  • Master these basic practices because more creative attacks are coming. "I predict we'll soon be seeing 'double confirmation' calls," says Weafer. He expects that VoIP hackers will mix email "phishing" with an anonymous phone caller pretending to be your financial institution. Some also may create "SPIT."

    Hackers can also simply pretend to be you. "With a traditional phone, I have to break into your house to impersonate you," says Weafer. "With VoIP, I just have to tap into your phone line."

    Dorianne Perrucci has been helping consumers dig into personal finance since 1998, when she reported for Jane Bryant Quinn's groundbreaking columns in The Washington Post and Good Housekeeping. Since 2001, she has written for Newsweek, The New York Times and Consumer Reports, among others.