The weakest aspect of Skype's security is that it is possible to log in simultaneously to the same account from more than one machine without being notified. The only thing you can do about this is change your password regularly inside the AES-256 tunnel (on the Skype interface in the software itself), immediately after you have received the new password via the e-mail reset, and then hope that the outside "evil" world has not figured out another way to access your Skype account. The point is that you will never see how many IP addresses (read: eyes and fingers on a computer) are currently logged in to your account.
The reason I am raising this issue is that people ask me whether Skype is safe and how to use it wisely. I want to know for myself too. My general answer is: use it wisely. Trust no one. Nothing on the internet is totally safe anyway, so believing otherwise is a myth. I am not talking about the AES-256 encryption level in Skype; I am talking about other flaws.
So I am testing some basic things, for example simultaneous logon. Keeping it simple, here is the scenario: 2 computers connected to 1 router, which gets a DHCP IP address from my provider. The 2 computers are on a LAN, running Windows XP, both have Skype version 2.0.xx running, and I put both in auto-respond. I want to know which of the two logins (same Skype-ID) is going to take the call.
Current observation is that the two logins (same Skype name) take the call seemingly at random. Even from an external IP address I can see, for a split second, the call ringing on the ghost account when the original account is ringing. That is spooky. Basically the ghost account will miss the incoming call, and that missed call is listed in its history tab. So you know which inbound calls the original account holder received.
The ghost entity has your login (public Skype-ID or e-mail address), so 50 percent of the problem is solved (since it does not need to guess it). Most Skype-IDs are publicly retrievable.
The ghost entity knows where to log in, so 75 percent of the problem is solved (just log in online to the Skype user account, or log on with the Skype client).
The ghost entity knows the format of the first password that is sent to you: 8 alphabetical characters (uppercase/lowercase), so that should not be too difficult to "crack".
So IF the ghost entity has found your password via:
1. guessing
2. brute forcing
3. intercepting
4. simply knowing
5. socially engineering
6. resetting your password via the public https: password reminder of Skype, or by grabbing your e-mail content
THEN the ghost entity could use it to:
a. see all your contacts without you knowing, and see their updates.
b. see and read / follow your chats (incoming / outgoing).
c. see when you receive a phone call.
d. see the incoming file transfer (you cannot receive the file, but you see the filename).
e. develop intercept technology to eavesdrop on the original Skype call.
I also wonder whether a password reset via the public https://secure.skype.com/store/member/login.html?username= will e-mail the password to the other e-mail addresses entered in the Skype alternative e-mail fields. Questions on the e-mail issue are answered here by Skype Support.
So basically, if you got hacked at the POP/SMTP level, you are in trouble. Most users have POP/SMTP e-mail systems.
Risks / Interpretation.
micro-level: somebody around me knows my account.
macro-level: government X wants to eavesdrop; companies can monitor accounts (not eavesdrop), and so can any external entity.
This is as far as I looked, but since calling credit and private and confidential information are sometimes sent over a Skype account, it does look troublesome to have the multiple-login feature present without any notification or traceability. On that level there is no accountability (anybody can create any account at any time, being anybody they want). For example: somebody could actually get hold of a Skype account and just start using the phone credit.
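The missing piece the post keeps coming back to is traceability: nobody, not even the account holder, can see that the same account is active from two places at once. The script below is an added example (not part of the original post and not Skype's own code) of the check a service operator, or a company running Skype through a logging proxy, could run to surface exactly that "ghost login". The log format and all entries are constructed for illustration; Skype 2.x exposed no such log to its users. Sessions are keyed by IP address plus a client identifier, because in the author's own test both machines sit behind one NAT router and would share a single public IP.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real Skype data). One event per line:
#   <ISO timestamp> <LOGIN|LOGOUT> <account> <client IP> <client id>
# "alice" is logged in from a second, unknown machine while her home PC is
# still active; "carol" has two clients behind the same NAT address;
# "bob" simply logs out and back in, which must NOT raise an alert.
SAMPLE_LOG = """\
2006-02-27T08:00:00 LOGIN  alice 203.0.113.10 home-pc
2006-02-27T08:05:00 LOGIN  bob   198.51.100.7 laptop
2006-02-27T08:10:00 LOGIN  alice 192.0.2.44   unknown-pc
2006-02-27T08:20:00 LOGIN  carol 203.0.113.50 pc1
2006-02-27T08:21:00 LOGIN  carol 203.0.113.50 pc2
2006-02-27T08:30:00 LOGOUT alice 203.0.113.10 home-pc
2006-02-27T09:00:00 LOGOUT bob   198.51.100.7 laptop
2006-02-27T09:15:00 LOGIN  bob   198.51.100.7 laptop
"""


def parse_log(text):
    """Turn the text log into (timestamp, event, account, ip, client) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, account, ip, client = line.split()
        events.append((datetime.fromisoformat(ts), event, account, ip, client))
    return events


def find_concurrent_logins(events):
    """Replay the events in time order and report every LOGIN that happens
    while another session for the same account is still active.

    A session is identified by (ip, client id), so two machines behind one
    router are still told apart, while a reconnect from the same machine
    after a LOGOUT is not flagged."""
    active = defaultdict(dict)  # account -> {(ip, client): login time}
    findings = []
    for ts, event, account, ip, client in sorted(events):
        key = (ip, client)
        if event == "LOGIN":
            others = [k for k in active[account] if k != key]
            active[account][key] = ts
            if others:
                findings.append({
                    "account": account,
                    "at": ts,
                    "new": key,
                    "already_active": sorted(others),
                })
        elif event == "LOGOUT":
            active[account].pop(key, None)
    return findings


def affected_accounts(findings):
    """Sorted list of accounts that had at least one overlapping session."""
    return sorted({f["account"] for f in findings})


if __name__ == "__main__":
    for f in find_concurrent_logins(parse_log(SAMPLE_LOG)):
        print(f"{f['at']:%Y-%m-%d %H:%M} {f['account']}: new session from "
              f"{f['new'][0]} ({f['new'][1]}) while still active on "
              f"{', '.join(f'{ip} ({c})' for ip, c in f['already_active'])}")
```

Run on the constructed log this flags alice (second machine on a different IP) and carol (second client behind the same IP) and stays silent for bob. The same replay logic works as an alert rule: emit a notification to the account holder on every finding, which is precisely the notification the post says Skype does not give.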
The distinction between internal and external does not exist anymore (not in this system, meaning that it does not matter where you are when you access this system; anybody can talk to anybody, too). We are all on one happy Skype user cloud. Welcome. Happy and safe Skyping to you all. We have a great (really) p2p cloud, but there are risks too.
Quite a good article and logical analysis. Here's another problem: every so often when making SkypeOut calls you will get an unsolicited feedback request opening your browser. The URL of that feedback is not even SSL, just http, and it contains the telephone number you have just called, along with your Skype ID. Hit send and that is potentially useful information to eavesdroppers.
Posted by: Skype Inside | February 27, 2006 at 06:11 AM
And I hear more and more big (starting from 100 users to 50.000 users) that decide to abandon Skype due to lack of manageability. A very sad and doomed scenario could be lurking around the corner. Skype rang the VoIP bell and woke people up. The viral marketing is great and many users will still join, but something better happen soon in order to address the business markets. Skype is now on the list of allowed but not totally authorized programs due to certain security holes in its setup. Flaws that had better be addressed sooner rather than later.
Posted by: tropicaljantie | February 28, 2006 at 01:40 PM