Setting up Secure Phone Conferences
The fundamental security consideration when setting up a phone conference is access control. Since phone conferences are "invitation only" events, a certain level of access control is built into the invitation process itself.
To invite someone to participate in a phone conference, you need to send him or her a dial-in number and an access code for that individual call. No one can enter the phone conference without this information.
It's not uncommon for a company to use the same dial-in number and access code for more than one phone conference. Also, if everyone in the phone conference uses the same access code, then the code tells you nothing about the individual who possesses it. The company CEO has the same access code as a spy from the competition.
To tighten access control, it's smart to assign each invitee a PIN (personal identification number) that's tied to their personal information in the phone conferencing system. This way, when the person logs into the phone conference with their PIN, the moderator knows exactly who has joined the call.
Most phone-conference systems allow the moderator to do a "roll call" of all the people participating in the phone conference. The moderator can do this either by pressing a special number command on his telephone keypad or through a Web interface. None of the other participants in the phone conference will hear the roll call other than the moderator.
Another handy security feature of most phone conferencing services is the ability to lock a conference, blocking any new guests from entering, even if they were invited.
Most phone-conference services also offer the option of using a live operator to assist with the call. For an added layer of security, the operator can greet new callers and ask for their PIN and personal information to see if it checks out with the invitee list. The operator can also introduce each new participant to the group as they enter the call.
For an even higher level of access control, a moderator can choose to dial out to his guests rather than have them dial into a central number. This way, the only people that can participate in the call are those who are contacted by the moderator himself.
For phone conferences that demand the highest levels of security -- like government or military calls -- simple access control won't cut it. Hackers don't have to be logged into the conference to eavesdrop on the conversation elsewhere on the network. To prevent uninvited guests from listening in, it's necessary to encrypt the call.
To do this, all the call participants must have an encryption box installed somewhere between their phone and the PSTN (public switched telephone network) [source: Snapshield]. The boxes use special encryption keys to establish a secure connection between the two phones. Without the right key, no one can listen in on the conversation.
Now let's go over some phone conferencing security tips.