You can take your SIP credentials with you wherever you go, plug them into any VoIP phone or application, and make and receive calls using your SIP identity. Suffice it to say that SIP is pretty powerful. Unfortunately, that means that many stand to gain from SIP identity theft.
Once a person has your SIP identity in hand, he or she can charge up your credit card with a massive number of calls in a surprisingly short period of time, abuse any privileges you have, and receive any calls destined for you. It's a nightmare.
There is no perfect, "bulletproof" system, but there are a few things you can do to decrease the likelihood of this happening to you. For example, did you know that if I can get the IP address of your phone, there's a good chance that I can get your SIP credentials without breaking a sweat?
How can this be so, you ask? It's quite simple, actually: People don't bother to change the passwords to their phone's admin interface.
For example, the admin password for a Polycom phone's admin interface is '456'. This is common knowledge to anyone familiar with the brand. For other brands, it's 'admin' or 'adminpass', and so forth.
It's absolutely imperative that you change your phone admin passwords, especially if you're ever not behind a NAT.
If an attacker gets into your phone's admin interface, it won't matter how strong your SIP password is because some manufacturers will offer up all of your credentials in plain text. And we can't do anything about it.
Please protect yourselves.