
posted by Fnord666 on Wednesday November 07 2018, @02:23PM
from the believe-it-when-you-see-it dept.

https://www.engadget.com/2018/11/06/fcc-caller-id-authentication-2019/

Even if you don't agree with Ajit Pai's stance on some important issues, you might still want to hear about his latest campaign against robocalls. The FCC chairman has demanded (PDF) the adoption of a robust call authentication system to prevent caller ID spoofing, telling American carriers to implement the technology no later than 2019. Pai has sent letters to the CEOs of 14 voice providers to ask them to conjure up concrete plans to adopt the SHAKEN/STIR framework, which would validate legitimate calls across networks before they reach recipients. That would block spam and scam robocalls from going through, so you don't have to be wary of answering calls anymore.

"Combatting illegal robocalls is our top consumer priority at the FCC. That's why we need call authentication to become a reality -- it's the best way to ensure that consumers can answer their phones with confidence. By this time next year, I expect that consumers will begin to see this on their phones," Pai said in a statement.

He asked the carriers about their implementation plans and warned that if it doesn't seem like the call authentication system is on track to get up and running by 2019, the FCC will take action. Pai didn't elaborate on what the FCC will do, but the agency says it "stands ready to ensure widespread deployment to hit this important technological milestone."



 
  • (Score: 3, Informative) by edIII on Wednesday November 07 2018, @10:18PM (2 children)

    by edIII (791) on Wednesday November 07 2018, @10:18PM (#759175)

    Slow down there! First off, there is the traditional system, PSTN, and the "new hotness", VoIP. Unless you were somebody that could directly tap into the telecom carrier's network with sophisticated knowledge of the SS7 protocols and exploits, you spoof calls with VoIP.

    VoIP cannot really work at all without spoofing. It's fundamental to the system because far enough upstream you have the connection between TCP/IP and the internal SS7 network. To my knowledge, it would not be remotely feasible to have my number directly held there with two wires to connect up to. I say that, because I've been in a datacenter before that did this and I put a dial-up connection on a server with my phone line wires wrapped around posts.

    So it's all just a transition between SIP to SS7, which means the VoIP provider is "spoofing" each and every call, and the target is a gateway.

    The problem is that the ANI system was abandoned, according to people I talked with upstream. I was super aggressive in tracking a call once, and could get nowhere, and that was with me acting as a telecom company, not an end-user. Porting laws have made things even harder, because there is no way to tell if it is correct for a number to be at an exchange now. It's entirely possible to have a New York number assigned to a telecom in SF. Where the VoIP provider connects to the PSTN, there are no separate connections with separate ANI. It's fundamentally a spoof job through a single gateway.

    What is supposed to happen is that the VoIP provider sends accurate Caller ID information (number only), but also flags to indicate if the caller wants it blocked or suppressed. The receiving VoIP provider is still supposed to know exactly where it came from. That shit hardly happens, and there are many different levels of VoIP providers in a maze of middlemen. Tracking it back by IP address may, or may not, help. The name part? Not even fucking transmitted, which makes it a lot of fun to inform VoIP customers why it shows up different to their parents in Vermont. That's kept in an industry group managing a white book. No shit, look it up [opencnam.com]. There is not even a guarantee that everyone is using it, which means the name part is a fucking crap shoot.

    Where you address this is laws and regulations on VoIP providers, and you really need to stick it to them hard. Meaning, FOREIGN traffic has NO EXCEPTIONS TO THE RULES. You think you are being robocalled from within the US? All calls placed should contain Caller ID numbers that are associated with a paying customer. I should not be able to call my grandmother with 666 on the Caller ID, but I used to be able to :)

    That way VoIP can spoof calls all day long, but only while servicing legitimate accounts that prove ownership of the phone numbers being presented to the system. Large VoIP providers are already doing this, all that the FCC is doing is asking that they also implement this new framework for authentication. I haven't seen it, but if it creates an authenticated connection that verifies Caller ID cryptographically with the phone number owner (usually a large telecom like PacWest), that will put a huge dent in Robocalling. They won't be able to spoof numbers, and the numbers they have will become increasingly toxic and present on RBLs and RBL-linked apps like Mr. Number.

    What you want is legal spoofing that puts the screws to even the smallest VoIP provider for violating it. It's usually these "border" companies that are middlemen to the shitheads running the Robocalling centers.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
  • (Score: 2) by bob_super on Wednesday November 07 2018, @10:33PM (1 child)

    by bob_super (1357) on Wednesday November 07 2018, @10:33PM (#759183)

    You're looking at it the wrong way.
    The Telcos can always figure out who to send the phone bill to. If they don't, fat chance your calls will go through for long.
    "I'd like to reach Bill"
    "Sure, I'll connect you as soon as I know I'm getting paid"
    Whoever is authenticated as paying should get their number put on the caller ID, unless they paid extra for the privilege of having the telco display something else, which the telco knows to be legit. If that last part means some minor paperwork, not a big deal for the legal legit users...

    If the Telcos didn't have an incentive to let the calls through (I'd argue their effect of people dropping their landlines is a negative), the problem would be solved in minutes.

    • (Score: 2) by edIII on Wednesday November 07 2018, @11:39PM

      by edIII (791) on Wednesday November 07 2018, @11:39PM (#759216)

      The Telcos can always figure out who to send the phone bill to. If they don't, fat chance your calls will go through for long.

      Wrong. Post-paid is going the way of the dodo bird. So are reverse charges. Unless you are directly inside the PSTN network, shit like reverse charges, collect calls, etc. do not work. You have to configure Asterisk to understand some of the codes, and it does not by default enable or use most of them. As an example, I can tell if it is a public telephone booth from some ANI information, but not who is calling obviously. Most of those carrier features are irrelevant or unneeded in VoIP, and as such, are not implemented. The spoofing is not coming from these networks, but coming from VoIP. VoIP does not send billing data to 3rd parties in case you want to reverse the charges. They're not even set up for that. The most they can possibly do is send accurate Caller ID, and unlikely, but they could work with a company like PacWest to amend the ANI information on the SS7 sessions. Again though, I've heard ANI is broken at least WRT VoIP. They are not setting billing information fields, and their ANI is defaulted.

      Once it reaches the PSTN though, yeah, PacWest knows who to bill.... your VoIP provider. They don't know anything about me, or my account. Just the megacorp sending them traffic on my behalf. How does the VoIP provider know to bill me? It's not an anonymous gateway that I use, but a strongly authenticated endpoint. Every single SIP connection I create contains account information for my endpoint. That way every single call that is made, whether for me, or another end user of the system, is strongly tagged with my account information. My VoIP provider knows exactly who I am, but still only sets Caller ID number. Not name, just number. The billing? All pre-paid coming out of a bucket. They don't just know who to bill, but they get paid beforehand, and take their money literally within milliseconds of owing it.

      Whoever is authenticated as paying should get their number put on the caller ID, unless they paid extra for the privilege of having the telco display something else, which the telco knows to be legit. If that last part means some minor paperwork, not a big deal for the legal legit users...

      No, no extra. As stated above, I'm already strongly authenticated. However, I decide what is in the Caller ID, not them. By default, if not presented, it is the main account DID. That's actually a main number for a telecom. Anything else I want to set is because I either own the number directly with the VoIP provider acting like a registrar. So it is white-listed, but I pick out of it. It would be hard for VoIP providers to white-label services and offer connectivity if they couldn't spoof.

      That last part MUST be direct proof of ownership. If I don't own the number with them, I own it with somebody else. Hence, a bill showing ownership of that DID. Having control over the line is insufficient in and of itself. Paper documentation is mandatory.

      The telcos can't do a damned thing, because again, the information is not there. However, nothing stops them from implementing a white-list and demanding paper documentation from that megacorp VoIP provider too. The big providers are not the problem, but the smaller providers are. Push the white-lists upstream. Where an incentive is required, is getting the traditional telcos (PSTN), to moderate their VoIP customers with the same white-list methodology and insist that the same rules go for all downstream providers. Meaning that fine? From the lowest to the highest, everybody is fined. For the record, that megacorp doesn't actually have all the customer records and paper proof. There is an agreement between me and them that there is, and if there is a complaint of illegal spoofing, I would be required to produce at that time.

      If you pushed the white-listing with heavy penalties and fines for undocumented spoofing from the highest upstream to the lowest downstream, you would stop the illegal spoofing period. Foreign firms wouldn't be able to set just any Caller ID, but could only pick from the DIDs they have registered with a US based VoIP company. Force all foreign entities to use a local US company to forward their traffic into our networks, and you will see the bad behavior largely disappear overnight.

      Of course, white-listing alone will not help us without the creation of RBLs that both end-users and VoIP providers can use to filter bad numbers.

      --
      Technically, lunchtime is at any moment. It's just a wave function.
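
The white-list policy discussed in the thread above (default to the main account DID, allow only Caller IDs with ownership documentation on file, refuse anything else), sketched as an added example that is not part of any commenter's post or any provider's code. The account id, the numbers and the function names are hypothetical; the verdicts "A", "B" and "C" are the SHAKEN framework's full, partial and gateway attestation levels, which the thread itself does not mention.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    main_did: str                                   # default Caller ID
    documented: set = field(default_factory=set)    # DIDs with proof of ownership on file

# Constructed sample account; 555-01xx numbers are reserved for fiction.
ACCOUNTS = {"acct-1001": Account("+14155550100", {"+14155550100", "+12125550123"})}

def normalize(number):
    """Return a US number as +1XXXXXXXXXX, or None if it cannot be one."""
    digits = "".join(c for c in number if c.isdigit())
    if len(digits) == 10:
        digits = "1" + digits
    if len(digits) == 11 and digits.startswith("1"):
        return "+" + digits
    return None

def screen_outbound(account_id, presented=None, strict=True):
    """Decide what Caller ID leaves the provider and how strongly it is vouched for.

    Returns (caller_id, verdict); verdict is "A", "B", "C" or a reject reason.
    """
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        # Traffic from an unauthenticated source: pass the number through
        # but vouch only for the gateway it arrived on.
        return (normalize(presented) if presented else None, "C")
    if not presented:
        return (acct.main_did, "A")        # default: main account DID
    number = normalize(presented)
    if number is None:
        return (None, "reject: malformed")
    if number in acct.documented:
        return (number, "A")               # customer known, number documented
    if strict:
        return (None, "reject: undocumented")
    return (number, "B")                   # customer known, number not verified

if __name__ == "__main__":
    for args in [("acct-1001",), ("acct-1001", "(212) 555-0123"),
                 ("acct-1001", "666"), ("acct-1001", "2025550199"),
                 ("foreign-gw", "2025550199")]:
        print(args, "->", screen_outbound(*args))
```

With `strict=False` the same undocumented number is passed with the weaker "B" verdict instead of being refused, which is the difference between enforcing the white-list at the originating provider and leaving the decision to whoever receives the call.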