Mailing List Archive

Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC
On Thu, 2019-07-11 at 11:59 -0400, Paul Timmins wrote:
> Chris it would be trivial for this to be fixed, nearly overnight, by
> creating some liability on the part of carriers for illicit use of
> caller ID data on behalf of their customers.

This 1000%. Once legal liability is in place, the carriers themselves
will come up with the most effective and efficient solutions to solve
the problem.

> But the carriers don't want that,

And the legislators are in the pockets of Corporate America so nothing
will happen.

b.
Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC
On Thu, Jul 11, 2019 at 12:00 PM Paul Timmins <paul@telcodata.us> wrote:
>
> Chris it would be trivial for this to be fixed, nearly overnight, by
> creating some liability on the part of carriers for illicit use of
> caller ID data on behalf of their customers.

'illicit use of caller id' - how is caller-id being illicitly used though?
I don't think it's against the law to say a different 'callerid' in the call
session, practically every actual call center does this, right?

> But the carriers don't want that, so now we have to create tons of
> technical half solutions to solve a problem that would be neatly solved
> by carriers.

logs analysis and 'netflow' (CDR trolling, really) would be nearly free for
them, implementing actions based on the data / outcomes of that
analysis at near-real-time would also be nearly free...

but sure, we can do a bunch of this other stuff too... My sort of solution
has actually got proven track record though?

-chris

> On 7/11/19 12:09 AM, Christopher Morrow wrote:
> > There seem like a bunch of pretty simple 'correlations' one could
> > make, that actually look a heck of a lot like 'netflow/log analysis
> > for ddos detection':
> > o is this trunk sourcing calls to 'too many' of my subs in period-of-time-X
> > o is this trunk sourcing calls from a low distribution of ANI but
> > a different distribution of CallerID
> > o is this trunk sourcing calls from unmatched (as a percent of
> > total) ANI/CallerID
> >
> > I would think you could make similar correlations across the
> > destinations on your phone-network:
> > o Is there one ANI or CallerID talking to 'all' (a bunch, more
> > than X of type Y customer end point) of my endpoints?
> > o are there implausible callerid being used? (lots of 'NPA-NXX
> > matches destination, yet from a very different geography?)
RE: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC
On Thursday, 11 July, 2019 11:18, Christopher Morrow <morrowc.lists@gmail.com> wrote:

>On Thu, Jul 11, 2019 at 12:00 PM Paul Timmins <paul@telcodata.us> wrote:

>> Chris it would be trivial for this to be fixed, nearly overnight,
>> by creating some liability on the part of carriers for illicit use of
>> caller ID data on behalf of their customers.

>'illicit use of caller id' - how is caller-id being illicitly used
>though?
>I don't think it's against the law to say a different 'callerid' in
>the call session, practically every actual call center does this, right?

The problem is that CallerID is not really the CallerID. It is some fraudulent shit created by the caller. This is not how "CallerID" was originally sold. It was sold as being the ID of the Caller. If it is not the ID of the Caller then Fraud is being committed and the bastards should be castrated (or worse), and the CEO and Directors of the carrier responsible for fraud getting through to the end-user should face the same penalty.

See then how quickly this gets fixed. You will fall off your chair and it will be a "solved problem" before your arse hits the ground!

--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC
So I have a meta-question about all of this. Why in 2019 are we still
using telephone numbers as the primary identifier? It's a pretty sip-py
world these days, even on mobile phones with wifi calling, I assume. It
seems like this problem would be more tractable if callerid was a last
resort rather than a first resort.

Mike


On 7/11/19 10:18 AM, Christopher Morrow wrote:
> On Thu, Jul 11, 2019 at 12:00 PM Paul Timmins <paul@telcodata.us> wrote:
>> Chris it would be trivial for this to be fixed, nearly overnight, by
>> creating some liability on the part of carriers for illicit use of
>> caller ID data on behalf of their customers.
> 'illicit use of caller id' - how is caller-id being illicitly used though?
> I don't think it's against the law to say a different 'callerid' in the call
> session, practically every actual call center does this, right?
>
>> But the carriers don't want that, so now we have to create tons of
>> technical half solutions to solve a problem that would be neatly solved
>> by carriers.
> logs analysis and 'netflow' (CDR trolling, really) would be nearly free for
> them, implementing actions based on the data / outcomes of that
> analysis at near-real-time would also be nearly free...
>
> but sure, we can do a bunch of this other stuff too... My sort of solution
> has actually got proven track record though?
>
> -chris
>
>> On 7/11/19 12:09 AM, Christopher Morrow wrote:
>>> There seem like a bunch of pretty simple 'correlations' one could
>>> make, that actually look a heck of a lot like 'netflow/log analysis
>>> for ddos detection':
>>> o is this trunk sourcing calls to 'too many' of my subs in period-of-time-X
>>> o is this trunk sourcing calls from a low distribution of ANI but
>>> a different distribution of CallerID
>>> o is this trunk sourcing calls from unmatched (as a percent of
>>> total) ANI/CallerID
>>>
>>> I would think you could make similar correlations across the
>>> destinations on your phone-network:
>>> o Is there one ANI or CallerID talking to 'all' (a bunch, more
>>> than X of type Y customer end point) of my endpoints?
>>> o are there implausible callerid being used? (lots of 'NPA-NXX
>>> matches destination, yet from a very different geography?)
Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC
What if you use different carriers for termination and origination? How
does your termination carrier validate that your origination carrier has
allocated certain numbers to you and that you're therefore allowed to make
outbound calls with a caller ID set to those numbers? That doesn't sound to
me like something that can be solved as quickly and easily as you imply.

On Thu, Jul 11, 2019, 2:33 PM Keith Medcalf <kmedcalf@dessus.com> wrote:

>
> On Thursday, 11 July, 2019 11:18, Christopher Morrow <
> morrowc.lists@gmail.com> wrote:
>
> >On Thu, Jul 11, 2019 at 12:00 PM Paul Timmins <paul@telcodata.us> wrote:
>
> >> Chris it would be trivial for this to be fixed, nearly overnight,
> >> by creating some liability on the part of carriers for illicit use of
> >> caller ID data on behalf of their customers.
>
> >'illicit use of caller id' - how is caller-id being illicitly used
> >though?
> >I don't think it's against the law to say a different 'callerid' in
> >the call session, practically every actual call center does this, right?
>
> The problem is that CallerID is not really the CallerID. It is some
> fraudulent shit created by the caller. This is not how "CallerID" was
> originally sold. It was sold as being the ID of the Caller. If it is not
> the ID of the Caller then Fraud is being committed and the bastards should
> be castrated (or worse), and the CEO and Directors of the carrier
> responsible for fraud getting through to the end-user should face the same
> penalty.
>
> See then how quickly this gets fixed. You will fall off your chair and it
> will be a "solved problem" before your arse hits the ground!
>
> --
> The fact that there's a Highway to Hell but only a Stairway to Heaven says
> a lot about anticipated traffic volume.
>
>
>
>
>
RE: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC
On Thursday, 11 July, 2019 12:38, Ross Tajvar <ross@tajvar.io> wrote:

>What if you use different carriers for termination and origination?
>How does your termination carrier validate that your origination
>carrier has allocated certain numbers to you and that you're
>therefore allowed to make outbound calls with a caller ID set to
>those numbers? That doesn't sound to me like something that can be
>solved as quickly and easily as you imply.

It does not really matter. What matters is that they bear responsibility for an act in furtherance of a conspiracy to commit fraud.

--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.


>
>On Thu, Jul 11, 2019, 2:33 PM Keith Medcalf <kmedcalf@dessus.com>
>wrote:
>
>
>
> On Thursday, 11 July, 2019 11:18, Christopher Morrow
><morrowc.lists@gmail.com> wrote:
>
> >On Thu, Jul 11, 2019 at 12:00 PM Paul Timmins
><paul@telcodata.us> wrote:
>
> >> Chris it would be trivial for this to be fixed, nearly
>overnight,
> >> by creating some liability on the part of carriers for
>illicit use of
> >> caller ID data on behalf of their customers.
>
> >'illicit use of caller id' - how is caller-id being illicitly
>used
> >though?
> >I don't think it's against the law to say a different
>'callerid' in
> >the call session, practically every actual call center does
>this, right?
>
> The problem is that CallerID is not really the CallerID. It is
>some fraudulent shit created by the caller. This is not how
>"CallerID" was originally sold. It was sold as being the ID of the
>Caller. If it is not the ID of the Caller then Fraud is being
>committed and the bastards should be castrated (or worse), and the
>CEO and Directors of the carrier responsible for fraud getting
>through to the end-user should face the same penalty.
>
> See then how quickly this gets fixed. You will fall off your
>chair and it will be a "solved problem" before your arse hits the
>ground!
>
> --
> The fact that there's a Highway to Hell but only a Stairway to
>Heaven says a lot about anticipated traffic volume.
>
>
>
>
>
Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC
Well yeah, people need to take responsibility, but IMO we as engineers need
to discuss the specific circumstances and methodologies that enable that to
happen. It's easy to say "they should fix it", and you're not wrong that
they should, but how? Do you have a validation framework in mind which
carriers can implement that prevents fraudulent caller ID information from
being sent without preventing legitimate use cases?

On Thu, Jul 11, 2019, 2:46 PM Keith Medcalf <kmedcalf@dessus.com> wrote:

>
> On Thursday, 11 July, 2019 12:38, Ross Tajvar <ross@tajvar.io> wrote:
>
> >What if you use different carriers for termination and origination?
> >How does your termination carrier validate that your origination
> >carrier has allocated certain numbers to you and that you're
> >therefore allowed to make outbound calls with a caller ID set to
> >those numbers? That doesn't sound to me like something that can be
> >solved as quickly and easily as you imply.
>
> It does not really matter. What matters is that they bear responsibility
> for an act in furtherance of a conspiracy to commit fraud.
>
> --
> The fact that there's a Highway to Hell but only a Stairway to Heaven says
> a lot about anticipated traffic volume.
>
>
> >
> >On Thu, Jul 11, 2019, 2:33 PM Keith Medcalf <kmedcalf@dessus.com>
> >wrote:
> >
> >
> >
> > On Thursday, 11 July, 2019 11:18, Christopher Morrow
> ><morrowc.lists@gmail.com> wrote:
> >
> > >On Thu, Jul 11, 2019 at 12:00 PM Paul Timmins
> ><paul@telcodata.us> wrote:
> >
> > >> Chris it would be trivial for this to be fixed, nearly
> >overnight,
> > >> by creating some liability on the part of carriers for
> >illicit use of
> > >> caller ID data on behalf of their customers.
> >
> > >'illicit use of caller id' - how is caller-id being illicitly
> >used
> > >though?
> > >I don't think it's against the law to say a different
> >'callerid' in
> > >the call session, practically every actual call center does
> >this, right?
> >
> > The problem is that CallerID is not really the CallerID. It is
> >some fraudulent shit created by the caller. This is not how
> >"CallerID" was originally sold. It was sold as being the ID of the
> >Caller. If it is not the ID of the Caller then Fraud is being
> >committed and the bastards should be castrated (or worse), and the
> >CEO and Directors of the carrier responsible for fraud getting
> >through to the end-user should face the same penalty.
> >
> > See then how quickly this gets fixed. You will fall off your
> >chair and it will be a "solved problem" before your arse hits the
> >ground!
> >
> > --
> > The fact that there's a Highway to Hell but only a Stairway to
> >Heaven says a lot about anticipated traffic volume.
> >
> >
> >
> >
> >
>
>
>
>
>
Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC
On Thu, 11 Jul 2019, Ross Tajvar wrote:

> What if you use different carriers for termination and origination? How
> does your termination carrier validate that your origination carrier has
> allocated certain numbers to you and that you're therefore allowed to make
> outbound calls with a caller ID set to those numbers? That doesn't sound to
> me like something that can be solved as quickly and easily as you imply.

I attended the first panel at the FCC and Scott Mullen, CTO at Bandwidth,
was the only one that brought up issues that are not addressed by
implementing STIR/SHAKEN.

1. There's no delegation -- there is no standardized means of telling
anyone who is the End User of a specific TN.

2. Self-signed certs are being used so far, which means that you need
to establish trust in a full mesh in order for STIR/SHAKEN to be of any
value. Not feasible, definitely fragile. This could be addressed
using a Public Cert Authority.

3. Relies 100% on your trust of the initial carrier to properly set the
Attestation level on the call.

4. Does not cover if the call is received with a STIR/SHAKEN header to
a termination provider with Full Attestation that turns out to be a
lie.

5. Does not actually verify that the CallerID is really the EU
generating the call. For Wireless Carriers it can, since calls are
both received and placed by the same carrier in most cases, but what
about roaming? Is Three UK going to implement STIR/SHAKEN or will it
occur at Verizon's edge? How do any of us know that the Identity:
header was added at the first point of origin?

All STIR/SHAKEN is doing is adding an Identity: header to the SIP payload
that one can use to verify that a carrier signed the call at some point.
Some carriers may be trustworthy, some may blindly add Full Attestation
for a termination customer that has a nice mix of legit and spoofed calls.

There is still no connection between the End User of a phone number and
the call itself. And there's no way for me as a carrier to check to see if
a phone number should only originate from specific networks or not. Even
if it is signed, I know nothing more than I do now about the legitimacy of
the call.

Argh.

Beckman
---------------------------------------------------------------------------
Peter Beckman Internet Guy
beckman@angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
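
An added example, not part of the original post: it decodes a constructed SHAKEN Identity: header and runs the claim checks a terminating carrier can make from the token alone. The claim names follow RFC 8225 and RFC 8588; the numbers, certificate URL, origid and 60-second freshness window are assumptions, and the ES256 signature is filler that is not verified here.

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_sample_identity() -> str:
    """Constructed sample header value; the signature bytes are filler."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.org/sp.pem"}      # hypothetical URL
    claims = {"attest": "A",
              "dest": {"tn": ["12025550123"]},
              "iat": 1562860800,                              # constructed timestamp
              "orig": {"tn": "12025550100"},
              "origid": "00000000-0000-4000-8000-000000000000"}
    token = ".".join([
        b64url(json.dumps(header, separators=(",", ":")).encode()),
        b64url(json.dumps(claims, separators=(",", ":")).encode()),
        b64url(b"\x00" * 64),
    ])
    return f"{token};info=<{header['x5u']}>;alg=ES256;ppt=shaken"


def parse_identity(value: str) -> dict:
    """Split the header value into PASSporT token and parameters, decode both."""
    token, *params = [p.strip() for p in value.split(";")]
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    info = next((p[len("info="):].strip("<>") for p in params
                 if p.startswith("info=")), None)
    return {
        "alg": header.get("alg"),
        "ppt": header.get("ppt"),
        "signer_cert_url": header.get("x5u"),
        "info": info,
        "attest": claims.get("attest"),
        "orig_tn": claims.get("orig", {}).get("tn"),
        "dest_tns": claims.get("dest", {}).get("tn", []),
        "iat": claims.get("iat"),
        "origid": claims.get("origid"),
    }


def claim_checks(ident: dict, from_tn: str, to_tn: str, now: int,
                 max_age_s: int = 60) -> list:
    """Checks possible without trusting anyone beyond the signer."""
    problems = []
    if ident["alg"] != "ES256" or ident["ppt"] != "shaken":
        problems.append("not an ES256 SHAKEN PASSporT")
    if ident["info"] != ident["signer_cert_url"]:
        problems.append("info parameter does not match x5u")
    if ident["attest"] not in ("A", "B", "C"):
        problems.append("unknown attestation level")
    if ident["orig_tn"] != from_tn:
        problems.append("orig.tn does not match the From number")
    if to_tn not in ident["dest_tns"]:
        problems.append("dest.tn does not match the To number")
    if abs(now - ident["iat"]) > max_age_s:
        problems.append("iat outside freshness window")
    return problems


if __name__ == "__main__":
    ident = parse_identity(build_sample_identity())
    # Everything the token asserts: signer, attestation, numbers, time, origid.
    # Nothing in it names the end user or the networks allowed to use the TN.
    for key, value in ident.items():
        print(f"{key:16} {value}")
    print(claim_checks(ident, "12025550100", "12025550123", now=1562860810))
```

Even with a valid signature, the decoded fields stop at the signing carrier and its self-assigned attestation level, which is the gap points 1, 3 and 5 describe.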
Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC
Pretty simply - Sending caller ID to commit fraud. It's literally
already illegal. The legislature has already defined it for us, even.

47 USC 227

https://www.law.cornell.edu/uscode/text/47/227

(B)
to initiate any telephone call to any residential telephone line using
an artificial or prerecorded voice to deliver a message without the
prior express consent of the called party, unless the call is initiated
for emergency purposes, is made solely pursuant to the collection of a
debt owed to or guaranteed by the United States, or is exempted by rule
or order by the Commission under paragraph (2)(B);

(e)(1) In general

It shall be unlawful for any person within the United States, in
connection with any telecommunications service or IP-enabled voice
service, to cause any caller identification service to knowingly
transmit misleading or inaccurate caller identification information
with the intent to defraud, cause harm, or wrongfully obtain anything
of value, unless such transmission is exempted pursuant to paragraph
(3)(B).

All I'm asking is to make the carrier liable if it should have been
obvious to a carrier using basic traffic analysis that the service was a
robocaller (low answer rates combined with tons of source numbers,
especially situations where the source and destination number share the
first 6 digits) that the carrier be liable for failing to look into it.

Carriers already look at things like short duration in order to assess
higher charges, and already investigate call center traffic. If they
then look at the caller ID and it looks "suspect", and the customer then
is contacted and barred from sending arbitrary caller ID until they can
verify they own the numbers they're calling from, then they're good to go.

If the carrier continues to just ensure that call center traffic is a
revenue stream they can bill higher without making sure they're
outpulsing valid numbers, then they should absorb the social costs of
what's going on.

Let's not get this confused - this isn't about customer PBXen outpulsing
forwarded calls when they do it, it's about people shooting millions of
calls a month, the carrier hitting them with short duration charges,
making more money, and having zero incentive to question the arrangement.

-Paul

On 7/11/19 1:18 PM, Christopher Morrow wrote:
> 'illicit use of caller id' - how is caller-id being illicitly used though?
> I don't think it's against the law to say a different 'callerid' in the call
> session, practically every actual call center does this, right?
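
An added example, not part of the original messages: the per-trunk CDR correlations discussed in this thread (low answer rate, many caller IDs behind few ANIs, caller ID sharing the destination's first six digits, short answered calls) computed over constructed records. The CDR fields, trunk names, numbers and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CDR:
    trunk: str       # customer trunk the call arrived on
    ani: str         # billing number signalled on the trunk
    caller_id: str   # number presented to the called party
    dest: str        # called number
    answered: bool
    duration_s: int


# Assumed thresholds, for illustration only; a carrier would tune them.
THRESHOLDS = {
    "min_calls": 100,            # too little traffic to judge below this
    "max_answer_rate": 0.20,     # "low answer rates"
    "min_ids_per_ani": 20,       # "tons of source numbers" behind few ANIs
    "min_neighbor_ratio": 0.50,  # caller ID shares first 6 digits with dest
    "min_short_ratio": 0.50,     # share of answered calls that are short
}
SHORT_CALL_S = 6  # assumed "short duration" cut-off


def npa_nxx(tn: str) -> str:
    """First six digits of a 10-digit NANP number."""
    return tn[-10:][:6]


def trunk_stats(cdrs):
    by_trunk = defaultdict(list)
    for c in cdrs:
        by_trunk[c.trunk].append(c)
    stats = {}
    for trunk, calls in by_trunk.items():
        n = len(calls)
        answered = [c for c in calls if c.answered]
        stats[trunk] = {
            "calls": n,
            "answer_rate": len(answered) / n,
            "ids_per_ani": len({c.caller_id for c in calls}) / len({c.ani for c in calls}),
            "mismatch_ratio": sum(c.ani != c.caller_id for c in calls) / n,
            "neighbor_ratio": sum(npa_nxx(c.caller_id) == npa_nxx(c.dest) for c in calls) / n,
            "short_ratio": sum(c.duration_s < SHORT_CALL_S for c in answered) / max(len(answered), 1),
        }
    return stats


def review_reasons(s, t=THRESHOLDS):
    """ANI/caller ID mismatch alone is not a reason: call centers do it too."""
    if s["calls"] < t["min_calls"]:
        return []
    reasons = []
    if s["answer_rate"] <= t["max_answer_rate"]:
        reasons.append("low answer rate")
    if s["ids_per_ani"] >= t["min_ids_per_ani"]:
        reasons.append("many caller IDs per ANI")
    if s["neighbor_ratio"] >= t["min_neighbor_ratio"]:
        reasons.append("caller ID matches destination NPA-NXX")
    if s["short_ratio"] >= t["min_short_ratio"]:
        reasons.append("mostly short answered calls")
    return reasons


def trunks_to_review(cdrs, min_reasons=2):
    flagged = {}
    for trunk, s in trunk_stats(cdrs).items():
        reasons = review_reasons(s)
        if len(reasons) >= min_reasons:
            flagged[trunk] = reasons
    return flagged


def sample_cdrs():
    """Constructed records: one ordinary call center, one suspect trunk."""
    cdrs = []
    npas = ["202", "312", "415", "617"]
    for i in range(200):
        dest = f"{npas[i % 4]}555{i:04d}"
        # Call center: one ANI, one published caller ID, 4 in 5 calls answered.
        cdrs.append(CDR("trunk-callcenter", "7035550100", "8005550199",
                        dest, i % 5 != 0, 180))
        # Suspect: two ANIs, a new caller ID per call in the destination's
        # NPA-NXX, 1 in 10 calls answered, each lasting four seconds.
        spoofed = f"{dest[:6]}{(i + 1000) % 10000:04d}"
        cdrs.append(CDR("trunk-suspect", f"703555010{1 + i % 2}", spoofed,
                        dest, i % 10 == 0, 4))
    return cdrs


if __name__ == "__main__":
    for trunk, reasons in trunks_to_review(sample_cdrs()).items():
        print(trunk, "->", "; ".join(reasons))
```

The call center trunk has a 100% ANI/caller ID mismatch and is still not flagged, which is why the mismatch ratio is reported but not used as a reason on its own.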
RE: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC
Not my job.

However, if you hire me I am sure that I can come up with a solution.

Since retirement my rates have dropped to $1,000/hour with a 4 hour minimum. Payable in advance since you probably have no established credit with me.

--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.


>-----Original Message-----
>From: Ross Tajvar [mailto:ross@tajvar.io]
>Sent: Thursday, 11 July, 2019 12:54
>To: Keith Medcalf
>Cc: Christopher Morrow; North American Network Operators' Group
>Subject: Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC
>
>Well yeah, people need to take responsibility, but IMO we as
>engineers need to discuss the specific circumstances and
>methodologies that enable that to happen. It's easy to say "they
>should fix it", and you're not wrong that they should, but how? Do
>you have a validation framework in mind which carriers can implement
>that prevents fraudulent caller ID information from being sent
>without preventing legitimate use cases?
>
>On Thu, Jul 11, 2019, 2:46 PM Keith Medcalf <kmedcalf@dessus.com>
>wrote:
>
>
>
> On Thursday, 11 July, 2019 12:38, Ross Tajvar <ross@tajvar.io>
>wrote:
>
> >What if you use different carriers for termination and
>origination?
> >How does your termination carrier validate that your
>origination
> >carrier has allocated certain numbers to you and that you're
> >therefore allowed to make outbound calls with a caller ID set
>to
> >those numbers? That doesn't sound to me like something that can
>be
> >solved as quickly and easily as you imply.
>
> It does not really matter. What matters is that they bear
>responsibility for an act in furtherance of a conspiracy to commit
>fraud.
>
> --
> The fact that there's a Highway to Hell but only a Stairway to
>Heaven says a lot about anticipated traffic volume.
>
>
> >
> >On Thu, Jul 11, 2019, 2:33 PM Keith Medcalf
><kmedcalf@dessus.com>
> >wrote:
> >
> >
> >
> > On Thursday, 11 July, 2019 11:18, Christopher Morrow
> ><morrowc.lists@gmail.com> wrote:
> >
> > >On Thu, Jul 11, 2019 at 12:00 PM Paul Timmins
> ><paul@telcodata.us> wrote:
> >
> > >> Chris it would be trivial for this to be fixed,
>nearly
> >overnight,
> > >> by creating some liability on the part of carriers
>for
> >illicit use of
> > >> caller ID data on behalf of their customers.
> >
> > >'illicit use of caller id' - how is caller-id being
>illicitly
> >used
> > >though?
> > >I don't think it's against the law to say a different
> >'callerid' in
> > >the call session, practically every actual call center
>does
> >this, right?
> >
> > The problem is that CallerID is not really the CallerID.
>It is
> >some fraudulent shit created by the caller. This is not how
> >"CallerID" was originally sold. It was sold as being the ID of
>the
> >Caller. If it is not the ID of the Caller then Fraud is being
> >committed and the bastards should be castrated (or worse), and
>the
> >CEO and Directors of the carrier responsible for fraud getting
> >through to the end-user should face the same penalty.
> >
> > See then how quickly this gets fixed. You will fall off
>your
> >chair and it will be a "solved problem" before your arse hits
>the
> >ground!
> >
> > --
> > The fact that there's a Highway to Hell but only a
>Stairway to
> >Heaven says a lot about anticipated traffic volume.
> >
> >
> >
> >
> >
>
>
>
>
>
Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC
On Thu, Jul 11, 2019 at 2:31 PM Keith Medcalf <kmedcalf@dessus.com> wrote:
>
>
> On Thursday, 11 July, 2019 11:18, Christopher Morrow <morrowc.lists@gmail.com> wrote:
>
> >On Thu, Jul 11, 2019 at 12:00 PM Paul Timmins <paul@telcodata.us> wrote:
>
> >> Chris it would be trivial for this to be fixed, nearly overnight,
> >> by creating some liability on the part of carriers for illicit use of
> >> caller ID data on behalf of their customers.
>
> >'illicit use of caller id' - how is caller-id being illicitly used
> >though?
> >I don't think it's against the law to say a different 'callerid' in
> >the call session, practically every actual call center does this, right?
>
> The problem is that CallerID is not really the CallerID. It is some fraudulent shit created by the caller. This is not how "CallerID" was originally sold. It was sold as being the ID of the Caller. If it is not the ID of the Caller then Fraud is being committed and the bastards should be castrated (or worse), and the CEO and Directors of the carrier responsible for fraud getting through to the end-user should face the same penalty.
>

This is why I said ANI in one of my messages, yes.
you CAN, however, in the network see the callerid, and ANI and tell
what's going on...
(credit where due: a kind caller noted to me:
https://www.law.cornell.edu/uscode/text/18/1028
which may make the use of 'someone else's' callerid by 'me' illegal)

-chris

>
> See then how quickly this gets fixed. You will fall off your chair and it will be a "solved problem" before your arse hits the ground!
>
> --
> The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
>
>
>
>
RE: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC
On Thu, 11 Jul 2019, Keith Medcalf wrote:

> On Thursday, 11 July, 2019 12:38, Ross Tajvar <ross@tajvar.io> wrote:
>
>> What if you use different carriers for termination and origination?
>> How does your termination carrier validate that your origination
>> carrier has allocated certain numbers to you and that you're
>> therefore allowed to make outbound calls with a caller ID set to
>> those numbers? That doesn't sound to me like something that can be
>> solved as quickly and easily as you imply.
>
> It does not really matter. What matters is that they bear responsibility
> for an act in furtherance of a conspiracy to commit fraud.

Fraud means you'll need to know the content of the call to determine if
the spoofing of the CallerID value meets the bar of breaking the law.

Truth in CallerID Act is only violated if there is intent to defraud when
the CallerID is spoofed. If you spoof CallerID and do not know the content
of the call, you cannot know if the Act was violated.

And we don't want to get into the business of monitoring the content of
phone calls. That opens legal floodgates.

If someone complains, at least you have some recourse. But you have that
today. And by the time someone complains and you trace the call back to a
source in the US (if you can, a woman from AT&T said a "traceback" now
takes days instead of months, still too slow to take any real action), you
find out it originated outside the US and you have a dead end.

Traceroute for Calls would be nice... each hop adds its own header, kind
of like the "Received:" header that exists multiple times in an email.

Beckman
---------------------------------------------------------------------------
Peter Beckman Internet Guy
beckman@angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC
On Thu, Jul 11, 2019 at 2:35 PM Michael Thomas <mike@mtcc.com> wrote:
>
> So I have a meta-question about all of this. Why in 2019 are we still
> using telephone numbers as the primary identifier? It's a pretty sip-py
> world these days, even on mobile phones with wifi calling, I assume. It
> seems like this problem would be more tractable if callerid was a last
> resort rather than a first resort.

yes! I bet that if you provided some form of 'identity' to the caller
and permitted the callee to verify that data upon call setup... you'd
get further along.
there could even be an ecosystem of services which callees could
subscribe to in order to report reputation and have that be used to
influence call completions over time...

if only there were such systems in existence already... if only some
form of proof of concept existed?

> Mike
>
>
> On 7/11/19 10:18 AM, Christopher Morrow wrote:
> > On Thu, Jul 11, 2019 at 12:00 PM Paul Timmins <paul@telcodata.us> wrote:
> >> Chris it would be trivial for this to be fixed, nearly overnight, by
> >> creating some liability on the part of carriers for illicit use of
> >> caller ID data on behalf of their customers.
> > 'illicit use of caller id' - how is caller-id being illicitly used though?
> > I don't think it's against the law to say a different 'callerid' in the call
> > session, practically every actual call center does this, right?
> >
> >> But the carriers don't want that, so now we have to create tons of
> >> technical half solutions to solve a problem that would be neatly solved
> >> by carriers.
> > logs analysis and 'netflow' (CDR trolling, really) would be nearly free for
> > them, implementing actions based on the data / outcomes of that
> > analysis at near-real-time would also be nearly free...
> >
> > but sure, we can do a bunch of this other stuff too... My sort of solution
> > has actually got proven track record though?
> >
> > -chris
> >
> >> On 7/11/19 12:09 AM, Christopher Morrow wrote:
> >>> There seem like a bunch of pretty simple 'correlations' one could
> >>> make, that actually look a heck of a lot like 'netflow/log analysis
> >>> for ddos detection':
> >>> o is this trunk sourcing calls to 'too many' of my subs in period-of-time-X
> >>> o is this trunk sourcing calls from a low distribution of ANI but
> >>> a different distribution of CallerID
> >>> o is this trunk sourcing calls from unmatched (as a percent of
> >>> total) ANI/CallerID
> >>>
> >>> I would think you could make similar correlations across the
> >>> destinations on your phone-network:
> >>> o Is there one ANI or CallerID talking to 'all' (a bunch, more
> >>> than X of type Y customer end point) of my endpoints?
> >>> o are there implausible callerid being used? (lots of 'NPA-NXX
> >>> matches destination, yet from a very different geography?)
Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC
"with the intent to defraud, cause harm, or wrongfully obtain anything of
value"

Kind of a huge hole that, unless you record all calls which opens other
liability, is hard to prove.

Beckman

On Thu, 11 Jul 2019, Paul Timmins wrote:

> Pretty simply - Sending caller ID to commit fraud. It's literally already
> illegal. The legislature has already defined it for us, even.
>
> 47 USC 227
>
> https://www.law.cornell.edu/uscode/text/47/227
>
> (B)
> to initiate any telephone call to any residential telephone line using an
> artificial or prerecorded voice to deliver a message without the prior
> express consent of the called party, unless the call is initiated for
> emergency purposes, is made solely pursuant to the collection of a debt owed
> to or guaranteed by the United States, or is exempted by rule or order by
> the Commission under paragraph (2)(B);
>
> (e)(1) In general
>
> It shall be unlawful for any person within the United States, in connection
> with any telecommunications service or IP-enabled voice service, to cause
> any caller identification service to knowingly transmit misleading or
> inaccurate caller identification information with the intent to defraud,
> cause harm, or wrongfully obtain anything of value, unless such transmission
> is exempted pursuant to paragraph (3)(B).
>
> All I'm asking is to make the carrier liable if it should have been obvious
> to a carrier using basic traffic analysis that the service was a robocaller
> (low answer rates combined with tons of source numbers, especially situations
> where the source and destination number share the first 6 digits) that the
> carrier be liable for failing to look into it.
>
> Carriers already look at things like short duration in order to assess higher
> charges, and already investigate call center traffic. If they then look at
> the caller ID and it looks "suspect", and the customer then is contacted and
> barred from sending arbitrary caller ID until they can verify they own the
> numbers they're calling from, then they're good to go.
>
> If the carrier continues to just ensure that call center traffic is a revenue
> stream they can bill higher without making sure they're outpulsing valid
> numbers, then they should absorb the social costs of what's going on.
>
> Let's not get this confused - this isn't about customer PBXen outpulsing
> forwarded calls when they do it, it's about people shooting millions of calls
> a month, the carrier hitting them with short duration charges, making more
> money, and having zero incentive to question the arrangement.
>
> -Paul
>
> On 7/11/19 1:18 PM, Christopher Morrow wrote:
>> 'illicit use of caller id' - how is caller-id being illicitly used though?
>> I don't think it's against the law to say a different 'callerid' in the
>> call
>> session, practically every actual call center does this, right?
>

---------------------------------------------------------------------------
Peter Beckman Internet Guy
beckman@angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC [ In reply to ]
On Thu, Jul 11, 2019 at 3:04 PM Peter Beckman <beckman@angryox.com> wrote:
>
> "with the intent to defraud, cause harm, or wrongfully obtain anything of
> value"
>
> Kind of a huge hole that, unless you record all calls which opens other
> liability, is hard to prove.
>

I'm not sure that the cited code works for this case, agreed.
I'm also not a lawyer :)
I'm a chemical engineer.

> Beckman
>
> On Thu, 11 Jul 2019, Paul Timmins wrote:
>
> > Pretty simply - Sending caller ID to commit fraud. It's literally already
> > illegal. The legislature has already defined it for us, even.
> >
> > 47 USC 227
> >
> > https://www.law.cornell.edu/uscode/text/47/227
> >
> > (B)
> > to initiate any telephone call to any residential telephone line using an
> > artificial or prerecorded voice to deliver a message without the prior
> > express consent of the called party, unless the call is initiated for
> > emergency purposes, is made solely pursuant to the collection of a debt owed
> > to or guaranteed by the United States
> > <https://www.law.cornell.edu/uscode/text/47/227>, or is exempted by rule or
> > order by the Commission <https://www.law.cornell.edu/uscode/text/47/227> under
> > paragraph (2)(B);
> >
> > (e)(1) In general
> >
> > It shall be unlawful for any person
> > <https://www.law.cornell.edu/uscode/text/47/227> within the United States
> > <https://www.law.cornell.edu/uscode/text/47/227>, in connection with any
> > telecommunications service <https://www.law.cornell.edu/uscode/text/47/227>
> > or IP-enabled voice service, <https://www.law.cornell.edu/uscode/text/47/227>
> > to cause any caller identification service
> > <https://www.law.cornell.edu/uscode/text/47/227> to knowingly transmit
> > misleading or inaccurate caller identification information
> > <https://www.law.cornell.edu/uscode/text/47/227> with the intent to defraud,
> > cause harm, or wrongfully obtain anything of value, unless such transmission
> > is exempted pursuant to paragraph (3)(B).
> >
> > All I'm asking is to make the carrier liable if it should have been obvious
> > to a carrier using basic traffic analysis that the service was a robocaller
> > (low answer rates combined with tons of source numbers, especially situations
> > where the source and destination number share the first 6 digits) that the
> > carrier be liable for failing to look into it.
> >
> > Carriers already look at things like short duration in order to assess higher
> > charges, and already investigate call center traffic. If they then look at
> > the caller ID and it looks "suspect", and the customer then is contacted and
> > barred from sending arbitrary caller ID until they can verify they own the
> > numbers they're calling from, then they're good to go.
> >
> > If the carrier continues to just ensure that call center traffic is a revenue
> > stream they can bill higher without making sure they're outpulsing valid
> > numbers, then they should absorb the social costs of what's going on.
> >
> > Let's not get this confused - this isn't about customer PBXen outpulsing
> > forwarded calls when they do it, it's about people shooting millions of calls
> > a month, the carrier hitting them with short duration charges, making more
> > money, and having zero incentive to question the arrangement.
> >
> > -Paul
> >
> > On 7/11/19 1:18 PM, Christopher Morrow wrote:
> >> 'illicit use of caller id' - how is caller-id being illicitly used though?
> >> I don't think it's against the law to say a different 'callerid' in the
> >> call session, practically every actual call center does this, right?
> >
>
> ---------------------------------------------------------------------------
> Peter Beckman Internet Guy
> beckman@angryox.com http://www.angryox.com/
> ---------------------------------------------------------------------------
Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC [ In reply to ]
On 7/11/19 12:03 PM, Christopher Morrow wrote:
> On Thu, Jul 11, 2019 at 2:35 PM Michael Thomas <mike@mtcc.com> wrote:
>> So I have a meta-question about all of this. Why in 2019 are we still
>> using telephone numbers as the primary identifier? It's a pretty sip-py
>> world these days, even on mobile phones with wifi calling, I assume. It
>> seems like this problem would be more tractable if callerid was a last
>> resort rather than a first resort.
> yes! I bet that if you provided some form of 'identity' to the caller
> and permitted the callee to verify that data upon call setup... you'd
> get further along.
> there could even be an ecosystem of services which callees could
> subscribe to in order to report reputation and have that be used to
> influence call completions over time...
>
> if only there were such systems in existence already... if only some
> form of proof of concept existed?
>
>>
15 years ago when I was working on DKIM, I added DKIM signatures to SIP
messages for shits and giggles. It really wouldn't be that hard to
extend DKIM for SIP. Same goes for SPF. Same goes, I assume, for DMARC.
We pretty much know how to identify email providers, and the providers
can pretty well identify individual accounts. Same goes for SIP, it
seems to me.

I assume interprovider these days is all IP for the most part. I would
think that the only remaining vestiges of the PSTN is the last mile
where landlines are going extinct, and most mobile minutes are done over
wifi/IP.

Mike
Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC [ In reply to ]
On 7/11/19 12:05 PM, Christopher Morrow wrote:
> On Thu, Jul 11, 2019 at 3:04 PM Peter Beckman <beckman@angryox.com> wrote:
>> "with the intent to defraud, cause harm, or wrongfully obtain anything of
>> value"
>>
>> Kind of a huge hole that, unless you record all calls which opens other
>> liability, is hard to prove.
>>
> I'm not sure that the cited code works for this case, agreed.
> I'm also not a lawyer :)
> I'm a chemical engineer.


I used to think that email spam was a law enforcement problem too, but
it's become very clear that law enforcement has little to no interest in
solving geeks' problems.

Mike
RE: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC [ In reply to ]
--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.


On Thursday, 11 July, 2019 13:03, Peter Beckman <beckman@angryox.com> wrote:


>On Thu, 11 Jul 2019, Keith Medcalf wrote:

>> On Thursday, 11 July, 2019 12:38, Ross Tajvar <ross@tajvar.io> wrote:
>>
>>> What if you use different carriers for termination and origination?
>>> How does your termination carrier validate that your origination
>>> carrier has allocated certain numbers to you and that you're
>>> therefore allowed to make outbound calls with a caller ID set to
>>> those numbers? That doesn't sound to me like something that can be
>>> solved as quickly and easily as you imply.
>>
>> It does not really matter. What matters is that they bear responsibility
>> for an act in furtherance of a conspiracy to commit fraud.
>
> Fraud means you'll need to know the content of the call to determine if
> the spoofing of the CallerID value meets the bar of breaking the law.
>
> Truth in CallerID Act is only violated if there is intent to defraud when
> the CallerID is spoofed. If you spoof CallerID and do not know the content
> of the call, you cannot know if the Act was violated.

The "content" of the call is irrelevant.

If one received identification information (the CallerID) and then passes that information on (a deliberate act) with the intent that it be acted upon as if valid (is the CallerID), and that information later turns out to be fraudulent (it does not in fact identify the caller) then the "passer on" has acted in furtherance of the conspiracy to defraud. Neither negligence nor recklessness is a defense against the conspiracy. The only essential elements that need to be proved are that (a) the callerid information was fraudulent (b) the passer-on intended that the information be taken as non-fraudulent. The fact that the passer-on also "made money from" its specific act in furtherance of the conspiracy is further proof of active participation and benefit from participation in the conspiracy.

The second rule in relation to intent also applies:

If one deliberately engages in a course of action in which a given result is a possible outcome, and that result ensues, that implies the intent to cause the result so obtained, notwithstanding that the course of action was intended to obtain a different result.

If "CallerID" were in fact sold as "whatever information caller chooses to convey" rather than as the Identification of the caller, then there would be no problem in "passing on" that information. However holding out that "CallerID" is in fact the ID of the Caller, and making money by holding out that to be the case, means that the passer-on of the fraudulent information is liable for the falsity of that information notwithstanding that he cannot verify it.

So in fact the whole thing is and was from the get-go designed with the intent to convey information under fraudulent pretenses and for fraudulent purposes.
Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC [ In reply to ]
Not really. For reasons already cited by Keith Medcalf in an offshoot of
the thread, and because the real world implication of that liability
transfer would be telecom carriers undertaking risk management and
looking at their products and pricing and deciding whether certain
customers should be allowed to send arbitrary caller ID. What would
likely happen is that small customers would be allowed to send whatever,
like today. Call center customers (they are already identifying these
because most big carriers have different rates for callcenter activity
because of the network load it puts on them) would likely be restricted
to a subset of numbers, and the biggest, long term call centers would
probably be allowed to send whatever they want, but with a contract that
compels them to indemnify the carrier against loss (which would only
work if the call center was well capitalized enough to make that
commitment, because the carrier would NOT want to be stuck with the bill
if they couldn't pay up).

It may sound burdensome, but speaking as an employee of a carrier who is
in a position to see how things work on the business AND technical side
(who I do not speak for, in this context) - we're already looking at
what our customer's intended use is, and whether they're asking for a
product they can reasonably afford, we run their business credit and if
they aren't clean enough, we request prepayment for our services, or
similar.

This would just be one more risk we'd take into account.

-Paul

On 7/11/19 3:04 PM, Peter Beckman wrote:
> "with the intent to defraud, cause harm, or wrongfully obtain anything of
> value"
>
> Kind of a huge hole that, unless you record all calls which opens other
> liability, is hard to prove.
>
> Beckman
>
> On Thu, 11 Jul 2019, Paul Timmins wrote:
>
>> Pretty simply - Sending caller ID to commit fraud. It's literally
>> already illegal. The legislature has already defined it for us, even.
>>
>> 47 USC 227
>>
>> https://www.law.cornell.edu/uscode/text/47/227
>>
>> (B)
>> to initiate any telephone call to any residential telephone line
>> using an artificial or prerecorded voice to deliver a message without
>> the prior express consent of the called party, unless the call is
>> initiated for emergency purposes, is made solely pursuant to the
>> collection of a debt owed to or guaranteed by the United States
>> <https://www.law.cornell.edu/uscode/text/47/227>, or is exempted by
>> rule or order by the Commission
>> <https://www.law.cornell.edu/uscode/text/47/227> under paragraph (2)(B);
>>
>> (e)(1) In general
>>
>> It shall be unlawful for any person
>> <https://www.law.cornell.edu/uscode/text/47/227> within the United
>> States <https://www.law.cornell.edu/uscode/text/47/227>, in
>> connection with any telecommunications service
>> <https://www.law.cornell.edu/uscode/text/47/227> or IP-enabled voice
>> service, <https://www.law.cornell.edu/uscode/text/47/227> to cause
>> any caller identification service
>> <https://www.law.cornell.edu/uscode/text/47/227> to knowingly transmit
>> misleading or inaccurate caller identification information
>> <https://www.law.cornell.edu/uscode/text/47/227> with the intent to
>> defraud, cause harm, or wrongfully obtain anything of value, unless
>> such transmission is exempted pursuant to paragraph (3)(B).
>>
>> All I'm asking is to make the carrier liable if it should have been
>> obvious to a carrier using basic traffic analysis that the service
>> was a robocaller (low answer rates combined with tons of source
>> numbers, especially situations where the source and destination
>> number share the first 6 digits) that the carrier be liable for
>> failing to look into it.
>>
>> Carriers already look at things like short duration in order to
>> assess higher charges, and already investigate call center traffic.
>> If they then look at the caller ID and it looks "suspect", and the
>> customer then is contacted and barred from sending arbitrary caller
>> ID until they can verify they own the numbers they're calling from,
>> then they're good to go.
>>
>> If the carrier continues to just ensure that call center traffic is a
>> revenue stream they can bill higher without making sure they're
>> outpulsing valid numbers, then they should absorb the social costs of
>> what's going on.
>>
>> Let's not get this confused - this isn't about customer PBXen
>> outpulsing forwarded calls when they do it, it's about people
>> shooting millions of calls a month, the carrier hitting them with
>> short duration charges, making more money, and having zero incentive
>> to question the arrangement.
>>
>> -Paul
>>
>> On 7/11/19 1:18 PM, Christopher Morrow wrote:
>>> 'illicit use of caller id' - how is caller-id being illicitly used
>>> though?
>>> I don't think it's against the law to say a different 'callerid' in
>>> the call session, practically every actual call center does this, right?
>>
>
> ---------------------------------------------------------------------------
>
> Peter Beckman Internet Guy
> beckman@angryox.com http://www.angryox.com/
> ---------------------------------------------------------------------------
>
Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC [ In reply to ]
Chairman Pai issues statement at the conclusion of the SHAKEN/STIR
robocall summit.

https://docs.fcc.gov/public/attachments/DOC-358430A1.pdf

WASHINGTON, July 11, 2019—Federal Communications Commission Chairman Ajit
Pai issued the following statement on today’s SHAKEN/STIR Robocall Summit
at the FCC:

“We must move aggressively to help consumers combat scam robocalls that
use and abuse caller ID spoofing, and that’s why we held today’s summit.
The summit was productive, and we received generally encouraging signs
that companies are headed toward full implementation of the SHAKEN/STIR
caller ID authentication framework. I was pleased to hear from voice
service providers, vendors, consumer advocates, and others about the
successes to date and the challenges that remain.

“Given what I heard today, I am optimistic that the major voice service
providers will meet the end-of-2019 deadline for implementation I set for
them. That said, we stand ready to take regulatory action if this deadline
is not met. We have already adopted a Notice of Proposed Rulemaking and
will move quickly to mandate SHAKEN/STIR if needed.

“As I’ve said before and as panelists noted today, there is no silver
bullet to solving the problem of unwanted robocalls. But caller ID
authentication is an important part of the solution. And we will continue
to execute on the rest of our multi-pronged strategy as well. We have been
and will continue to do everything we can to protect American consumers
from this scourge.”
Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC [ In reply to ]
----- Original Message -----
> From: "Christopher Morrow" <morrowc.lists@gmail.com>

> On Thu, Jul 11, 2019 at 12:00 PM Paul Timmins <paul@telcodata.us> wrote:
>>
>> Chris it would be trivial for this to be fixed, nearly overnight, by
>> creating some liability on the part of carriers for illicit use of
>> caller ID data on behalf of their customers.
>
> 'illicit use of caller id' - how is caller-id being illicitly used though?
> I don't think it's against the law to say a different 'callerid' in the call
> session, practically every actual call center does this, right?

I can speak to that, having originated calls from a call center.

Yes, of course we sent out calls with "spoofed" CNID.

But, even though only 2 or 3 of our 5 carriers* held *our* feet to the fire,
we held the clients' feet to the fire, requiring them to prove to our
satisfaction that they had administrative control over the numbers in question.

But it's the carrier's responsibility, properly, to do that work.

[. It was, IIRC, Verizon, Qwest and maybe Sprint that forced the issue with us;
at least two carriers did not. No longer recall which ones. ]

Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC [ In reply to ]
On 7/15/19 12:07 PM, Jay R. Ashworth wrote:
> ----- Original Message -----
>> From: "Christopher Morrow" <morrowc.lists@gmail.com>
>> On Thu, Jul 11, 2019 at 12:00 PM Paul Timmins <paul@telcodata.us> wrote:
>>> Chris it would be trivial for this to be fixed, nearly overnight, by
>>> creating some liability on the part of carriers for illicit use of
>>> caller ID data on behalf of their customers.
>> 'illicit use of caller id' - how is caller-id being illicitly used though?
>> I don't think it's against the law to say a different 'callerid' in the call
>> session, practically every actual call center does this, right?
> I can speak to that, having originated calls from a call center.
>
> Yes, of course we sent out calls with "spoofed" CNID.
>
> But, even though only 2 or 3 of our 5 carriers* held *our* feet to the fire,
> we held the clients' feet to the fire, requiring them to prove to our
> satisfaction that they had administrative control over the numbers in question.
>
> But it's the carrier's responsibility, properly, to do that work.
>

How do the clients prove that?

Way back when when we were working on mipv6 we had to work through a
somewhat similar problem for handoffs. The ultimate answer was a return
routability test: that is, if you can answer on the address you're
trying to claim "ownership" for, it's good enough.

Maybe such a thing can be done for spoofing? Even out of band spot
checking might be adequate to keep clients honest?

But right you are, it's ultimately the carrier who needs to care about
this problem at or nothing gets better.

Mike
Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC [ In reply to ]
On Tue, 16 Jul 2019, Michael Thomas wrote:
> But right you are, it's ultimately the carrier who needs to care about this
> problem at or nothing gets better.

either the carrier starts dealing with it or legislation will come down to
force the issue.

-Dan
Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC [ In reply to ]
On Tue, Jul 16, 2019 at 6:28 PM Dan Hollis <goemon@sasami.anime.net> wrote:
>
> On Tue, 16 Jul 2019, Michael Thomas wrote:
> > But right you are, it's ultimately the carrier who needs to care about this
> > problem at or nothing gets better.
>
> either the carrier starts dealing with it or legislation will come down to
> force the issue.

<checks watch>It's 2019 right? This has been happening since
~1996</checks watch>
Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC [ In reply to ]
----- Original Message -----
> From: "Michael Thomas" <mike@mtcc.com>

> On 7/15/19 12:07 PM, Jay R. Ashworth wrote:
>> Yes, of course we sent out calls with "spoofed" CNID.
>>
>> But, even though only 2 or 3 of our 5 carriers* held *our* feet to the fire,
>> we held the clients' feet to the fire, requiring them to prove to our
>> satisfaction that they had administrative control over the numbers in question.
>>
>> But it's the carrier's responsibility, properly, to do that work.
>
> How do the clients prove that?

Do you know, I don't know; it was above my paygrade; the few times I stubbed
a toe on it, I threw it over a wall.

I presume that there was paperwork...

> Way back when when we were working on mipv6 we had to work through a
> somewhat similar problem for handoffs. The ultimate answer was a return
> routability test: that is, if you can answer on the address you're
> trying to claim "ownership" for, it's good enough.

Might have been a handshake like that; I suspect it was mostly just
"here's a picture of the client's phone bill".

> But right you are, it's ultimately the carrier who needs to care about
> this problem at or nothing gets better.

Yup.

Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
