Mailing List Archive

Carriers need to independently verify LOAs
On Sat, 17 Apr 2021, Eric Kuhnke wrote:
> Anecdotal: With the prior consent of the DID holders, I have successfully
> ported peoples' numbers using nothing more than a JPG scan of a signature
> that looks like an illegible 150 dpi black and white blob, pasted in an
> image editor on top of a generic looking 'phone bill'.

All carriers should independently verify any LOAs received for account
changes.

Documents received from third-parties, without independently verifying
with the customer of record, using the carrier's own records, are just junk
papers.

Almost no carriers verify LOAs by contacting the customer of record.
Worse, they call the phone number on the letterhead provided by the scammer
for "verification."

The U.S. Postal Service used to let random people change mail forwarding
orders, without verifying with the original and new addresses. As you can
guess, there were lots of fake forwarding orders and criminal activity.
After USPS began verifying mail forwarding orders by sending a letter to
the ORIGINAL address and NEW address, mail forwarding fraud declined. Not
zero, but declined.

Re: Carriers need to independently verify LOAs
US/Canada (ideally all of NANPA) Carriers need to standardize the porting
process.

Right now, I have an anecdotal database for each carrier which requires a
slightly different process. For Verizon Wireless, you have to generate a
Port Out PIN for each number, which expires after 7 days. Excellent! But
only if there isn't a Freeze on the number.

For another, you have to call to get your account number and PIN, as you
cannot get it without calling the carrier, and it is different.

For some carriers, the address on file isn't the End-user's address, which
causes regular and constant rejections. Must request a CSR.

For Google Voice, pay $3 first, then unlock.

For $random_carrier, provide anything and they release the number, without
notice to anyone.

Many carriers do not require an LOA to Port, usually where porting is
automated, and the automated carriers require a PIN and Account Number and
service/billing address to ensure numbers don't get "accidentally" ported,
either due to fraud or a typo.

And while it would be nice if everyone "independently verified every LOA"
the cost of doing so in the far-too-many edge cases is business-endingly
high.

It is the lack of a standard that all carriers share that causes these
problems.

In Europe, you generate a UUID, give the UUID and number to Port to the new
carrier, and it's done. If every NANPA carrier allowed the End-User to
generate a UUID for Porting Out that expired after 7 days, all of this
inconsistency would go away. Mostly. Probably.

Beckman

On Mon, 19 Apr 2021, Joe Greco wrote:

> On Mon, Apr 19, 2021 at 01:20:22PM -0400, Sean Donelan wrote:
>> On Sat, 17 Apr 2021, Eric Kuhnke wrote:
>>> Anecdotal: With the prior consent of the DID holders, I have successfully
>>> ported peoples' numbers using nothing more than a JPG scan of a signature
>>> that looks like an illegible 150 dpi black and white blob, pasted in an
>>> image editor on top of a generic looking 'phone bill'.
>>
>> All carriers should independently verify any LOAs received for account
>> changes.
>>
>> Documents received from third-parties, without independently verifying
>> with the customer of record, using the carrier's own records, are just junk
>> papers.
>>
>> Almost no carriers verify LOAs by contacting the customer of record.
>> Worse, they call the phone number on the letterhead provided by the scammer
>> for "verification."
>
> Presumably we're kinda talking about a problem parallel to the
> Internet ASN/IP space LOA problem here.
>
> It would be awesome if there were a nice easy way to identify the
> responsible parties, so you could figure out WHOIS the appropriate
> party to contact. If you've ever tried Googling a company with a
> hundred thousand employees, calling their contact number on the Web,
> and getting through to anybody who knows anything at all about IT,
> well, you can spend a day at it and still have gotten nowhere.
>
> It's too bad that this information is so frequently redacted for
> privacy.
>
> ... JG
> --
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "The strain of anti-intellectualism has been a constant thread winding its way
> through our political and cultural life, nurtured by the false notion that
> democracy means that 'my ignorance is just as good as your knowledge.'"-Asimov
>

---------------------------------------------------------------------------
Peter Beckman Internet Guy
beckman@angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
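
A sketch of the expiring port-out token proposed in the message above, seen from the losing carrier's side. This is an added example, not part of the thread and not any carrier's actual system; the class and method names, the single-use rule, and the way a freeze blocks and revokes tokens are assumptions made for illustration.

```python
import hmac
import uuid
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(days=7)  # expiry suggested in the message above


class PortOutRegistry:
    """Losing carrier's record of port-out tokens (hypothetical model)."""

    def __init__(self):
        self._tokens = {}     # number -> (token, expires_at)
        self._frozen = set()  # numbers with a port freeze in place

    def freeze(self, number):
        self._frozen.add(number)
        self._tokens.pop(number, None)  # a freeze also revokes any live token

    def issue(self, number, now):
        """Called only from the customer of record's authenticated session."""
        if number in self._frozen:
            raise PermissionError("port freeze is active on this number")
        token = str(uuid.uuid4())  # random UUID, drawn from os.urandom
        self._tokens[number] = (token, now + TOKEN_LIFETIME)
        return token

    def authorize_port(self, number, presented, now):
        """Check a token relayed by the gaining carrier; returns (ok, reason)."""
        if number in self._frozen:
            return False, "frozen"
        entry = self._tokens.get(number)
        if entry is None:
            return False, "no-token"
        token, expires_at = entry
        if now >= expires_at:
            del self._tokens[number]
            return False, "expired"
        if not hmac.compare_digest(token.encode(), presented.encode()):
            return False, "mismatch"
        del self._tokens[number]  # single use: a replayed token fails
        return True, "ok"


if __name__ == "__main__":
    reg = PortOutRegistry()
    t0 = datetime(2021, 4, 19, tzinfo=timezone.utc)  # constructed sample data
    tok = reg.issue("+12025550123", t0)              # fictional 555-01xx number
    print(reg.authorize_port("+12025550123", tok, t0 + timedelta(days=8)))
```

The point of the design is that the token originates with the customer of record through the carrier's own records, so a document supplied by the requesting party carries no weight in the decision.
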

Re: Carriers need to independently verify LOAs
On Mon, Apr 19, 2021 at 01:20:22PM -0400, Sean Donelan wrote:
> On Sat, 17 Apr 2021, Eric Kuhnke wrote:
> >Anecdotal: With the prior consent of the DID holders, I have successfully
> >ported peoples' numbers using nothing more than a JPG scan of a signature
> >that looks like an illegible 150 dpi black and white blob, pasted in an
> >image editor on top of a generic looking 'phone bill'.
>
> All carriers should independently verify any LOAs received for account
> changes.
>
> Documents received from third-parties, without independently verifying
> with the customer of record, using the carrier's own records, are just junk
> papers.
>
> Almost no carriers verify LOAs by contacting the customer of record.
> Worse, they call the phone number on the letterhead provided by the scammer
> for "verification."

Presumably we're kinda talking about a problem parallel to the
Internet ASN/IP space LOA problem here.

It would be awesome if there were a nice easy way to identify the
responsible parties, so you could figure out WHOIS the appropriate
party to contact. If you've ever tried Googling a company with a
hundred thousand employees, calling their contact number on the Web,
and getting through to anybody who knows anything at all about IT,
well, you can spend a day at it and still have gotten nowhere.

It's too bad that this information is so frequently redacted for
privacy.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"The strain of anti-intellectualism has been a constant thread winding its way
through our political and cultural life, nurtured by the false notion that
democracy means that 'my ignorance is just as good as your knowledge.'"-Asimov

Re: Carriers need to independently verify LOAs
On Mon, 19 Apr 2021, Peter Beckman wrote:
> And while it would be nice if everyone "independently verified every LOA"
> the cost of doing so in the far-too-many edge cases is business-endingly
> high.

If carriers faced legal liability, with appropriate incentives, I'd bet
they would solve the verification problem -- quickly, cheaply.

No liability -- no reason to solve the problem.

Re: Carriers need to independently verify LOAs
Nothing is stopping the perpetrator of a BGP hijack as a result of a forged
or otherwise illegitimate LOA from facing civil litigation as a result of
revenue loss or other harm done.

This thread and others like it highlight that there is absolutely some
negligence here and could very well find itself in an evidence pile at some
point in the future.

So there IS liability, but the lack of solid precedent means that the bean
counters can't assign a dollar amount to the risk associated with blindly
accepting LOAs, and therefore it might as well not exist.

Someday, somebody will have the pants sued off them because they let their
new customer hijack the hell out of a government entity, bank, oil company,
etc. and we'll start to see better processes.

-Matt

On Mon, Apr 19, 2021 at 11:59 AM Sean Donelan <sean@donelan.com> wrote:

>
> On Mon, 19 Apr 2021, Peter Beckman wrote:
> > And while it would be nice if everyone "independently verified every LOA"
> > the cost of doing so in the far-too-many edge cases is business-endingly
> > high.
>
> If carriers faced legal liability, with appropriate incentives, I'd bet
> they would solve the verification problem -- quickly, cheaply.
>
> No liability -- no reason to solve the problem.
>
>

--
Matt Erculiani
ERCUL-ARIN