FCC proposes $10 Million fine for spoofed robocalls

Brandon Martin lists.nanog at monmotha.net
Thu Dec 19 17:25:26 UTC 2019


On 12/19/19 12:09 PM, Andreas Ott wrote:
> I have also been told that there is no equivalent of uRPF in the phone world.

This is the biggest issue, and unfortunately (and my knowledge of the 
PSTN is admittedly a bit lacking, here), there's likely no good way to 
add it.

Calls on the PSTN are routed essentially based on "who do I feel like 
handing this off to, today", and then that entity may do the same, and 
so on.  It's pretty routine for an outfit to have multiple contracts for 
termination that may not even be aware of the "legitimate" numbers from 
which their customers might "source" a call.

Further, it's entirely normal and perfectly legitimate (to varying 
degrees) for an outfit to purport in CID a number that is not directly 
assigned to them nor which will actually result in a callback being 
routed to them.

Think of caller ID more like reverse DNS.  It's largely advisory and, 
outside some situations where you deliberately want a higher degree of 
reputation/identity verification and are willing to accept a 
potentially large number of false flags, there's no real reason to rely 
on it outside of human nicety.

The rough analogy to the source IP address is the ANI information that's 
not even passed to most end users.  That's "who should I bill this to?". 
But even that can get overwritten sometimes during call routing, from 
what I gather.  It's also rarely a valid callback number for any 
non-trivial call source.  Or, at least, if you did call it, the person 
who (might) answer the phone will have no idea what prompted you to do so.

SHAKEN/STIR, the leading proposal to "fix" this, is more like RPKI in a 
way albeit very much re-envisioned based on circuit switching rather 
than packet switching.  Each intervening network can attest to what 
degree they are able to verify the CID (and maybe ANI?) information in 
the call.  Unfortunately, a perfectly valid attestation is "I cannot 
verify it", and indeed that's likely to be most of the attestations 
you'll see at least at first.  The best it really lets you do is figure 
out some networks at which to point fingers.

When "full attestation" is present, i.e. the network operator has been 
able to verify that the CID field represents a number authorized for use 
by the entity originating the call, it's maybe more like DKIM in that 
you can, with cryptographic certainty, know THE network at which to 
point fingers as they're the ones who admitted the call into the PSTN 
with authority that the CID field (among others) is "valid".

[And all the old PSTN folks will please forgive me if I'm inaccurate, 
here, though corrections are welcome]
-- 
Brandon Martin
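Added example, not code from the post above or from any STIR/SHAKEN implementation: a minimal PASSporT signer and verifier in Go, standard library only, illustrating the three points made about SHAKEN/STIR. The signing network puts its attestation level in the token ("C" is a perfectly valid "I cannot verify it"); the terminating side learns from the x5u header which network signed, so it knows whom to point fingers at; and a CID rewritten after signing no longer verifies. Assumptions: the trusted-key map stands in for fetching and chain-validating the x5u certificate, the carrier URLs, numbers and origid are constructed, and the three attestation levels are summarised in the comments rather than taken from the post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Passport holds the SHAKEN PASSporT claims (RFC 8225 / RFC 8588).
// attest: "A" full (signer knows the customer and that orig.tn is theirs),
//         "B" partial (signer knows the customer, not the number),
//         "C" gateway (signer only knows where the call came from: "I cannot verify it").
type Passport struct {
	Attest string              `json:"attest"`
	Dest   map[string][]string `json:"dest"`
	Iat    int64               `json:"iat"`
	Orig   map[string]string   `json:"orig"`
	OrigID string              `json:"origid"`
}

// header is the JWS header; x5u names the signer's certificate and so the attesting network.
type header struct {
	Alg string `json:"alg"`
	Ppt string `json:"ppt"`
	Typ string `json:"typ"`
	X5u string `json:"x5u"`
}

var b64 = base64.RawURLEncoding

// Sign returns the compact form header.payload.signature, ES256 over the first two parts.
func Sign(key *ecdsa.PrivateKey, certURL string, p Passport) (string, error) {
	h, _ := json.Marshal(header{Alg: "ES256", Ppt: "shaken", Typ: "passport", X5u: certURL})
	body, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is R || S, 32 bytes each, not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify checks the token with the key registered for its x5u (the map stands in for
// fetching the certificate) and returns the claims plus the URL of the signing network.
func Verify(token string, trusted map[string]*ecdsa.PublicKey) (Passport, string, error) {
	var p Passport
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return p, "", errors.New("malformed token")
	}
	hb, err := b64.DecodeString(parts[0])
	var h header
	if err != nil || json.Unmarshal(hb, &h) != nil || h.Alg != "ES256" || h.Ppt != "shaken" {
		return p, "", errors.New("unexpected header")
	}
	pub, ok := trusted[h.X5u]
	if !ok {
		return p, "", fmt.Errorf("no trusted certificate for %s", h.X5u)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return p, "", errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return p, "", errors.New("signature does not verify")
	}
	pb, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &p) != nil {
		return p, "", errors.New("bad payload")
	}
	return p, h.X5u, nil
}

// Respoof rewrites orig.tn in a signed token and keeps the old signature: what a
// downstream network changing the CID after attestation would hand on.
func Respoof(token, tn string) string {
	parts := strings.Split(token, ".")
	pb, _ := b64.DecodeString(parts[1])
	var p Passport
	json.Unmarshal(pb, &p)
	p.Orig["tn"] = tn
	nb, _ := json.Marshal(p)
	return parts[0] + "." + b64.EncodeToString(nb) + "." + parts[2]
}

func main() {
	// Constructed keys standing in for two carriers' STI certificates.
	origKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	gwKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	trusted := map[string]*ecdsa.PublicKey{
		"https://certs.carrier-a.example/sti.pem": &origKey.PublicKey,
		"https://certs.gateway-b.example/sti.pem": &gwKey.PublicKey,
	}
	call := Passport{Attest: "A", Dest: map[string][]string{"tn": {"12025550123"}}, Iat: 1576776326,
		Orig: map[string]string{"tn": "12025550100"}, OrigID: "de305d54-75b4-431b-adb2-eb6b9e546014"}
	full, _ := Sign(origKey, "https://certs.carrier-a.example/sti.pem", call)
	call.Attest = "C" // a gateway that cannot verify the CID still signs, at level C
	gateway, _ := Sign(gwKey, "https://certs.gateway-b.example/sti.pem", call)
	for _, tok := range []string{full, gateway, Respoof(full, "18005550199")} {
		if p, signer, err := Verify(tok, trusted); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Printf("attest=%s orig=%s signed by %s\n", p.Attest, p.Orig["tn"], signer)
		}
	}
}
```

The verifier deliberately does nothing beyond checking the signature and reporting the signer: a "C" token verifies just as cleanly as an "A" token, which is exactly the post's point that a valid attestation can say nothing about the CID itself, only about which network admitted the call.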
