<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>People who are actually interested in this subject are well
advised to read this thoroughly because it equally applies to SIP
spam with a system far less complex and far fewer gaping security
holes as STIR.</p>
<p><a class="moz-txt-link-freetext" href="https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-hu.pdf">https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-hu.pdf</a></p>
<p>Mike<br>
</p>
<div class="moz-cite-prefix">On 7/2/21 8:54 AM, Paul Timmins wrote:<br>
</div>
<blockquote type="cite"
cite="mid:1de25a15-273b-7f9f-4d19-6eee4d9fd93e@telcodata.us">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<p>Fun part is that just because it's a telnyx number with a
checkmark, it doesn't mean the call came from Telnyx, just that
the call came from a carrier that gave the call attestation A.
As the carrier, we can see who signed the call (it's an x509
certificate, signed by the STI-PA, with the carrier's name and
OCN in it) and hold them accountable for the traffic, which is
huge.</p>
<p>But that's where the confusion will lie - a customer might say
well this is a verizon wireless number, i'll yell at them! But
the actual call came in through Lumen, and they're the ones who
can stop it. A carrier can see the cert, but you can just get
the verstat flag from the P-Asserted-Identity field in the call
to the handset and see that it passed the tests for attestation
A.</p>
<p>Just because you don't see a checkmark doesn't mean signatures
aren't happening. Attestation B and C aren't displayed on the
handset (but are seen in the carrier's systems) and most
androids don't have a way to display stir/shaken stuff yet.
T-Mobile doesn't send the verstat header to handsets they don't
verify as s/s compliant (usually only ones they sell). My trick
was to sim swap into an iphone for a day, then back to my
android which started displaying the verification after that.</p>
<p>It's all new, but just because you don't see it doesn't mean
it's not there. Report the calls to your carrier, they have new
tools to track down the misbehavior.<br>
</p>
<div class="moz-cite-prefix">On 7/2/21 8:32 AM, Nick Olsen wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAPr_aJbG+8Xb7nydCA6ScBi4fuGNo1VNdTzb1i8pEqR4JyUXzg@mail.gmail.com">
<meta http-equiv="content-type" content="text/html;
charset=UTF-8">
<div dir="ltr">Not all have implemented it yet. But if you
haven't. You were supposed to implement some kind of robo
calling mitigation plan (Or atleast certify that you have
one). At $dayjob we're fully deployed (inbound and outbound).
<div><br>
</div>
<div>I received my first ever STIR/SHAKEN signed (iPhone Check
mark, highly scientific) spam call on my personal Cell phone
on 6/30. It was a Telnyx number. Had the call terminated to
$dayjob network. I fully would have collected all various
information and ticketed it with Telnyx.</div>
<div><br>
</div>
<div>Time will tell how truly effective this is. But we have
better originating information now (breadcrumbs) to follow
back to the source.</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Jul 1, 2021 at 5:42
PM Andreas Ott <<a href="mailto:andreas@naund.org"
moz-do-not-send="true">andreas@naund.org</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Jul 1, 2021 at
12:56 PM Keith Medcalf <<a
href="mailto:kmedcalf@dessus.com" target="_blank"
moz-do-not-send="true">kmedcalf@dessus.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">... and the end
carrier is making money for terminating them. </blockquote>
<div><br>
</div>
<div>Survey (of n=1) says: nothing has changed, aka the
new technology is not working. I just received the
same kind of recorded message call of "something
something renew auto warranty" on my AT&T u-Verse
line. This time when I called back the displayed
caller ID number it was ring-no-answer, versus the
previous "you have reached a number that is no longer
in service". By terminating the call the carrier made
probably more money than it would cost them to enforce
the new rules.</div>
<div><br>
</div>
<div>Other than the <a href="http://donotcall.gov"
target="_blank" moz-do-not-send="true">donotcall.gov</a>
portal, is there a new way to report the obvious
failure of STIR/SHAKEN?</div>
<div><br>
</div>
<div>-andreas</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</blockquote>
</body>
</html>