EEVblog Electronics Community Forum

Computing => Security => Topic started by: DrG on July 03, 2021, 01:43:59 pm

Title: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: DrG on July 03, 2021, 01:43:59 pm
https://www.fcc.gov/call-authentication (https://www.fcc.gov/call-authentication)

https://www.cnn.com/2021/07/02/tech/robocall-prevention-stir-shaken/index.html (https://www.cnn.com/2021/07/02/tech/robocall-prevention-stir-shaken/index.html)
https://transnexus.com/whitepapers/stir-and-shaken-overview/ (https://transnexus.com/whitepapers/stir-and-shaken-overview/)

From what I gather, this is a certificate-based authentication system that will, later in Sept. (two years later for small wireless carriers), require blocking of spoofed caller-ID. Techniques to be able to do this are now required.

I notice that some carriers are already touting their part in the war against robocalls, e.g., https://www.verizon.com/business/products/contact-center-cx-solutions/voice-security/stir-shaken-caller-id-identification/ (https://www.verizon.com/business/products/contact-center-cx-solutions/voice-security/stir-shaken-caller-id-identification/)

Naturally, worries include, accidental or otherwise inaccurate blocking and missed blocking (leading to false authentication).

It will be interesting to see how this plays out.
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: RPM on July 06, 2021, 07:00:07 pm
Also interesting to watch how the SaaS messaging services navigate these requirements and how they ensure compliance. Recent interactions on the topic with Twilio (top tier provider) and Plivo (mid tier provider) have revealed these companies still have some work to do to get their act together. 
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: TimFox on July 06, 2021, 07:28:01 pm
I can't wait!  I am so damned tired of spoofed caller-ID numbers that are not only in my area code, but also in my exchange.  I once asked a sub-continental voice where he was located, since his phone number appeared to come from my block--like the police telling the baby-sitter that the evil call comes from inside the house.
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: Stray Electron on July 07, 2021, 01:16:33 pm
   I didn't read the article but let's just say that I'm skeptical.  The FCC has NEVER been involved in regulating the telecommunications industry in the US. Telecommunications in the US has always been regulated through state agencies and the (completely in-effective) USG's FTC. IF the FCC is allowed to make rules, then it will be a fundamental shift in the regulatory authority of the Telecommunications Industry in the US.

  The "spoofing" of phone numbers was originally allowed specifically so allow police in the US to make undercover phone calls without giving away the true origin of their phone calls. But since then the US phone companies have allowed anyone with money to do the same.

  Even if the FCC makes rules, how are they going to enforce that on companies making spoof calls from outside of the US?
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: TimFox on July 07, 2021, 01:41:46 pm
Telecommunications in the US has been assigned to the FCC since the Communications Act of 1934.  States do not have the authority to regulate interstate commerce.
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: Marco on July 07, 2021, 02:54:24 pm
Even if the FCC makes rules, how are they going to enforce that on companies making spoof calls from outside of the US?
By fining the first company to route it inside the US border? If it's not signed and signals an US phone number it shouldn't be allowed to come into the country, problem solved. Run an ingress filter or get fined into oblivion.
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: I wanted a rude username on July 10, 2021, 02:32:11 am
Pretty sure the spammers here just use VoIP services with Australian dial-out numbers. They appear as Australian land-line or mobile numbers. This mechanism wouldn't block them.
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: Marco on July 10, 2021, 02:44:24 pm
Pretty sure the spammers here just use VoIP services with Australian dial-out numbers. They appear as Australian land-line or mobile numbers. This mechanism wouldn't block them.

If the VoIP service can't spoof and does business with scammers it will get blocked by carrier anti-spam services almost immediately assuming the carriers are allowed to offer them (which they are in the US AFAIK). Even if not, people will be instantly suspicious of unknown numbers which is why scammers try to use recipient area codes or worse. Spoofing is pretty much necessary for scam calls, people have gotten too suspicious.
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: DrG on October 04, 2021, 10:39:01 pm
I don't know if others are seeing the same, but recently I am noticing "verified" or (V) on caller ID tags. There has been a decrease in BS calls in the last week or two...at least I think so. Anybody noticing similar?
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: Stray Electron on October 04, 2021, 11:37:41 pm
  I haven't seen that in the US but to tell the truth I haven't gotten a legitimate call on a land line phone in months so I might have missed it. But FWIW I am still getting SCAMMER calls on those lines.
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: Jr460 on October 05, 2021, 12:06:17 am
STIR/SHAKEN is a complex solution looking for a problem.

It MAY help a bit.   The FCC used to very active in finding and fining tele-scum.   I know I used to report things and get action.   Then the sort of blew off consumer reports.   Then the problem got big.

Like most government things, they created a committee to look at ways to stop the caller SPAM.   Some very easy and quick things were put out, but they required the major Telecos to do work, they all got rejected and we got out of it STIR/SHAKEN.

Just cut off all inbound IP calls from a certain country, and the problem is solved.    On, no, a lot of legit companies have call centers in the same cities as the scammers you say.   Well, I say, too bad.   They outsourced operations to get cheap labor, they also outsource their reputations.   They can pull that back to some place that is not full of scammers or where they can be quickly reached by FCC the FCC and courts.   
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: james_s on October 05, 2021, 01:21:02 am
We are way, way past due for some kind of solution to this. I get probably 3-8 robocalls every single day, it has gotten so bad that I stopped answering my phone years ago for any numbers not in my contact list. It's also the reason I dumped my landline back around 2008, the only calls I was ever getting anymore were political robocalls. Spam calls have completely ruined the telephone as a means of communication.
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: xrunner on October 05, 2021, 01:25:47 am
We are way, way past due for some kind of solution to this. I get probably 3-8 robocalls every single day, it has gotten so bad that I stopped answering my phone years ago for any numbers not in my contact list. It's also the reason I dumped my landline back around 2008, the only calls I was ever getting anymore were political robocalls. Spam calls have completely ruined the telephone as a means of communication.

I hear ya. I get spam calls and messages every day asking me if I want to sell my house. It's really getting out of control. The T-Mobile spam blocker this evening says it blocked TEN calls from the same number in a matter of minutes.
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: james_s on October 05, 2021, 01:28:46 am
I don't understand why the carriers seem reluctant to do something about this, it really makes their product a lot less appealing. At the very least there should be an option in every phone or every carrier to flat out not respond at all to any number not in the list, don't ring the phone at all, just go to voicemail and require a specific button or phrase to leave a message.
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: Marco on October 05, 2021, 11:30:39 am
Even if the FCC makes rules, how are they going to enforce that on companies making spoof calls from outside of the US?
By fining the first company to route it inside the US border? If it's not signed and signals an US phone number it shouldn't be allowed to come into the country, problem solved. Run an ingress filter or get fined into oblivion.
Well, you were right in as far that the FCC didn't even think about closing the loophole ahead of time. But the FCC does seem to have the same level of common sense as me, just handle it at whoever brings the traffic inside the US.

https://arstechnica.com/tech-policy/2021/10/fcc-plans-to-rein-in-gateway-carriers-that-bring-foreign-robocalls-to-us/
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: Marco on October 05, 2021, 02:17:39 pm
I don't understand why the carriers seem reluctant to do something about this
AFAIK until recently they weren't even allowed to drop calls they thought were spam.

Most of them now seem to have spam blocking services and some even pass on the stir/shaken verification.
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: TimFox on October 05, 2021, 03:44:24 pm
So far to my main phone, spam calls from spoofed phone numbers (often in my area code, even in my exchange) continue to get through.
When I call back to a "missed call" out of curiosity, the result is usually "the number you have dialed is not in service".
Just like with my old landline, the spam calls never ring more than four times.  That was my filter years ago.
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: Stray Electron on October 05, 2021, 04:46:08 pm
I don't know if others are seeing the same, but recently I am noticing "verified" or (V) on caller ID tags. There has been a decrease in BS calls in the last week or two...at least I think so. Anybody noticing similar?

  I went and looked at the last 50 calls on my land line phone and four of them (all from close family members) show (V), and another one shows that it came from a local medical center but without a V so i don't know if it is legitimate or not. About 35 shows "Suspected Spam" and all of the others show as an unknown callers.  So there does seem to be some progress in identifying the callers but not in automatically blocking them.
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: DrG on October 05, 2021, 04:50:55 pm
So far to my main phone, spam calls from spoofed phone numbers (often in my area code, even in my exchange) continue to get through.
When I call back to a "missed call" out of curiosity, the result is usually "the number you have dialed is not in service".
Just like with my old landline, the spam calls never ring more than four times.  That was my filter years ago.

Those (the spoofed numbers) are the ones that I no longer get...at least so far. I'm always seeing the 'verified' or "V". I may get some without verification but have not noticed yet. The last point is something I am keeping my eye out for because I am thinking that the telcos will be reluctant to not pass through calls if there is a doubt about verification - at least at first.

Is your service provided by a large telco? Smaller ones have longer to comply and I am wondering if that is your situation or whether they have not yet implemented it or ?
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: james_s on October 05, 2021, 06:36:16 pm
So far to my main phone, spam calls from spoofed phone numbers (often in my area code, even in my exchange) continue to get through.
When I call back to a "missed call" out of curiosity, the result is usually "the number you have dialed is not in service".
Just like with my old landline, the spam calls never ring more than four times.  That was my filter years ago.

The spoofed numbers in my exchange are funny, I don't know anyone whose number is in the same exchange, so rather than appearing to be someone I know, it is immediately obvious that it's probably a spoofed spam call.

The phone itself could easily reject calls from any number not in the contact list and send them straight to voicemail, but I don't believe that feature is there.
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: TimFox on October 05, 2021, 07:41:34 pm
I have asked human operators with non-local accents from such calls if their office were next door to me, and they
 did not understand, even when I explained myself.
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: jpanhalt on October 05, 2021, 08:08:07 pm
The spoofed numbers in my exchange are funny, I don't know anyone whose number is in the same exchange, so rather than appearing to be someone I know, it is immediately obvious that it's probably a spoofed spam call.

The phone itself could easily reject calls from any number not in the contact list and send them straight to voicemail, but I don't believe that feature is there.

I do not send to voicemail.  It identifies you are a live number.

I block anyone who I do not recognize.  One of the biggest offenders is/was Charles Schwab.  Its calls do/did not include a relevant caller ID.  I blocked them.  For some reason, it doesn't want to use email?  Hmmm ...  I wonder why?  (So, far, it has complied, but not with any content.  Basically, its emails ask me to contact it.  Yes, I am considering changing, but there are some good aspects to it too.)
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: james_s on October 05, 2021, 09:01:47 pm
It goes to voicemail eventually no matter what. I don't care if they know it's a live number if none of those calls ever ring my phone.
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: james_s on October 05, 2021, 09:02:52 pm
I have asked human operators with non-local accents from such calls if their office were next door to me, and they
 did not understand, even when I explained myself.

They don't know what number they're calling from. They're just low wage people hired to work in a sweatshop call center.
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: TimFox on October 06, 2021, 04:23:26 am
Yes, I know that.  They still annoy me.
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: DrG on October 08, 2021, 12:55:11 pm
After just a few days, I am starting to see more unverified and, presumably, spoofed CID numbers. How to deal with these, apart from not answering, is the same old problem.

I took a look at some of the "spam blockers"; one of them says this:

Spam blocker will categorize and label nuisance calls into three categories based on level of risk. “High Risk” calls will be blocked, “Medium Risk” calls will be sent to voicemail, and “Low Risk” calls will ring through to your phone and show as “Spam?” on your Caller ID. You will have the ability to adjust these settings to meet your needs.

Given that there is no point in blocking a spoofed caller ID, it seems (I have a sneaky suspicion) like blocking based on adjustable rules is an unnecessary and ineffective approach. The whole STIR/SHAKEN protocol is to use a certificate based system to authenticate caller ID - no? This "spam blocking" approach appears to be ill-advised unless it is a tacit admission that the protocol is already a fail.
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: Marco on October 08, 2021, 01:15:36 pm
Losing access to all foreign based helpdesks isn't an option, FCC should have made it mandatory for any US signalling number, but baby steps. A little patience required.
Title: Re: US FCC requires implementation of STIR/SHAKEN protocol to combat Robo-calls
Post by: Kasper on October 09, 2021, 04:37:58 am
I used to get spam from the same numbers over and over. I put them in contacts, made a group for them and gave the group a special ringtone.

Then I found koodo in Canada has some nice features. Callers who aren't in your list hear a number and have to enter it before they get through. Haven't had 1 spam call since I enabled that.