Slashdot Mirror


AT&T, Comcast Announce Verification Milestone To Help Fight Robocalls (usatoday.com)

"The fight against robocalls can even bring telecom rivals together," reports USA Today: AT&T and Comcast said Wednesday that they can authenticate calls made between the two different phone providers' networks, a potential industry first and the latest in the long-running battle against spam calls... The system, which uses a method developed in recent years, verifies that a legitimate call is being made instead of one that has been spoofed by spammers, scammers or robocallers with a "digital signature." The recipient network then confirms the signature on its side. The companies said consumers will get a notification that a call is verified, but exactly what that will look like is not yet known.

Both AT&T and Comcast will roll out the system to home phone users later this year at no extra charge. AT&T also said it will introduce the feature to its mobile users this year... Other major wireless and traditional home voice providers have pledged support for the verification method, including Verizon, T-Mobile, Sprint, Charter, Cox and Vonage, with several announcing plans to roll out or test the feature in 2019.

The day Comcast and AT&T made their announcement, AT&T's CEO was giving a live interview that was interrupted by a robocall.
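
The sign-then-verify exchange the summary describes, as an added Go example that is not code from the article, AT&T, or Comcast. The token layout, provider names, 60-second freshness window, and phone numbers are constructed assumptions, not the carriers' actual wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Claim is what the originating provider vouches for (constructed format).
type Claim struct {
	Provider string `json:"provider"` // hypothetical provider ID
	Orig     string `json:"orig"`     // calling number being asserted
	Dest     string `json:"dest"`     // number that was dialed
	IssuedAt int64  `json:"iat"`      // Unix seconds at signing time
}

// SignedCall travels with the call from the originating to the receiving network.
type SignedCall struct {
	Payload []byte // JSON-encoded Claim, byte-for-byte as signed
	Sig     []byte // ECDSA P-256 signature over SHA-256(Payload)
}

const maxAgeSeconds = 60 // assumed freshness window

var (
	ErrUnknownProvider = errors.New("signer is not a trusted provider")
	ErrBadSignature    = errors.New("signature does not verify")
	ErrMismatch        = errors.New("signed numbers differ from the call as received")
	ErrStale           = errors.New("token is outside the freshness window")
)

// Sign is the originating provider's side.
func Sign(key *ecdsa.PrivateKey, c Claim) SignedCall {
	payload, err := json.Marshal(c)
	if err != nil {
		panic(err)
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	return SignedCall{Payload: payload, Sig: sig}
}

// Verify is the receiving provider's side. shownCallerID and dialed come from
// the call signaling itself, not from the token.
func Verify(trusted map[string]*ecdsa.PublicKey, sc SignedCall, shownCallerID, dialed string, now int64) error {
	var c Claim
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return ErrBadSignature
	}
	pub, ok := trusted[c.Provider]
	if !ok {
		return ErrUnknownProvider // a valid signature from a stranger proves nothing
	}
	digest := sha256.Sum256(sc.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], sc.Sig) {
		return ErrBadSignature
	}
	if c.Orig != shownCallerID || c.Dest != dialed {
		return ErrMismatch // caller ID was changed after signing, or token was moved to another call
	}
	if age := now - c.IssuedAt; age < 0 || age > maxAgeSeconds {
		return ErrStale // blocks replay of a captured token
	}
	return nil
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// RunScenarios checks one good call and four ways a token can fail.
func RunScenarios() map[string]error {
	carrierA, rogue := newKey(), newKey()
	trusted := map[string]*ecdsa.PublicKey{"carrier-a": &carrierA.PublicKey}
	const caller, callee = "+12025550100", "+12025550199" // constructed numbers
	const t0 = int64(1553000000)
	good := Sign(carrierA, Claim{"carrier-a", caller, callee, t0})
	selfSigned := Sign(rogue, Claim{"rogue-voip", caller, callee, t0})
	forged := Sign(rogue, Claim{"carrier-a", caller, callee, t0})
	return map[string]error{
		"valid":             Verify(trusted, good, caller, callee, t0+2),
		"spoofed-caller-id": Verify(trusted, good, "+12025550142", callee, t0+2),
		"replayed":          Verify(trusted, good, caller, callee, t0+3600),
		"untrusted-signer":  Verify(trusted, selfSigned, caller, callee, t0+2),
		"forged":            Verify(trusted, forged, caller, callee, t0+2),
	}
}

func main() {
	results := RunScenarios()
	for _, name := range []string{"valid", "spoofed-caller-id", "replayed", "untrusted-signer", "forged"} {
		fmt.Printf("%-18s %v\n", name, results[name])
	}
}
```

The signature only proves which provider vouched for the number; whether that provider checked the caller's right to use it is outside what the receiving side can verify.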


  1. Legitimate use by TheMeuge · · Score: 1

    I'm interested how they'll handle legitimate use cases. I call my patients via calling service that spoofs my number to look like my office. If I have to use my genuine cell number I will simply stop communicating this way.

    1. Re:Legitimate use by mark-t · · Score: 1

      I'd imagine you can probably continue to use the service... the signature the recipient receives would then be generated by the service instead of by your phone.

    2. Re:Legitimate use by mark-t · · Score: 1

      Theoretically, yes.... which is why this idea won't work.

      The only way I can see to make verified caller ID using the existing phone switching network is via an out-of-band reverse lookup that is done by the receiving phone. If the call is spoofed, then the reverse lookup will end up reaching a phone number other than the one the caller is actually calling from (if any). This would mean that you could only spoof real numbers that the person you are calling could actually call back, and where you actually have real control over that number.

    3. Re:Legitimate use by PolygamousRanchKid+ · · Score: 1

      I'm interested how they'll handle legitimate use cases.

      Why not just make robocalls illegal . . . ? I live in Germany, and get zero robocalls . . . because they are illegal.

      All my relatives in the US complain about them . . . nobody seems to like them . . . why it is a problem to make them illegal . . . ?

      Oh, maybe the AT&T and their pals who make lots of money from the calls . . .

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    4. Re:Legitimate use by mark-t · · Score: 1

      why it is a problem to make them illegal?

      Enforcement. A switched telephone network does not have any way to verify that a call which is coming in from an exchange that they don't have any control over actually originated in that exchange or was simply being passed along from some other exchange, and so has no possible way to enforce ramifications on someone who fakes a call.

    5. Re:Legitimate use by tcgroat · · Score: 2

      The US already has laws against it, including state and federal "Do Not Call" registries. The robo-calls became epidemic after those laws were enacted, confounding identification of those making the calls, so that making complaints to law enforcement is ineffective. Before the callers were mostly legitimate businesses who would identify themselves; now they are from criminals pretending to be somebody whom they are not--or politicians (a particular example of the more general case).

    6. Re:Legitimate use by mark-t · · Score: 1

      If I were to guess at the cause, I would suggest that it is probably because there are fewer independently controlled switched networks in a given area.

    7. Re:Legitimate use by mark-t · · Score: 1

      Nice conspiracy theory, but no.

      The only agent that knows who to bill is the one that is directly connected to the caller, but even their own exchange still doesn't have any way to know if the caller is going to route the call through another exchange that will enable them to spoof their number. The end result is that the receiving exchange has no way to currently identify the caller, or know who to bill. They only know the exchange that the number came from, but the call may have been forwarded through any number of other exchanges.

    8. Re:Legitimate use by Gojira+Shipi-Taro · · Score: 1

      criminals pretending to be somebody whom they are not--or politicians

      That seems rather a redundant phrase...

      --
      "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked." ~ Donald J. Trump
  2. Re:No robocalls in FEDERAL PRISON by Anonymous Coward · · Score: 1

    Watched Maddow cry like a little girl. Her ratings will surely drop now that she is implicated in the lies and distortions.

    Prison is too good for evil media creatures. Time for purge.

  3. Wonderful but I already know when a call is spam by Vermonter · · Score: 4, Insightful

    I don't want my phone to ring with a little alert that something is a scam. My phone already tells me when something is a potential scam. In fact if it's a number I don't recognize, I know that 99 times out of 100 it's a scam. I want my phone not to ring at all. I want the call to get stopped before my phone is even involved. It's not answering a robocall that annoys me, it's having my phone ring in the first place.

  4. Home users versus mobile users by p51d007 · · Score: 1

    Maybe 30 years ago, it would be prudent to roll it out to home first, but today? I know people my parents' age, might still have a home phone (85 years old) although they don't, but it should go to mobile first. Why not? Because the mobile carriers make a ton of money off of calls, regardless where they come from.

    1. Re:Home users versus mobile users by Brett+Buck · · Score: 1

      I don't understand this at all - I am not 85, but I still have a phone, and it's the only thing that works reliably. I have had several cell phones, and even in Silicon Valley, they don't connect at my house reliably, they don't connect at my work (parking lot) reliably, they can't be used in the building at all (prohibited and shielded anyway), they don't work at any hotel I go to. I don't talk while driving, but when I check, they aren't connected when you are on the highway aside from populated areas. Basically, they seem to be more-or-less a stunt, or hit-or-miss proposition whether there is any signal.

      How can people use these things, they seem utterly unreliable.

    2. Re:Home users versus mobile users by JustAnotherOldGuy · · Score: 1

      Same here...I have a wired home phone for several reasons, including long-duration work- and tech-related calls.

      I can't recall the last time I got an actual legit call coming in on it, it's probably been years. The phone (2 lines, actually) are only about ~$10/month so it's not much of a cost.

      And I admit that I enjoy driving the phone scammers insane and wasting their time in all sorts of ways. It's fun and I always come away feeling refreshed at having ruined a scammer's morning or whatever.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    3. Re:Home users versus mobile users by satsuke · · Score: 1

      I work in telecommunications and can say without hesitation that there's very little new money in actual phone conversations.

      Have you noticed that even the bare bones $15 per month cellular plans are either unlimited calls, or have a large bucket of minutes assigned to them?

      The cost and profit is so low that it realistically costs more to generate an itemized bill than it does to nickel-and-dime people for service.

    4. Re:Home users versus mobile users by Gojira+Shipi-Taro · · Score: 1

      I no longer have a landline because for 5 straight years, the only calls that came to it were from scammers, telemarketers and similar filth. I asked myself "Why the fuck am I paying for this?" and I couldn't find an answer, so I got rid of the thing.

      Now I do live in a major metro area, and have great signal on my cell.

      Your other points about mobile not being reliable in places away from home don't exactly do much to sell the idea that landlines are still relevant. Unless you have one really fucking long cord.

      --
      "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked." ~ Donald J. Trump
  5. Re:And Google? by omnichad · · Score: 1

    Because this will probably *break* Google Voice or at least make calls show as unverified.

  6. "the one they are calling from" is a problem by raymorris · · Score: 1

    > will end up reaching a phone number other than the one the caller is actually calling from (if any).

    Your proposal will not work because: ...
    F) it relies on first solving the problem, then using the results to solve the problem

    The receiving end has no way of knowing which "number they are actually calling from", in general. In fact, there is no such thing as the number they are calling from.

    In the industry a phone number is called a DID number. DID stands for Direct INWARD Dial. The destination in need number is defined, the call can very well come from a phone that has no number. Consider a company with 1,000 employees, each with a phone on their desk. They need a few phone numbers (inward dial IDs) - tech support, billing, HR, and maybe a "main" number. So four phone numbers, 1,000 phones.

    1. Re:"the one they are calling from" is a problem by mark-t · · Score: 1

      The receiving end does have a way to know what the caller is *CLAIMING* to be calling from.... that's the number that the receiver does a reverse lookup on.

      Unless the number that they are spoofing is also controlled by the caller, a reverse lookup on a spoofed number would always fail.

  7. There's an app for that by SuperKendall · · Score: 1

    There are a number of apps that do indeed block spam calls from ringing through, two I use are Hiya and NoMoRobo.

    I have for a while been mulling over building a regex based one though as it would be lots simpler and probably more effective.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  8. There must be cost involved. by 140Mandak262Jamuna · · Score: 1

    If a call seems to be coming from Telco A to Telco B, A must authenticate and owe a small fee to B. And vice versa. If it does not cost any money or revenue, there is no incentive for Telco A to be vigilant or sincere in the authentication issue.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:There must be cost involved. by drinkypoo · · Score: 1

      If it does not cost any money or revenue, there is no incentive for Telco A to be vigilant or sincere in the authentication issue.

      They've made a reciprocal agreement. They both get the same thing out of it.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  9. digital signatures by hAckz0r · · Score: 2

    Wow. It's about time. It's been more than 3 years since I started writing online, everywhere I could, and telling every single service provider's support manager I talked to, that they should standardize this exact technology between all carriers. If all device connections into each telecom network were verified in a standard way, and exchanged during handover, this problem would have been solved years ago.

    The biggest problem is with the addition of VOIP, the spammers are able to put whatever they want into a database and thus spoof the number at the other end where it goes back into a telecom network. Enforcement of digital signatures for each device would fix the problem and with that the exchanged caller id, though much larger in size, would finally be useable for something. So, if you think blocking numbers is useful or effective, you are just wasting time. A blocklist is just blocking random phone numbers of honest people who are not actually calling you anyway.

  10. Lookup what? Home address by domain name? by raymorris · · Score: 1

    Let's explore your idea. Maybe there is a kernel of a possible idea there; perhaps you just don't know the terminology to express it clearly.

    What information, exactly, are you expecting to get from this reverse lookup? I take it the input is the CID (caller ID).

    Do you have some idea of what you plan to send this reverse lookup to?

    Here's some background information on how the phone system and CID works, using a real example I did for a Coca-Cola facility. Note, btw, that DIDs and bandwidth connections come from separate companies. Just like you can order a domain name from Verisign and an internet connection from Comcast.

    The facility needed to support 200 phones, 20 concurrent internal calls, and at least 10 concurrent calls in and out. So they ordered a PBX (private branch exchange) capable of meeting those requirements.

    They ordered bandwidth for incoming / outgoing. A T-1 supports 24 consecutive calls, so that was a good match for their needs. They shopped several local providers for their T-1.

    We made a list of how many DIDs (phone numbers) they'd need to list on the POTS, it was about 20. They ordered 20 DIDs.

    We configured the PBX to route each DID to the appropriate pool of stations. So for example if a supplier is calling, that's routed to a certain hunt group, job listings get a different DID and go to a different hunt group. The same phone may be in multiple hunt groups, with reception at the end of every hunt group.

    We also set an appropriate CID for each station. Note a station (phone) may be in multiple hunt groups, so it has many DIDs, or no hunt groups, so it has no DID. Therefore the DID and the CID cannot possibly match. For one or two stations, the best CID may be Atlanta headquarters, which is served by a different set of companies.

    When Coke makes an outgoing call, their PBX sends a CID to the company they bought their T-1 from. Note this isn't the same company they bought their DIDs from. Their T-1 provider includes this DID when they route the call to a regional POTS provider. The regional provider knows that the CID was provided by the T-1 provider and nothing more. They have no way of knowing how I chose the DID or if the local provider changed it. The regional provider hands it to a national backbone, and potentially an international one. Then one of the backbones hands it to Cricket, who sends it to you. Cricket doesn't have any way of knowing which provider added that CID, much less if it's "right" for some arbitrary definition of "right".

  11. No extra charge to solve the problem they cause? by shess · · Score: 1

    It's embarrassing that we're in 2019 and we can't authenticate callers. I think it's amazing that we haven't seen some massive DoS type attack because phone providers just trust each other like "Well, you're in the club, you must be legit". So now they're going to solve the problem which is caused by their inadequate system, and do it free of charge? WTF?

    Maybe instead there should be a tax on every call which is NOT end-to-end authenticated, and then let the free market take care of things.

  12. Re:Lookup what? Home address by domain name? by mark-t · · Score: 1

    Do you have some idea of what you plan to send this reverse lookup to?

    Yes... the number. Essentially, you basically would be making a kind of special "call" to this number from your own phone, effectively performing a reverse lookup that is completely independent of the incoming phone call. This special call wouldn't be identical to a regular phone call, more resembling a "ping", to use tcp/ip terminology, but the idea would be that a phone line that wasn't actually calling you at the time wouldn't even try to respond to this sort of ping, thereby effectively notifying you through a lack of response that a spoofed # is not where the caller is really calling from.

    The route that this special kind of call that effectively does a reverse lookup would take cannot be controlled by the original caller, so the caller has no practical way to spoof an arbitrary phone number unless the number they pretend to be from is not only a real one that the recipient has the ability to actually call back, but also a number that is directly controlled by the caller as much as they control their own real phone line.

    There would have to be some additional work to allow legitimate spoofing, such as showing only the main office number on any outgoing call for a company, even from a direct dial phone anywhere in the building, but since this spoofed number is one that would be directly controlled by the company, the general principle still works.

    How I imagine it would work is as follows: The dialout line tells the main line that it is making a call to XYZ, and to act as a proxy for the reverse lookup request from XYZ when it happens. The main line verifies the number that the dialout line claims to be from using the same reverse-lookup protocol that the receiver would use, and if verified as an authentic number that it can proxy for, it would know to be a proxy for that phone call for a brief period... creating a temporary proxy entry in its cache so that it can authenticate a reverse lookup when it happens, and deleting the proxy entry after a short time (maybe 15 to 30 seconds or so, which should be plenty of time for a reverse lookup to happen) so that memory resources are not needlessly wasted.

  13. Thanks for the explanation. Answer 1 and 10, then by raymorris · · Score: 1

    Thanks for the explanation.

    You propose to replace the existing world wide phone network with new protocol.

    https://craphound.com/spamsolu...

    1, 10, 2 & 9 & 10, none, 1

  14. Re:Lookup what? Home address by domain name? by Sique · · Score: 1

    The main problem is that a phone number from a technical point of view doesn't indicate a specified station (the name Caller ID is somewhat misleading). It's a route. It gives the network the information how to route a call. Incoming and outgoing route don't have to be the same for the caller ID to be legitimate. As I install phone switches for a living, I know the setup of several companies, and many of them bought PSTN connectivity from several providers, which means that they have several trunk numbers, that are all routed to the same phone switch. Outgoing calls always get the caller ID of the primary trunk, independent of the trunk the call is actually leaving the company. The outgoing trunks are chosen by rate: The trunk that currently offers the best rate for the called number gets used, and if that trunk is full, the next cheapest is used. In the same way, the primary trunk is used for incoming calls, but if it's full, the other trunks are overflow destinations. This setup also provides for redundancy. If one trunk fails, another can be used, and the called party still sees the same caller ID, independent of the route the call actually takes.

    With this setup, there is almost a guarantee, that an outgoing call and an incoming call will have different routes, even if the stations at the end of both connections will be the same.

    It gets even more confusing in other countries. In Austria for instance, any entity can get a number starting with 5 (four to six digits long), which acts like a separate area code reserved for this company. Calls to a 5xxx number are always considered local calls, and the difference to the rate of the actual call has to be paid by the owner of the 5xxx number. On the other hand, an owner of a trunk can have extensions of arbitrary length, it's not necessary to buy DIDs or similar, as long as the total E.164 number is not longer than 15 digits. One of my customers for instance has the extensions -5 and -6 for the call centers, but three digits extension for fixed stations and five digits extensions for internal mobile (DECT) phones. The caller IDs the customer sends to the PSTN thus have lengths between 8 and 12 digits (something totally impossible in the U.S. and Canada, where a phone number always has to have 10 digits, with 3 digits for the area code and either three digits for the local code and four digits for the extension, or seven digits for the subscriber number).

    Phone providers in Austria offer online tools to their customers where they can define the routes for their trunks, define overflow destinations or caller ID rewrites, so incoming calls to their locations are routed to the right trunks. Especially if you have a 5xxx number, you can finely tune the actual trunks used for calls to your central 5xxx, depending for instance on the origin of the call, or on patterns in the extension numbers or both.

    And the owner of the 5xxx number can have several independent local phone switches in the respective locations, and all of them will use the same 5xxx caller ID (plus extension), and in each case this is legitimate. But your scheme would still fail, as the phone switch at location L, where the call went out, is independent for instance of the phone switch at location C, where the call center is located, and where all incoming calls are routed to. Any "call back" feature you imagine would be answered by the switch C which has no information about the call from switch L -- and still the caller ID switch L is providing is totally legitimate.

    --
    .sig: Sique *sigh*
  15. Re:And Google? by omnichad · · Score: 1

    Because they spoof numbers outside of their network.

    You'll note that this new system doesn't mention anything about verifying the caller ID data being sent by the call originator, it only mentions verifying the networks the call traverses.

    No, this article doesn't mention it. AT&T's own press release does.
    https://about.att.com/story/20...

  16. Re:Thanks for the explanation. Answer 1 and 10, th by mark-t · · Score: 1

    No, I'm pretty sure that backward compatibility could be retained while it is being rolled out.

    Caller ID didn't work either until at least the source and destination exchanges had been updated, but phone calls continued to work normally.

  17. Point of fact: can still use a 1980 phone by raymorris · · Score: 1

    As a factual point, you can actually still use a 1980 phone, to either make or receive calls. I still have a box of 1980s phone equipment that still works fine. Just because you have caller ID capability does NOT require me to update my stations, my PBX, or anything else in order to call you. You just won't get a caller ID frame if I don't send one, so on your end it will show up as "unknown".

  18. PS you may use non-caller Id capable by raymorris · · Score: 1

    PS if by chance you do network or server admin, you may have a modem you can dial to work on the equipment. (You can't use the network to connect to a router that is down.) If you've ever done that, you've probably used telephone equipment that isn't caller ID capable. Many modems aren't.

    The point being - they don't have to be. Caller ID does not and did not require everyone around the world to simultaneously replace everything.

    Thanks for the idea, though. We'll put it in the file.

  19. Re:Wonderful but I already know when a call is spa by Gojira+Shipi-Taro · · Score: 1

    This is why I love the Do Not Disturb mode in Android Pie (9.0). You can tell it things in great detail like "Don't ring or show a text unless the call is from someone on my contacts (or even a subset)"

    It makes all the call block apps that were necessary the past couple years completely unnecessary. I'm sure if I was in Sales or had some other reason to have to answer calls from numbers I don't know it would suck, but I identified early on in my career all the reasons I was NOT EVER going into sales.

    --
    "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked." ~ Donald J. Trump
  20. Re:And Google? by Gojira+Shipi-Taro · · Score: 1

    Fortunately, I only use Google Voice as the recipient of my voicemail, which lets me do things like having separate responses for separate call groups (such as the "This number is no longer in service" message that telemarketers et al. get.)

    --
    "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked." ~ Donald J. Trump
  21. To clarify by raymorris · · Score: 2

    To clarify, if I'm understanding your proposal correctly:

    In order to make a call and not have it show up as suspicious, the caller would need to both switch their service to handle incoming calls while an outgoing call is ringing, and upgrade their equipment.

    The receiving station would otherwise show the call as suspicious. Therefore, upon initial rollout by a station manufacturer, almost all calls would show as suspicious.

    Is that correct?

    Assuming that's correct, people would quickly learn that all calls they receive show as suspicious. They would stop using it within a week. Callers would have no reason to implement it, given that callees ignore it.

    The only way it would work would be if the whole world pretty much switched over all at once, everyone gets new phones, etc. Experience shows such ideas have not worked.

    Btw, if you're going to require a "everyone switch this week", we have PKI, so there is no need for a callback. All callers could simply send their signed certificate, which all callees would use to authenticate the call.

    We've tried for nearly twenty years to get people to upgrade to IPv6. Even given that IPv4 requires goofy hacks, and there are no more IPv4 addresses to issue, people haven't switched to IPv6 - even with strong reasons for both sides to do so.

    You need a system where it makes sense for either most callers or most callees to switch, before the other end has done so.

    1. Re:To clarify by mark-t · · Score: 1

      Therefore, upon initial rollout by a station manufacturer, almost all calls would show as suspicious.

      Kind of like Caller ID itself when it was first being rolled out flagged most incoming calls as "unknown", or "no caller info sent".

  22. No, because it didn't require most callers to chan by raymorris · · Score: 1

    Caller ID didn't require most callers to get a second line, so no, most calls showed the number.

    But let's pretend it had. In every other case, it would show the caller's number - useful information.

    A call-back system could only flag an incoming call as suspicious (after the third ring). Before it is widely adopted, it would flag all calls as suspicious.

    If you're going to introduce a new protocol and get everyone to start using it, a certificate works after the first ring, rather than the third.

    Again, thanks for the idea.

  23. Re:No, because it didn't require most callers to c by mark-t · · Score: 1

    Caller ID didn't require most callers to get a second line, so no, most calls showed the number.

    No... most calls did not show the number... the separate call display unit I had at the time either said "unknown" or "no caller info sent", with the area where the phone number itself would appear on the device being blank. Other times, when the number did show up, in the text area for the display, it only showed the city and province or state that the caller was calling from, and not the caller's actual name. I actually don't remember how long this was the case, but it did it for long enough that even over 20 years later, I still don't pay as much attention to the name that is associated with a number in the caller ID info as I do to the actual number that shows up. Partial info was still moderately useful in the early days of caller ID even without the full name of the caller because the people who made the most use of it still knew the people's phone numbers for their friends and family, and unrecognized phone numbers were just that, unrecognized.

    If you're going to introduce a new protocol and get everyone to start using it, a certificate works after the first ring, rather than the third.

    Why do you figure it would take until after the third ring? I'd imagine that this only would add one more ring to the delay for the info, at most. Secondly, even if you answer right after the first ring, before you've got the complete story, that shouldn't stop you from receiving the lookup info that you asked for as soon as you received the call, if it was available. Finally, as technology improved, I'd imagine that the delay before getting the lookup info back would get shorter and shorter, eventually becoming as unnoticeable as the fact that when your phone now first starts to ring, full CID info is shown as soon as it starts to ring... you don't have to wait for the first ring to finish like you used to.

  24. Stop "allowing" spoofing, Switch it off. by SCUBA+Instructor · · Score: 1

    > ...an exchange of authenticated calls between two separate providers ...

    What about scam calls made _WITHIN_ AT&T or Comcast? Are they going to be screened or not? Scammers have so much power (as in admin rights), they can switch their calls thru any switch. Easy fix. Given that AT&T and Comcast, _ALLOW_ callerID spoofing. Scammers have total control over their victim's caller ID display. The fix is to _DISALLOW_ spoofing. Switch it off.

  25. That's enhanced caller ID by raymorris · · Score: 1

    Name and area is enhanced caller ID, a separate protocol launched several years later. The additional information is fetched via Analog Display Services Interface. It has a lookup delay and is subject to DIP fraud. Anyway that's a different topic than caller ID, which sends the phone number.

    > Why do you figure it would take until after the third ring?

    The first ring "wakes up" the receiving station. It is then ready to receive the 1500 baud, 450ms FSK caller ID frame. In your proposal, it would then call back that number. After the first ring of the second call (second ring of the first call), it could send the "did you call me?" query. Then it would await the response coming back.

    > as technology improved, I'd imagine that the delay before getting the lookup info back would get shorter and shorter

    There are 10 billion phones, which all have to interoperate. Any phone can call any other phone. For that reason, POTS ring protocol doesn't slowly improve. It doesn't gradually change. That's what you seem to be missing. It's not like Facebook Messenger, where a company can decide to switch up the protocol. The last major change was over 50 years ago, in the 1960s, when we started introducing touch tone dialing. It took 20 years after that to get rid of pulse dialing.

  26. Also don't forget the logic error by raymorris · · Score: 4, Informative

    Btw before even trying to figure out a technical protocol, don't forget you need to fix the logic. A station is not a DID and a DID is not a station. It *may* be that your station (phone) has a phone number, only one phone number, and you never use call forwarding, and no other phone uses that number. Those things might be true for you today, but those are absolutely not rules in the phone system. Some people DO have call forwarding, and a lot more.

    It's a lot like the name Google.com - that does NOT identify a particular server. A dialed number doesn't identify a particular phone any more than Google.com identifies a particular computer. There are many buildings full of servers, and any request for Google.com will use several randomly selected servers from among thousands.

    For example, I volunteer to receive calls for a crisis hotline which gets a few calls per month. The person in need of help calls the crisis number. They know which service they are trying to reach. They have no idea which phones will ring, and they don't care. They are asking for a service (1-800-help), not for a specific device (an IMEI or other station ID).

    I'm not always able to answer the phone of course, so the crisis line doesn't just forward the call to my mobile phone. It rings my phone, and while it's ringing my phone if I don't answer within 10 seconds it starts also ringing another volunteer, ten seconds later it adds a third, etc, until someone both answers and presses 1 to accept the call.

    Now suppose my phone were to call the person back, asking "did you call Ray's phone?" Their phone has no idea whether they called my phone or not! They called 1-800-help, not "Ray's LG phone, the one he just bought". Their phone has no way of answering that question.

    The number you dial doesn't identify a device. "Did you call Ray's mobile" isn't an answerable question.

    Similarly, if I miss a call that rings my mobile, I don't know if the caller was calling the crisis line, my business number, or my personal number. Any of those three numbers, identifying three different services, might ring the same device.

    So get it out of your head that there is some fixed relationship between a phone and a number that someone can call. There isn't.

    1. Re:Also don't forget the logic error by mark-t · · Score: 1

      > Now suppose my phone were to call the person back, asking "did you call Ray's phone?"

      They don't ask "did you call Ray's phone", they ask "did you call 1-800-help", and it may be able to do this even before it finished forwarding the incoming call to the -800 number to your phone.

    2. Re:Also don't forget the logic error by mark-t · · Score: 1

      Er... no, your phone would ask did the other phone call 1-800 help, not the service that provides the number... I just realized that wouldn't work at all, because the 1-800 help exchange is not physically connected to your phone.

      That would mean that the caller has to give you the number it is calling in addition to its own CID info, and then you, as a recognized user of the 1-800 help number, would be able to authenticate the call against one that the 1-800 help number really did forward to you by asking them (which they should know since they just forwarded the call to you), and you would only do this since the 1-800 line is not your actual phone number.

    3. Re:Also don't forget the logic error by raymorris · · Score: 1

      > and you would only do this since the 1-800 line is not your actual phone number.

      Which of the four numbers that may ring my phone is my "real" number, in your opinion?

      Again, there is no fixed mapping between DIDs and stations. When you first start thinking about phones, if you've never used anything more complex than the default Cricket setup it's easy to start off thinking that way, but that way lies madness. You will drive yourself crazy trying to decide which DID is the "real" or "first" DID for a station, or what is the "default" station for a given DID. You'll really go crazy when you realize I have DIDs that can never reach a station, and DIDs which normally don't end at a station. I have nearly the simplest PBX there is, Coca-Cola's is far more complex, yet even I have DIDs without stations.

      After driving yourself insane trying to map them to some sort of "first DID" and "default station", you'll next realize that was all for naught, because the other DIDs and other stations also have to work. You can't make it work only for the "default station", which doesn't exist anyway.

      Again, DIDs and stations are orthogonal concepts.

    4. Re:Also don't forget the logic error by mark-t · · Score: 1

      Example, a person at phone number X calls 1-800-help, which forwards to phone number Y. Phone number Y queries X to ask if it is currently calling 1-800-help, the number that was supposedly originally dialled at X. The answer is yes, so the number shows up as valid.

      If X spoofs, the callback query from Y doesn't end up going to X, and so X has no control over whether the response is going to succeed or fail.
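
The callback check argued over in this sub-thread, as an added example that is not part of any comment: a toy Python model in which the receiving station asks whoever really holds the claimed caller ID either "did you call this station?" or "are you calling the dialed number?". The phone numbers, the class and function names, and the assumption that the dialed number travels with the caller ID are constructed for illustration.

```python
# Toy model of the callback check debated in this thread (constructed data).
from dataclasses import dataclass
from typing import Optional

@dataclass
class Phone:
    number: str                     # number at which callbacks reach this phone
    dialing: Optional[str] = None   # what this phone is dialing right now

    def are_you_calling(self, target: str) -> bool:
        # A phone knows the number it dialed, not which station ended up ringing.
        return self.dialing == target

class Network:
    def __init__(self):
        self.owner = {}   # number -> Phone that a callback to it really reaches
        self.did = {}     # DID -> station numbers it may ring (hunt group)

    def add_phone(self, number: str) -> Phone:
        self.owner[number] = Phone(number)
        return self.owner[number]

    def callback(self, claimed_cid: str, target: str) -> bool:
        # The query is routed by the network, so it lands on whoever really
        # holds claimed_cid, never on a caller that merely asserted it.
        phone = self.owner.get(claimed_cid)
        return phone is not None and phone.are_you_calling(target)

def simulate(spoof: bool) -> dict:
    net = Network()
    borrowed = net.add_phone("555-0100")   # number a spoofed call would claim
    caller = net.add_phone("555-0111")     # phone that actually places the call
    net.add_phone("555-0122")              # a volunteer's station
    net.did["1-800-help"] = ["555-0122", "555-0133"]
    caller.dialing = "1-800-help"
    # Assumption: the dialed DID is delivered to the station with the caller ID.
    cid = borrowed.number if spoof else caller.number
    station = net.did["1-800-help"][0]
    return {
        "asked_about_station": net.callback(cid, station),
        "asked_about_did": net.callback(cid, "1-800-help"),
    }

if __name__ == "__main__":
    print("genuine:", simulate(spoof=False))
    print("spoofed:", simulate(spoof=True))
```

Asking about the station fails even for the genuine caller, because the caller only ever dialed the DID; asking about the DID separates the two cases only because the query is routed to the real holder of the claimed number.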