Slashdot Mirror


T-Mobile, Comcast Turn on Call Verification Between Networks in Latest Robocall Fight (usatoday.com)

pgmrdlm shares a report: Calls between T-Mobile users and Comcast's Xfinity Voice home subscribers will now be "verified," the latest move in the ongoing fight against robocalls. The two companies announced Wednesday that they have launched cross-network verification, allowing users to know that the calls they are receiving are from an actual person and not a spammer or robocaller.

They use a handoff system recommended by the FCC where the caller's network verifies that a legitimate call is being made with a "digital signature." The recipient's network then confirms the signature on its side. A number of major wireless and traditional home voice providers have pledged support for the verification method, including Verizon, AT&T, Sprint, Charter, Cox and Vonage, with several announcing plans to roll out or test the feature in 2019.

58 comments

  1. took them long enough by Anonymous Coward · · Score: 3, Insightful

    This seems like something that should have been done...forever?

    1. Re:took them long enough by Anonymous Coward · · Score: 1

      Except what constitutes a "legitimate call?" All it would take for this to be rendered ineffective is an agreement that certain calls be considered "legitimate."

      Plus who verifies these signatures? It's completely useless to the public if it's just between the companies involved behind closed doors. Hell it may not even exist, and be just yet another PR stunt so they can still claim they are "improving" their infrastructure and get more money from their subscribers / taxpayers.

      Yet more proof that slapping a chain of trust on something does not make said thing actually secure. Context is important and far too often those who have the greatest need for security are completely out of scope for the design of the security being implemented.

    2. Re:took them long enough by XXongo · · Score: 2
      You know, yes, you can come up with problems, but the existing system has totally failed due to robocalls spoofing phone numbers.

      Pretty much all my friends now tell me that they never answer their phone unless the calling number is on their contacts list, simply because the number of fake calls so outnumbers the real calls that it's worth the fact that sometimes you miss calls from somebody who actually does need to get hold of you.

      (but... I did manage to keep the Microsoft repair guy, who cold called me at about 2:30 today, on the phone for 17 minutes. I think that's a record for me.)

    3. Re:took them long enough by dj245 · · Score: 1

      > You know, yes, you can come up with problems, but the existing system has totally failed due to robocalls spoofing phone numbers.
      >
      > Pretty much all my friends now tell me that they never answer their phone unless the calling number is on their contacts list, simply because the number of fake calls so outnumbers the real calls that it's worth the fact that sometimes you miss calls from somebody who actually does need to get hold of you.
      >
      > (but... I did manage to keep the Microsoft repair guy, who cold called me at about 2:30 today, on the phone for 17 minutes. I think that's a record for me.)

      It's not that difficult for me. I have a Wisconsin area code but live in Texas. I don't know anyone in Wisconsin anymore so any Wisconsin area code calling me might as well be screaming "I am definitely a robocall!"

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  2. Much ado about nothing? by Lab+Rat+Jason · · Score: 5, Interesting

    How many robocalls were transiting between these two networks? Personally, I'd prefer if Verizon would simply verify calls that were supposedly coming from their OWN network.

    --
    Which has more power: the hammer, or the anvil?
    1. Re:Much ado about nothing? by 110010001000 · · Score: 1

      Exactly. Also, does every network need to add call verification between each network separately? This will take forever. The spammers will just use a network that doesn't have call verification setup.

    2. Re:Much ado about nothing? by Anonymous Coward · · Score: 1

      I suspect it has nothing to do with calls being made from the networks, rather it's about explicitly marking calls as verified. As they prove the system works, they can increase the scope of the effort so that it verifies calls between all of the major networks.

      Until, one day, you'll be able to reasonably assume any call that lacks the "verified" tag is a robocall and autoblock it.

    3. Re:Much ado about nothing? by Anonymous Coward · · Score: 0

      The trust systems that were built against spam are slowly being assembled here.

      If I could just disable receipt of international calls then most of the headache goes away. The ones originating in the US can either fall to the trust system or some agents will come take the bad men away.

    4. Re:Much ado about nothing? by LostMyAccount · · Score: 1

      They already *know* which numbers belong to which networks, it's a necessary database that allows number portability so when someone calls a number they know which destination network to switch the call to.

      All they need to do is use this database in reverse on calls entering their network to see if the ANI info for the call matches the network it's *supposed* to be coming from.

      If ANI on an incoming call says it belongs to the ATT network but its entering from some carrier other than ATT, then it should be dropped as spoofed.

      Carriers don't want to do this because they like selling trunks to low-rent VoIP providers who in turn will sell capacity to anyone with a credit card number.

    5. Re:Much ado about nothing? by dissy · · Score: 2

      > Also, does every network need to add call verification between each network separately?

      Of course not.
      Networks can choose to send verification certificates or not.
      Your phone, eventually, will gain the ability to see if the originating network sent a certificate or not.
      Your phone - ok, hopefully - should eventually gain the ability to act on that information.

      > This will take forever. The spammers will just use a network that doesn't have call verification setup.

      Apple and Google both have stated they will be implementing the shaken/stir protocols in their OSes.
      For Apple and Google made or stock Android using phones, which they claimed last month would be within a year.

      After that you can choose what to do with unverified calls, very likely with the same options as for the caller ID "private" bit, or when no caller ID is sent usually called "unknown"

      If it takes any longer, that would likely be the fault of your carrier not pushing an android update, or having an old un-updatable phone.

      Just keep in mind this particular verification only works with IP based calls, such as cell phones, voip, and carriers utilizing fiber/docsis cable.
      TDM carried calls can't even support this verification protocol, so if you block instead of flag, that will be all of the world's landlines in one swath.

    6. Re:Much ado about nothing? by Anonymous Coward · · Score: 0

      Likely none of them, they are probably coming from some unheard of Voip provider from India. Pretty much the only way to stop these robo calls is to block all incoming calls that are not authenticated by this method.

    7. Re:Much ado about nothing? by nitehawk214 · · Score: 1

      Sounds like a good plan to me.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    8. Re:Much ado about nothing? by kingbilly · · Score: 1

      > The spammers will just use a network that doesn't have call verification setup.

      Ideally, software will evolve to let us 100% ignore calls from networks that don't have call verification setup. Just like you can choose to only allow mail into your system that passes DMARC. It doesn't require everyone have DMARC setup for it to be useful. What makes you think this has to be 100% participation to become effective? I don't you didn't come out and say that outright, but can see that is where you are going with that.


      If you aren't familiar with DMARC, check it out. Pretty good stuff. It is basically the analogous setup for email. Raises the bar even though the spammers don't participate in it.

    9. Re:Much ado about nothing? by Anonymous Coward · · Score: 1

      They do not want to do this because the carrier makes money from terminating calls, no matter where they come from. If they only accept calls where the caller-id matches the ANI and where they validate that the incoming call is coming from the network owning the calling number, then they will lose money (by not terminating the call). Therefore there is no interest on behalf of any carrier to ensure the validity of the call.

      This is just snake oil designed for theatrical purposes that will actually do nothing whatsoever.

    10. Re:Much ado about nothing? by Anonymous Coward · · Score: 0

      I would like the option to have a voice-generated 3 digit random number presented to the caller in the following message:

      Please enter the following number on your keypad to prove that you are human. If you do not respond to this request within 10 seconds you will automatically be forwarded to law enforcement. Please enter five hundred thirty four on your keypad. BEEP.

      If the correct number is entered within 10 seconds of the BEEP the call is allowed to complete (ring my phone). If the number is not entered within 10 seconds the call is routed to 911.

    11. Re: Much ado about nothing? by Anonymous Coward · · Score: 0

      It's worse than that. The robocallers make money just by getting the caller ID displayed even if nobody answers. And in some cases they hope you don't as it's cheaper.

    12. Re:Much ado about nothing? by Anonymous Coward · · Score: 0

      One of the issues we've had with spam protection is that it required a significant number of different parties to implement the measures in order to be effective. Things like DKIM had issues due to the lack of support. If one server did it, then it didn't really do anything, but if everybody did it, then it would largely solve spam as you could discard anything not using the set up.

      This is the same sort of thing. It doesn't solve the problem per se, but it should help tie the calls back to some party that can be blocked or subjected to sanctions. Preferably with extreme prejudice.

    13. Re:Much ado about nothing? by Anonymous Coward · · Score: 0

      LOL, some broke and butthurt loser modded you down. Or maybe it was one of those Indian IRS/Microsoft phone scammers.

    14. Re:Much ado about nothing? by FictionPimp · · Score: 1

      Of course there is a much easier fix. A simple option to send all callers not in my contact list directly to voice mail. I don't need to talk to strangers. I've made this happen with a 'hack'. I have a blank ring tone that is my default, each contact list user has a real ring tone. I might get a half dozen spam calls a day, but I never notice.

  3. Too Little Too Late by Anonymous Coward · · Score: 0

    I've pretty much learned to live without answering my phone at all now...as have so many other people. Phone is dying. It'll be a long slow death for sure, but this whole unmitigated explosion of spam calls is just speeding it along.

  4. What about the small carriers ? by psergiu · · Score: 4, Insightful

    What if the large carriers all implement FCC's SHAKEN/STIR between them but then refuse to do the same thing for all the small carriers ?
    Then start marking all non-verified calls as SPAM ?
    Don't say it could not happen.

    --
    1% APY, No fees, Online Bank https://captl1.co/2uIErYq Don't let your $$$ sit in a no-interest acct.
    1. Re:What about the small carriers ? by SuperKendall · · Score: 1

      It wouldn't identify them as spam, it just wouldn't say they were verified (as this new T-Mobile link up appears to do).

      T-Mobile does also identify scam callers in some cases, but it uses a variety of techniques to do that (and a master list updated every six minutes), so it also would not arbitrarily mark all calls from a small carrier as spam.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
  5. An easier, proven solution: by Anonymous Coward · · Score: 0

    Germany has made it illegal, for anybody but private people to call or mail somebody that you don't already currently have business with.
    (E.g. politicians count as businesses.)

    Combined with other data protection laws, that also means nobody contacting you in the name of somebody else.

    Since that makes contacting somebody and making money off of them mutually exclusive, we simply don't have a robocall problem.

    I wonder if we also have some form of verification for caller phone numbers. ... Given that we only had state-based telecom services (now privatized as Telekom, owner of US T-Mobile), until the 90s, it's highly likely.

    1. Re:An easier, proven solution: by Anonymous Coward · · Score: 0

      > Germany has made it illegal, for anybody but private people to call or mail somebody that you don't already currently have business with.

      The US already has the Do not call list thing and the things you state also apply in the US. It simply doesn't work. Not when people are making robocalls with spoofed ANIs.

  6. Please Report All US Scams to the FBI by BrendaEM · · Score: 2

    We also need to make our politicians be tougher on robocalls.

    --
    https://www.youtube.com/c/BrendaEM
    1. Re:Please Report All US Scams to the FBI by Anonymous Coward · · Score: 0

      I got an IRS scam a while back during the government shutdown. So, I was unable to report it. Also, they (the feds) wanted a bunch of my personal info as well. And I wasn't comfortable with that.

  7. US-/nerd-centric world view. by Anonymous Coward · · Score: 0

    Normal people without traumata or anxiety illnesses, always prefer to talk in person. Since people generally have a harder time being cowardly psychopaths when having to look somebody in the eyes, and risk getting their assey kicked.
    And if that is not possible, a phone call is the next best thing. Including a voice mailbox for asynchronicity.
    Everything else is only for emergencies, way too crippled and causes miscommunication and loss of the ability to empathize.

    1. Re:US-/nerd-centric world view. by Anonymous Coward · · Score: 0

      No...I'm not any of those things that you're assuming I am (which says more about you than me).

      I talk to people and will call them if I need to (especially businesses), but usually that's not the best way to get ahold of anyone anymore. But I don't answer the phone. 9 times out of 10 it's not someone I want to talk to (IRS scammer, Microsoft scammer, medicare scammer, roof repair in my neighborhood, the local dealership trying to get me into a new vehicle, someone who wants to sell my house for me even though I'm not selling my house, etc.) so that 1 in 10 can leave a voicemail or send an email. I just don't talk to people on the phone much anymore. If I need to talk to someone and it's not urgent or I know I'm going to see them later, it can wait until then.

    2. Re:US-/nerd-centric world view. by Anonymous Coward · · Score: 0

      What about people who work in call centers who talk on the phone all day and don't want to when they get off from work?

  8. Too easy to get access? by ruddk · · Score: 1

    It seems like that if robocalls are a problem, it is too easy to get access to the phone network without anyone to hold accountable?

    Also, it seems like a phone number is becoming more and more irrelevant these days. It's more like a node number, an IP address for your device. :D

    1. Re:Too easy to get access? by Anonymous Coward · · Score: 0

      I got a call from "Microsoft" a few days ago, and the caller ID was listing my own phone number. All I could think was, "Well, that took long enough."

    2. Re:Too easy to get access? by ruddk · · Score: 1

      I had someone from SUSE, Sweden calling me. Didn't answer the first two times because they had inserted my own number as the one calling, so I didn't bother answering. The third time I answered and suggested that it wasn't really a good method to build trust when trying to sell me something.

  9. Wouldn't help much for me in Canada by Anonymous Coward · · Score: 0

    95% of the robocalls I get are in Chinese (always the same message, never the same number), 4% had a heavy Indian accent and the last 1% is fraud related, like someone claiming to be from CRA or a mortgage or some other crap.

  10. A bit more complicated. Cincinnati Bell & AWS by raymorris · · Score: 1

    > so when someone calls a number they know which destination network to switch the call to

    Yes, and TO is the operative word. A phone number is technically known as a DID number - Direct Inward Dial. A DID (phone number) indicates which service (not station aka phone) a call is being placed to. There is no such thing as a DOD, Direct Outward Dial number. Consider this very simple case:

    You are logging in to your bank web site, Second National Bank.com. Your bank doesn't suck, so it has multifactor communication. The web server triggers a call to your registered phone number. The logical caller ID of the call would be the bank's customer service or security phone number, a number you can call back.

    The call is coming from a server in one of four data centers the bank has, based on a web request. You're not going to have customer service reps in the datacenter. Customer service reps are in a different state, with a different regional phone company. The call is coming from the bank's rack in a Level 3 data center, or maybe their servers are in AWS. In any event, they aren't likely to be in the same place as the customer service department.

    Customer service gets their phone service from Cincinnati Bell. The servers are in AWS Oregon and Virginia.

    A call comes FROM a station, it doesn't come from a DID. The networks used to call into a company (Cincinnati Bell in this case) are very often not the networks they use for all of their communications. Even my three-person company had two separate service providers for DIDs (numbers) and bandwidth (used for outgoing calls).

  11. So it's possible to detect callerid spoofing? by Locke2005 · · Score: 1

    The FCC should step up and make this MANDATORY!

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
    1. Re:So it's possible to detect callerid spoofing? by Anonymous Coward · · Score: 0

      I'm guessing this is related to why calls to Google Voice numbers recently started showing "Unknown" callerID (with no name or number) on T-Mobile.

      Google "spoofs" the callerID to show the originating caller's callerID when they forward the call to your mobile number.

    2. Re: So it's possible to detect callerid spoofing? by Anonymous Coward · · Score: 0

      I don't know why the FCC simply doesn't mandate that all trunk providers restrict the outbound DIDs to those owned by the subscriber.

      If you're on a trunk that isn't pure analog it is necessary to set the outbound DID if the channels being used for an outbound call are pooled. That way the cid the called party gets matches the extension being called from. There really isn't any other way to do it because once you get over a certain size you are not buying individual lines for individual users.

      The headend can reject calls with outbound cid that doesn't match the subscriber's pool of numbers.

      The functionality already exists, it's just not typically implemented. It's been around since at least the early 2000s and probably longer.

      The mainstay of the problem users are using sip trunks on providers that allow outbound spoofing. It is possible to turn this off.

    3. Re: So it's possible to detect callerid spoofing? by Locke2005 · · Score: 1

      They probably get the majority of their revenue from scammers spoofing caller ids, so they have no real incentive to disable it, do they? That's why I'm suggesting the government needs to get involved, and fine every provider that allows this so heavily they go out of business. Not sure how that affects calls originating from outside the country though -- can't they still use any caller id they want?

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
  12. Re:A bit more complicated. Cincinnati Bell & A by nitehawk214 · · Score: 2

    Then don't fucking spoof your own customer service number into the call.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  13. What inward dial number would you prefer? by raymorris · · Score: 1

    What direct inward dial number would you prefer?
    Web servers don't take incoming phone calls, they take incoming web requests; they don't have DIDs, they have names like www27.1stbank.com

  14. Re:A bit more complicated. Cincinnati Bell & A by kingbilly · · Score: 1

    Interesting, the DID vs DOD information. Is email in this same boat? I've always wondered why phone spam couldn't be fixed with a hybrid of things that resemble DMARC for email, and Autonomous systems for networks.

  15. Email has a from, though both are services, not by raymorris · · Score: 1

    Email has from and to addresses, in the envelope as well as the headers. So it doesn't have the same issue in terms of fundamental logic. Emails come from some address, phone calls don't come from a "phone number" (DID). So that's a fundamental difference.

    Note that like the phone system, email addresses can be something like customerservice@acme.com - a role or service, NOT a device, and certainly not a person.

    So you can't identify a particular device as customerservice@acme.com, and similarly you can't say a certain phone is 979-580-6540.

    On my phone, I can check three different email addresses. I can also check the same email from my laptop. So we recognize that an email address doesn't identify a device.

    What some people don't realize is that my phone I'm typing on right now can be reached from three different numbers, and one of those numbers can also be answered from a different device. My phone isn't identified by a phone number any more than it's identified by an email address.

    For PRACTICAL purposes, some of the same issues apply. An email from your bank doesn't necessarily come from the same place they answer emails. Consider password reset for the web site. The web server can send email, it can't receive email. So you can't verify the From by reversing the route.

    Email has mechanisms such as SPF to verify the From address. Phone has no such mechanism and can't because fundamentally there is no from phone number. You'd need to switch the world's 10 billion phones to a different protocol in order to introduce a "station from" or "service from" identifier.

    1. Re:Email has a from, though both are services, not by Anonymous Coward · · Score: 0

      E-mail and telephone (with SIP) have essentially identical guarantees about "From". An email does not come from anywhere either -- the from field in an email is informative only and has no impact on routing (I think it may even be optional in the standard). Instead, an email appears on a mail server somewhere and is relayed to its destination by a series of mail servers potentially unrelated to the sender.

      In SIP, there is also a "From" field that identically exists only for informational purposes -- like the email, you can set it to absolutely anything you like without affecting routing of your call. Just like an email, the only meaning of "From" is that it is displayed on the receiving user's device and, presumably, is how replies/callbacks are intended to be routed by the sender.

      The problem is thus completely identical. And the solution being employed here is largely identical, too: SHAKEN/STIR uses certificates on the outbound voice server to sign the message header, including the From address. This is identical in concept, and largely identical in implementation, to the DKIM system used for email. The issues are basically the same, as well, namely that you can't rely on it until 100% of servers implement it, which will take until the end of time, and it breaks some legitimate use cases involving forwarding or the example in the parent where you want to send mail/calls through a gateway with the return address/caller ID set to something unrelated to the gateway.
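
The signing scheme described in the comment above, sketched as an added example (not part of the thread and not any carrier's code): a simplified PASSporT-style token signed with ES256 on the originating side and checked on the terminating side. The key pair, phone numbers, certificate URL and 60-second freshness window are constructed assumptions; a real deployment fetches the signer's certificate from the `x5u` URL and validates its chain, which is omitted here.

```javascript
// Simplified SHAKEN/STIR-style sign and verify using Node's built-in crypto.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const MAX_AGE_SECONDS = 60; // assumed freshness window for the signed timestamp

// Constructed key pair standing in for the originating carrier's certificate key.
const carrierKey = generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Originating network: sign caller, callee, timestamp and attestation level.
function signPassport(privateKey, { orig, dest, attest, iat }) {
  const header = {
    alg: 'ES256', typ: 'passport', ppt: 'shaken',
    x5u: 'https://sti-cert.example.invalid/carrier.pem', // placeholder, never fetched here
  };
  const payload = { attest, dest: { tn: [dest] }, iat, orig: { tn: orig } };
  const signingInput = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  const sig = sign('sha256', Buffer.from(signingInput),
    { key: privateKey, dsaEncoding: 'ieee-p1363' }); // raw r||s, as JWS ES256 expects
  return `${signingInput}.${b64u(sig)}`;
}

// Terminating network: classify an incoming call.
//   'unverified' : no token at all (for example a TDM leg); not proof of spoofing
//   'failed'     : token present but invalid, stale, or bound to other numbers
//   'signed'     : valid token, but the signer did not vouch for the number (B or C)
//   'verified'   : valid token with full attestation (A)
function classifyCall(call, publicKey, now) {
  if (!call.identity) return 'unverified';
  try {
    const [h, p, s] = call.identity.split('.');
    const header = JSON.parse(Buffer.from(h, 'base64url'));
    const payload = JSON.parse(Buffer.from(p, 'base64url'));
    // Pin the algorithm; never let the token choose how it is verified.
    if (header.alg !== 'ES256') return 'failed';
    const ok = verify('sha256', Buffer.from(`${h}.${p}`),
      { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
    if (!ok) return 'failed';
    // The signature must cover the numbers actually presented on this call,
    // otherwise a valid token could be replayed with a different caller ID.
    if (payload.orig.tn !== call.from) return 'failed';
    if (!payload.dest.tn.includes(call.to)) return 'failed';
    if (Math.abs(now - payload.iat) > MAX_AGE_SECONDS) return 'failed';
    return payload.attest === 'A' ? 'verified' : 'signed';
  } catch {
    return 'failed'; // malformed token
  }
}

// Constructed sample calls (555-01xx numbers are reserved for fiction).
function demo() {
  const now = 1700000000;
  const from = '12025550101';
  const to = '12025550102';
  const token = signPassport(carrierKey.privateKey, { orig: from, dest: to, attest: 'A', iat: now });
  const pub = carrierKey.publicKey;
  return {
    genuine: classifyCall({ from, to, identity: token }, pub, now + 5),
    spoofedFrom: classifyCall({ from: '12025550199', to, identity: token }, pub, now + 5),
    replayedLater: classifyCall({ from, to, identity: token }, pub, now + 3600),
    noToken: classifyCall({ from, to, identity: null }, pub, now + 5),
  };
}

console.log(demo());
```

The `spoofedFrom` case is the one that matters for caller-ID spoofing: the signature itself is valid, but it is bound to a different calling number, so the call fails verification.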

  16. need to disable unassigned phone #'s. by Anonymous Coward · · Score: 0

    In addition, they need to do a lookup of a telephone # and if the phone company's dbms says it's not in service (that is being subscribed to by a real person) then the phone # can't connect to the phone network.

    Both the digital signature and the phone # active lookup need to be done not just in the US, but worldwide.
    So if I get a phone call from another country, that country's phone company does digital signature and makes sure the phone # has been subscribed and paid for by a live person. If a company does subscribe, I should have the ability to prevent any company from calling me since that other phone is marked as commercial and not non-commercial. This also applies to people in foreign countries using call back #'s to US phone numbers to reduce their charges.

    1. Re:need to disable unassigned phone #'s. by Anonymous Coward · · Score: 0

      The next problem is blocking robo callers where one can text a smart phone using the email software on one's computer let alone a fake google or yahoo email address and spamming from them to a person's phone via texting.....How does the digital signature work in this case?

  17. SIP yes, as opposed to by raymorris · · Score: 1

    I was speaking of PSTN, vs SIP.

    The SMTP standard, RFC 5321, states that the sender initiates an email with the line:

    MAIL FROM email@address

    The email address used in MAIL FROM (the envelope) is specified as the route for errors to be returned.

    Also RFC 2822 requires a From address in the message itself.

  18. Re:A bit more complicated. Cincinnati Bell & A by jon3k · · Score: 1

    > Yes, and TO is the operative word. A phone number is technically known as a DID number - Direct Inward Dial. A DID (phone number) indicates which service (not station aka phone) a call is being placed to.

    DID is actually the service, not the individual BTN/WTN being forwarded into a PBX, but a lot of people use the term interchangeably.

    > There is no such thing as a DOD, Direct Outward Dial number.

    Actually, there is.

  19. Meanwhile underneath the public eye by edris90 · · Score: 1

    0 day telephony signature exploit for sale. Outfarm your robocall competitors and avoid Auto screening by interfacing the same way illegitimate call would.

    1. Re: Meanwhile underneath the public eye by edris90 · · Score: 1

      Correction: legitimate, not illegitimate call