Slashdot Mirror


T-Mobile, Comcast Turn on Call Verification Between Networks in Latest Robocall Fight (usatoday.com)

pgmrdlm shares a report: Calls between T-Mobile users and Comcast's Xfinity Voice home subscribers will now be "verified," the latest move in the ongoing fight against robocalls. The two companies announced Wednesday that they have launched cross-network verification, allowing users to know that the calls they are receiving are from an actual person and not a spammer or robocaller.

They use a handoff system recommended by the FCC where the caller's network verifies that a legitimate call is being made with a "digital signature." The recipient's network then confirms the signature on its side. A number of major wireless and traditional home voice providers have pledged support for the verification method, including Verizon, AT&T, Sprint, Charter, Cox and Vonage, with several announcing plans to roll out or test the feature in 2019.
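
The sign-then-confirm handoff described above, as an added example that is not part of the original report or any carrier's code: the originating side signs a SHAKEN PASSporT (RFC 8225/8588) with ES256, and the terminating side checks the signature and compares the claims with the call it actually received. The key pair, 555 numbers, certificate URL and 60-second freshness window are constructed for the demo, and the public key is passed in directly where a real verifier would fetch and chain-validate the certificate named in `x5u`.

```javascript
// Added illustration: originating network signs, terminating network verifies.
const crypto = require('crypto');

const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (s) => JSON.parse(Buffer.from(s, 'base64url').toString());

// Originating network: attest to the calling number and sign the claims.
// Keys are written in lexicographic order, as PASSporT serialization requires.
function signPassport(privateKey, origTn, destTn, attest, iat) {
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport',
                   x5u: 'https://cert.example.invalid/sp.pem' }; // placeholder
  const payload = { attest, dest: { tn: [destTn] }, iat,
                    orig: { tn: origTn }, origid: crypto.randomUUID() };
  const signingInput = `${b64u(header)}.${b64u(payload)}`;
  const sig = crypto.sign('sha256', Buffer.from(signingInput),
                          { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Terminating network: verify the signature first, then bind it to this call.
function verifyPassport(token, publicKey, callerId, calledTn, now, maxAge = 60) {
  const parts = token.split('.');
  if (parts.length !== 3) return 'malformed';
  let header, payload;
  try {
    header = dec(parts[0]);
    payload = dec(parts[1]);
  } catch { return 'malformed'; }
  if (header.alg !== 'ES256' || header.ppt !== 'shaken') return 'unsupported';
  const ok = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
                           { key: publicKey, dsaEncoding: 'ieee-p1363' },
                           Buffer.from(parts[2], 'base64url'));
  if (!ok) return 'bad-signature';
  // A valid signature replayed later, or on a different call, must not pass.
  if (Math.abs(now - payload.iat) > maxAge) return 'stale';
  if (payload.orig?.tn !== callerId) return 'caller-id-mismatch';
  if (!payload.dest?.tn?.includes(calledTn)) return 'wrong-destination';
  return `verified-${payload.attest}`;
}

// Constructed demo data: throwaway P-256 key, made-up numbers, fixed clock.
const { privateKey, publicKey } =
  crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const NOW = 1700000000;
const token = signPassport(privateKey, '12025550101', '12025550199', 'A', NOW);
```

A call that arrives with no token at all never reaches `verifyPassport`; it is simply unverified, which is the case the comments below argue about.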


  1. took them long enough by Anonymous Coward · · Score: 3, Insightful

    This seems like something that should have been done...forever?

    1. Re:took them long enough by Anonymous Coward · · Score: 1

      Except what constitutes a "legitimate call?" All it would take for this to be rendered ineffective is an agreement that certain calls be considered "legitimate."

      Plus who verifies these signatures? It's completely useless to the public if it's just between the companies involved behind closed doors. Hell it may not even exist, and be just yet another PR stunt so they can still claim they are "improving" their infrastructure and get more money from their subscribers / taxpayers.

      Yet more proof that slapping a chain of trust on something does not make said thing actually secure. Context is important and far too often those who have the greatest need for security are completely out of scope for the design of the security being implemented.

    2. Re:took them long enough by XXongo · · Score: 2
      You know, yes, you can come up with problems, but the existing system has totally failed due to robocalls spoofing phone numbers.

      Pretty much all my friends now tell me that they never answer their phone unless the calling number is on their contacts list, simply because the number of fake calls so outnumbers the real calls that it's worth the fact that sometimes you miss calls from somebody who actually does need to get hold of you.

      (but... I did manage to keep the Microsoft repair guy, who cold called me at about 2:30 today, on the phone for 17 minutes. I think that's a record for me.)

    3. Re:took them long enough by dj245 · · Score: 1

      > You know, yes, you can come up with problems, but the existing system has totally failed due to robocalls spoofing phone numbers.

      > Pretty much all my friends now tell me that they never answer their phone unless the calling number is on their contacts list, simply because the number of fake calls so outnumbers the real calls that it's worth the fact that sometimes you miss calls from somebody who actually does need to get hold of you.

      > (but... I did manage to keep the Microsoft repair guy, who cold called me at about 2:30 today, on the phone for 17 minutes. I think that's a record for me.)

      It's not that difficult for me. I have a Wisconsin area code but live in Texas. I don't know anyone in Wisconsin anymore so any Wisconsin area code calling me might as well be screaming "I am definitely a robocall!"

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  2. Much ado about nothing? by Lab+Rat+Jason · · Score: 5, Interesting

    How many robocalls were transiting between these two networks? Personally, I'd prefer if Verizon would simply verify calls that were supposedly coming from their OWN network.

    --
    Which has more power: the hammer, or the anvil?
    1. Re:Much ado about nothing? by 110010001000 · · Score: 1

      Exactly. Also, does every network need to add call verification between each network separately? This will take forever. The spammers will just use a network that doesn't have call verification setup.

    2. Re:Much ado about nothing? by Anonymous Coward · · Score: 1

      I suspect it has nothing to do with calls being made from the networks, rather it's about explicitly marking calls as verified. As they prove the system works, they can increase the scope of the effort so that it verifies calls between all of the major networks.

      Until, one day, you'll be able to reasonably assume any call that lacks the "verified" tag is a robocall and autoblock it.

    3. Re:Much ado about nothing? by LostMyAccount · · Score: 1

      They already *know* which numbers belong to which networks, it's a necessary database that allows number portability so when someone calls a number they know which destination network to switch the call to.

      All they need to do is use this database in reverse on calls entering their network to see if the ANI info for the call matches the network it's *supposed* to be coming from.

      If ANI on an incoming call says it belongs to the ATT network but it's entering from some carrier other than ATT, then it should be dropped as spoofed.

      Carriers don't want to do this because they like selling trunks to low-rent VoIP providers who in turn will sell capacity to anyone with a credit card number.

    4. Re:Much ado about nothing? by dissy · · Score: 2

      > Also, does every network need to add call verification between each network separately?

      Of course not.
      Networks can choose to send verification certificates or not.
      Your phone, eventually, will gain the ability to see if the originating network sent a certificate or not.
      Your phone - ok, hopefully - should eventually gain the ability to act on that information.

      > This will take forever. The spammers will just use a network that doesn't have call verification setup.

      Apple and Google both have stated they will be implementing the shaken/stir protocols in their OSes.
      For Apple and Google made or stock Android using phones, which they claimed last month would be within a year.

      After that you can choose what to do with unverified calls, very likely with the same options as for the caller ID "private" bit, or when no caller ID is sent usually called "unknown"

      If it takes any longer, that would likely be the fault of your carrier not pushing an android update, or having an old un-updatable phone.

      Just keep in mind this particular verification only works with IP based calls, such as cell phones, voip, and carriers utilizing fiber/docsis cable.
      TDM carried calls can't even support this verification protocol, so if you block instead of flag, that will be all of the world's landlines in one swath.

    5. Re:Much ado about nothing? by nitehawk214 · · Score: 1

      Sounds like a good plan to me.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    6. Re:Much ado about nothing? by kingbilly · · Score: 1

      > The spammers will just use a network that doesn't have call verification setup.

      Ideally, software will evolve to let us 100% ignore calls from networks that don't have call verification setup. Just like you can choose to only allow mail into your system that passes DMARC. It doesn't require everyone have DMARC setup for it to be useful. What makes you think this has to be 100% participation to become effective? I don't you didn't come out and say that outright, but can see that is where you are going with that.


      If you aren't familiar with DMARC, check it out. Pretty good stuff. It is basically the analogous setup for email. Raises the bar even though the spammers don't participate in it.

    7. Re:Much ado about nothing? by Anonymous Coward · · Score: 1

      They do not want to do this because the carrier makes money from terminating calls, no matter where they come from. If they only accept calls where the caller-id matches the ANI and where they validate that the incoming call is coming from the network owning the calling number, then they will lose money (by not terminating the call). Therefore there is no interest on behalf of any carrier to ensure the validity of the call.

      This is just snake oil designed for theatrical purposes that will actually do nothing whatsoever.

    8. Re:Much ado about nothing? by FictionPimp · · Score: 1

      Of course there is a much easier fix. A simple option to send all callers not in my contact list directly to voice mail. I don't need to talk to strangers. I've made this happen with a 'hack'. I have a blank ring tone that is my default, each contact list user has a real ring tone. I might get a half dozen spam calls a day, but I never notice.

  3. What about the small carriers ? by psergiu · · Score: 4, Insightful

    What if the large carriers all implement FCC's SHAKEN/STIR between them but then refuse to do the same thing for all the small carriers ?
    Then start marking all non-verified calls as SPAM ?
    Don't say it could not happen.

    --
    1% APY, No fees, Online Bank https://captl1.co/2uIErYq Don't let your $$$ sit in a no-interest acct.
    1. Re:What about the small carriers ? by SuperKendall · · Score: 1

      It wouldn't identify them as spam, it just wouldn't say they were verified (as this new T-Mobile link up appears to do).

      T-Mobile does also identify scam callers in some cases, but it uses a variety of techniques to do that (and a master list updated every six minutes), so it also would not arbitrarily mark all calls from a small carrier as spam.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
  4. Please Report All US Scams to the FBI by BrendaEM · · Score: 2

    We also need to make our politicians tougher on robocalls.

    --
    https://www.youtube.com/c/BrendaEM
  5. Too easy to get access? by ruddk · · Score: 1

    It seems that if robocalls are a problem, it is too easy to get access to the phone network without anyone to hold accountable?

    Also, it seems like a phone number is becoming more and more irrelevant these days. It's more like a node number, an IP address for your device. :D

    1. Re:Too easy to get access? by ruddk · · Score: 1

      I had someone from SUSE, Sweden calling me. Didn't answer the first two times because they had inserted my own number as the one calling, so I didn't bother answering. The third time I answered and suggested that it wasn't really a good method to build trust when trying to sell me something.

  6. A bit more complicated. Cincinnati Bell & AWS by raymorris · · Score: 1

    > so when someone calls a number they know which destination network to switch the call to

    Yes, and TO is the operative word. A phone number is technically known as a DID number - Direct Inward Dial. A DID (phone number) indicates which service (not station aka phone) a call is being placed to. There is no such thing as a DOD, Direct Outward Dial number. Consider this very simple case:

    You are logging in to your bank web site, Second National Bank.com. Your bank doesn't suck, so it has multifactor communication. The web server triggers a call to your registered phone number. The logical caller ID of the call would be the bank's customer service or security phone number, a number you can call back.

    The call is coming from a server in one of four data centers the bank has, based on a web request. You're not going to have customer service reps in the datacenter. Customer service reps are in a different state, with a different regional phone company. The call is coming from the bank's rack in a Level 3 data center, or maybe their servers are in AWS. In any event, they aren't likely to be in the same place as the customer service department.

    Customer service gets their phone service from Cincinnati Bell. The servers are in AWS Oregon and Virginia.

    A call comes FROM a station, it doesn't come from a DID. The networks used to call into a company (Cincinnati Bell in this case) are very often not the networks they use for all of their communications. Even my three-person company had two separate service providers for DIDs (numbers) and bandwidth (used for outgoing calls).

  7. So it's possible to detect callerid spoofing? by Locke2005 · · Score: 1

    The FCC should step up and make this MANDATORY!

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
    1. Re: So it's possible to detect callerid spoofing? by Locke2005 · · Score: 1

      They probably get the majority of their revenue from scammers spoofing caller ids, so they have no real incentive to disable it, do they? That's why I'm suggesting the government needs to get involved, and fine every provider that allows this so heavily they go out of business. Not sure how that affects calls originating from outside the country though -- can't they still use any caller id they want?

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
  8. Re:A bit more complicated. Cincinnati Bell & A by nitehawk214 · · Score: 2

    Then don't fucking spoof your own customer service number into the call.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  9. What inward dial number would you prefer? by raymorris · · Score: 1

    What direct inward dial number would you prefer?
    Web servers don't take incoming phone calls, they take incoming web requests; they don't have DIDs, they have names like www27.1stbank.com

  10. Re:A bit more complicated. Cincinnati Bell & A by kingbilly · · Score: 1

    Interesting, the DID vs DOD information. Is email in this same boat? I've always wondered why phone spam couldn't be fixed with a hybrid of things that resemble DMARC for email, and Autonomous systems for networks.

  11. Email has a from, though both are services, not by raymorris · · Score: 1

    Email has from and to addresses, in the envelope as well as the headers. So it doesn't have the same issue in terms of fundamental logic. Emails come from some address, phone calls don't come from a "phone number" (DID). So that's a fundamental difference.

    Note that like the phone system, email addresses can be something like customerservice@acme.com - a role or service, NOT a device, and certainly not a person.

    So you can't identify a particular device as customerservice@acme.com, and similarly you can't say a certain phone is 979-580-6540.

    On my phone, I can check three different email addresses. I can also check the same email from my laptop. So we recognize that an email address doesn't identify a device.

    What some people don't realize is that my phone I'm typing on right now can be reached from three different numbers, and one of those numbers can also be answered from a different device. My phone isn't identified by a phone number any more than it's identified by an email address.

    For PRACTICAL purposes, some of the same issues apply. An email from your bank doesn't necessarily come from the same place they answer emails. Consider password reset for the web site. The web server can send email, it can't receive email. So you can't verify the From by reversing the route.

    Email has mechanisms such as SPF to verify the From address. Phone has no such mechanism and can't because fundamentally there is no from phone number. You'd need to switch the world's 10 billion phones to a different protocol in order to introduce a "station from" or "service from" identifier.

  12. SIP yes, as opposed to by raymorris · · Score: 1

    I was speaking of PSTN, vs SIP.

    The SMTP standard, RFC 5321, states that the sender initiates an email with the line:

    MAIL FROM:<email@address>

    The email address used in MAIL FROM (the envelope) is specified as the route for errors to be returned.

    Also RFC 2822 requires a From address in the message itself.

  13. Re:A bit more complicated. Cincinnati Bell & A by jon3k · · Score: 1

    > Yes, and TO is the operative word. A phone number is technically known as a DID number - Direct Inward Dial. A DID (phone number) indicates which service (not station aka phone) a call is being placed to.

    DID is actually the service, not the individual BTN/WTN being forwarded into a PBX, but a lot of people use the term interchangeably.

    > There is no such thing as a DOD, Direct Outward Dial number.

    Actually, there is.

  14. Meanwhile underneath the public eye by edris90 · · Score: 1

    0 day telephony signature exploit for sale. Outfarm your robocall competitors and avoid Auto screening by interfacing the same way illegitimate call would.

    1. Re: Meanwhile underneath the public eye by edris90 · · Score: 1

      Correction: legitimate, not illegitimate call.