Phone companies slammed for lousy robocall efforts

[SlapHappy]

https://nakedsecurity.sophos.com/2018/1 ... l-efforts/

Phone companies slammed for lousy robocall efforts
08 NOV 2018
0
Law & order, Mobile

Previous: Voting machine manual tells officials to reuse weak passwords
Next: Google warning: Fix your dodgy ads within 30 days or get banned
by Lisa Vaas
Federal Communications Chairman (FCC) Ajit Pai wrote to telephone service providers on Monday, slamming them for their lousy efforts on blocking robocalls and saying that a year from now, he expects that we can all get back to actually answering our phones without finding we’ve been tricked by illegally spoofed caller IDs.

Here’s Pai, quoted in an FCC release:

Combatting illegal robocalls is our top consumer priority at the FCC. That’s why we need call authentication to become a reality – it’s the best way to ensure that consumers can answer their phones with confidence. By this time next year, I expect that consumers will begin to see this on their phones.

What the FCC wants to see is a robust call authentication system to combat illegal caller ID spoofing. Some phone service providers are “well on their way” to implementing such, Pai said, thanking AT&T, Verizon, T-Mobile, Comcast, Bandwidth.com, Cox, and Google for their efforts.

But there are laggards, and that includes seven big names. On the list of Pai scoldees are phone providers that apparently don’t yet have “concrete plans to implement a robust call authentication framework,” Pai said. His letters asked those carriers – CenturyLink, Charter, Frontier, Sprint, TDS Telecom, US Cellular, and Vonage – to answer a series of questions by 19 November.

Those companies are dragging their feet when it comes to implementing the new STIR (Secure Telephone Identity Revisited) and SHAKEN (Secure Handling of Asserted information using toKENs) protocols, Pai said. Those are frameworks that service providers can use to authenticate legitimate calls and identify illegally spoofed calls.

There has, actually, been progress on this front.

In September, the Alliance for Telecommunications Industry Solutions (ATIS) announced the launch of the Secure Telephone Identity Governance Authority (STI-GA), designed to ensure the integrity of the STIR/SHAKEN protocols. That move paved the way for the remaining protocols to be established, and it looks like STIR/SHAKEN is going to be up and running with some carriers next year.

Last month, 35 state attorneys general told the FCC to please, by all means, pull the plug on robocalls. The AGs said that the situation is beyond what law enforcement can handle on its own. The states’ respective consumer protection offices are receiving and responding to tens of thousands of consumer complaints every year from people getting plagued by robocalls.

DEEP LEARNING FOR DEEPER CYBERSECURITY
Watch Video
Reuters reports that robocall blocking service YouMail estimated there were 5.1 billion unwanted calls last month, up from 3.4 billion in April.

SHAKEN/STIR isn’t expected to be a cure-all, but it could be a big help. From Pai’s press release:

Under the SHAKEN/STIR framework, calls traveling through interconnected phone networks would be ‘signed’ as legitimate by originating carriers and validated by other carriers before reaching consumers. The framework digitally validates the handoff of phone calls passing through the complex web of networks, allowing the phone company of the consumer receiving the call to verify that a call is from the person supposedly making it.

The questions that Pai put to the carriers that don’t yet have a concrete STIR/SHAKEN plan:

What is preventing or inhibiting you from signing calls today?
What is your timeframe for signing (i.e., authenticating) calls originating on your network?
What tests have you run on deployment, and what are the results? Please be specific.
What steps have you taken to work with vendors to deploy a robust call authentication framework?
How often is Charter an intermediate provider, and do you intend to transmit signed calls from other providers?
How do you intend to combat and stop originating and terminating illegally spoofed calls on your network?
The Commission has already authorized voice providers to block certain illegally spoofed calls. If the Commission were to move forward with authorizing voice providers to block all unsigned calls or improperly signed calls, how would you ensure the legitimate calls of your customers are completed properly?
Ars Technica’s Jon Brodkin notes that some of these carriers have registered reservations about SHAKEN/STIR.

Sprint, for one, told the FCC in October that the protocols will be helpful in fighting illegal robocalls, but it’s not a “complete solution.” Nor is it cheap. From its letter to the FCC:

Sprint is also concerned about the costs of implementing the certificate management requirements of SHAKEN and encourages the Commission and industry to explore more cost-effective alternatives to the central repository process originally contemplated in the development of SHAKEN.

Carriers have also complained that SHAKEN doesn’t tell them anything about the content of a call or whether it’s legal. From Sprint’s letter:

It just authenticates origination of the call path and the Caller ID information of individual calls.

Nor will it be useful without universal adoption, Sprint wrote:

Without universal adoption of SHAKEN from originating carrier to completing carrier, call authentication will not be passed to the terminating carrier.

T-Mobile concurred, among other carriers. From its filing to the FCC:

First, SHAKEN/STIR can only provide a positive affirmation of the source of a given call. It cannot provide confirmation of the opposite – that is, that a call is definitively ‘bad’ or fraudulent. This is particularly true where calls are carried by international providers that do not participate in SHAKEN/STIR and send calls to the United States through wholesale partners.

T-Mobile also touched on an issue raised by the 35 state AGs, who noted that it’s tough to prosecute calls that travel through a maze of smaller providers: If the caller can be found at all, they’re usually located overseas, making enforcement difficult. On the part of the carriers, T-Mobile said, protocol adoption has to happen outside the US to include international carriers in order to have a real effect on the “onslaught of fraudulent calls.”

In spite of these points, Pai is threatening action if SHAKEN/STIR isn’t implemented within a year:

I am calling on those falling behind to catch up… If it does not appear that this system is on track to get up and running next year, then we will take action to make sure that it does.