from Hacker News

Understanding STIR/SHAKEN – New Anti-Robocalling Protocol

by randomdrake on 3/21/19, 1:59 AM with 74 comments

  • by th0ma5 on 3/21/19, 3:49 AM

    Always want to fill out the old https://craphound.com/spamsolutions.txt form with these ideas. Like the open world / closed world AI problem.

  • by Animats on 3/21/19, 5:36 AM

    This clearly wasn't designed by telephony people. It's very web-like. The authentication info is bigger than the call data required to set up a call.

    Mostly this is for VOIP. Telcos with TDM or CDMA transmission have serious backwards compatibility problems. Ones who peer only with SS7 have problems but those can probably be overcome.

    One big problem is that there are off-brand telcos who specialize in services for call centers. "The Dialer Hardware is being hosted in our premises at Los Angeles - USA, where we have our own switch and termination facility with over 100 Carriers. We also have a redundant switch in New York connected to LA through a fat Fibre pipe."[1] Do those guys get to sign calls? Or what?

    [1] http://www.callcentersindia.com/showall-orig.php?value1=1126...

  • by Barrin92 on 3/21/19, 5:48 AM

    Instead of all these fancy technical counter-measures I think this really ought to be a matter of the law. Why not ban cold calls, like in Germany? Is there anyone on this planet who actually enjoys constant advertisement and harassment on their phone?

    >According to Sec. 7 (2) UWG; telephone calls to consumers for sales purposes are illegal if the calling company is not in possession of an explicit and effective declaration of consent by the consumer. If the call is made to another business, it is sufficient to prove presumptive consent.

  • by MagicPropmaker on 3/21/19, 5:07 AM

    A little trick that will work for "geeks" but won't scale is:

    - My personal phone number is in a remote area code, of a sparsely populated state, from where I don't know anybody.

    - Any phone calls that come from this area code are blocked (well, actually, they have a silent ring tone.)

    This gets rid of about 90% of the spam/robocalls because these days, 90% of them spoof a local areacode/exchange.

    Of course, if everyone did this, they'd stop doing it. But it works for now and makes my personal cell phone useful. I did have to do some finagling to get my carrier (T-Mobile) to give me a phone with an area-code of a different state.

    I don't have a lot of faith that STIR/SHAKEN will help in any real way. They'll just have to rent numbers from people who don't care about the law, and/or registered with bogus information so it won't be worth anyone's while to find them.

  • by alphabetter on 3/21/19, 10:38 AM

    Several people have asked about the management of certificates for this solution. There is indeed a seperate certificate management body created called the Secure Telephone Identity Governance Authority (https://sites.atis.org/insights/secure-telephone-identity-go...).

    The Governance Authority will define policies on how certificates are to be issued.

    Any old certificate from a web CA won't be accepted by the system.

  • by stendinator on 3/21/19, 6:13 AM

    I'm from Switzerland and I only ever get spam calls from the US or India - how come?

  • by Latteland on 3/21/19, 2:53 AM

    Sounds like a nice improvement. It appears to be a web of trust scenario, where you trust anyone else who is verified. Eventually I'm sure some spammer will break through into the circle. I hope that if there is some spammer penetration (so much money here it's inevitable) every phone company should be able to track back where that last phone call came from and block them then.

  • by patrickg_zill on 3/21/19, 6:24 AM

    I read through a summary from a different source and I was not impressed.

    Any voip phone, and of course smart phone, can be easily set up for client side certificates.

    Landlines and anything else that can be accessed via SS7 methods are already secure in terms of identity.

    And that's it. Client side certs and you are done...

  • by thosakwe on 3/21/19, 8:28 AM

    I’ve noticed two main things about the many robocalls/spamcalls I’ve received (my carrier actually has spam blocking, and I haven’t received very many since activating it)

    1. Most calls I receive from numbers not in my contact list are spam. They also usually just call once, whereas if it’s a legit call that I was expecting, but neglected to pick up, they’ll call again within a few minutes. 2. I’ll get robocalls from one area code at a time. I remember getting calls from 772 one week, 727 the next, 643 a few days later, etc.

    Obviously it won’t crush spam entirely, but I can imagine that fixing even just these two things would filter out a boatload if spam from reaching consumers.

    Oh, and calls from “Scam Likely” should never reach my phone to begin with.

  • by m0zg on 3/21/19, 5:25 AM

    I do the following: I never give my real phone number to anybody other than people I directly know. Everybody else gets my Google Voice number, which is set up to directly go into voicemail without ever ringing. As far as I can tell, I receive 2-3 robocalls a day, so GV just blackholes them for me. Every now and then someone leaves a voicemail, and I read that, but it's very rare that a robocall leaves a voicemail because Google call screener requires them to enter a number to do so.

  • by _underfl0w_ on 3/21/19, 12:42 PM

    Hopefully this CA process will have a better threat model - that is, one in which they're prepared for state-level malicious actors such as DarkMatter.

  • by nerdbaggy on 3/21/19, 3:24 AM

    Anybody know who the CA is now for these? Couldn’t find much