
American telecoms will fight phone spam

In the US, the SHAKEN/STIR subscriber authentication protocol is gaining momentum. Let's talk about how it works and the potential difficulties of implementing it.



Problem with calls


Unwanted robocalls are the most common cause of consumer complaints to the US Federal Trade Commission. In 2016, the organization recorded five million complaints; a year later this figure exceeded seven million.

Such spam calls cost people more than time. Automated calling services are used to extort money. According to YouMail, last September 40% of the four billion robocalls were made by scammers. During the summer of 2018, New Yorkers lost about three million dollars in transfers to criminals who called them posing as the authorities and extorted money.

The problem drew the attention of the Federal Communications Commission (FCC). Representatives of the organization issued a statement demanding that telecommunications companies introduce a solution to combat telephone spam. That solution was the SHAKEN/STIR protocol. In March, AT&T and Comcast conducted joint testing of it.

How the SHAKEN/STIR protocol works


Telecom operators will work with digital certificates (built on public-key cryptography) that will be used to verify callers.

The verification procedure is as follows. First, the caller's operator receives a SIP INVITE request to establish the connection. The provider's authentication service checks the call information: location, organization, data about the caller's device. Based on the results of the check, the call is assigned to one of three categories: A, all information about the caller is known; B, the organization and location are known; C, only the geographic location of the subscriber is known.

After that, the operator adds to the INVITE request header a message with a timestamp, the call category and a link to an electronic certificate. Here is an example of such a message from the GitHub repository of one of the American telecoms:

{
  "alg": "ES256",
  "ppt": "shaken",
  "typ": "passport",
  "x5u": "https://cert-auth.poc.sys.net/example.cer"
}

{
  "attest": "A",
  "dest": { "tn": [ "1215345567" ] },
  "iat": 1504282247,
  "orig": { "tn": "12154567894" },
  "origid": "1db966a6-8f30-11e7-bc77-fa163e70349d"
}

Next, the request goes to the provider of the called subscriber. The second operator decrypts the message using the public key, compares the content with the SIP INVITE and verifies the authenticity of the certificate. Only after that is the connection between the subscribers established, and the receiving party gets a notification about who is calling.
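The "compares the content with the SIP INVITE" step on the receiving operator's side, as an added example that is not from the article or the telecom's repository. The function names, the 60-second freshness window and the dot-separated three-segment token layout are assumptions; the ES256 signature check and certificate validation are not implemented here.

```python
import base64
import json

EXPECTED_HEADER = {"alg": "ES256", "ppt": "shaken", "typ": "passport"}

def b64url_decode(part):
    # JWS segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_passport(token, sip_from, sip_to, now, max_age=60):
    """Return reasons to reject; [] means the claims match the INVITE.
    max_age (seconds) is an assumed freshness window, not from the article."""
    # Signature and certificate validation are out of scope (need a crypto library).
    try:
        h64, p64, _sig = token.split(".")
        header = dict(json.loads(b64url_decode(h64)))
        claims = json.loads(b64url_decode(p64))
        orig_tn, dest_tns = claims["orig"]["tn"], list(claims["dest"]["tn"])
        iat = int(claims["iat"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return ["malformed token"]
    problems = []
    for key, want in EXPECTED_HEADER.items():
        if header.get(key) != want:
            problems.append(f"header {key} is not {want}")
    if not str(header.get("x5u", "")).startswith("https://"):
        problems.append("x5u is not an https URL")
    if claims.get("attest") not in ("A", "B", "C"):
        problems.append("unknown attestation level")
    if abs(now - iat) > max_age:
        problems.append("iat outside freshness window")
    if orig_tn != sip_from:
        problems.append("orig.tn does not match SIP From number")
    if sip_to not in dest_tns:
        problems.append("SIP To number not in dest.tn")
    return problems

# Constructed sample: header and payload copied from the article's example;
# the third segment is a placeholder, not a real ES256 signature.
HEADER = dict(EXPECTED_HEADER, x5u="https://cert-auth.poc.sys.net/example.cer")
PAYLOAD = {"attest": "A", "dest": {"tn": ["1215345567"]}, "iat": 1504282247,
           "orig": {"tn": "12154567894"},
           "origid": "1db966a6-8f30-11e7-bc77-fa163e70349d"}
TOKEN = ".".join([b64url_encode(HEADER), b64url_encode(PAYLOAD), "c2ln"])
```

An empty result only means the claims are consistent with the INVITE; the call must still fail verification if the signature or the certificate behind `x5u` does not check out.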

The whole verification process can be represented by the scheme:



According to experts, the caller verification will take no more than 100 milliseconds.

Opinions


As noted by the USTelecom association, SHAKEN/STIR will give people more control over the calls they receive: it will be easier for them to decide whether to pick up the phone.


But there is an opinion in the industry that the protocol will not become a “silver bullet”. Experts say that fraudsters will simply take advantage of workarounds. Spammers will be able to register a “fake” PBX in the name of an organization on the operator's network and place all their calls through it. If the PBX is blocked, it can simply be re-registered.

According to a representative of one of the telecoms, simply verifying the subscriber with certificates is not enough. To stop scammers and spammers, providers must be allowed to block such calls automatically. But for this, the Communications Commission will have to develop a new set of rules to regulate the process. The FCC may address this issue in the near future.

Since the beginning of the year, congressmen have been considering a new bill that will oblige the Commission to develop mechanisms to protect citizens from robocalls and to monitor the implementation of the SHAKEN/STIR standard.



It is worth noting that SHAKEN/STIR has been implemented by T-Mobile (for some smartphone models, with plans to expand the number of supported devices) and by Verizon (the operator's customers can download a special application that warns about calls from suspicious numbers). Other US operators are still testing the technology. They are expected to complete the trials before the end of 2019.

Source: https://habr.com/ru/post/446120/

