The upshot is that when you see the number of an incoming call, you have no way of knowing if the number displayed on your caller ID is legitimate or spoofed.
xxx
Spoofing happens because the carriers don’t verify that a phone number is real before a call crosses their networks.
From How to stop robocalls spamming your phone | TechCrunch:
xxx
xxx
One authentication system would make call spoofing nearly impossible, known as Secure Telephone Identity Revisited and Signature-based Handling of Asserted Information Using Tokens — or STIR/SHAKEN. The system relies on every phone number having a unique digital signature which, when checked against the cell networks will prove you are a real caller. The carrier then approves the call and patches it through to the recipient. This happens near-instantly.
From How to stop robocalls spamming your phone | TechCrunch:
xxx
companies on each end of a phone call.
Photo: Dan Saelinger
The Internet Engineering Task Force (IETF), which works on issues related to secure telephone identity, began work on STIR in 2013. The IETF designed the STIR protocol to be very flexible. The basic mechanism is a certificate issued to authenticated callers. However, STIR requires individuals to be proactive about authenticating themselves and managing their personal key, which confirms their identity. STIR’s downside is that very few people have the expertise to do either. The good news is that STIR’s flexibility allows phone companies to implement it in their network with minimal hassle.
In 2015, ATIS also began studying mechanisms to reduce unwanted robocalls. A joint task force between ATIS and the SIP Forum, an industry association, built upon the IETF’s work on STIR.
As it turned out, STIR’s extreme flexibility was a problem. Indeed, the protocol’s flexibility made it easy for each phone company to implement it in its network. However, as a general rule, the more flexible a protocol is, the more likely it is that different implementations won’t play well together. So when two different service providers implement the protocol on each of their networks, a caller ID sent from one to the other might not make it through intact. The task force’s goal was to create a precisely defined subset (known as a profile) of STIR, called SHAKEN. Because the task force specified the SHAKEN profile of the STIR protocol, you might see it referred to as “STIR/SHAKEN.”
From How Your Phone Company Aims to Stop Robocalls – IEEE Spectrum:
xxx
xxx
What Carriers Know
Phone companies don’t always know everything about a call. STIR/SHAKEN uses levels of attestation so that carriers can classify what they do know about each call.
A–Attestation B–Attestation C–Attestation
Originates on carrier’s own network Originates on carrier’s own network Originates on some other network
Carrier has confirmed who the caller is Carrier has confirmed who the caller is Carrier has NOT confirmed who the caller is
Carrier has verified caller’s right to use the phone number Carrier has NOT verified caller’s right to use the phone number Carrier has NOT verified caller’s right to use the phone number
From How Your Phone Company Aims to Stop Robocalls – IEEE Spectrum:
xxx
31st March 2020
FCC Mandates STIR/SHAKEN to Combat Spoofed Robocalls all originating and terminating voice service providers to implement
STIR/SHAKEN in the Internet Protocol (IP) portions of their networks by June 30, 2021,
From FCC Mandates STIR/SHAKEN to Combat Spoofed Robocalls | Federal Communications Commission:
xxx
xxx
Earlier this year, networking services firm Transaction Network Services reported that just 10% of “high risk” robocalls originate from tier 1 carriers (AT&T, CenturyLink, Comcast, Sprint, T-Mobile and Verizon), even though they account for 75% of total call volume. Instead, hundreds of smaller, non-tier 1 networks are the source of most robocalls.
From Approach aims to authenticate calls and deter illegal caller ID spoofing.:
xxx
OFCOM
The Internet Engineering Task Force (IETF) has developed a new technical standard to support CLI
authentication, so that valid numbers can be identified and marked from the beginning of a call and
passed along the ‘call chain’ to the recipient.8 The Federal Communications Commission (FCC)9 set a
deadline for December 2019 for the implementation of CLI authentication. In Canada, the deadline is
September 2020. Implementation of CLI authentication in the UK will take more time, as not as
many calls are currently carried on VoIP systems. We expect CLI authentication to be introduced
when voice services are migrated to IP platforms, away from the copper-based network, by mid-
2020s.
Snippings 