On Mon, 8 Jul 2019, Keith Medcalf wrote:
> The solution is to disallow spoofing. If the "pretty overlay information" does not equal the "billing information" then do not permit the call to be made. Easy Peasy.

This assumes that all calls from a phone number originate from the carrier of record for that phone number. This assumption is false.

For calls made by Verizon Wireless customers that originate FROM Verizon Wireless's network, STIR/SHAKEN will enable Verizon to tag the call with a crypto sig that we can all verify came from Verizon, thus increasing the trust that the call originated from Verizon Wireless.

However, Verizon not-Wireless also does other telephony business, such as termination. Verizon not-Wireless customers can and likely do terminate calls to them with CallerID of phone numbers that may or may not be registered with Level3, Onvoy, Bandwidth or another carrier. However, Verizon not-Wireless has NO IDEA if their customer truly owns/leases the value in the CallerID field from another carrier.

Thus Verizon not-Wireless may sign the terminating call using STIR/SHAKEN but have *NO IDEA* if their termination customer actually owns/leases/controls the CallerID value. And the absence of a STIR/SHAKEN header also means nothing.

While we do LRN lookups for calls, we do not currently use that information to ensure that the originating party owns/leases that number legitimately. As a Tier 2 or 3 carrier, our carrier does not publish anywhere that we lease numbers from them, and our customers are not required to terminate calls using their phone numbers as CallerID with other carriers.

The presence of STIR/SHAKEN increases the trust in the CallerID value ONLY when the phone number owner of record in the LNP database matches the signer of the call. The absence of STIR/SHAKEN is where we are already today. And small carriers can implement STIR/SHAKEN without concern for whether or not the CallerID value is their phone number or not.

Though if the bad-actor does sign the call, I can distrust or block all of the bad-actor's calls. At least until they stop signing the calls, or they start a new contract with a new cert leaving all of us to play whack-a-mole some more, as we do now.

DKIM-signed and SPF approved for all the good it will do,

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman@angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------
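
Added example, not part of the message above and not code from any carrier: a sketch of the trust rule the message describes, where a signature raises confidence in the CallerID only when the signer is the LNP owner of record. The carrier names, numbers, lookup table and the `verified_signer` input (the carrier named by an already-validated signing certificate) are constructed assumptions; signature and certificate checks are assumed to happen upstream.

```python
import base64
import json

# Constructed sample data (assumptions): LNP owner of record per number, and
# signers this network has chosen to distrust after seeing abuse.
LNP_OWNER = {"12025550101": "CarrierA", "12025550102": "CarrierB"}
DISTRUSTED_SIGNERS = {"BadActorTel"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_identity(orig_tn: str) -> str:
    """Build a constructed SIP Identity header value; the signature is a dummy."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.invalid/sti.pem"}
    payload = {"attest": "A", "dest": {"tn": ["12025550199"]},
               "iat": 1562600000, "orig": {"tn": orig_tn}, "origid": "sample"}
    token = ".".join([_b64url(json.dumps(header).encode()),
                      _b64url(json.dumps(payload).encode()),
                      _b64url(b"dummy-signature")])
    return token + ";info=<https://cert.example.invalid/sti.pem>;alg=ES256;ppt=shaken"

def passport_orig_tn(identity: str) -> str:
    """Return orig.tn from the PASSporT carried in an Identity header value."""
    parts = identity.split(";", 1)[0].strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact PASSporT")
    return json.loads(_unb64url(parts[1]))["orig"]["tn"]

def classify_call(identity, verified_signer):
    """verified_signer: carrier name from the already-validated STI certificate
    (hypothetical input; None when there is no valid signature)."""
    if not identity or verified_signer is None:
        return "unsigned"                # no header: same position as today
    if verified_signer in DISTRUSTED_SIGNERS:
        return "distrusted-signer"       # the signature says whose calls to block
    owner = LNP_OWNER.get(passport_orig_tn(identity))
    if owner == verified_signer:
        return "signer-is-owner"         # the only case that raises CallerID trust
    return "signed-not-owner"            # signer known, CallerID still unvouched

if __name__ == "__main__":
    for tn, signer in [("12025550101", "CarrierA"), ("12025550102", "CarrierA"),
                       ("12025550101", "BadActorTel")]:
        print(tn, signer, classify_call(make_sample_identity(tn), signer))
    print("no header", classify_call(None, None))
```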