Carriers need to independently verify LOAs
On Sat, 17 Apr 2021, Eric Kuhnke wrote:
Anecdotal: With the prior consent of the DID holders, I have successfully ported peoples' numbers using nothing more than a JPG scan of a signature that looks like an illegible 150 dpi black and white blob, pasted in an image editor on top of a generic looking 'phone bill'.
All carriers should independently verify any LOAs received for account changes. Documents received from third parties, without independently verifying with the customer of record using the carrier's own records, are just junk papers.

Almost no carriers verify LOAs by contacting the customer of record. Worse, they call the phone number on the letterhead provided by the scammer for "verification."

The U.S. Postal Service used to let random people change mail forwarding orders, without verifying with the original and new addresses. As you can guess, there were lots of fake forwarding orders and criminal activity. After USPS began verifying mail forwarding orders by sending a letter to the ORIGINAL address and NEW address, mail forwarding fraud declined. Not zero, but declined.
On Mon, Apr 19, 2021 at 01:20:22PM -0400, Sean Donelan wrote:
On Sat, 17 Apr 2021, Eric Kuhnke wrote:
Anecdotal: With the prior consent of the DID holders, I have successfully ported peoples' numbers using nothing more than a JPG scan of a signature that looks like an illegible 150 dpi black and white blob, pasted in an image editor on top of a generic looking 'phone bill'.
All carriers should independently verify any LOAs received for account changes.
Documents received from third parties, without independently verifying with the customer of record using the carrier's own records, are just junk papers.
Almost no carriers verify LOAs by contacting the customer of record. Worse, they call the phone number on the letterhead provided by the scammer for "verification."
Presumably we're kinda talking about a problem parallel to the Internet ASN/IP space LOA problem here.

It would be awesome if there were a nice easy way to identify the responsible parties, so you could figure out WHOIS the appropriate party to contact. If you've ever tried Googling a company with a hundred thousand employees, calling their contact number on the Web, and getting through to anybody who knows anything at all about IT, well, you can spend a day at it and still have gotten nowhere.

It's too bad that this information is so frequently redacted for privacy.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'" -Asimov
US/Canada (ideally all of NANPA) carriers need to standardize the porting process. Right now, I have an anecdotal database for each carrier which requires a slightly different process.

For Verizon Wireless, you have to generate a Port Out PIN for each number, which expires after 7 days. Excellent! But only if there isn't a Freeze on the number. For another, you have to call to get your account number and PIN, as you cannot get it without calling the carrier, and it is different. For some carriers, the address on file isn't the End-user's address, which causes regular and constant rejections. Must request a CSR. For Google Voice, pay $3 first, then unlock. For $random_carrier, provide anything and they release the number, without notice to anyone.

Many carriers do not require an LOA to Port, usually where porting is automated, and the automated carriers require a PIN and Account Number and service/billing address to ensure numbers don't get "accidentally" ported, either due to fraud or a typo. And while it would be nice if everyone "independently verified every LOA", the cost of doing so in the far-too-many edge cases is business-endingly high.

It is the lack of a standard that all carriers share that causes these problems. In Europe, you generate a UUID, give the UUID and number to Port to the new carrier, and it's done. If every NANPA carrier allowed the End-User to generate a UUID for Porting Out that expired after 7 days, all of this inconsistency would go away. Mostly. Probably.

Beckman

On Mon, 19 Apr 2021, Joe Greco wrote:
On Mon, Apr 19, 2021 at 01:20:22PM -0400, Sean Donelan wrote:
On Sat, 17 Apr 2021, Eric Kuhnke wrote:
Anecdotal: With the prior consent of the DID holders, I have successfully ported peoples' numbers using nothing more than a JPG scan of a signature that looks like an illegible 150 dpi black and white blob, pasted in an image editor on top of a generic looking 'phone bill'.
All carriers should independently verify any LOAs received for account changes.
Documents received from third parties, without independently verifying with the customer of record using the carrier's own records, are just junk papers.
Almost no carriers verify LOAs by contacting the customer of record. Worse, they call the phone number on the letterhead provided by the scammer for "verification."
Presumably we're kinda talking about a problem parallel to the Internet ASN/IP space LOA problem here.
It would be awesome if there were a nice easy way to identify the responsible parties, so you could figure out WHOIS the appropriate party to contact. If you've ever tried Googling a company with a hundred thousand employees, calling their contact number on the Web, and getting through to anybody who knows anything at all about IT, well, you can spend a day at it and still have gotten nowhere.
It's too bad that this information is so frequently redacted for privacy.
... JG
---------------------------------------------------------------------------
Peter Beckman  Internet Guy
beckman@angryox.com  http://www.angryox.com/
---------------------------------------------------------------------------
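The UUID-style port-out flow Beckman describes above (end user asks the losing carrier for a token, hands token and number to the gaining carrier, token expires after 7 days) as a small worked model. This is an added example, not code from the thread or from any carrier; the class and field names, the single-use rule, the hashing of tokens at rest, and the port-freeze check are assumptions, and the numbers and account IDs are constructed. It also follows Sean's point that validation consults only the losing carrier's own records, never anything supplied on the request.

```python
# Added example (not from the thread): a minimal port-out authorization token
# service of the kind Beckman describes, run by the LOSING carrier.
# Assumptions not stated in the thread: tokens are single-use, bound to one
# number, stored only as a SHA-256 hash, expire after TOKEN_TTL, and are
# refused while a port freeze is set. Numbers and account IDs are constructed.
import hashlib
import hmac
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(days=7)   # the 7-day expiry from the thread


@dataclass
class Subscriber:
    number: str               # E.164, e.g. "+14145551212"
    account_id: str           # the losing carrier's own account identifier
    port_freeze: bool = False


@dataclass
class PortToken:
    number: str
    expires_at: datetime
    used: bool = False


def _digest(token: str) -> str:
    # Store only a hash so a leaked token table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class LosingCarrier:
    def __init__(self, subscribers):
        # The only source of truth is the carrier's own subscriber table,
        # never anything supplied on the port request or an LOA.
        self._subs = {s.number: s for s in subscribers}
        self._tokens: dict[str, PortToken] = {}

    def issue_port_token(self, number: str, account_id: str, now: datetime) -> str:
        """Called by the authenticated end user, not by the gaining carrier."""
        sub = self._subs.get(number)
        if sub is None or not hmac.compare_digest(sub.account_id, account_id):
            raise PermissionError("number/account mismatch")
        if sub.port_freeze:
            raise PermissionError("port freeze set on number")
        token = str(uuid.uuid4())           # 122 random bits from os.urandom
        self._tokens[_digest(token)] = PortToken(number, now + TOKEN_TTL)
        return token

    def validate_port_request(self, number: str, token: str, now: datetime) -> tuple[bool, str]:
        """Called when the gaining carrier presents (number, token)."""
        rec = self._tokens.get(_digest(token))
        if rec is None:
            return False, "unknown token"
        if rec.used:
            return False, "token already used"
        if now > rec.expires_at:
            return False, "token expired"
        if rec.number != number:
            return False, "token not bound to this number"
        sub = self._subs.get(number)
        if sub is None or sub.port_freeze:
            return False, "number frozen or not served"
        rec.used = True                      # consume: one token, one port
        return True, "ok"


def run_demo() -> list[tuple[bool, str]]:
    """Walk the happy path and the failure modes; returns the outcomes."""
    now = datetime(2021, 4, 19, 12, 0, tzinfo=timezone.utc)
    carrier = LosingCarrier([
        Subscriber("+14145551212", "ACCT-1"),
        Subscriber("+14145550000", "ACCT-2", port_freeze=True),
    ])
    out = []
    tok = carrier.issue_port_token("+14145551212", "ACCT-1", now)
    out.append(carrier.validate_port_request("+14145551212", tok, now + timedelta(days=1)))
    out.append(carrier.validate_port_request("+14145551212", tok, now + timedelta(days=1)))  # replay
    tok = carrier.issue_port_token("+14145551212", "ACCT-1", now)
    out.append(carrier.validate_port_request("+14145551212", tok, now + timedelta(days=8)))  # stale
    tok = carrier.issue_port_token("+14145551212", "ACCT-1", now)
    out.append(carrier.validate_port_request("+14145559999", tok, now))  # wrong number
    out.append(carrier.validate_port_request("+14145551212", "guess", now))  # forged
    try:
        carrier.issue_port_token("+14145550000", "ACCT-2", now)  # frozen
    except PermissionError as e:
        out.append((False, str(e)))
    return out


if __name__ == "__main__":
    for ok, why in run_demo():
        print("PORT" if ok else "REJECT", why)
```

The gaining carrier never learns the account number, PIN or service address; it only relays an opaque token that the losing carrier can check against its own table. A freeze blocks issuance as well as validation, so a token minted before the freeze cannot be used after it.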
On Mon, 19 Apr 2021, Peter Beckman wrote:
And while it would be nice if everyone "independently verified every LOA" the cost of doing so in the far-too-many edge cases is business-endingly high.
If carriers faced legal liability, with appropriate incentives, I'd bet they would solve the verification problem -- quickly, cheaply. No liability -- no reason to solve the problem.
Nothing is stopping the perpetrator of a BGP hijack as a result of a forged or otherwise illegitimate LOA from facing civil litigation as a result of revenue loss or other harm done. This thread and others like it highlight that there is absolutely some negligence here, and it could very well find itself in an evidence pile at some point in the future.

So there IS liability, but the lack of solid precedent means that the bean counters can't assign a dollar amount to the risk associated with blindly accepting LOAs, and therefore it might as well not exist.

Someday, somebody will have the pants sued off them because they let their new customer hijack the hell out of a government entity, bank, oil company, etc. and we'll start to see better processes.

-Matt

On Mon, Apr 19, 2021 at 11:59 AM Sean Donelan <sean@donelan.com> wrote:
On Mon, 19 Apr 2021, Peter Beckman wrote:
And while it would be nice if everyone "independently verified every LOA" the cost of doing so in the far-too-many edge cases is business-endingly high.
If carriers faced legal liability, with appropriate incentives, I'd bet they would solve the verification problem -- quickly, cheaply.
No liability -- no reason to solve the problem.
-- 
Matt Erculiani
ERCUL-ARIN
participants (4)
- Joe Greco
- Matt Erculiani
- Peter Beckman
- Sean Donelan