12

I have recently read about attacks using Caller ID spoofing technology. Criminals used it to impersonate bank or police employees and asked victims to install malware or transfer money to a given account. A person receiving a call could see a bank phone number. So if you have a bank number in your phone book or are using apps like Google Phone that display the name of a caller linked to a phone number in their database, you could think this is a real bank employee calling you.

When surfing online, I can verify the identity of a website thanks to SSL.

I've read that introducing similar verification for caller ID is hard:

But still, I wonder if there is any promise of such technology? Or any research on that?

The one thing I've heard about is the Google Verified Calls solution for companies, so their customers can trust calls received from them. However:

  • it is present only in some countries
  • only for companies that joined that platform
  • little is known about how Google verifies business phone numbers
dzieciou
  • 6
    As the other answers you link explain: every country handles phone networks differently. It would require international cooperation, and in some cases, massive upgrades in core phone switch networks. – schroeder Jul 25 '21 at 16:25
  • @schroeder I understand that, solving that globally is hard. However, somehow Google has built Verified Calls solution on top of that heterogeneous infrastructure. For sure, activity from different parts is required: local telephony providers have to integrate with Google APIs, businesses have to join the platform and end-users have to install Google Phone app, but this can be done. At least, on a small scale. – dzieciou Jul 25 '21 at 16:38
  • 2
    Small scale is insufficient. We can use WhatsApp on a small scale. Any solution must be universal, else there is little benefit for the effort. – schroeder Jul 25 '21 at 16:52
  • Lots of things *can* be done, but each has to be weighed against the existing alternatives, the impact, and whether or not it can be universal. If not universal, then criminals can use the non-participant carriers. – schroeder Jul 25 '21 at 16:55
  • 4
    It's important to note that the phone infrastructure is not end to end **digital** everywhere. There is still lots of analog (POTS) equipment/gateways that are blissfully unaware. Hence the issue of worldwide standardization. – Kate Jul 25 '21 at 16:56
  • @Anonymous and even in digital networks, there are analog trunks and spars. So, when you say "everywhere", it's not just some countries or remote areas (in case anyone interprets it that way). – schroeder Jul 25 '21 at 17:00
  • The technology is actually not that much of a problem - telephony providers know which lines or VoIP accounts of *their own customers* are associated with which numbers. Thus they could technically prevent spoofing done *by their own customers*. And if every telephony provider would do this it would prevent the problem. But, giving a different phone number or display specific information can actually have valid use cases, like using VoIP to be more mobile but giving the land line number as sender and have call forwarding setup. Preventing all caller spoofing also prevents these use cases. – Steffen Ullrich Jul 25 '21 at 17:04
  • @SteffenUllrich I do understand that spoofing has business reasons. But that does not exclude possibility of Caller ID verification. Same way, like proxying/load-balancing/etc. traffic on the Internet: I can talk to x-bank.com without knowing that my request is actually handled by some specific server behind this URL. This is fair as long as those servers are authorized to represent x-bank.com. – dzieciou Jul 25 '21 at 17:09
  • There are political reasons why a TLS/SSL equivalent which is not controlled by governments will never be allowed. Most governments have laws that require telecoms operators to be able to intercept and decrypt the voice traffic. – André Borie Jul 26 '21 at 09:57
  • @AndréBorie I guess I was unclear here. I meant only authenticity feature of SSL/TLS, not confidentiality. – dzieciou Jul 26 '21 at 09:59
  • 1
    A few weeks ago I received a call from a lawyer's office (Google Dialer ID said so). Eventually, that was yet another alleged online trading broker. The number didn't exist: probably the lawyer changed number, gave up landline for mobile, retired, etc. – usr-local-ΕΨΗΕΛΩΝ Jul 26 '21 at 11:34

2 Answers

17

It sounds like the thing you're interested in here that's related to SSL and TLS is authenticity, although TLS also provides confidentiality and integrity. The latter two are difficult in standard telephone environments due to laws mandating the ability to wiretap calls.

However, there are protocols for authenticity of caller ID information called STIR and SHAKEN. The use of the protocols is required by telecommunications regulators in the United States and Canada, and the protocols should be usable elsewhere. The protocol causes a digital signature of the caller ID information to be attached. According to Wikipedia, there are three levels of attestation:

  • "A", indicates that the provider recognizes the entire phone number as being registered with the originating subscriber;
  • "B", indicates that the call originated with a known customer but the entire number cannot be verified; or
  • "C", indicates the call can only be verified as coming from a known gateway, for instance, a connection to another service provider.

There's no technical reason why a telephone provider cannot sign invalid information, but of course a provider who did that would quickly find themselves distrusted, in addition to the possibility of legal action by governments or other parties.

As far as I'm aware, there isn't any ability of major mobile phone platforms to block all calls that are unverified, although of course demand for that may increase in the future.

bk2204
  • 9
    Great naming for the protocols – qwr Jul 26 '21 at 03:07
  • 10
    From Wikipedia: STIR having existed already, the creators of SHAKEN "tortured the English language until [they] came up with an acronym." – Ken Y-N Jul 26 '21 at 06:56
  • 5
    SHAKEN: **S**ignature-based **H**andling of **A**sserted information using to**KEN**s. That is not how acronyms are usually made indeed... But damn, it is a good one – bradbury9 Jul 26 '21 at 10:23
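
The signed caller ID described in the answer above, as an added Node.js example (not from the answer and not taken from any STIR/SHAKEN implementation): the originating provider signs the number and attestation level as a SHAKEN PASSporT, and the terminating provider accepts the level only if the signature, freshness and displayed number all check out. The key pair, the fictional 555-01xx numbers, the certificate URL and the 60-second freshness window are assumptions; a real verifier obtains the public key by fetching and validating the signer's certificate rather than being handed it.

```javascript
const nodeCrypto = require('crypto');

// Constructed key pair standing in for the originating provider's certificate key.
const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const b64url = (s) => Buffer.from(s).toString('base64url');
const fail = (reason) => ({ ok: false, reason });

// Originating provider: sign the caller-ID claims (ES256, raw r||s signature).
function signPassport(attest, origTn, destTn, iat) {
  // x5u is a placeholder URL; a real one points at the signer's certificate.
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport', x5u: 'https://sp.example/cert.pem' };
  const claims = { attest, dest: { tn: [destTn] }, iat, orig: { tn: origTn }, origid: nodeCrypto.randomUUID() };
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = nodeCrypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}

// Terminating provider: trust the attestation level only if every check passes.
function verifyPassport(token, shownTn, now, key = publicKey) {
  const parts = token.split('.');
  if (parts.length !== 3) return fail('malformed token');
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sig = Buffer.from(parts[2], 'base64url');
  if (!nodeCrypto.verify('sha256', signed, { key, dsaEncoding: 'ieee-p1363' }, sig)) {
    return fail('signature invalid');
  }
  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  if (header.alg !== 'ES256' || header.ppt !== 'shaken') return fail('not a SHAKEN PASSporT');
  if (Math.abs(now - claims.iat) > 60) return fail('stale token'); // assumed 60 s window
  if (claims.orig?.tn !== shownTn) return fail('caller ID differs from signed origin');
  if (!['A', 'B', 'C'].includes(claims.attest)) return fail('unknown attestation level');
  // Only level "A" says the provider recognizes the entire number as the subscriber's.
  return { ok: true, attest: claims.attest, verifiedNumber: claims.attest === 'A' };
}

// Constructed call: a provider fully attests ("A") a fictional 555-01xx number.
const demo = signPassport('A', '12025550100', '12025550123', 1627230000);
console.log(verifyPassport(demo, '12025550100', 1627230005));
```

A valid signature only proves which provider made the attestation; as the answer notes, it does not stop that provider from signing wrong information.
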
1

Answering about the plans part.

It takes victims, press, regulators and money. Technology exists already.

Phone providers do not like to spend money if they are not required to or if it doesn't give them a marketing advantage. Call your phone provider and complain to them "I am getting calls every day from unknown spoofed numbers" and they will tell you to pay more attention to where you submit your phone number.

The phenomenon and the risks are known to all authorities. What follows is my opinion. Once vishing has claimed enough victims by draining them of large quantities of money, the media will start talking a lot more about the phenomenon and pressuring regulators. And somebody may ask "who can mitigate this? Telcos of course". Then one day a regulatory agency will rule "it's time to stop this" dangerous habit. Finally, telcos will be obligated to spend money on implementing new security.

This is kinda different from domain/IP spoofing on the internet. Luckily, the internet rule is the following:

  • If you (ISP) route rogue packets, we (other ISPs) could disconnect your ASN and leave you offline, out of business
  • If you (domain holder) do not implement appropriate measures and someone abuses your domain name, your mail will never get to anyone and you may be out of business

The second point above is the reason why domain administrators do configure DKIM/SPF thoroughly. You'll never want to tell your CFO that no mail is being delivered to Gmail or Outlook, and that you are not reaching your customers.

usr-local-ΕΨΗΕΛΩΝ