Thanks to VoIP we can link remote places and communicate with each other at the lowest possible cost. VoIP companies know that, and it is one of the biggest reasons why this industry has been growing.
If you are already familiar with VoIP, you have surely read about SIP and RTP. There are other protocols, but I will focus on these two as they are the most common. SIP does the signalling while RTP carries the sound; SIP has many functions in VoIP, but the main one is related to the INVITE action. The INVITE is responsible for initiating calls, and it carries all the details about the call, including the Caller ID number.
Sadly for us, SIP does not provide any mechanism to prevent spoofing of the Caller ID. This means I could (but I will not) call someone and act on behalf of someone from the Parliament of Canada by setting my Caller ID to 1 866 599 4999. If you do a little searching, you will find there are many frauds, many of them related to revenue agencies.
The Government of Canada, through its telecommunications body, the Canadian Radio-television and Telecommunications Commission (CRTC), recognizes this danger and has published a communication about Measures to reduce caller identification spoofing and to determine the origins of nuisance calls.
The CRTC suggests the use of STIR and SHAKEN; however, in my experience, I believe this is not enough and is just a poor attempt to cover the real risk. I will explain my line of thinking.
Blocking Caller ID spoofing between SIP endpoints is not that hard. You can use STIR or SHAKEN for that. If you are familiar with SMTP, you will find that they work somewhat like DKIM and S/MIME: some headers are added to the SIP payload, and those headers are then verified against a central authority. Personally speaking, I do not like the idea of using a central authority, especially because it involves many manual procedures related to certificate management.
Although the SIP-to-SIP scenario could be more than enough for some big companies, I will not let you forget about the small ones. In their case, it is very likely that a call goes through the PSTN. The problem with routing a SIP call through the PSTN is that at some point the call jumps from SIP to PSTN, and later from PSTN to SIP. This SIP-PSTN-SIP jump makes the SIP payload lose any custom or non-essential header. That is where STIR or SHAKEN become useless.
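The header loss described above, as an added example that is not part of the original post: a constructed INVITE carrying a SHAKEN-style Identity header goes through a modeled SIP-PSTN-SIP hop, and the receiving side can no longer tell a signed call from an unsigned one. The hostnames, phone numbers, placeholder signature, function names and the gateway model (only the two numbers cross the trunk) are assumptions, and no ES256 signature check is performed.

```python
import base64, json

def b64u(obj):
    """base64url without padding, as used for the PASSporT header and payload."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_invite(caller, callee, with_identity):
    """Build a constructed SIP INVITE; the signature part is a placeholder."""
    lines = [f"INVITE sip:{callee}@b.example SIP/2.0",
             f"From: <sip:{caller}@a.example>;tag=1",
             f"To: <sip:{callee}@b.example>",
             "Call-ID: constructed-1"]
    if with_identity:
        hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
               "x5u": "https://cert.example/a.pem"}
        body = {"attest": "A", "dest": {"tn": [callee]}, "iat": 1700000000,
                "orig": {"tn": caller}, "origid": "constructed"}
        lines.append(f"Identity: {b64u(hdr)}.{b64u(body)}.PLACEHOLDER-SIG"
                     ";info=<https://cert.example/a.pem>;alg=ES256;ppt=shaken")
    return "\r\n".join(lines) + "\r\n\r\n"

def parse_headers(msg):
    """Return the header lines after the request line as a lower-cased dict."""
    head = msg.split("\r\n\r\n")[0].split("\r\n")[1:]
    return {k.strip().lower(): v.strip() for k, v in (l.split(":", 1) for l in head)}

def user_of(value):
    """Extract the user part (the phone number) from a From/To header value."""
    return value.split("sip:")[1].split("@")[0]

def pstn_hop(msg):
    """Model SIP -> PSTN -> SIP: only calling and called numbers survive."""
    h = parse_headers(msg)
    calling, called = user_of(h["from"]), user_of(h["to"])
    return make_invite(calling, called, with_identity=False)  # Identity is gone

def caller_id_status(msg):
    """Classify an INVITE by what its Identity header claims about the caller."""
    h = parse_headers(msg)
    if "identity" not in h:
        return "unverifiable"
    payload = h["identity"].split(";")[0].split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    # A real verifier would also validate the signature against the x5u certificate.
    return "claimed-match" if claims["orig"]["tn"] == user_of(h["from"]) else "mismatch"

if __name__ == "__main__":
    signed = make_invite("16135550100", "14165550199", with_identity=True)
    print(caller_id_status(signed), "->", caller_id_status(pstn_hop(signed)))
```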
There should be another way!
First of all, my proposal does not discover anything new. I am just applying well-known technologies in a better way. The proposal involves the following:
The first thing you need to do in my proposal is to sign up. The sign-up process is nothing more than a verification process to be 100% certain you own the DID number you are claiming to have.
The sign-up process is as follows:
There is no better way to explain it than with an example: Alice is a customer of VoIP Company A with an assigned phone number. She is calling Bob, who is a customer of VoIP Company B. Bob has his own phone number assigned. Both companies are aligned with my proposal.
Off the top of my head, I can enumerate some pros and cons. First the cons:
This is a very good question. As you see, this is just the first attempt. I will soon get a website up and will start doing some proof of concept. The idea is to have an easy and reliable way to reduce the risk of Caller ID spoofing.
All comments are welcome.
Good luck!