1、 ATIS-0300114 ATIS Standard on - Next Generation Interconnection Interoperability Forum (NGIIF) Next Generation Network (NGN) Reference Document Caller ID and Caller ID Spoofing As a leading technology and solutions development organization, the Alliance for Telecommunications Industry Solutions (AT
2、IS) brings together the top global ICT companies to advance the industrys most pressing business priorities. ATIS nearly 200 member companies are currently working to address the All-IP transition, network functions virtualization, big data analytics, cloud services, device solutions, emergency serv
3、ices, M2M, cyber security, network evolution, quality of service, billing support, operations, and much more. These priorities follow a fast-track development lifecycle from design and innovation through standards, specifications, requirements, business use cases, software toolkits, open source solu
4、tions, and interoperability testing. ATIS is accredited by the American National Standards Institute (ANSI). The organization is the North American Organizational Partner for the 3rd Generation Partnership Project (3GPP), a founding Partner of the oneM2M global initiative, a member of and major U.S.
5、 contributor to the International Telecommunication Union (ITU), as well as a member of the Inter-American Telecommunication Commission (CITEL). For more information, visit www.atis.org. Notice of Disclaimer however, 14GR-31-CORE, CLASS Feature: Calling Number Delivery. 15ATIS-1000067, IP NGN Callin
6、g Name (eCNAM). 16GR-1188-CORE, CLASS Feature: Calling Name Delivery Generic Requirements. 17A SIP INVITE is a request code that indicates a client is being invited to participate in a call session. 18The Truth in Caller ID Act 2009 amends Section 227 of the Communications Act of 1934 (47 U.S.C. 227
7、). ATIS-0300114 5 this clause points out techniques that are being developed within the industry, and discussed in various industry groups: certification and verified tokens. 5.1 Certification Work is underway in the Internet Engineering Task Force (IETF) Secure Telephone Identity Revisited (STIR) w
8、orking group to develop RFC4474bis for IP-based Caller ID certification. Figure 5.1 is an example of a basic use case for a SP implementation for Caller ID certification.19Figure 5.1 Basic Use Case for Service Provider Implementation for Caller ID Certification 5.2 Verified Token Proposal In additio
9、n to the IEFT STIR work underway addressing certification in RFC4474bis, that work has recently been augmented to include consideration of a Verified Token as a certification method. 19IETF RFC 4474bis, Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP). DRAF
10、T version only. ATIS-0300114 6 Figure 5.2 Authenticate/Verify Service - Basic Call Flow Originate call on user equipment (UE) and authentication constructs one or more signatures using one of the following options: 4474bis signature and adds identity header to SIP INVITE. 4474bis signature with full
11、 Verified Token added to identity header of SIP INVITE. Verified Token is applied to Message Body as a multi-part MIME.20 Terminating network receives INVITE, fetches (likely highly cached) public key certificate from x5u claim, and uses validation service to validate signature. In addition, other m
12、itigation techniques can be used to perform SPspecific call validation treatment (CVT). Figure 5.3 Originating Service Provider Certificate Management Each SP will create a public key/private key X.509 certificate pair. It will generate a certificate signing request (CSR) to the chosen Trust Anchor
13、or authority that can validate with absolute certainty that the requestor is an authorized PSTN SP. The SP will receive back a signed public key and certificate chain with the public key of the Trust Anchor. 20Multipurpose Internet Mail Extensions ATIS-0300114 7 The SP will use the certificate chain
14、 as the public key certificate and distribute this public key via HTTP Secure (HTTPS) and/or Domain Name System Security Extensions (DNSSEC) as indicated in the “x5u” claim used in the verified token. The validation of the signature and the certificate chain back to the Trust Anchor will be the trus
15、t mechanism for authenticating the originating SPs certificate. As a precursor to the token proposal, trusted SPs need the ability to authenticate the end users authority to use the TN resource. 6 Relationship between Caller ID Spoofing Increase in consumer complaints; Increase in call center contac
16、ts; Potential billing issues. 8.1.1 Network Congestion SPs networks are engineered to minimize network congestion conditions which could impact the ability of the consumer to make and receive telephone calls. The engineering of these networks is based on the theory that the future behavior of the ne
17、twork will be similar to past behavior and include a small margin for network growth. SP network congestion will occur whenever actual conditions exceed these assumptions and an alternate route is not available. The magnitude and scope of the network congestion depends on the magnitude and scope of
18、the associated event. Table 7.1 illustrates the potential for illegitimate Caller ID spoofing to negatively impact SPs networks and cause network congestion. 8.1.2 Blocking E911 Calls Illegitimate Caller ID spoofing of a PSAPs legitimate TN could result in undesirable impacts, including a total tele
19、phony denial of service (TDoS) for the PSAP. Such events could occur if a number of the called parties return the call to the PSAP. This could be prevalent when a PSAPs 911 trunks are limited in size. The operational problem is exacerbated in the event of a true emergency situation wherein legitimat
20、e 911 calls fail to reach a PSAP due to a TDoS attack or loss of service event. This hinders SPs ability to fulfill the legal requirement of restoring all emergency services impacting national security in a timely fashion. 23M3AAWG. Best Practices to Address Online, Mobile, and Telephony Threats, Ju
21、ne 1, 2015, p. 48 . 24U.S. Senate Committee on Commerce, Science, Financial loss; Loss of confidence in SP; Loss of confidence in telecommunication industry; Safety concerns. Since Caller ID spoofing is not always illegitimate, consumer education is important to minimize confusion and understand pot
22、ential impacts. 8.2.1 Consumer Education from SPs Call Spoofing Best Practices for Consumer Interactions: Provide education to personnel on the feature of Caller ID, the legitimate use of call spoofing as allowed in the Telephone Consumer Protection Act of 1991 (TCPA), as well as the issues associat
23、ed with the illegitimate use of call spoofing. Ensure processes, as well as training, are well documented and in place for front-line personnel to be equipped to easily address concerns regarding call spoofing raised to them by customers. Areas to be considered for this coverage on call spoofing are
24、: the front line business office or other in bound call centers, online access for customers, and repair and technical support in in bound centers. Call center personnel are best prepared to address Caller ID spoofing concerns with the appropriate processes, training, and documentation, allowing per
25、sonnel to offer customers an explanation of spoofing and options they can make use of to address Caller ID spoofing. Potential Documentation for Consumer Training: A simple understandable explanation as to what Caller ID spoofing is, such as “Caller ID spoofing is the practice of using technology to
26、 display a different persons name and number information on Caller ID units when making a call.” It is important for customers to know that there are legitimate uses for Caller ID spoofing, such as domestic violence safe houses, hospital rooms, newspaper reports, law enforcement, and doctors cell ph
27、ones. Telemarketers and call centers will also show a telephone number different from the calling number to provide consumers with an appropriate call back number. It is important to provide information that the misuse of call spoofing happens when the calling number changes the Caller ID to a rando
28、m number or the dialed number in order to increase the probability that the call will be answered. SPs will want to consider in the training that it is not possible currently for the SP to prevent callers from spoofing Caller ID information, and, if appropriate, advise that the SP does not sell cust
29、omer names and numbers to third-parties. SPs may also want to advise their customers of various services available to them (e.g., no solicitation service, *5725, selective call denial, third-party applications, online account management, etc.). SPs should advise customers that calling parties that s
30、poof Caller ID generally use specialized Internet software, and a spoofed call can originate outside the customers SPs network or arent carried on the customers SPs network. As a result, spoofed calls are, in those cases, untraceable and SPs face difficulty in working to stop them. 25This is a landl
31、ine, switch-based Class feature. ATIS-0300114 11 Scripted documentation provides front line personnel the best opportunity to correctly address customers concerns and provide them with options to resolve issues. Options will vary by SP, and any costs should be discussed with the customer. Here are s
32、ome options to consider: 1. Change of TN. Not everyone is eager to change their phone number, but this can be a useful solution for some consumers. 2. Use a calling feature to block incoming calls. SPs may offer a variety of privacy-focused calling features depending on SPs service offerings that cu
33、stomers might find useful. 3. If appropriate, offer to trace the harassing calls. It is usually difficult to trace spoofed calls. However, if that is appropriate and is done, SPs may then have other information that leads them to further investigate the harassing calls, including working with law en
34、forcement. 4. Get a non-published (private) listing. If the consumer uses a SP that publishes their TN in a print or web directory, the consumer may wish to request a private listing where the name, address and phone number are not included in the printed or web directory and arent available through
35、 Directory Assistance. Some SPs may have specified Annoyance Call Bureaus or security teams to address issues such as these. Customers who continue to have concerns after their contact with front line personnel or online resources can be referred to that group for additional assistance depending on
36、SPs specific processes. Customers may be asked to share any relevant information such as the dates/times they received spoofed calls and other appropriate specificity for the investigation of the calls. Annoyance Call Bureaus or security teams can provide valuable efforts to address these concerns,
37、such as: Provisioning and monitoring call tracing equipment on customers telephone services. Tracking, translating, and identifying call sources through central office switching locations, network monitoring, and analysis systems. Utilizing billing, address, and facilities systems to identify call s
38、ources when possible. Working directly with long distance, local exchange carriers, wireless, and various other communication SPs and annoyance call bureau departments nationwide and in Canada. Working with law enforcement on releasing identified party information. Contacting identified parties on b
39、ehalf of customers where appropriate to resolve problems ranging from life threatening or harassing calls to computer generated and auto-dialed calls, spoofing, blast faxes, and any other annoyance call types identified by customers. Communicating with customers regarding billing, tariff requirement
40、s relating to areas such as *57 activity, and FCC regulations. 8.2.2 Consumer Education from Other Sources There are many sources other than SPs that provide information to educate consumers on Caller ID and Caller ID spoofing, such as the following government agencies and consumer groups: FTC: http
41、:/www.consumer.ftc.gov FCC: https:/www.fcc.gov/spoofing USTelecom: https:/www.ustelecom.org/news/press-release/caller-id-spoofing-scams-increase-how-consumers-can-fight-back Better Business Bureau: http:/www.bbb.org Consumer Union: http:/consumersunion.org The National Cyber Security Alliance: http:
42、/www.staysafeonline.org FBI: https:/www.fbi.gov/scams-safety/be_crime_smart Internal Revenue Service (IRS): http:/www.irs.gov ATIS-0300114 12 9 Regulatory Environment This clause describes various FCC rules and regulations, as of the date of publication of this document, with the intent to assist wi
43、th investigating and/or mitigating some of the issues addressed herein. Noted references are not all-inclusive, do not intend to provide legal guidance and, based on date of this document, may have been subsequently revised. State commissions may also have issued rules and regulations on the subject
44、 addressed by this document. 9.1 FCC 9.1.1 Telephone Consumer Protection Act (TCPA) Congress has empowered the FCC to enforce the Communications Act of 1934, including the TCPA, and the agencys implementing rules and orders, in several ways. For example, the FCCs most powerful tool to enforce compli
45、ance with the law is to revoke a license for non-compliance, or deny issuance or renewal of the license. The FCC more commonly enforces the TCPA and its other rules and orders by imposing monetary penalties.269.2 FTC The FTC was specifically directed under the Telemarketing and Consumer Fraud and Ab
46、use Prevention Act of 1994 to adopt rules prohibiting deceptive and abusive telemarketing acts or practices, including “unsolicited telephone calls which the reasonable consumer would consider coercive or abusive of such consumers right to privacy.” The body of regulations adopted by the FTC to impl
47、ement the Telemarketing and Consumer Fraud and Abuse Prevention Act is known as the Telemarketing Sales Rule (TSR). The FTC was also empowered generally to address unfair or deceptive acts or practices in or affecting commerce, which the Federal Trade Commission Act of 1914 declares unlawful.27Howev
48、er, the FTCs jurisdiction does not extend to common carriers, which are subject to the regulatory authority of the FCC. For reasons described below, pertaining to both common carrier and privacy obligations, those companies must complete phone calls. When the TCPA was passed in 1991 to address telem
49、arketing robocalls, its primary function was to protect the privacy and public safety interests of telephone subscribers by placing restrictions on automatic dialers, fax machines, and unsolicited automated calls. The TCPA amended Title II of the Communications Act of 1934 to add a new section (227) entitled “Restrictions on the Use of Telephone Equipment”. The nature of the technology being used in 1991 is well-illustrated by the following consumer complaint: “The automated
