Hello, I'm looking for guidance/feedback on the impact of STIR/SHAKEN on the call center and answering service industries. Very few are interconnected VoIP service providers themselves. Specifically, customers of these industries often desire the call center utilize their company phone number when contacting their employees or customers for an improved end-user experience. The worry is that STIR/SHAKEN will be implemented in a way that causes these "spoofed" calls (that have legitimate business relationships in place) to be marked as such or eventually blocked as STIR/SHAKEN tightens it's grip on malicious intent. Here is my understanding of the situation: As a customer of an Originating carrier, the Call Center's outbound calls will be signed by their Originating carrier's STIR/SHAKEN certificate - so as long as the SIP Identity header isn't modified in transit and the certificate is validated on the Terminating side, everything should continue to work normally for us as end users. So this is largely the carrier's problem, and not the call centers. However, it's not clear (to me) how the Attestation aspect of things will work (and if it even effects the typical customer): - Does just being a customer of the Originating Carrier give the Call Center's calls Full Attestation? - As a call center, if spoofing a number not owned/in inventory, would that be Partial Attestation? - Does the owner/location of the spoofed number matter, i.e. : - Partial Attestation: Number owned by Originating carrier, but not by customer making call - Gateway Attestation: Number not owned by Originating carrier (and by extension not owned by customer making the call) - Will different Terminating carriers treat Attestation designations differently? - Is this largely a framework that carriers will implement some day in the future? Am I way overthinking this? (Yes.) Thank you in advance for any perspective you can offer, or resources you can direct me to. My personal plan of attack for call centers: - Document permission and business use case for numbers spoofed on behalf of customers - That's it - that's the whole plan. - ???? Aside from making sure my carriers know I exist and that I have permission to use those numbers, what else is there? -Patrick Labbett
On 12/2/20 4:49 PM, Patrick Labbett wrote:
However, it's not clear (to me) how the Attestation aspect of things will work (and if it even effects the typical customer):
* Does just being a customer of the Originating Carrier give the Call Center's calls Full Attestation?
That depends on the originating carrier's policies. They could attest A a number that they've verified to be yours.
* As a call center, if spoofing a number not owned/in inventory, would that be Partial Attestation?
That depends on the originating carrier's policies. They could attest A a number that they've verified to be yours. Otherwise, they would attest B because they could verify the origin of the call, but not the accuracy of the caller ID.
* Does the owner/location of the spoofed number matter, i.e. : o Partial Attestation: Number owned by Originating carrier, but not by customer making call o Gateway Attestation: Number not owned by Originating carrier (and by extension not owned by customer making the call)
We mark forwarded calls as C, paying customers B, and customers we've taken the time to verify their ID as A. Some carriers do only A and C since customers can't specify their own caller ID (such as Comcast residential voice, or cell carriers)
* Will different Terminating carriers treat Attestation designations differently?
Of course! My T-Mobile phone doesn't display signed calls in any specific way, but others may. Our customers get a [V] in front of the caller ID with name data if we verified attestation A, nothing for any other form of attestation or no validation at all.
* Is this largely a framework that carriers will implement some day in the future?
The standards for how we treat this stuff are loose to give carriers flexibility in how they convey it to the customers.
Am I way overthinking this? (Yes.)
Not nearly as bad as many! My personal plan of attack for call centers:
* Document permission and business use case for numbers spoofed on behalf of customers * That's it - that's the whole plan. * ????
Aside from making sure my carriers know I exist and that I have permission to use those numbers, what else is there?
Sounds good to me. For a lot of carriers, a simple explanation they can easily verify (like you call the number, and they answer with your client's name) is probably adequate. -Paul
An HTML attachment was scrubbed... URL: <https://puck.nether.net/pipermail/voiceops/attachments/20201202/14aa7a74/att...>
Thank you Glen and Paul, much appreciated! On Wed, Dec 2, 2020 at 5:19 PM Glen Gerhard <glen at cognexus.net> wrote:
Sounds like a good plan to me. It might help to figure out a few test call paths to verify the verstats directly.
IMHO much of the S/S technology will be overshadowed by the analytics providers in terms of call presentation/blocking.
That said, S/S will be helpful to law agencies in tracking malicious intent groups. This alone makes it worth the effort. A lot of the work /benefit takes place at the vetting of corporate ownership. S/S also provides Rich Call Data which replaces the pathetic CNAM.
The Delegated Certs extension will help with the call center attestations but is still a ways off. Then you need your SBCs and PBXs to support it.
SIPNOC is next week and it's usually helpful. https://www.sipforum.org/news-events/sipnoc-2020-overview/#topics
~Glen
On 12/2/2020 1:49 PM, Patrick Labbett wrote:
Hello, I'm looking for guidance/feedback on the impact of STIR/SHAKEN on the call center and answering service industries. Very few are interconnected VoIP service providers themselves.
Specifically, customers of these industries often desire the call center utilize their company phone number when contacting their employees or customers for an improved end-user experience.
The worry is that STIR/SHAKEN will be implemented in a way that causes these "spoofed" calls (that have legitimate business relationships in place) to be marked as such or eventually blocked as STIR/SHAKEN tightens it's grip on malicious intent.
Here is my understanding of the situation: As a customer of an Originating carrier, the Call Center's outbound calls will be signed by their Originating carrier's STIR/SHAKEN certificate - so as long as the SIP Identity header isn't modified in transit and the certificate is validated on the Terminating side, everything should continue to work normally for us as end users. So this is largely the carrier's problem, and not the call centers.
However, it's not clear (to me) how the Attestation aspect of things will work (and if it even effects the typical customer):
- Does just being a customer of the Originating Carrier give the Call Center's calls Full Attestation? - As a call center, if spoofing a number not owned/in inventory, would that be Partial Attestation? - Does the owner/location of the spoofed number matter, i.e. : - Partial Attestation: Number owned by Originating carrier, but not by customer making call - Gateway Attestation: Number not owned by Originating carrier (and by extension not owned by customer making the call) - Will different Terminating carriers treat Attestation designations differently? - Is this largely a framework that carriers will implement some day in the future?
Am I way overthinking this? (Yes.)
Thank you in advance for any perspective you can offer, or resources you can direct me to.
My personal plan of attack for call centers:
- Document permission and business use case for numbers spoofed on behalf of customers - That's it - that's the whole plan. - ????
Aside from making sure my carriers know I exist and that I have permission to use those numbers, what else is there?
-Patrick Labbett
_______________________________________________ VoiceOps mailing listVoiceOps at voiceops.orghttps://puck.nether.net/mailman/listinfo/voiceops
-- Glen Gerhardglen at cognexus.net 858.324.4536
Cognexus, LLC 7891 Avenida Kirjah San Diego, CA 92037
_______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops
ATIS is hosting ongoing Webinars specific to S/S. The first one is at 2 pm est. today. I?ll try to forward future S/S Webinar links to this site as they become available. Dave <voiceops-bounces at voiceops.org> On Behalf Of Patrick Labbett Sent: Thursday, December 3, 2020 11:53 AM To: Glen Gerhard <glen at cognexus.net> Cc: voiceops at voiceops.org Subject: Re: [VoiceOps] STIR/SHAKEN for call centers Thank you Glen and Paul, much appreciated! On Wed, Dec 2, 2020 at 5:19 PM Glen Gerhard <glen at cognexus.net <mailto:glen at cognexus.net> > wrote: Sounds like a good plan to me. It might help to figure out a few test call paths to verify the verstats directly. IMHO much of the S/S technology will be overshadowed by the analytics providers in terms of call presentation/blocking. That said, S/S will be helpful to law agencies in tracking malicious intent groups. This alone makes it worth the effort. A lot of the work /benefit takes place at the vetting of corporate ownership. S/S also provides Rich Call Data which replaces the pathetic CNAM. The Delegated Certs extension will help with the call center attestations but is still a ways off. Then you need your SBCs and PBXs to support it. SIPNOC is next week and it's usually helpful. https://www.sipforum.org/news-events/sipnoc-2020-overview/#topics ~Glen On 12/2/2020 1:49 PM, Patrick Labbett wrote: Hello, I'm looking for guidance/feedback on the impact of STIR/SHAKEN on the call center and answering service industries. Very few are interconnected VoIP service providers themselves. Specifically, customers of these industries often desire the call center utilize their company phone number when contacting their employees or customers for an improved end-user experience. The worry is that STIR/SHAKEN will be implemented in a way that causes these "spoofed" calls (that have legitimate business relationships in place) to be marked as such or eventually blocked as STIR/SHAKEN tightens it's grip on malicious intent. Here is my understanding of the situation: As a customer of an Originating carrier, the Call Center's outbound calls will be signed by their Originating carrier's STIR/SHAKEN certificate - so as long as the SIP Identity header isn't modified in transit and the certificate is validated on the Terminating side, everything should continue to work normally for us as end users. So this is largely the carrier's problem, and not the call centers. However, it's not clear (to me) how the Attestation aspect of things will work (and if it even effects the typical customer): * Does just being a customer of the Originating Carrier give the Call Center's calls Full Attestation? * As a call center, if spoofing a number not owned/in inventory, would that be Partial Attestation? * Does the owner/location of the spoofed number matter, i.e. : * Partial Attestation: Number owned by Originating carrier, but not by customer making call * Gateway Attestation: Number not owned by Originating carrier (and by extension not owned by customer making the call) * Will different Terminating carriers treat Attestation designations differently? * Is this largely a framework that carriers will implement some day in the future? Am I way overthinking this? (Yes.) Thank you in advance for any perspective you can offer, or resources you can direct me to. My personal plan of attack for call centers: * Document permission and business use case for numbers spoofed on behalf of customers * That's it - that's the whole plan. * ???? Aside from making sure my carriers know I exist and that I have permission to use those numbers, what else is there? -Patrick Labbett _______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org <mailto:VoiceOps at voiceops.org> https://puck.nether.net/mailman/listinfo/voiceops -- Glen Gerhard glen at cognexus.net <mailto:glen at cognexus.net> 858.324.4536 Cognexus, LLC 7891 Avenida Kirjah San Diego, CA 92037 _______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org <mailto:VoiceOps at voiceops.org> https://puck.nether.net/mailman/listinfo/voiceops
I spoke too soon??here?s the registration link: STIR/SHAKEN Webinar Series - ATIS <https://www.atis.org/webinars/stir-shaken-webinar-series/> From: VoiceOps <voiceops-bounces at voiceops.org> On Behalf Of Dave Frigen Sent: Thursday, December 3, 2020 12:20 PM To: 'Patrick Labbett' <patrick.labbett at gmail.com>; 'Glen Gerhard' <glen at cognexus.net> Cc: voiceops at voiceops.org Subject: Re: [VoiceOps] STIR/SHAKEN for call centers ATIS is hosting ongoing Webinars specific to S/S. The first one is at 2 pm est. today. I?ll try to forward future S/S Webinar links to this site as they become available. Dave <voiceops-bounces at voiceops.org <mailto:voiceops-bounces at voiceops.org> > On Behalf Of Patrick Labbett Sent: Thursday, December 3, 2020 11:53 AM To: Glen Gerhard <glen at cognexus.net <mailto:glen at cognexus.net> > Cc: voiceops at voiceops.org <mailto:voiceops at voiceops.org> Subject: Re: [VoiceOps] STIR/SHAKEN for call centers Thank you Glen and Paul, much appreciated! On Wed, Dec 2, 2020 at 5:19 PM Glen Gerhard <glen at cognexus.net <mailto:glen at cognexus.net> > wrote: Sounds like a good plan to me. It might help to figure out a few test call paths to verify the verstats directly. IMHO much of the S/S technology will be overshadowed by the analytics providers in terms of call presentation/blocking. That said, S/S will be helpful to law agencies in tracking malicious intent groups. This alone makes it worth the effort. A lot of the work /benefit takes place at the vetting of corporate ownership. S/S also provides Rich Call Data which replaces the pathetic CNAM. The Delegated Certs extension will help with the call center attestations but is still a ways off. Then you need your SBCs and PBXs to support it. SIPNOC is next week and it's usually helpful. https://www.sipforum.org/news-events/sipnoc-2020-overview/#topics ~Glen On 12/2/2020 1:49 PM, Patrick Labbett wrote: Hello, I'm looking for guidance/feedback on the impact of STIR/SHAKEN on the call center and answering service industries. Very few are interconnected VoIP service providers themselves. Specifically, customers of these industries often desire the call center utilize their company phone number when contacting their employees or customers for an improved end-user experience. The worry is that STIR/SHAKEN will be implemented in a way that causes these "spoofed" calls (that have legitimate business relationships in place) to be marked as such or eventually blocked as STIR/SHAKEN tightens it's grip on malicious intent. Here is my understanding of the situation: As a customer of an Originating carrier, the Call Center's outbound calls will be signed by their Originating carrier's STIR/SHAKEN certificate - so as long as the SIP Identity header isn't modified in transit and the certificate is validated on the Terminating side, everything should continue to work normally for us as end users. So this is largely the carrier's problem, and not the call centers. However, it's not clear (to me) how the Attestation aspect of things will work (and if it even effects the typical customer): * Does just being a customer of the Originating Carrier give the Call Center's calls Full Attestation? * As a call center, if spoofing a number not owned/in inventory, would that be Partial Attestation? * Does the owner/location of the spoofed number matter, i.e. : * Partial Attestation: Number owned by Originating carrier, but not by customer making call * Gateway Attestation: Number not owned by Originating carrier (and by extension not owned by customer making the call) * Will different Terminating carriers treat Attestation designations differently? * Is this largely a framework that carriers will implement some day in the future? Am I way overthinking this? (Yes.) Thank you in advance for any perspective you can offer, or resources you can direct me to. My personal plan of attack for call centers: * Document permission and business use case for numbers spoofed on behalf of customers * That's it - that's the whole plan. * ???? Aside from making sure my carriers know I exist and that I have permission to use those numbers, what else is there? -Patrick Labbett _______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org <mailto:VoiceOps at voiceops.org> https://puck.nether.net/mailman/listinfo/voiceops -- Glen Gerhard glen at cognexus.net <mailto:glen at cognexus.net> 858.324.4536 Cognexus, LLC 7891 Avenida Kirjah San Diego, CA 92037 _______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org <mailto:VoiceOps at voiceops.org> https://puck.nether.net/mailman/listinfo/voiceops
participants (4)
-
dfrigen@wabash.net -
glen@cognexus.net -
patrick.labbett@gmail.com -
ptimmins@clearrate.com