PSTN Authentication

Hi,

I'm looking for ideas on how to provide (reasonable) authentication over the PSTN. CID is too readily spoofed (usually by the very folks that you want to "avoid"!).

A simple scheme might be to use unique identifiers from a large, sparse ID-space -- providing the ID (DTMF or voice) would provide an indication of the user. This has the advantage of being tied to a USER and not a line/device. It sucks because it requires users to remember a specific ID (for *each* party that they intend to call!)

A more elaborate scheme could rely on voice-print identification. Ideally, obtaining a voice print from the party at some "registration" time. To address "playback" attacks, the caller could be required to make a statement indicated at the time of the call.

Any sort of call-back scheme falls down because of the possibility of theft of service that it presents. (It also assumes the user would be at a fixed "location")

Then, there are a whole set of "class identification" schemes (i.e., where the type of caller is needed, not the actual identity -- robocall prevention, etc.). I figure anything interactive will beat them ("Press now", "How much is plus ?" etc.)

My goal, here, is to provide an "automated attendant" function -- sort of an "electronic secretary" that can screen calls intelligently:

- route all calls from political parties to /dev/null

- don't even let the phone *ring* if it's a telemarketer

- when I am asleep, take a message from any of these callers

- whenever calls, *find* me!

- if Bob calls, tell him I am on my way

- if *I* call, give me access to etc.

Obviously, the cost (inconvenience?) to the caller can vary as the "value" of the service he/she is expecting.

Thx,

--don

Reply to
Don Y

On Sat, 13 Sep 2014 11:57:59 -0700, Don Y Gave us:

Except that POTS audible resolution is crap, and any voice print analysis data would also therefore be crap.

Reply to
DecadentLinuxUserNumeroUno

I'd settle for a reasonable-cost system that required the caller to enter some 4-digit code such that robo-calls would be snuffed... I'm tiring of the crap. ...Jim Thompson

--
| James E.Thompson                                 |    mens     | 
| Analog Innovations                               |     et      | 
| Analog/Mixed-Signal ASIC's and Discrete Systems  |    manus    | 
| San Tan Valley, AZ 85142     Skype: skypeanalog  |             | 
| Voice:(480)460-2350  Fax: Available upon request |  Brass Rat  | 
| E-mail Icon at http://www.analog-innovations.com |    1962     | 
              
I love to cook with wine.     Sometimes I even put it in the food.
Reply to
Jim Thompson

The challenge is different every time, there are multiple valid responses for each challenge. Anyone eavesdropping has a really hard time guessing...

(the nerd on 'NUMBERS' said it was cool, so who am I to object)

Reply to
Johann Klammer

...snip....

I've considered doing this in a way that would not be rude or even obvious. Being a business line, my answering machine should appear to be a business. Your suggestions above are basically what I came up with. A short intro saying "Hello, you have reached Arius, Inc. Please press xy to speak with a representative." This will stop the robo calls. As you suggest only then will the phone actually ring, not the phone really as that requires more expensive circuitry to generate a ring voltage. Rather this unit would sound its own ringer. That might not be so great with my cordless phone, but the unit's ringer can sound in multiple locations so I won't miss it.

I've never received a political call that wasn't robo so that is dealt with. I'm not sure how the unit will know you are asleep... If the phone is not answered it will pass the call to the regular answering machine... which will require the ringer circuit, darn!

Find you? lol I guess you can train the dog to come get you when the ultrasonic ringer sounds. Won't work so well if you are out in the car somewhere...

If Bob calls answer the phone and tell him you are on the way yourself!

If you are calling you know to press "abcd" before the machine prompts you for "xy".

I would build this but I have other things on my list.

--

Rick
Reply to
rickman

Apparently, it is good enough for (e.g.) *banks* to rely on it (at least as a first-stage "convenience" feature):

Note that you don't have to treat it as an authoritative indicator! Rather, you can use this in conjunction with other "data" to decrease the chance of a false positive to a level appropriate for the level of "access" you are granting.

E.g., every scheme has some level of confidence/uncertainty: a single digit "access code" has a 10% chance of being guessed correctly; two digits are 1%. Of course, if a caller can freely *retry* calling and trying a *different* code...

Similarly, CID might *not* be spoofed so disregarding it as an input is foolish. (RELYING on it might be, though!)

Reply to
Don Y

A true robot would be stymied by "Please press now".

A "telemarketer", OTOH, would not ("OK, I'll press that!"). (nowadays, it seems like a robot dials and hands off to a human when the callee "answers")

If the was "canned" (i.e., the same for every/many instances of this device), a robocaller could just blurt out the code unconditionally to bypass that mechanism.

If it was a *single* changeable (or "random") digit, then pressing all keys, sequentially, unconditionally, would eventually hit upon the correct digit (i.e., you would have to allow perhaps *two* attempts and REQUIRE no more than two before validating the input)

Any code that requires legitimate callers to remember it is an inconvenience. If you could be assured a "timely" response by the callee ("device"), I suspect you could program the code as a part of the actual phone number -- just "delayed" (e.g., 555-1212%%%123456 where '%' forces an unconditional 1 second pause)

But, I want caller *identification*, not *just* "is this a human"...

Reply to
Don Y
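The screening-code points in the post above (a canned code, a key sweep such as 1234567890, and a cap of two attempts) can be put into a small check. This is an added example, not code from any poster; `CallGate`, `naive_accepts` and `blind_pass_probability` are hypothetical names, and the key sweep is a constructed input.

```python
import hmac
import secrets
from fractions import Fraction

DTMF_DIGITS = "0123456789"


def naive_accepts(code: str, heard: str) -> bool:
    """Weak check: passes if the code appears anywhere in the keys heard."""
    return code in heard


class CallGate:
    """Per-call screening gate (hypothetical class, not from the thread)."""

    def __init__(self, digits: int = 2, max_attempts: int = 2):
        # Fresh random code for every call, so there is no canned or
        # factory-default value a dialer could learn once and replay.
        self.code = "".join(secrets.choice(DTMF_DIGITS) for _ in range(digits))
        self.attempts_left = max_attempts
        self.passed = False

    def prompt(self) -> str:
        return "Please press " + " ".join(self.code) + " now."

    def submit(self, heard: str) -> bool:
        """Check all keys heard in one answer window; each window costs an attempt."""
        if self.passed or self.attempts_left <= 0:
            return self.passed
        self.attempts_left -= 1
        # Whole-window match: extra keys before or after the code fail.
        self.passed = hmac.compare_digest(heard.encode(), self.code.encode())
        return self.passed


def blind_pass_probability(digits: int, attempts: int) -> Fraction:
    """Chance that a caller who cannot hear the prompt gets through by
    trying `attempts` different codes against one call's gate."""
    return min(Fraction(1), Fraction(attempts, 10 ** digits))


if __name__ == "__main__":
    sweep = "1234567890"  # constructed input: a dialer pressing every key
    gate = CallGate(digits=1)
    print(gate.prompt())
    print("naive gate passes sweep:", naive_accepts(gate.code, sweep))
    print("strict gate passes sweep:", gate.submit(sweep))
    for n in (1, 2, 4):
        print(n, "digits, 2 attempts:", blind_pass_probability(n, 2))
```

A caller who hears the prompt still passes, so this gate separates talkers that cannot listen from everything else; it does not identify the caller.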

Note that the challenge can be unique to each caller. For example, having an inclination that "Penny" is calling (by characterization of her speech pattern -- or, because she provided the *three* digit code that has been assigned to Penny), you can query her as to the name of her firstborn child; the weather in her known location (which you can independently verify via a trusted source), etc.

And, it might NOT take the (typical) form of a "shared secret"! You could, for example, prompt her to speak a particular set of words that allow you to more accurately characterize her vowel sounds, etc. This would defeat a playback attack because the caller wouldn't know *which* words he/she would be asked to speak! (there are ways around this but the bar gets set a lot higher)

Reply to
Don Y

"xy" has to be more than a single digit as a robocaller could "press" 1234567890.

If "xy" was canned (or even The Default) for The Device, then there would be a high probability of a robocaller "guessing" it.

You also have to allow for it to be spoken in case the caller can't emit DTMF during the call.

It will stop the calls whereby a robot dialer AND TALKER deliver the message. But, if the dialer is automated and hands off the call to a human once the circuit is complete (answered), then the human can listen to your message and comply.

If I'm in my bedroom and haven't moved from there for 10 minutes, the chances are: I'm asleep!

Similarly, if I am in the bathroom, I *probably* don't want to take the call.

If I'm in the back yard, I probably don't want to be disturbed for "just anyone".

And, I sure as hell don't want *every* phone ringing if it knows I'm "at" a particular phone!

Regardless, the "automated attendant" (need a better term :< ) is desirable. Letting the phone ring and eventually falling back to an answering machine (or any other secondary processing) is a poor compromise, IMO.

If I am not "in the house", it can deduce if I'm in the back yard or "somewhere out front" (based on the manner by which I left the building. If it suspects I am nearby, it can attempt to alert me "page"). If it sees the cordless phone has been taken from its base, it can assume I am "within the neighborhood" and ring that "extension". If/when I pick up, it can *announce* the caller to me thereby giving me an opportunity to instruct it to "take a message" (or, record a voice message to dispatch AS IF it had been left for that caller).

[Think: good secretary!]

If I left the house via the garage, the garage door opened AND closed and the car is not within, then it can assume I have driven off. (of course, if I took the cordless phone with me, then I am implicitly telling "it" that I expect to be reachable ON that phone -- give it a try, I may just have driven to another residence in the subdivision)

I'm not *at* the phone that Bob has called! Or, I *may* be yet don't want to get drawn into a conversation with Bob which will delay everything *else* I may have planned.

[Again, think: good secretary!]

Too easy for someone to notice. I much prefer spending extra effort "training" it to my voice and then engaging in an authentication dialog (even the number of words required for me to command it to perform a specific action increases the chance of it verifying *my* speech characteristics)

Reply to
Don Y

When your product is available, let us know. I will be interested.

Reply to
John S

Hi Don,

Use a one-time-pad for challenge-response. Give each caller their own pad. If it's generated using a good random source, and the responses are not re-used, it will keep out even the NSA. That is, assuming they don't steal your physical copy of the pad, or just make you give it to them through coercion. I briefly considered doing something like this as a commercial product, but then I realized all of my customers would be drug dealers.

ChesterW

Reply to
ChesterW
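A sketch of the per-caller challenge-response pad described in the post above, as an added example that is not code from any poster: each challenge/response pair is burned the moment it is issued, so a recorded answer is useless on a later call. `make_pad`, `PadVerifier` and the 4-digit challenge / 6-digit response sizes are assumptions.

```python
import hmac
import secrets


def make_pad(entries: int = 20, digits: int = 6) -> dict:
    """Build one caller's pad: unique 4-digit challenges mapped to random
    responses. The caller gets a copy out of band (e.g. on paper)."""
    rng = secrets.SystemRandom()
    pad = {}
    while len(pad) < entries:
        challenge = f"{rng.randrange(10 ** 4):04d}"
        pad.setdefault(challenge, f"{rng.randrange(10 ** digits):0{digits}d}")
    return pad


class PadVerifier:
    """Callee-side state: unused pad entries per caller (hypothetical class)."""

    def __init__(self, pads: dict):
        self._pads = {caller: dict(pad) for caller, pad in pads.items()}
        self._pending = {}

    def challenge(self, caller: str):
        """Pick an unused challenge and burn it immediately.
        Returns None for an unknown caller or an exhausted pad."""
        pad = self._pads.get(caller)
        if not pad:
            return None
        chosen = secrets.choice(sorted(pad))
        # Removing the entry now means it is never offered again, even if
        # the call drops or the answer is wrong.
        self._pending[caller] = pad.pop(chosen)
        return chosen

    def verify(self, caller: str, response: str) -> bool:
        """One answer per issued challenge; the pending entry is consumed."""
        expected = self._pending.pop(caller, None)
        if expected is None:
            return False
        return hmac.compare_digest(response.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed sample pad for a caller named "penny".
    pad = {"0417": "902215", "8830": "114096"}
    verifier = PadVerifier({"penny": pad})
    ch = verifier.challenge("penny")
    print("challenge", ch, "->", verifier.verify("penny", pad[ch]))
    print("replay of same answer ->", verifier.verify("penny", pad[ch]))
```

Because a wrong answer also consumes an entry, the pad size bounds how many guesses an impostor gets before the caller must be issued a new pad.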

Duh! That is why I wrote xy and not x. I have received robocalls that automatically send one or even two DTMF tones. I think they are shooting for the most common single button press codes.

No, there is a *low* probability of it being guessed. 1 in 100 to be exact.

I don't. I can't remember the last time I couldn't send a DTMF tone.

I find very few of those. They usually listen for someone answering the phone and many start their own blurb before asking you to wait for the handoff. Do you really need to stop all the annoying calls or just get the 98th percentile?

I think you are designing a secretary. How does your phone know where you are?

I agree.

You do this a lot in your posts. You start going off on what appear to be tangents because you have not explained most of what is going on. So you are going to wire all your doors (and windows so the system knows if you have used a fire escape and call 911)? What else will this system monitor that you haven't mentioned? I think this is going to be a multi-thousand dollar system by the time it is done.

You mean mind reader?

Good luck. I think this will be some time showing up.

--

Rick
Reply to
rickman

Not a 1 time pad, a rolling code. It would be far too easy to mess up using the 1 time pad. It might be something to program into a smart phone. Then it could be a one time pad, secure until your phone is hacked.

Geez. You guys really do over think a simple problem.

--

Rick
Reply to
rickman

I think that puts too much of a burden on callers. And, requires a fair bit of "set up" for each caller.

Consider someone that calls "seldom". They wouldn't want to be bothered keeping track of where they are in the pad -- even a simple "N digit ID" would probably annoy them.

I think any solution has to "feel" natural. The "good secretary" model, I think, is worth considering in developing a solution.

Your "secretary" typically recognizes the voice of frequent callers. Or, their mannerisms. Even for infrequent callers, she allows them to identify themselves in a "natural" manner: "Hi, this is Bob". Perhaps during their initial banter, she refines her idea of who "Bob" actually *is* ("Gee, you don't SOUND like Bob!")

She can do this because she's observant *and* exposed to all of this dialog (imagine how she would fare if she was "first day on the job!")

If the phone can *listen* to your (human) dialog with a particular party, it can conceivably get a good deal of training information regarding how *that* particular caller speaks. If, some months later, it encounters the same individual, it can engage the caller in "seemingly" harmless banter to extract more voice samples from the caller. Even things like, "What number are you calling from, Bob?" will generate more input for analysis ("Gee, that's not the number I have on file for you! Would you like me to update our records? Or, are you just calling from this number temporarily?")

Of course, if the caller is trying to get the attendant to perform some "privileged" action ("Please wake him for me!"), then it seems "fair" to burden the caller a bit more (to get a more certain identification).

The advantage of this sort of scheme is that it is portable and doesn't require the caller to do much more than he/she would do if "forced" to interact with your "secretary"... I.e., it *feels* natural (instead of "please enter the 12 digit identifier that has been assigned to you. Use '#' to start over, '*' to delete the previous digit...")

Reply to
Don Y

Ring generators can be had for about 20 bucks, (buy a "FXS" VOIP adaptor on amazon)

Tell bob your extension is "abcd" and to dial it as soon as the voice starts.

--
umop apisdn 


Reply to
Jasen Betts

Sorry, John, I have no desire to be a "manufacturer".

OTOH, perhaps someone else will take the design and commercialize it. Amazing to think "smart" phones wouldn't already have such a feature...

Reply to
Don Y

Read what I wrote: "If "xy" was canned (or even The Default) for The Device..." i.e., if EVERY instance of The Device had "xy" HARDCODED to be "21", then all a robocaller needs to do is *try* "21" when it encounters a device that it SUSPECTS may be this type.

Similarly, if "xy" is The (Factory) Default, then it is highly likely that many such instances will be encountered that will still have the code set to the factory default.

My parents have a *dial* telephone.

Do all VoIP systems allow tones to be generated by the station set? Even after the call has been placed?

If you "borrow" the phone at your MD/Dentist/Retail/etc. location, do they *hand* you the phone? Or, dial for you and hand you the *receiver* (because the phone is located someplace convenient for *them* to access, not "guests"/visitors)?

If you are driving, do you want to again bring your eyes to the phone to type in a code number?

[And, why are so many VRT systems replacing the old DTMF interaction with voice response?]

DTMF is for the convenience of the DEVICE implementer, not the user.

Most robocalls, here, wait for the callee to answer. Then, within a second -- perhaps two -- you can hear a human come on the line. They have obviously designed their systems for this handoff to be very quick -- much longer than two seconds and I suspect folks would be in the process of hanging up ("crank call") before they got on the line.

How many calls do you expect your secretary to let "slip through"?

Not germane to the question at hand. Rather, an example of how you can *use* authentication in a larger context.

How does *your* secretary know where you are? Is she seated outside your office door so she can watch you come and go? Do you regularly tell her where you will be when leaving? Do you work in an "open" floorplan so she can see clear across the building and notice you chatting with the VP 60 ft away? Do you maintain a "pegboard" (or other notification system) to indicate that you are out of the office? Does she know about the 12:30 staff meeting (and naturally *assume* you are there)? Does she know your habits well enough to predict where you are *likely* to be?

[Assume a client had charged you with designing a system that could track and report your "location". Could you do it?]

If you've watched my posts over the past year or so, I've discussed other aspects of this "system".

If you haven't -- or haven't paid attention -- then there is nothing *missing* from my original post that affects "PSTN Authentication". Do I have to describe how I intend to use a particular capability before it can be considered or designed? Haven't I clearly stated my goal in describing an "automated attendant" and the parallels to a "good secretary"?

If the device has been TOLD to "give Bob the following message", how is that reading minds?

A "good secretary" would know -- from empirical observation ("Sheesh! Every time I get Bob on the phone, I've got to hear about his *kids* for 20 minutes!") -- that calls from Bob shouldn't be passed through when there is a schedule to be met.

E.g., if we receive calls while preparing a meal (or, ABOUT to do so), we don't bother to answer -- because we are BUSY with something "time sensitive" (the food will spoil or our stomachs will complain). The caller can try back later... instead of us answering, engaging in pleasantries for some number of minutes, then begging off so we can get back to a meal that HOPEFULLY hasn't gone cold during the interruption.

I have no goal of it EVER "showing up" -- for anyone OTHER than me! :> Thankfully, I have the money, resources and skills to pull it off without having to wait for a vendor to do a (poor) job of it --- with a "limited imagination"!

Reply to
Don Y
[snip]

Here's a trick I use with my cellphone...

Verizon only allows for 5 blocked numbers, and must be "renewed" every 90 days.

So I add the cretins to my contact list... all named beginning Zpam so they're all at the end of the contact list and out-of-sight ;-)

Then I set their "personal ring" to no-ring/no-vibrate >:-} ...Jim Thompson

Reply to
Jim Thompson

TPC has no interest in "serving" their customers -- especially if that "service" reduces their income!

An approach they would *welcome* (if they could get over the shame of doing so) would be to allow a callee to elect to "punish" a caller (press *23 or whatever in the first few seconds -- so YOU can positively ID the caller regardless of CID!) and the caller is automatically billed some small amount (e.g., $1).

Craft the legislation so the caller need not pay it -- but, the originating "service" is billed, instead (e.g., if the call comes from a Sprint subscriber, Sprint is responsible for the payment). Then, the service provider has an incentive to KNOW onto whom to pass the charges; the "incoming" service provider has an incentive (it gets a "cut" of that $1) and the "harmed" callee gets reimbursed.

How do you deal with the folks whose CID is "blocked"?

Or, who spoof their CID? (i.e., first such number on any list would have to be your *own* -- too "obvious" to spoof!)

Reply to
Don Y

It is already "illegal" to do what they are doing. So, chances are, they won't legitimately identify themselves. Anything that relies on an identification service that can be spoofed (e.g., CID) is therefore unreliable.

Our current approach is to simply let *everything* go to voice mail. We use email for most of our communications (it fits *our* schedule instead of The Caller's) so our phone strategy doesn't inconvenience others. And, it allows us to "skip" the junk calls by leaning on the ERASE key after hearing the first 2 seconds of their "important message" when we are reviewing our "mail".

Email gives you (The Caller) no guarantee of a response time (e.g., I may answer in a few minutes -- or a few DAYS). So, reviewing voicemails every few days has a comparable outcome -- you've told us you would like to talk to us but we were *effectively* "out"... and are returning your call when it is convenient for us to do so.

[Of course, this strategy works because so many OTHER people carry their phones around like "favored pets" -- so we are reasonably sure they won't be "out" when WE call!]
Reply to
Don Y
