SHAKEN, But Not STIRred

Posted on January 23, 2022 / December 30, 2022 by Eric Niewoehner

What to do with those mysterious links in text messages.  There is some hope.  A new protocol may be the first step in ending scam calls and messages: STIR/SHAKEN.

First posted January 23, 2022
Updated February 12, 2022
Updated February 21, 2022

Scam Messages.  Gmail appears to be legit, but the user's name is a bit suspicious.  And the link is odd.
Sample Spam

The Problem

Nothing can be peskier than unsolicited text messages. Most are deliberate acts of fraud. Some are phishing, using techniques to lure you to a website to betray private information. Some are porn sites. For some people, the level of spam is such that it renders the cell phone useless. I am not alone. Robocalls occurred 46 billion times in 2020. What can be done about it? Will this ever end?

A step in the right direction started last June 30, 2020 when a new protocol started to take effect. Called STIR/SHAKEN, it is designed to add digital signatures to text messages and voice calls so that the sender can be verified. This will eliminate the spoofed phone numbers that appear in your caller ID. And it will make text messages traceable.

The problem is only half solved, however. The protocol described above is the STIR part, short for Secure Telephony Information Revisited. The protocol works as long as all the providers have the capability to add signatures. Unfortunately, not all of them can. Text messages, in particular, are often generated by computer systems, not by cell phones. And more and more of the spam traffic is coming from overseas, from countries that are not yet utilizing the STIR/SHAKEN protocol. Thus, the second part of the protocol takes effect. When the source is not using the STIR protocol, providers can add tokens to at least make the call as traceable as possible. That is the SHAKEN part, short for Signature-based Handling of Asserted Information.

Because the volume of non-compliant phone traffic is still considerable, major providers have had difficulty delivering on STIR/SHAKEN. Major phone services such as AT&T and T-Mobile act as collectors as much as they do as originators. Calls that originate outside their control have to be SHAKENed. That is easier said than done at this time. To reduce the volume of unsigned messages and calls, the FCC has shortened the deadline for smaller providers, moving it up by a year to June 30, 2022.

Hopefully, after June 30th of 2022, any robocall or text message you receive will be from outside the US. It should make it easy for any of us to identify such calls as scams. Theoretically, of course. There are the details to consider. First of all, older phones will most likely not have the capability to handle the added features of STIR/SHAKEN. As phones become capable, expect to see indicators in text messages and calls that assess the verification status of the call. The digital overhead should be minimal for voice traffic. For text messages, however, it may double the storage load. Most text messages are short. The headers containing the signatures will be bigger than the messages.

The second kink in the transition will be the complexity of compliance. It took years for e-mail to get to this level, and spamming is still a major headache. Expect the same for text messages. It will take time.

What About My Hometown?

The FCC maintains a database that lists the implementation status of STIR/SHAKEN with local providers. Since I live in Juneau, Alaska, I focused on the key providers for that community.

  • ACS – Not yet implemented but will provide traceback services upon request.
  • GCI – Partial implementation
  • AT&T – Partial implementation

Since I utilize AT&T, I wondered what “partial” meant. Because of Juneau’s small market, “partial” usually means “last implemented,” but that is not always the case because Juneau serves as a critical fiber optic hub. What “partial” means is as follows:


The filer certifies that it commits to respond to all traceback requests from the Commission, law enforcement, and the industry traceback consortium, and to cooperate with such entities in investigating and stopping any illegal robocallers that use its service to originate calls, and that some of the voice traffic that originates on its network is authenticated with STIR/SHAKEN, and the remainder of the voice traffic that originates on its network is subject to a robocall mitigation program. The filer also certifies that the attached searchable PDF details the specific reasonable steps it has taken to avoid originating illegal robocall traffic as part of its robocall mitigation program, and, if applicable, the type of extension or extensions it received under 47 CFR § 64.6304.

You will notice that the missing element is “the customer.” The primary objective of this protocol is to prosecute fraud. The secondary benefit will be to improve the security of your voice and text traffic. Not clearly defined is the “mitigation program.”

In the Meantime, What is to be Done

First and foremost, it isn’t worth your time to call in complaints or attempt to find justice in this matter. I started on this project in August 2020 and sent e-mails to several providers and government agencies. I had absolutely no luck in getting a response from anyone, least of all an acknowledgment. It was interesting to come across an article in MobileSyrup where the writer voiced a similar frustration in getting assistance. Customer service generally had no clue what STIR/SHAKEN was, so it is obvious that providers have not yet trained their personnel in the new protocol because it has not matured as a service and the tools that technicians can use have not yet been perfected.

It probably would not hurt to send a nice letter to your state and federal government representatives. Let them know you are aware of the issue and would appreciate any help their offices can provide. I think it is important for them to know that the average citizen has little or no assistance in protecting themselves from fraud. The sooner that STIR/SHAKEN is implemented, the better.

With all the partisan vitriol in Washington, DC, it is comforting to know that there is a bi-partisan effort to protect consumers from robocalls. Senators Thune (R-South Dakota) and Markey (D-Massachusetts) have introduced the Robocall Trace Back Enhancement Act, seeking to increase penalties to fraud operators. Fifty-one state attorneys have signed up to battle robocalls and fraud.

In the Meantime, What to Do About the Links

Unfortunately, the disadvantage of text message apps is that it is very difficult, if not impossible, for the average user to verify whether the link they receive is actually the real thing. If the same link is delivered in an e-mail message, hovering the mouse pointer over the link in the message reveals at the bottom of the screen the actual link contained in the code. In the example below, pointing the mouse over “Redeem Points” will reveal the link information in the lower left corner of the browser. This sort of important information is not readily available with text messages on your phone.

Sample of Checking Links

The example I presented at the beginning of the article is quite typical of a spammed text message I recently received on my phone. All I got was a message from abe…07@gmail.com that simply had a link.


U8b5R8.Ab8nCZF0k.bond

Searching for a DNS domain by the name of Ab8nCZF0k.bond proved fruitless. You can do this by going to the WHOIS web site. A second thing I did was double-check the “bond” top-level domain to verify that it is a legitimate top-level domain. It is. This can be achieved by going to the IANA web site (international agency that sets the rules of Internet communication). At this point, an unregistered domain is rather suspicious. It is my first hint that the link posted in the text message is not what it appears to be.

I next conducted a search in DuckDuckGo and nothing concrete came up, although the random use of letters and digits produced several Russian sites. That may be due to another trick that is used by scammers – substituting foreign letters for identical-looking English letters. While they may look the same, the universal code that is used to identify linguistics and symbols is different. It is the universal code value that Internet routers read. Again, this is another technique used by scammers and it may explain why my first attempt to locate the domain failed in the example above. It is quite possible that the letter “C” is actually the letter “C” in Russian, which we substitute with the letter “S”.
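The look-alike letter question can be settled mechanically rather than by eye. The following Python sketch is an added example, not part of the original article: it reports which scripts each label of a hostname uses, lists any non-ASCII code points, and shows the ASCII form the name takes in DNS. The function names are hypothetical, and the second hostname is a constructed variant with a Cyrillic letter swapped in for comparison.

```python
import unicodedata

# Hostname exactly as quoted in the article.
PAGE_HOST = "U8b5R8.Ab8nCZF0k.bond"
# Constructed variant: the "C" is replaced by Cyrillic ES (U+0421), which looks the same.
LOOKALIKE_HOST = "U8b5R8.Ab8n\u0421ZF0k.bond"


def char_script(ch):
    """Approximate a character's script by the first word of its Unicode name."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def inspect_label(label):
    """Report scripts, non-ASCII code points and the DNS wire form of one label."""
    scripts = sorted({char_script(c) for c in label if c.isalpha()})
    non_ascii = [
        (pos, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
        for pos, c in enumerate(label)
        if ord(c) > 127
    ]
    try:
        # Python's built-in IDNA codec yields the ASCII ("xn--...") form used in DNS.
        wire = label.encode("idna").decode("ascii")
    except UnicodeError:
        wire = None  # label cannot be represented as a valid DNS name
    return {
        "label": label,
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "non_ascii": non_ascii,
        "wire_form": wire,
    }


def inspect_hostname(host):
    """Inspect every non-empty dot-separated label of a hostname."""
    return [inspect_label(part) for part in host.split(".") if part]


def needs_review(host):
    """True when any label mixes scripts or contains non-ASCII characters."""
    return any(r["mixed_script"] or r["non_ascii"] for r in inspect_hostname(host))


if __name__ == "__main__":
    for host in (PAGE_HOST, LOOKALIKE_HOST):
        print(host, "-> needs review:", needs_review(host))
        for report in inspect_hostname(host):
            print("   ", report)
```

Run against text copied straight from a message, a label that reports more than one script or any non-ASCII code point is the case the paragraph above describes.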

Now the fun begins. I use Linux as my preferred desktop operating system. So my next step was to get more basic. This is done by opening the command shell and using two Linux commands to compile some relevant data: traceroute and nslookup.

Mycomputer:~$ nslookup Ab8nCZF0k.bond
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: Ab8nCZF0k.bond
Address: 162.255.119.179
Mycomputer:~$ traceroute Ab8nCZF0k.bond
traceroute to Ab8nCZF0k.bond (162.255.119.179), 64 hops max
1 192.168.1.1 4.708ms 2.597ms 2.854ms
2 209.193.63.235 35.581ms 28.393ms 30.576ms
3 63.140.116.226 30.037ms 43.584ms 32.375ms
4 63.140.116.130 58.911ms 59.068ms 59.865ms
5 206.81.81.178 59.652ms 58.847ms 59.925ms
6 10.255.20.17 91.514ms 86.260ms 84.594ms
7 172.20.0.198 1127.234ms 701.891ms 183.532ms
8 100.65.240.35 1129.485ms 734.458ms 164.591ms
9 162.255.119.179 1086.215ms 796.944ms 1269.118ms

Beginning with nslookup, it is clear that there is some sort of data out there regarding the mysterious web site. DNS servers will typically collect and cache any discovered domains, whether they are formally registered or not. traceroute confirms that the website resides at the last address.

The next step is to check out the 162.255 address. Using the WHOIS web site, we can further investigate the owner and provider of the site.

NetRange:       162.255.116.0 - 162.255.119.255
CIDR:           162.255.116.0/22
NetName:        NCNET-5
NetHandle:      NET-162-255-116-0-1
Parent:         NET162 (NET-162-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS16626, AS174, AS3356, AS4323, AS22612, AS32421
Organization:   Namecheap, Inc. (NAMEC-4)
RegDate:        2014-05-14
Updated:        2015-03-24
Comment:        http://namecheap.com
Comment:        for any abuse please use: 
@namecheap.com
Ref:            https://rdap.arin.net/registry/ip/162.255.116.0


OrgName:        Namecheap, Inc.
OrgId:          NAMEC-4
Address:        11400 W. Olympic Blvd. Suite 200
City:           Los Angeles
StateProv:      CA
PostalCode:     90064
Country:        US
RegDate:        2011-01-28
Updated:        2017-01-28
Ref:            https://rdap.arin.net/registry/entity/NAMEC-4

ReferralServer:  rwhois://whois.namecheaphosting.com:4321

OrgTechHandle: TECHT4-ARIN
OrgTechName:   Tech team
OrgTechPhone:  +1-323-375-2822 
OrgTechEmail:  
@namecheaphosting.com
OrgTechRef:    https://rdap.arin.net/registry/entity/TECHT4-ARIN

OrgAbuseHandle: ABUSE2885-ARIN
OrgAbuseName:   Abuse team
OrgAbusePhone:  +1-323-375-2822 
OrgAbuseEmail:  
@namecheaphosting.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/ABUSE2885-ARIN

OrgTechHandle: EFIME-ARIN
OrgTechName:   Efimenko, Igor 
OrgTechPhone:  +1-323-375-2822 
OrgTechEmail:  
@namecheap.com
OrgTechRef:    https://rdap.arin.net/registry/entity/EFIME-ARIN

First of all, we have our old friends at Namecheap.com (see my previous article on another scam). This is the registration site. What it is registering is still a mystery because the Ab8nCZF0k.bond website is still not coming up in WHOIS. To be sure, I retested the URL and this time the WHOIS response was that this was an invalid or unsupported domain name.

What is important here is that throughout the entire listing there is no other information regarding an owner of this IP address range other than Namecheap. So, as before, I sent a note reporting an abusive text to Namecheap. Before doing so, I reviewed their previous response. As noted, I had to give them credit for at least responding. I can’t count how many times the “abuse@” address on a DNS registration comes up empty. But nothing else was forthcoming from my previous report.
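The same reading of the WHOIS listing can be done in code. This Python sketch is an added example, not part of the original article: it parses an excerpt of the ARIN output quoted above, confirms that the address returned by nslookup falls inside the listed allocation, and collects every organization and abuse contact named. The function names are hypothetical, and the contact blocks with redacted e-mail addresses are left out of the excerpt.

```python
import ipaddress
import re

# Excerpt of the ARIN WHOIS output quoted in the article.
WHOIS_TEXT = """\
NetRange:       162.255.116.0 - 162.255.119.255
CIDR:           162.255.116.0/22
NetName:        NCNET-5
NetType:        Direct Allocation
Organization:   Namecheap, Inc. (NAMEC-4)
Comment:        http://namecheap.com

OrgName:        Namecheap, Inc.
OrgId:          NAMEC-4
Country:        US

OrgAbuseHandle: ABUSE2885-ARIN
OrgAbuseName:   Abuse team
OrgAbusePhone:  +1-323-375-2822
"""


def parse_whois(text):
    """Split 'Key: value' output into blank-line-separated records."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:  # a key may repeat (e.g. Comment), so keep a list of values
            current.setdefault(key.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def covering_cidr(records, ip):
    """Return the listed CIDR block that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for rec in records:
        for entry in rec.get("CIDR", []):
            for cidr in entry.split(","):
                net = ipaddress.ip_network(cidr.strip())
                if addr in net:
                    return str(net)
    return None


def organizations(records):
    """Collect distinct organization names, dropping a trailing '(HANDLE)'."""
    names = set()
    for rec in records:
        for key in ("Organization", "OrgName"):
            for value in rec.get(key, []):
                names.add(re.sub(r"\s*\([^)]*\)$", "", value))
    return names


def abuse_contacts(records):
    """Return the records that carry OrgAbuse* fields (where to send a report)."""
    return [r for r in records if any(k.startswith("OrgAbuse") for k in r)]


if __name__ == "__main__":
    recs = parse_whois(WHOIS_TEXT)
    print("allocation:", covering_cidr(recs, "162.255.119.179"))
    print("organizations:", organizations(recs))
    print("abuse contacts:", abuse_contacts(recs))
```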

Before heading off to the telephone company, we can investigate further the sender’s e-mail address. As with the IP address, we cannot assume that the person listed is actually guilty of spamming and scamming. Addresses can be spoofed. It can be nothing more than a rabbit hole. The address in question is ab…07@gmail.com. Doing a search, the e-mail address comes up with no direct hits, but it is a bit peculiar that once again we get several Russian sites.

Yet it remains – why is it that our cell phones are receiving unsolicited messages, especially ones with nothing but an unknown web-link? In my case, the message was sent to a large group of phone numbers. Reviewing the range of numbers, it appears that this is a range scan, something similar to the bad old days of modems when hackers conducted “war dialing.” You would figure that it would be of interest to AT&T to know that its customers are being slammed. But a visit to their website produced absolutely nothing about how to report abusive calls or texts.

As noted above, about the least you can do in these circumstances is send a note to the DNS or cloud center provider. In this case, Namecheap. But I have not found that productive. So the best thing to do is ignore it. I personally find responding to links in text messages is not a good idea unless it is from a sender you expect. If you are to share links with friends, I would recommend using e-mail because links and sources can be traced.

Updates

February 12, 2022

Tracking the topic over the web has produced some interesting results.  First, I am seeing more instructional videos regarding STIR/SHAKEN.   This not only indicates that professionals are getting trained on the topic, but the protocol itself is engaging a larger audience from network technicians to IT managers.  The second discovery is that there is at least one web site that is presenting metrics on whether the new protocol is reducing the number of robocalls.

TransNexus presents data that indicates that robocall traffic has dropped 12% since July.  For non-technical folks, they will find much of the data and the heavy use of acronyms a bit obtuse, but one lesson you can draw from this is the multiple levels that the protocol engages, reflecting the degree to which calls and texts are authenticated.  As noted above in the article, the SHAKEN part of the protocol is designed to at least provide partial information if the originator of the call is using a provider or Internet service that is not yet STIR/SHAKEN compliant.  For folks who are IT savvy or involved with IT Security, you may find the data interesting.

February 21, 2022

The FCC has completed its first review of compliance.  They cited two providers who had yet to comply:  Bandwidth and Vonage.  The listing of Bandwidth was a bit of a surprise because they have put together a good presentation on what STIR/SHAKEN is all about.  Recommend you view it.

FCC announces a $45 million fine being proposed against Interstate Brokers of America over fraudulent marketing of health care plans.

Resources

“Telecom companies appear to miss deadline to ID spam callers”, MobileSyrup, by Nida Safar, Dec. 7, 2021

“U.S. SENATORS THUNE AND MARKEY INTRODUCE THE ROBOCALL TRACE BACK ENHANCEMENT ACT”, TCPA World, by Paul C. Besozzi, Dec. 9, 2021

“FCC Says Two Carriers Failed to Fully Implement STIR/SHAKEN”, Inside Towers, February 21, 2022

“FCC Proposes Largest Illegal Robocall Fine to Date”, Telecompetitor, by Phil Britt, February 21, 2022

© Copyright 2022 to Eric Niewoehner
