Combating Robocalls: a quick primer on how STIR/SHAKEN works

It finally looks like the U.S. is ready to do something to combat unwanted robocalls. The Senate has passed the TRACED Act, which stands for Telephone Robocall Abuse Criminal Enforcement and Deterrence. This new legislation would raise the fines the FCC is permitted to levy on robocallers while also increasing the statute of limitations for violations to three years. The bill would also create an interagency task force to address the problem, and push service providers to implement call authentication systems.

“As the scourge of spoofed calls and robocalls reaches epidemic levels, the bipartisan TRACED Act will provide every person with a phone much-needed relief,” said U.S. Senator Ed Markey. “It’s a simple formula: call authentication, blocking, and enforcement, and this bill achieves all three.”

A key mandate from the bill is the requirement that carriers work together to implement call authentication technology, and it looks like STIR/SHAKEN could be the preferred method. STIR is short for Secure Telephony Identity Revisited, while SHAKEN stands for Secure Handling of Asserted information using Tokens.

How does STIR/SHAKEN work?

Essentially what STIR/SHAKEN does is use digital certificates, based on common public key cryptography techniques, to ensure the authenticity of the call. Here’s how STIR/SHAKEN works in the world of telephony:

  1. When a call is initiated, a SIP INVITE is received by the originating service provider.
  2. The originating service provider checks the call source and calling number to determine which attestation level it can assign:
    • Full Attestation (A) — The service provider authenticates the calling party AND confirms they are authorized to use this number. An example would be a registered subscriber.
    • Partial Attestation (B) — The service provider verifies the call origination but cannot confirm that the call source is authorized to use the calling number. An example would be a calling number from behind an enterprise PBX.
    • Gateway Attestation (C) — The service provider authenticates the call’s origin but cannot verify the source. An example would be a call received from an international gateway.
  3. The originating service provider will now create a SIP Identity header that contains information on the calling number, called number, attestation level, and call origination, along with the certificate.
  4. The SIP INVITE with the SIP Identity header with the certificate is sent to the destination service provider.
  5. The destination service provider verifies the Identity header and the certificate.
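The exchange in steps 2 to 5, as an added example that is not REDCOM's code: the originating side signs a SHAKEN PASSporT (the token carried in the SIP Identity header) with ES256, and the destination side checks the signature, token freshness, and that the signed numbers match the SIP From/To. The key pair, certificate URL, 60-second freshness window, and the `TRUSTED_KEYS` lookup that stands in for validating the certificate chain are assumptions; the small P-256 routine is teaching code.

```python
import base64, hashlib, json, secrets

# NIST P-256, the curve behind the ES256 signatures used for SHAKEN PASSporTs.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def ec_add(a, b):
    """Affine point addition on P-256; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        m = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P)
    else:
        m = (y2 - y1) * pow((x2 - x1) % P, -1, P)
    x3 = (m * m - x1 - x2) % P
    return x3, (m * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (teaching code, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def digest(signing_input):
    return int.from_bytes(hashlib.sha256(signing_input.encode()).digest(), "big")

def sign_passport(priv, x5u, attest, orig_tn, dest_tn, origid, iat):
    """Originating side (steps 2-4): build the Identity header value."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    claims = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
              "orig": {"tn": orig_tn}, "origid": origid}
    enc = lambda o: b64u(json.dumps(o, separators=(",", ":"), sort_keys=True).encode())
    signing_input = enc(header) + "." + enc(claims)
    z = digest(signing_input)
    r = s = 0
    while r == 0 or s == 0:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
    sig = r.to_bytes(32, "big") + s.to_bytes(32, "big")  # JWS ES256: raw R||S
    return f"{signing_input}.{b64u(sig)};info=<{x5u}>;alg=ES256;ppt=shaken"

def verify_identity(identity, trusted_keys, sip_from_tn, sip_to_tn, now, max_age=60):
    """Destination side (step 5): return (attestation, "ok") or (None, reason)."""
    try:
        h64, c64, s64 = identity.split(";")[0].split(".")
        header, claims = json.loads(unb64u(h64)), json.loads(unb64u(c64))
        sig = unb64u(s64)
    except ValueError:
        return None, "malformed PASSporT"
    pub = trusted_keys.get(header.get("x5u"))  # real verifiers validate the cert chain
    if header.get("alg") != "ES256" or header.get("ppt") != "shaken" or pub is None:
        return None, "unsupported header or untrusted certificate"
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if len(sig) != 64 or not (0 < r < N and 0 < s < N):
        return None, "signature invalid"
    w, z = pow(s, -1, N), digest(h64 + "." + c64)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    if pt is None or pt[0] % N != r:
        return None, "signature invalid"
    if abs(now - claims["iat"]) > max_age:  # freshness window limits replay
        return None, "stale iat"
    if claims["orig"]["tn"] != sip_from_tn or sip_to_tn not in claims["dest"]["tn"]:
        return None, "numbers do not match SIP From/To"
    return claims["attest"], "ok"

# Constructed demo values (assumptions): key pair, certificate URL, trust store.
PRIV = secrets.randbelow(N - 1) + 1
X5U = "https://cert.example.org/passport.cer"
TRUSTED_KEYS = {X5U: ec_mul(PRIV, G)}  # stands in for STI-CA certificate validation
```

A token signed with attestation B and then edited to claim A fails the signature check, and a valid token replayed with a different SIP From number fails the number comparison.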

The complete solution

STIR/SHAKEN is a great start and absolutely should be part of the overall robocall solution, but it is not the be-all and end-all. STIR/SHAKEN only applies to SIP-initiated calls and must be supported by the carriers at both ends of a call. Thus, scammers could conceivably get past STIR/SHAKEN simply by originating their robocalls on a TDM network.

REDCOM’s Personalized Call Screening software already includes full STIR/SHAKEN support, but it goes much further than that. Our “best of all worlds” approach means that we also enable several other layers of protection including:

Reputation Scoring: We integrate directly with TNS Call Guardian, an industry-leading solution that uses real-time crowd-sourced data to identify abusive or unlawful callers.

White list/Black list: We allow carriers and subscribers to create their own white- and black-lists, which gives end users far more control over protecting their phone numbers.

Recorded Greetings: Requires the calling party to record a greeting, which is played to the called party before accepting the call.

Audio CAPTCHA: requires the caller to respond with dialed digits, which stops robocalls dead in their tracks.

Service providers that implement REDCOM’s Personalized Call Screening software will be in full compliance with the pending TRACED Act, with the option of going above and beyond STIR/SHAKEN by implementing any number of these customizable call blocking tools.

VoIP: The transition to Voice over Internet Protocol

The Rise of VoIP

Two decades ago, VoIP was just a popular industry buzzword. Today, VoIP is the de-facto standard. In fact, research projects the VoIP market to grow from USD 20 billion in 2018 to USD 55 billion by 2025.

Advances in Technology

When first introduced, consumers were reasonably uncertain about VoIP. There were concerns over the perceived lower quality of calls. However, thanks to strides in VoIP technology, this is no longer an issue. Given adequate bandwidth, VoIP quality is considered to be equal to traditional lines, and in some cases better.

Today’s consumers – especially small and medium-sized businesses – understand the benefits of VoIP. For instance, SMBs are particularly aware of the cost savings, portability, flexibility, and multi-functionality that come with switching to VoIP. These businesses are expected to display an accelerated growth of over 15% in the VoIP market from 2019 to 2025. This marks a sizable opportunity for service providers to seize.

Struggle to Transition

Despite the widespread adoption of VoIP and its growing potential for new revenue streams, the transition from a traditional network can still be daunting for some service providers. Many telcos attempt to get the very most out of their existing hardware. They try to push off the transformation as long as they can. Unfortunately, this can lead to higher costs per customer. As more consumers look elsewhere to mobile or VoIP, overhead costs are spread across a shrinking number of subscribers. Additionally, legacy TDM equipment may no longer be supported by the original manufacturer, greatly increasing the risk for outages and expensive fixes.

REDCOM understands transitioning from TDM to IP can be cumbersome for providers. To get them cut over on their terms, REDCOM’s VoIP systems and softswitch platforms are backed by our 100% U.S.-based sales, engineering, and support services. When you first engage with REDCOM, you’ll speak directly with one of our VoIP experts here at our headquarters in Victor, NY.

A Partner to Help

REDCOM works with you throughout the entire process, from design and planning to installation and training. Any time you call REDCOM, you’ll get direct access to a dedicated Tier 2 customer support expert — no IVR-circles ending in frustration and wasted time.

Migrating to IP doesn’t have to be daunting. Contact sales@redcom.com or call 585.924.6500 to find out how REDCOM can help.

Congress Hoping to Put an End to Illegal Robocalls

If there is one thing that everyone can agree on, it’s that we need to put an end to illegal robocalls. Americans received 47.8 billion robocalls last year alone according to the Federal Communications Commission, and nearly 50% of those calls were from scammers. Not only that, but the reported number of complaints about illegal robocalls has been increasing – from 172,000 complaints in 2015 to 232,000 complaints in 2018.

However, that’s not to say that all robocalls are a problem. There are legitimate uses such as severe weather and school closing alerts, and notifications from your bank or your doctor’s office. However, the barrage of illegal robocalls that we get – coming from scammers hiding behind a false phone number – have made it so people can no longer trust any call they receive from an unknown number.

This onslaught of robocalls has become something Americans deal with on an everyday basis, and Congress wants to put a stop to it. Lawmakers on both sides of the aisle have come together to reintroduce bipartisan legislation called the TRACED Act, or the Telephone Robocall Abuse Criminal Enforcement Defense Act. The hope is that this bill would improve enforcement policies as well as coordination between agencies that are policing robocalls.

The TRACED Act would also require all service providers to use a STIR/SHAKEN solution (Secure Telephony Identity Revisited/Secure Handling of Asserted Information using toKENs), which validates the origin of the call and allows for faster tracing of illegal calls. STIR/SHAKEN provides a means of verifying calls and eliminating spoofing, but it only applies to SIP-initiated calls and must be supported by the carriers at both ends of a call. Thus, STIR/SHAKEN alone isn’t the complete solution — but it’s a great start.

REDCOM’s Personalized Call Screening (PCS) is a flexible and highly customizable solution for screening incoming calls. This PCS solution utilizes STIR/SHAKEN for call authentication and integrates with TNS Call Guardian to provide real-time analytics to identify robocalls and spoofing. So, with this legislation in the works, REDCOM PCS will allow service providers to meet these requirements and help make it safe for their subscribers to answer their phones again.

Pa$$w0rd C0mpl3xity!

Password complexity. What type of emotion does that simple phrase invoke? Do you shudder with trepidation at the thought of having to come up with a convoluted string of characters that comply with a myriad of rules? Do you gasp at the shock of not remembering your password to log into your bank account? Passwords can certainly be complex, and not in a good way. Fortunately, the idea of complex passwords is changing, and that’s a good thing.

In 2003 the National Institute of Standards and Technology (NIST) published the NIST Special Publication 800-63. Among other things, this document provided guidelines for password requirements. The recommendations for sufficiently complex passwords included the following:

  • Must be a minimum of eight characters
  • Must include a mix of uppercase letters, lowercase letters, numeric, and special characters
  • Must not contain sequential characters from the username
  • Must not contain sequential characters from the user’s first or last name
  • Must change the password periodically (typically every 90-180 days)
  • Must not reuse passwords (typically within the last eight)

As a result, passwords such as Pa$$w0rd!1 became commonplace. And therein lies the problem. We, as humans, are predictable. To overcome the awkwardness of the rules, we began using recognizable patterns. Worse yet, when it came time to change our password, the natural migration was to change Pa$$w0rd!1 to Pa$$w0rd!2. Again, predictable.

In a recent interview with the Wall Street Journal, Bill Burr, the author of NIST SP 800-63, admitted that much of what he did was wrong. To be fair, he was flying somewhat blind. He looked for research data regarding password security and came up empty-handed. Empirical data simply didn’t exist at the time. So, he set about creating the recommendations and did what most of us would likely have done in the same situation: he wrote rules that sounded as if they would result in hard-to-crack passwords. The unfortunate reality is that this resulted in passwords that were hard for humans to remember, but easy for computers to crack.

In June 2017 NIST SP 800-63 was updated and the password complexity recommendations were completely rewritten and simplified. These simplified requirements emphasize password length and memorability above all else. Longer passwords are harder to crack and we are less likely to use Post-it® notes to write down passwords. The updated password recommendations include:

  • Longer passwords (typically up to 64 characters)
  • A mix of character types is no longer recommended
  • No need to change passwords unless there is evidence that it has been compromised
  • Must be compared to a list of known bad passwords
  • Must not contain the associated username
  • Must not contain the user’s first or last name

Given the new recommendations, the general consensus is that a password should consist of four random words strung together. There is no need for a mix of character types, so the password would be made up of all lowercase letters without spaces. For example, coffeediplomaeaglephone.

Randall Munroe, cartoonist and author of the xkcd webcomic, put together a comparison of the strength of the two recommendations. He calculated the time needed to crack passwords from each of the two methods. He chose Tr0ub4dor&3 and correcthorsebatterystaple as the subjects of the analysis. He calculated that it would take a short three days to crack Tr0ub4dor&3 but a whopping 550 years would be needed to crack correcthorsebatterystaple. His results were verified as accurate by computer security specialists.
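The updated rule list and the crack-time comparison above, as an added example that is not NIST's or REDCOM's code. The eight-character minimum comes from SP 800-63B rather than from the list above; the blocklist is a constructed stand-in; the trailing-character normalisation is an added heuristic; and the 28-bit estimate, 2048-word list and 1000 guesses per second are the figures used in the xkcd comic, not values stated on this page.

```python
import math

MIN_LEN = 8    # SP 800-63B minimum for user-chosen passwords (assumption, see lead-in)
MAX_LEN = 64   # longest password this verifier accepts, per the list above

# Constructed stand-in for a real list of known bad passwords.
KNOWN_BAD = {"password", "pa$$w0rd", "qwertyuiop", "letmein", "iloveyou"}

def normalise(password):
    """Lowercase and drop trailing digits/punctuation so that Pa$$w0rd!1 and
    Pa$$w0rd!2 reduce to the same blocklist entry (added heuristic)."""
    return password.lower().rstrip("0123456789!@#$%^&*?.-_")

def check_password(password, username, first_name, last_name, known_bad=KNOWN_BAD):
    """Return the list of violated rules; an empty list means accepted."""
    problems = []
    lowered = password.lower()
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length")
    if lowered in known_bad or normalise(password) in known_bad:
        problems.append("known bad password")
    if username and username.lower() in lowered:
        problems.append("contains username")
    if any(n and n.lower() in lowered for n in (first_name, last_name)):
        problems.append("contains first or last name")
    return problems  # deliberately no character-mix or expiry rule

def passphrase_bits(word_count, wordlist_size):
    """Entropy in bits of words drawn uniformly at random from a list."""
    return word_count * math.log2(wordlist_size)

def time_to_exhaust(bits, guesses_per_second):
    """Seconds needed to try every candidate in a space of 2**bits."""
    return 2 ** bits / guesses_per_second

DAY, YEAR = 86400, 86400 * 365
# Comic's figures: about 28 bits for the Tr0ub4dor&3 pattern, four words from a
# 2048-word list (44 bits), and an attacker limited to 1000 guesses per second.
TROUBADOR_DAYS = time_to_exhaust(28, 1000) / DAY
PASSPHRASE_YEARS = time_to_exhaust(passphrase_bits(4, 2048), 1000) / YEAR
```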

The good news is NIST recommendations have evolved to allow for passwords that are less frustrating to set up, easier to remember, and harder to crack. The bad news is that it takes time for the word to get out, have the recommendations adopted, and software developers to implement the changes.

What can be done to stop robocalls?

As John Oliver points out, robocalls are plaguing the American public, and the problem is getting worse. According to the FCC, robocalls comprised 60% of all complaints! In fact, 47.8 billion nuisance calls got logged in 2018 alone.

The issue of nuisance calls is reaching fever pitch. It’s hard to go through a day without hearing about the inconvenience caused by so many calls. Today, in the latest in a series of articles about the maddening increase in nuisance calls, the website Gizmodo reports that some US carriers are working to mitigate robocalls even without regulatory guidance.

REDCOM gives service providers the opportunity to offer robocall blocking to subscribers with REDCOM’s Personalized Call Screening Solution (PCS). PCS puts an end to the constant bombardment of robocalls plaguing subscribers and relieves the broader issue of nuisance calls. PCS leads to happy customers and has the potential to generate new streams of revenue.

A "Best of all Worlds" solution

REDCOM’s PCS applies the proven STIR/SHAKEN (Secure Telephony Identity Revisited / Secure Handling of Asserted Information using toKENs) method to verify that Caller ID numbers aren’t being spoofed. Of course, while STIR/SHAKEN can help reduce nuisance calls, we also recognize the need to go further. Consumers need a flexible set of tools to protect themselves, especially as the perpetrators innovate new and annoying ways to circumvent protection.

That is why REDCOM PCS was developed as a “best of all worlds” solution, building upon STIR/SHAKEN with reputation scoring and various other tools for providers and subscribers to break through today’s barrage of nuisance calls.

Empowering providers and subscribers with a full toolbox

REDCOM PCS arms providers and consumers alike with a full toolbox of options beyond STIR/SHAKEN and reputation scoring. In that toolbox are white- and blacklists, a caller CAPTCHA, calling party name greeting, and more. Instead of feeling hopeless in a sea of nuisance calls, service providers can offer REDCOM Personal Call Screening to empower and protect their subscribers.

Legislation from Canada

On January 25th of 2018, the Canadian Radio-television and Telecommunications Commission (CRTC) introduced CRTC 2018-32 mandating that by March 31 of 2019, all Canadian telecommunications service providers must implement authentication and verification of caller ID information for Internet Protocol (IP) voice calls.

With more attention being brought to the issue in the U.S., similar legislation is likely to be rolled out in the near future. REDCOM PCS is the “best of all worlds” solution that can position service providers to meet — and exceed — the requirements of future legislation.

‘Everyone Can Be an Innovator’: REDCOM Interviewed by NTCA

The below Q&A was conducted by NTCA – The Rural Broadband Association.

REDCOM Laboratories, Inc., a vendor of various technologies for communications providers and an NTCA–The Rural Broadband Association associate member, recently completed an exciting acquisition of new employees and resources from IMSWorkX. NTCA’s Ashley Spinks took the opportunity to talk with REDCOM Marketing Manager Mike Gerenser about the company, its recent acquisition of IMSWorkX, and how REDCOM can serve rural broadband providers like those in NTCA’s membership.

First, I’m really interested in REDCOM being a woman-owned small business. How did REDCOM get started, and how does its 40-year history influence the current culture of the company, if at all?

REDCOM is currently led by President/Chief Executive Officer Dinah Gueldenpfennig Weisberg, the daughter of the founders Klaus and Brigitte Gueldenpfennig. The company was founded … [to meet] the needs of small service provider customers that were often neglected or ignored by rival incumbents … While the company continues to evolve, the underdog mentality from our roots is still an integral part of our DNA.

Dinah is very focused on building the right culture. … Indeed, here is an actual quote from Dinah herself that I got just last month. I think it really captures the essence of how she leads the company:

“Innovation is at the core of what we do. The challenge — and satisfaction — of solving unique customer problems is what energizes REDCOM each and every day. Innovation isn’t just about R&D, though. It can take many forms, but to me the people within an organization are the ultimate driver. Therefore, if you want to develop game-changing ideas that make the world a better place, take time to develop your culture and empower your team.”

For our ILEC members that may not be familiar with REDCOM, an associate member of NTCA, can you describe in layman’s terms the type of business you run?

I know every company says they are “customer focused” but at REDCOM we take it to the next level. We don’t see ourselves as a giant faceless corporation just looking to make a quick buck — instead, we prefer to position ourselves as trusted advisers, which I think our customers really appreciate. Service providers are not looking to be sold to — they get that from all angles all day long.

We differentiate ourselves by putting ourselves in the shoes of our customers and finding ways to help them solve tangible business problems. For small telcos, that means offering a way forward for an end-of-life switch, or even a way to cut down on crippling maintenance fees. And for service providers of all sizes, it means we can offer a range of flexible/customizable solutions to migrate from the AIN, converge IP/TDM services, or roll out Voice over LTE.

As a vendor, what do you see as your ultimate value to small, rural telecommunications providers like those in NTCA’s membership?

Ultimately, our value is a company based entirely in the United States … All of our engineering, development, sales, support and leadership teams are located in Victor, N.Y. This gives us greater control over our supply chain and product reliability, which ultimately allows us to respond much quicker to customer demands.

What does a typical day look like at REDCOM?

Nearly half of our company’s workforce is on the development/engineering side. These folks are constantly working on gathering customer input, developing new ideas, improving existing products and thoroughly testing everything for maximum reliability. Our sales and customer service teams spend a lot of time listening to customers so they can funnel ideas and requirements into the product roadmap. We’re kind of a flat organization, which is nice — it means our leadership team is actively engaged with all departments, and they’re always willing to roll up their sleeves and get involved in all aspects of the business. There’s no ivory tower here at REDCOM: Everyone can be an innovator, and everyone is thinking about the customer.

Let’s talk about the recent acquisition of IMSWorkX. How does this acquisition impact REDCOM?

REDCOM had a strong existing product portfolio of softswitches and call control platforms, but the acquisition of IMSWorkX immediately gives us a robust and proven package of software apps that enhance the service layer of the network. So now not only can we help service providers with core switching needs, but we can help them deploy a huge array of enhanced network services. Things like Intelligent Call Routing, call rating, network migration, and VoLTE. As part of the acquisition, the entire team from IMSWorkX has joined REDCOM, and because we have such a collaborative environment, our teams are already working together on integrating our solutions and developing a roadmap for the future. With our new solution portfolio, we can offer solutions to telcos of all sizes.

Robocalls and call completion are two issues that NTCA regularly lobbies on. Can you explain how REDCOM can help address those issues?

In December alone, it was estimated that nearly 5 billion auto-dialed calls were placed to consumers. That’s just crazy. It has to stop. Our new product set includes a Personalized Call Screening application that will allow carriers to offer a “robocall blocker” to their customers. …It’s very flexible, providing both service providers and subscribers with a number of tools to filter unwanted calls. We’re already getting a lot of traction from a number of service providers who are interested in the REDCOM solution.

REDCOM acquires the assets of IMSWorkX Inc., greatly expanding REDCOM’s solution set for service providers

REDCOM Laboratories, Inc., a leading supplier of the world’s most reliable communications solutions, is pleased to announce it has acquired the assets of Rochester-based IMSWorkX, Inc.

The transaction includes the transition of IMSWorkX employees to REDCOM, including IMSWorkX founder and CEO Shannon Chevier.

“Shannon built an incredible team at IMSWorkX, so one of the things we’re most excited about is welcoming the IMSWorkX employees to REDCOM,” said Dinah Gueldenpfennig Weisberg, REDCOM President & CEO. “Together, we will continue our mission of building the technology that enables the most important conversations in the world.”

Founded in 2012, IMSWorkX has rapidly built an impressive software suite that enhances the network service layer, making it easy for service providers to roll out IMS, VoLTE, and IMS-based enhanced network services in Next Generation networks. IMSWorkX software is mature, stable, and fully deployed in numerous networks worldwide.

The IMSWorkX product set is a perfect complement to REDCOM’s portfolio of softswitches and call control platforms, enabling REDCOM to offer customers a complete solution for the evolution to Next Generation Networks. This technology will also enable REDCOM to immediately deliver a robust set of network services including intelligent call routing, call screening, call rating, and mass notification.

“Our customers know they need to evolve their networks to fully serve today’s demanding consumers. For example, people today want to fully utilize their mobile devices for all their day-to-day activities. They’re also looking for a real solution to stop the deluge of unwanted Robo-calls,” said Bill Ciminelli, REDCOM Vice President of Sales. “The IMSWorkX’s product set provides best-in-class solutions to these problems, which means REDCOM will now be better positioned to help service providers meet and exceed the expectations of their customers.”

“The complementary products, technology, and expert staff at REDCOM and IMSWorkX provide a powerful combination to our customers looking to evolve their networks,” said Shannon Chevier, CEO of IMSWorkX. “REDCOM is a strong organization with a great history. I’m looking forward to our work together and the truly amazing solutions we’ll create to take service providers to the next level.”

REDCOM is looking forward to engaging the marketplace in several industry events over the first quarter of 2019 as the company begins to roll out an integrated solution portfolio for service providers worldwide.

About REDCOM

REDCOM Laboratories, Inc. is a woman-owned small business that specializes in the design and development of advanced communications solutions for service providers. REDCOM’s global customer base includes commercial telecom carriers, private networks, integrators, and government and defense agencies. For additional information, please visit the REDCOM website at https://www.redcom.com.

Protect Your Network Against Fraud

REDCOM recently learned about a massive fraud scheme which was undoubtedly costing an ICT company a small fortune.

The customer, a national carrier, selected REDCOM to replace another vendor’s unsupported softswitch serving as an international gateway, national tandem switch, and PSTN. Upon switching live traffic to the REDCOM, it was discovered that massive quantities of voice calls from overseas had been transiting the former softswitch, bound for the other side of the globe.

Typically, an international gateway should prohibit transit international traffic (that is, traffic coming from outside the country and then going back out of the country). In this case though, the inbound fraudulent traffic was spoofing the carrier’s mobile and gateway IP addresses (which are of course generally considered “safe”) and the calls were allowed to proceed.

Malicious IP-based attacks are nothing new. This case, though, exhibits a new level of ingenuity and complexity in that the IP addresses had to be obtained to be spoofed. In all certainty, these addresses were intercepted from IP-based network communications, indicating that the customer’s IP network has been breached.

Furthermore, immediately upon replacing the old softswitch with the REDCOM, it was observed that an outside entity had identified the IP address used by the new REDCOM softswitch and was repeatedly attempting to gain access to the new REDCOM switch as if it was a mobile switch call. The supposedly mobile packets had non-mobile numbers in the URL as the originator of the calls. With this identification, the REDCOM switch was able to create a white-list to allow only proper mobile numbers. The financial implication, had the intruder been successful, would be critically damaging to the business.

 

How to protect your network from fraud:

 

Conduct a Traffic Audit

It takes a day to lose $100,000 to fraudulent call activity. Traffic patterns should be reviewed daily. What to look for:

  • Suspicious volumes of traffic from an odd location/number
  • Unlikely call origination location/number. If it looks strange, something is probably going on.
  • Suspicious call destinations. Is it likely your customers are calling Ivory Coast or Uruguay? In the case discussed here, the spoofing revealed the source with a URL number and this should be a red flag.
  • Usage at odd hours. Watch for suspicious levels of traffic at typically low traffic periods. In this case, the appearance of non-mobile URL numbers at any time of the day was suspicious.
  • Balance traffic usage with revenue and expenses. They should match! If not, there is a problem.
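A daily audit pass over call detail records that applies three of the checks above, as an added example that is not REDCOM's TDMP or metering code: international-to-international transit, non-mobile originator numbers on a mobile trunk, and bursts of outbound international calls at odd hours. The CDR layout, country code, mobile prefixes, quiet window and threshold are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed deployment settings (assumptions, not values from the case above).
HOME_CC = "+999"                         # home country code
MOBILE_PREFIXES = ("+99977", "+99978")   # ranges assigned to the mobile network
QUIET_HOURS = range(1, 5)                # 01:00-04:59, normally low traffic
QUIET_LIMIT = 2                          # international calls per source tolerated then

# Constructed CDR sample: start time, ingress trunk, calling number, called number, seconds
CDRS = """\
2019-03-04T14:02:11,mobile,+99977123456,+99921555010,95
2019-03-04T14:05:40,intl,+442079460000,+99921555011,180
2019-03-04T14:07:02,intl,+442079460001,+22501555012,600
2019-03-04T15:10:00,mobile,+99921555099,+59821555013,1200
2019-03-05T02:11:09,local,+99921555020,+22501555014,840
2019-03-05T02:12:30,local,+99921555020,+22501555015,910
2019-03-05T02:14:02,local,+99921555020,+22501555016,875
2019-03-05T02:30:00,local,+99921555021,+59821555017,60
"""

def audit(cdr_text):
    """Return findings as (rule, calling number, detail) tuples."""
    findings, quiet_intl = [], Counter()
    for line in cdr_text.strip().splitlines():
        start, trunk, src, dst, _secs = line.split(",")
        leaves_country = not dst.startswith(HOME_CC)
        # International gateway: traffic from abroad must not go back abroad.
        if trunk == "intl" and leaves_country:
            findings.append(("intl-transit", src, dst))
        # Calls presented as mobile must carry a mobile originator number.
        if trunk == "mobile" and not src.startswith(MOBILE_PREFIXES):
            findings.append(("non-mobile-origin", src, dst))
        # Count outbound international calls placed in the quiet window.
        if leaves_country and datetime.fromisoformat(start).hour in QUIET_HOURS:
            quiet_intl[src] += 1
    for src, count in quiet_intl.items():
        if count > QUIET_LIMIT:
            findings.append(("quiet-hours-burst", src, count))
    return findings
```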

REDCOM systems have two applications for monitoring traffic, TDMP (Traffic DuMP) and a Source-to-Destination Matrix. These allow traffic managers to monitor historical traffic based on usage, the source country/core device, and destination. In addition, REDCOM’s server-based General Traffic Metering Package provides an easy-to-configure traffic analysis that outputs usage graphs for management consumption.

Limit Traffic

The solution is simple: don’t let traffic go where it should not. You have three options:

  • Severely limit transit traffic. End offices should only allow outgoing calls to subscribers and PBXs, not back into the network. International gateways should block international-to-international transit traffic.
  • Limit transit traffic. In some cases a carrier may have inter-country agreements to carry third-party traffic. In these cases, traffic should be tightly controlled. Traffic from legitimate business partners should be limited to that country/company; traffic to these partners should be limited to a set of countries identified by the business partner (or by you, if you have problems with certain country traffic.) Some carriers use a black list as standard; if a customer wants to call one of the countries on the black list, they waive all rights and become responsible for all traffic originating from their device to any of the black listed countries.
  • Throttle traffic. Calls to what may reasonably be considered low volume destinations (e.g., Antigua) should be blocked. If you can’t block the destination due to a customer’s actual need, reduce the number of simultaneous calls to that and other similar destinations.

REDCOM systems have the capability to block transit traffic, calls from given countries, and calls to given destinations. Beyond that, calls to “suspicious” or low-use destinations may be forced to use a limited number of trunks (including SIP trunks) and roll over to All Trunks Busy (ATB). This protects carriers by limiting the number of fraudulent calls to given destinations, while the ATB allows administrators to easily identify a probable abuse case.

Secure your IP Network

  • Close down unused ports. This is a standard operation for IT.
  • Block known malicious sources.
  • Watch the IP traffic for obvious criminal activity, such as that from SIPVicious. We use Wireshark, which is free.
  • Install a Session Border Controller. It’s imperative. We recommend the ACME Packet devices; ACME was bought by Oracle, so you can go to Oracle. Unless your technical staff has experience with the SBC they will also need training.

As can be seen, monitoring malicious and fraudulent traffic involves many people, often working in unity. Defense includes a comprehensive audit of voice and data, OA&M access, SIP packet inspection, network design, and financial records. But more than anything, it requires a strategy to avoid and terminate fraud.

REDCOM’s staff has extensive experience detecting and deflecting fraudulent traffic, and is willing to contract to audit your traffic and network, either one-time or on an ongoing basis.