Today, I just ran into a new spin on this old scam that gave me a chuckle. On Reddit's /r/cybersecurity, someone who may be getting romance scammed wrote that a person who claimed to be in the (US) Army sent her something he claimed to be a STIR verification code, "to verify you exist".
Clearly, this is a scammer who tried to do the "verification code scam", but this STIR angle is new.
So what is STIR? It has nothing to do with verification codes, at least the type you send via SMS.
STIR/SHAKEN is a protocol that was being implemented by phone carriers to "authenticate" callers, to combat the spam call problem. Similar to a website using HTTPS instead of regular HTTP, each phone carrier for a business is supposed to link a certificate to the main phone number. So when that caller calls out, the recipient's phone service can look up the certificate, verify it with public-key cryptography, and thus authenticate that the call did indeed come from that business. STIR is the outbound phase, and SHAKEN is the reverse-lookup/authenticate phase. Once the caller is authenticated, you get a "caller verified" checkmark as your phone receives the actual call. Obviously, a spammer who spoofed their caller ID cannot pass this authentication, and thus, no checkmark.
Needless to say, we advised her to drop the scammer like a hot potato. The verification is nonsense and a lie.
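To make the carrier-side check described above concrete, here is an added Node.js example (not from the original post or from any carrier's code): the originating carrier signs a PASSporT token (RFC 8225 with the SHAKEN extension of RFC 8588) and the receiving carrier verifies it against the call. The key pairs, phone numbers, timestamp, `origid` and certificate URL are constructed, and the public key is passed in directly instead of being fetched from the certificate.

```javascript
// Added example: the key pairs, numbers, timestamp and URL are constructed.
const crypto = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const decodeJson = (s) => JSON.parse(Buffer.from(s, 'base64').toString('utf8'));
const newKeys = () => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Originating carrier: sign the calling and called numbers into a PASSporT.
function signPassport(privateKey, origTn, destTn, iat) {
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport',
    x5u: 'https://cert.example.invalid/carrier.pem' }; // placeholder URL
  const payload = { attest: 'A', dest: { tn: [destTn] }, iat,
    orig: { tn: origTn }, origid: '00000000-0000-4000-8000-000000000000' };
  const input = b64url(JSON.stringify(header)) + '.' + b64url(JSON.stringify(payload));
  const sig = crypto.sign('sha256', Buffer.from(input),
    { key: privateKey, dsaEncoding: 'ieee-p1363' }); // raw r||s, as ES256 requires
  return input + '.' + b64url(sig);
}

// Receiving carrier: check the signature, then compare the signed claims with the call.
function verifyCall(token, publicKey, callerId, calledNumber, now, maxAgeSec = 60) {
  const parts = token.split('.');
  if (parts.length !== 3) return 'malformed';
  let header, payload;
  try { header = decodeJson(parts[0]); payload = decodeJson(parts[1]); }
  catch (e) { return 'malformed'; }
  if (!header || !payload) return 'malformed';
  if (header.alg !== 'ES256' || header.ppt !== 'shaken') return 'unsupported';
  const ok = crypto.verify('sha256', Buffer.from(parts[0] + '.' + parts[1]),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64'));
  if (!ok) return 'bad-signature';
  if (Math.abs(now - payload.iat) > maxAgeSec) return 'stale';
  if (!payload.orig || payload.orig.tn !== callerId) return 'caller-id-mismatch';
  if (!payload.dest || !Array.isArray(payload.dest.tn) ||
      !payload.dest.tn.includes(calledNumber)) return 'destination-mismatch';
  return 'verified-' + payload.attest;
}

function demo() {
  const carrier = newKeys(), spammer = newKeys(), now = 1700000000;
  const biz = '12025550100', callee = '12025550199';
  const real = signPassport(carrier.privateKey, biz, callee, now);
  const fake = signPassport(spammer.privateKey, biz, callee, now); // spoofer's own key
  return {
    genuine: verifyCall(real, carrier.publicKey, biz, callee, now + 2),
    forged: verifyCall(fake, carrier.publicKey, biz, callee, now + 2),
    replayed: verifyCall(real, carrier.publicKey, biz, callee, now + 3600),
    otherNumber: verifyCall(real, carrier.publicKey, '12025550123', callee, now + 2),
  };
}

console.log(demo());
```

None of this involves a code that a caller reads out or texts to you; the token travels between carriers in the call signaling.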