Carriers need to independently verify LOAs

All carriers should independently verify any LOAs received for account changes.

Documents received from third parties, without independently verifying with the customer of record using the carrier's own records, are just junk papers.

Almost no carriers verify LOAs by contacting the customer of record. Worse, they call the phone number on the letterhead provided by the scammer for "verification."

The U.S. Postal Service used to let random people change mail forwarding orders, without verifying with the original and new addresses. As you can guess, there were lots of fake forwarding orders and criminal activity. After USPS began verifying mail forwarding orders by sending a letter to the ORIGINAL address and NEW address, mail forwarding fraud declined. Not zero, but declined.

Presumably we're kinda talking about a problem parallel to the
Internet ASN/IP space LOA problem here.

It would be awesome if there were a nice easy way to identify the
responsible parties, so you could figure out WHOIS the appropriate
party to contact. If you've ever tried Googling a company with a
hundred thousand employees, calling their contact number on the Web,
and getting through to anybody who knows anything at all about IT,
well, you can spend a day at it and still have gotten nowhere.

It's too bad that this information is so frequently redacted for
privacy.

... JG

US/Canada (ideally all of NANPA) Carriers need to standardize the porting
process.

Right now, I have an anecdotal database for each carrier which requires a
slightly different process. For Verizon Wireless, you have to generate a
Port Out PIN for each number, which expires after 7 days. Excellent! But
only if there isn't a Freeze on the number.

For another, you have to call to get your account number and PIN, as you
cannot get it without calling the carrier, and it is different.

For some carriers, the address on file isn't the End-user's address, which
causes regular and constant rejections. Must request a CSR.

For Google Voice, pay $3 first, then unlock.

For $random_carrier, provide anything and they release the number, without
notice to anyone.

Many carriers do not require an LOA to Port, usually where porting is
automated, and the automated carriers require a PIN and Account Number and
service/billing address to ensure numbers don't get "accidentally" ported,
either due to fraud or a typo.

And while it would be nice if everyone "independently verified every LOA"
the cost of doing so in the far-too-many edge cases is business-endingly
high.

It is the lack of a standard that all carriers share that causes these
problems.

In Europe, you generate a UUID, give the UUID and number to Port to the new
carrier, and it's done. If every NANPA carrier allowed the End-User to
generate a UUID for Porting Out that expired after 7 days, all of this
inconsistency would go away. Mostly. Probably.

Beckman
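The port-out token scheme Beckman sketches (end user generates a token, hands token plus number to the gaining carrier, token expires after 7 days) is simple enough to model end to end. The following is an added example, not code from any carrier or from anyone in this thread; the account model, the hypothetical numbers, the freeze flag and the clock are all assumptions made here. It shows what the losing carrier has to check for the token to be worth more than an LOA: the token must be random, bound to one number, single-use, unexpired, and refused when a freeze is set.

```python
"""Port-out authorization tokens: issued by the losing carrier to the
customer of record, presented back by the gaining carrier.

Added illustration, not any carrier's code. Seven-day expiry is the figure
quoted in the thread; everything else here is assumed.
"""
import hmac
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(days=7)
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock for the demo


@dataclass
class Account:
    number: str                   # E.164 number; demo values are made up
    frozen: bool = False          # port freeze set by the customer
    # token -> [expires_at, used]
    tokens: dict = field(default_factory=dict)


class LosingCarrier:
    def __init__(self):
        self.accounts = {}

    def add_account(self, number, frozen=False):
        self.accounts[number] = Account(number, frozen)

    def issue_port_out_token(self, number, now):
        """Customer of record asks the carrier's own system for a token.
        uuid4 gives 122 random bits; the token is bound to one number,
        single-use, and expires after TOKEN_TTL. A frozen number gets none."""
        acct = self.accounts[number]
        if acct.frozen:
            raise PermissionError("number has a port freeze; lift it first")
        token = str(uuid.uuid4())
        acct.tokens[token] = [now + TOKEN_TTL, False]
        return token

    def authorize_port(self, number, token, now):
        """Check the (number, token) pair the gaining carrier presents.
        Returns (ok, reason). Order matters: a freeze set after issuance
        still blocks, and a used token is never honoured twice."""
        acct = self.accounts.get(number)
        if acct is None:
            return False, "unknown number"
        if acct.frozen:
            return False, "number frozen"
        match = None
        # Compare against every stored token in constant time per token so
        # response timing does not reveal which tokens exist.
        for stored, state in acct.tokens.items():
            if hmac.compare_digest(stored.encode(), token.encode()):
                match = state
        if match is None:
            return False, "no such token for this number"
        expires_at, used = match
        if used:
            return False, "token already used"
        if now >= expires_at:
            return False, "token expired"
        match[1] = True  # consume: one token releases exactly one port
        return True, "port authorized"


def demo():
    """Happy path plus the failure modes; returns each outcome by name."""
    carrier = LosingCarrier()
    carrier.add_account("+15555550100")               # hypothetical number
    carrier.add_account("+15555550199", frozen=True)  # hypothetical, frozen
    tok = carrier.issue_port_out_token("+15555550100", T0)
    results = {
        "wrong_number": carrier.authorize_port("+15555550101", tok, T0),
        "guess": carrier.authorize_port("+15555550100", str(uuid.uuid4()), T0),
        "stale": carrier.authorize_port("+15555550100", tok, T0 + TOKEN_TTL),
        "ok": carrier.authorize_port("+15555550100", tok, T0 + timedelta(days=6)),
        "replay": carrier.authorize_port("+15555550100", tok, T0 + timedelta(days=6)),
    }
    try:
        carrier.issue_port_out_token("+15555550199", T0)
        results["frozen_issue"] = (True, "issued despite freeze")
    except PermissionError as exc:
        results["frozen_issue"] = (False, str(exc))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} {outcome}")
```

The point of the single-use flag and the number binding is that a leaked or intercepted token is worth one port of one number for at most a week, which is a far smaller blast radius than a carrier that releases a number on any plausible-looking LOA. The freeze check on the authorization path, not just at issuance, is what makes a freeze set after the token was generated still protect the number.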

If carriers faced legal liability, with appropriate incentives, I'd bet they would solve the verification problem -- quickly, cheaply.

No liability -- no reason to solve the problem.

Nothing is stopping the perpetrator of a BGP hijack as a result of a forged or otherwise illegitimate LOA from facing civil litigation as a result of revenue loss or other harm done.

This thread and others like it highlight that there is absolutely some negligence here and could very well find itself in an evidence pile at some point in the future.

So there IS liability, but the lack of solid precedent means that the bean counters can’t assign a dollar amount to the risk associated with blindly accepting LOAs, and therefore it might as well not exist.

Someday, somebody will have the pants sued off them because they let their new customer hijack the hell out of a government entity, bank, oil company, etc. and we’ll start to see better processes.

-Matt