It should be relatively easy to identify the bad actors here and I don't mean the spammers, I mean the telcos that make this possible, deliberately so, by essentially "laundering" spam calls.
My response to picking up a number is to answer the call and say nothing. Auto-dial systems will route the call to a person when they get a "live" response. I don't know the criteria but I'm pretty sure it's them detecting noise on the call (which could be voicemail).
A human calling will wonder what is happening and fill the silence by saying something. A machine will not.
I hang up within 6 seconds of this in the hopes that it affects some metric somewhere of this being a low-quality or spam call. I don't know if it does. I think I read somewhere once that it did. I could be wrong.
If a real human is on the other end and does say nothing in this window, they'll generally just call right back. You get the exact same number again then this time I'll answer it.
It is nice to filter contacts vs non-contacts but there are too many things on non-contacts. Businesses you deal with, primarily.
In the email world where obviously spam is a huge problem zombie relays that allow this (which I believe is the primary source?) can get blacklisted. Why don't telcos who do this also get blacklisted? Or at least identified? This isn't AT&T or Verizon. It's the little telcos that connect to them.
But is this all too little too late? I think we've discovered over the last 20 years that we're all pretty much over open networks. It's all opt-in now with the likes of WhatsApp, FB Messenger and so forth.
Oh and while we're at it, can we get rid of this stupid exemption to robocalling restrictions for political campaigning? It's defended as "political free speech". To me, this is nonsensical. Free speech doesn't mean that I should be forced to listen to it.
EDIT: Found an example [1] of the bad actors I'm talking about.
> Auto-dial systems will route the call to a person when they get a "live" response. I don't know the criteria but I'm pretty sure it's them detecting noise on the call (which could be voicemail).
I work with phone systems. It's usually determined by how long they hear a continuous sound at the start of a call. If it's relatively short (and it can be adjusted by settings), it assumes it's a live voice (like someone saying "Hello?" is usually pretty short). If it's continuous for a certain period of time, it assumes it's a voicemail.
For our speech applications we have different behaviors depending on which call disposition is detected (that's the term for this, also determines things like invalid phone numbers).
Sometimes when testing speech applications I'll pick up and scratch the receiver continuously or speak without taking a pause until the voicemail disposition is triggered so I can test a voicemail message without having to check voicemail.
We make these calls on behalf of health insurance companies for health reminders and surveys, so our calls are more legitimate than most, but we do use an autodialer to reduce the load on our live agents.
Question you might know the answer to: I've noticed it's a pretty common practice to get appointment reminders with caller ID from the doctor's office. I like that feature. I'd imagine there are plenty of other legitimate use cases for caller ID spoofing as well. Do you have any idea how that's going to work with STIR/SHAKEN?
I'd guess it's going to be some kind of oauth for your phone number, where you own it and can grant spoofing access to other entities?
It's going to be a problem for some systems for sure, but as the STIR framework is used to attest the number, the caller itself doesn't need to do anything. The originating carrier then attests with a level of certainty A, B or C who the caller is, and adds a crypto signature to the signaling.
The key here is the attestation. If the calling carrier (usually the provider of the DID in retail but in commercial, not necessarily the same carrier) can attest by the caller, then the call will go through regardless. So tele-center company can agree with the calling carrier that, basically, tele-center company really owns the number (A) or it's more or less certain of it (B) and the call will be sent attested.
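An added sketch, not part of any comment above and not any carrier's code: how a terminating side could read the A/B/C attestation described above from a SIP Identity header. The PASSporT field names follow RFC 8225 and RFC 8588; the function names, the 60-second freshness window and the `verify` callback (which stands in for ES256 signature and certificate-chain validation) are assumptions, and the sample token is constructed.

```python
import base64
import json

MAX_AGE_SECONDS = 60  # assumed freshness window for the "iat" claim


def _digits(number):
    """Canonicalise a telephone number to bare digits for comparison."""
    return "".join(c for c in str(number) if c.isdigit())


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def parse_identity_header(value):
    """Split 'token;info=<url>;alg=ES256;ppt=shaken' into token and params."""
    token, *params = [p.strip() for p in value.split(";")]
    parsed = {}
    for param in params:
        key, _, val = param.partition("=")
        parsed[key.strip()] = val.strip().strip('<>"')
    return token, parsed


def decode_passport(token):
    """Return (header, claims) of a PASSporT without trusting either yet."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("PASSporT must have three dot-separated parts")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def classify_call(identity_value, caller_id, called_number, now, verify=None):
    """Return 'A', 'B', 'C', 'unsigned', 'unverified' or 'invalid'.

    verify(token, x5u) is a caller-supplied (hypothetical) function that
    checks the ES256 signature against the certificate at x5u and that
    certificate's chain. Without it, no claim in the token is trusted.
    """
    if not identity_value:
        return "unsigned"
    try:
        token, _params = parse_identity_header(identity_value)
        header, claims = decode_passport(token)
        orig_tn = claims["orig"]["tn"]
        dest_tns = claims["dest"]["tn"]
        iat = int(claims["iat"])
        attest = claims["attest"]
        shape = (header.get("alg"), header.get("ppt"), header.get("typ"))
        x5u = header.get("x5u")
    except (ValueError, KeyError, TypeError, AttributeError):
        return "invalid"
    if shape != ("ES256", "shaken", "passport") or not x5u:
        return "invalid"
    if verify is None or not verify(token, x5u):
        return "unverified"
    # The signed number must be the one shown to the called party.
    if _digits(orig_tn) != _digits(caller_id):
        return "invalid"
    if _digits(called_number) not in [_digits(t) for t in dest_tns]:
        return "invalid"
    # Stale tokens could be replayed onto a later call.
    if abs(now - iat) > MAX_AGE_SECONDS:
        return "invalid"
    return attest if attest in ("A", "B", "C") else "invalid"


def build_sample_identity(attest, orig_tn, dest_tn, iat):
    """Constructed sample only: the signature part is a placeholder."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.invalid/sti.pem"}
    claims = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
              "orig": {"tn": orig_tn},
              "origid": "00000000-0000-4000-8000-000000000000"}

    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    token = ".".join([enc(header), enc(claims), "cGxhY2Vob2xkZXI"])
    return token + ";info=<" + header["x5u"] + ">;alg=ES256;ppt=shaken"


if __name__ == "__main__":
    t0 = 1_700_000_000
    sample = build_sample_identity("B", "12025550100", "12025550199", t0)
    accept_all = lambda token, x5u: True  # stub verifier for the demo only
    print(classify_call(sample, "+1 202-555-0100", "+12025550199", t0 + 5, accept_all))
    print(classify_call(sample, "+1 202-555-0123", "+12025550199", t0 + 5, accept_all))
```

A token whose signed `orig` number differs from the caller ID on the call comes back `invalid`, which is the spoofing case; a call with no Identity header at all is `unsigned` and is left to whatever local policy applies.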
The case you are citing is not the one I would be most concerned about -- it is the spoofed numbers that should have been top priority. I get calls for different numbers (almost like they have been selected randomly) every single day selling cruises.
If you call the missed call back, you realize the person picking up didn't make the call.
Be careful calling the numbers back. There's another scam where they use the equivalent of a 900 number to do billing to anyone who calls. The scammers use country codes with 3 digits to try and trick you into thinking it's a US number and hope that you attempt to return the call.
Good thing we replaced career lobbyist Tom Wheeler with someone who would actually do something, right? Are we so looking at the FCC through our worldview that we can't even acknowledge positive action?
Wheeler was born on April 5, 1946 in Redlands, California. He attended Ohio State University.[7] From 1969 to 1976, Wheeler led the trade group Grocery Manufacturers of America.[8] He then went on to work at the National Cable & Telecommunications Association from 1976 to 1984, becoming president of the trade group in 1979. For a year until its closure, Wheeler was president of NABU Network, before spending a number of years creating or running several different technology startups. In 1992, he became the CEO of the Cellular Telecommunications & Internet Association, a post he held until 2004.
I'm from the Netherlands (born and raised) and have received several robocalls, until I registered my phone number on the bel-me-niet.nl web site.
Since then, I only get such calls from companies that got my details in exchange for some freebie. I tell them I'm not interested, and would they please stop calling me, and they do.
The only calls I got recently were in English with a heavy Indian accent, "Ilse Smid" or another stereotypically Dutch name, claiming to be from Microsoft Windows, and that my computer had alerted them that it had a virus... These scam calls all came from nonexistent Dutch phone numbers.
I live in Belgium. I receive such a call on average twice a (week) day. Sometimes it's just a blank call (nobody answers), sometimes they're offering gifts if I go to shop X, or they ask if I want to compare my phone/energy bill.
The funniest one is when my fixed line provider (let's call it P) calls me on my mobile phone (which is another provider) and asks me if I'm one of their (P) customers :-)
(the explanation is that the mobile/fixed businesses are separated to avoid monopoly and, since they can't share customer data ('cos of data protection rules), they have to ask them again :-))
Seconded for the P. They call me every 3 months. Every single one promises they'll note in their CRM how I won't be contacted again. None can answer why they didn't read the note from all their previous calls.
The deep level of suffering is very obvious in your post. Everything will be okay, but you really don't know the joys of relentless robocall spam that you're missing out on.
There are a lot of people that do not have a proper understanding of what free market is, and misdirect the failing of the current markets from their proper blame point (government) to what they have associated with "free markets", failing to understand the influence that existing regulations have had on those markets including elimination of competition in the market.
Such a disingenuous argument. The government quite frankly ties the free-market with weird regulations that essentially prevent competition. And then we get snarky comments such as this that say "oh wow, look how badly the free-market failed". For an example of free market trying to solve this, albeit not in a great way, have a look at TrueCaller and similar software.
The regulations are not "weird". Before telcos were required to route all calls without discrimination, they didn't. And as soon as telcos are no longer required to route their competitors' calls, they stop. A recent example is the new area code for VOIP calls introduced in Germany in 2009. Major telcos just didn't route them, citing "technical reasons" despite being able to route local area numbers with the same mechanism without problem.
Competition is only a solution for problems where the telcos' interest and the consumers' interest align. And that's very rare.
? Telecom is one of most regulated industries in the United States. Not sure why this pattern ("look how bad the free market is" @ highly regulated market) is so common here and on reddit.
Because apparently every discussion on every message board needs to be hijacked to talk about one of the internet's four favorite political narratives, if there is any marginal relationship whatsoever.
Someday we'll have A.I. to screen calls for us, and hopefully it can also screen this highly-upvoted-but-worthless tripe from message boards for us.
"An independent U.S. government agency overseen by Congress, the commission is the United States' primary authority for communications law, regulation and technological innovation."
You can have arguments until forever about what they should or shouldn't do, but their raison d'être is to set policy according to these overarching objectives.
Oh, and just to be clear, the lack of an Oxford comma in that quote is inexcusable :)
Ahem, the authority comes from Title 2 passed in 1934.
In 2005, the FCC decided that ISPs should be regulated by them. From 2005 - 2012, Congress failed to pass new bills granting the FCC this authority. It was denied by Congress. In 2015, the FCC decided that they didn't need Congress to grant that authority.
So yeah, the FCC website claiming they have an authority is not an impartial source. Two years later, the FCC reverted back to the Title I classification.
So for 2 years, the FCC claimed a power that they were not authorized to claim.
If Congress wants the FCC to have this power they can easily pass a bill granting them that authority, they have repeatedly failed to do so.
The very first sentence of the Communications Act of 1934 says the FCC exists to regulate communication by wire, Congress need not pass a law granting it[1]. And what wording could the new law possibly use that is more explicit than the existing "for the purpose of regulating interstate and foreign commerce in communication by wire"?
It's inexplicable that the same party that claims the act establishing the FCC is more limited than the wording states while the federal arbitration act is continuously expanded to cover cases that neither the authors nor previous courts ever tolerated.
The GOP lays out an obviously slanted view about why they are opposed to the "utility-style" regulation that Title II entails.
However, this assumes that the market is functional when it's been clear since the '96 Telecom Act that it has been anything but. The idea that the FCC can't claim this authority without Congress acting first is FUBAR.
From pricing (generally higher for lower speed) to barriers to entry (the upfront cost for infrastructure is enormous), time has shown that carriers and ISPs will refuse to behave unless they are forced to.
Legislation is needed, but Republican arguments that a light touch will "preserve innovation" or some other nonsense doesn't work. 1993 was a long time ago and almost anyone who cares about this issue will tell you that Internet access is a utility (essential service, widely available, for reasonable cost) but the incumbent providers don't act like one.
(Save for maybe Google/WebPass, Sonic, and any number of municipal broadband initiatives)
My strategy has been to do the exact opposite. I've claimed to have had the accident, spoken to the real person, asked them to hold the line whilst I finish something off some "urgent" work, received the follow up call after they hang up and asked them to call me back in a couple hours, again kept them waiting a few minutes. It really wastes their time and turns me in to an expensive call for them. Yes, it's wasted my time, but if we all did this they'd quickly run out of money.
I employ one of two strategies. Either I answer with “911. What’s the location of your emergency?” or similar. If it’s a live person calling it usually gets them nice and confused. I then get to yell at them for calling an emergency line. My favorite was the guy I talked to when I pretended to be “Shepard Sharp, deputy director of the NSA”. “How did you get this unlisted number? Where are you located, we are dispatching a team to your location now.” This person seemed to believe me.
The second and more common is to simply ask for their company name, their name and employee number, and their boss’s name. By the time I get to the third question they hang up and often don’t call back again. In my state you can sue for unwanted cell phone calls and the max you can get is something like $1200/call, which I am happy to inform them of. No clue how to actually do this but if someone automates the process of filing a suit, I will split the profits :)
https://donotpay.com is an automated service that will collect the information you obtain from illegal robocallers and allow you to craft a demand letter.
Source: I've sent demand letters to vehicle extended-warranty robocallers using DoNotPay
Yes when I'm getting a spoofed caller ID I like to ask where they're calling from, or just innocently, "who am I speaking to? what is your company name?"
I've never gotten enough information to file a complaint
A friend of mine used to actively enjoy doing this. Most of the calls he got were of the "we hear you've had an accident" variety, and he would start with a generic story about something like a car accident. The story would slowly get more and more bizarre until he's eventually telling them a story like how he hit a lorry full of miniature circus animals, with loads of tiny tigers and giraffes bouncing off his windscreen. He'd see how deep he could get them into the story before they realise they'd been had.
If it was actually a real person calling me about the accident, I'd love to respond with a furious "no it's YOUR fault' and try to convince them I'd literally just had an accident answering the phone whilst driving.
The time I told the robocall bot that this was very worrying because I was on my way to a driving test was actually true though. :D
I did something similar to this a while ago, but the scam was happening via text messages.
I spent a full weekend texting back and forth with the scammer.
Although I never went as far as your lorry of circus animals, I did give _many_ hints to him that he was being played with.
Now, the more interesting part is that I was particularly fed up with scammers and wanted to see if I could out-scam one, which I did.
On the Monday after that weekend, I managed to get my scammer to provide me with his bank account username and password.
Once I got this information, I checked that they were correct credentials and stopped all and every contact. I also did nothing with it as I didn't want to myself be on the wrong side of the law, nor did I want to mess too much with a scammer and get myself in trouble.
I don't see how people can sit there and watch this live with him trying but normally the clipped/edited videos are pretty funny how much he can waste their time
I was livestreaming about a month ago and kept getting spam calls, so I decided to try to see what I could find out.
A website they pointed me to had a multidomain SSL certificate that gave me a list of other scammy domains, and one that appeared to sell robocalling software. On that site I found a phone number to call to get started. I called the number and somebody immediately answered! I pretended to be an interested customer for a while, and he claimed to be the author of the software. I wasted his time for about 10 minutes asking questions about how it worked, and where I could get lists, etc. Then told him I wanted him to add a patch to prevent my number from being called again, and that I'd be calling him again if I got any more calls.
I mute the mic and mash the keypad until the other end disconnects, no matter how long that takes. I find I get far fewer such calls than I did when I started, and the occasional hopelessly snarled-up IVR system is a nice bonus.
Basically, he walks through the history of the phone system and how it never really considered bad actors, and then what they are working on now and what it'll take to deploy it.
I'd noticed that initial silence thing as well, but mostly because I answer and speak immediately. The spammers generally have a lag on their software and connect shortly after my greeting. Then while I'm waiting in silence, they've missed that sign of life and sit there doing nothing.
So again, I don't really have a provable basis for this, but I don't want to give positive proof that they've reached a live human. I feel like that's a recipe for getting continually called.
> My response to picking up a number is to answer the call and say nothing. Auto-dial systems will route the call to a person when they get a "live" response. I don't know the criteria but I'm pretty sure it's them detecting noise on the call (which could be voicemail).
I do the same thing. I moved and my old number is forwarded through Google Voice. Every time I get a call from my old area code I know it is a neighbor spam call as no one calls me from that area code anymore.
It's gotten so bad I let my calls go to voicemail now.
The iPhone has a setting that has you route unknown callers to VM ("silence unknown callers"). I used to do the silent-answer trick, but this is so much better. If it's important, I get a vm and I'll call right back.
The times it has failed me is, actually, right now. I put in a call to have a delivery, maybe the last four digits are 4700- I've plugged that number in. But the guy calling me back calls on 4709 and gets VM. So I have to remember to turn this off if I'm expecting a delivery.
>> A human calling will wonder what is happening and fill the silence by saying something. A machine will not.
I've encountered robots in the last 6 months that have started with "Hello?" when I didn't say anything. It tripped up my Turing Test at first, but eventually hit an ALICEBot-like moment that crashed the whole thing down.
Telephone numbers are a synchronous interactive channel. If someone calls you to have a chat, they pay for your attention with their own. They can say something to you, and you can in turn say something back to them.
Robocalls shove someone else's voice into your ear, without offering you an ear in return. They signal a synchronous communication, and then renege on that promise with a spammed asynchronous message.
"Political speech" is the same as every other kind of speech. There should be no exemptions for policy just because someone running for office is involved. They have the same duty of courtesy as everyone else, and we have the same right to block our ears from their spam messages as businesses and scams.
um... cuz they get paid per call. So, just like ISP guys or Google or anyone else who is happy to irritate the fuck out of you for $.0001 per whatever useless crap that yields one in a million sales of some crap people don't need.
While I haven't taken the time to research further, I figured I'd try to brick the algorithm by speaking absolute gibberish. I also tell everyone else I know. Since machine learning is still "dumb", I figured that enough people babbling incoherently would require the spammers to hand-scrub the data or make more training rules, both requiring more work.
No idea if it worked, but it was the least I could do to halt progress in the wrong direction.
Regarding robocalls from political campaigns: I removed my phone number from my voter registration, because honestly I don't want any calls or texts from campaigns. I left my email address in case they want to spam that. I recommend doing the same (although at least with Gmail I find that several of the political emails end up in the spam folder...)
I know nearly nothing about telco software but after working at enough big places I suspect one likely answer is "because it's monstrously complex for both technical and human reasons, moreso than it might seem at first".
I really hope so. I stopped answering calls from unknown numbers until a year ago when I got a call from the same number twice and it was a paramedic calling to let me know my wife was in a car accident. She was awake enough to remember my number but her phone was lost.
So now I can't help but answer calls from unknown numbers even though I know 999 out of 1000 of them will be spam. It's abusive and an incredible waste of everyone's time and energy, not to mention in my case I wasted 10 minutes of critical time I should have been with her at the hospital.
I have a feeling the fake emergency calls are much more obvious than a real one, though. I will say, however, that emergency family calls are probably successful in the older generations.
Most of those services use a different network, or their devices are flagged as emergency numbers and get some priority. Why doesn't the call from a paramedic or other emergency number go through as a high-priority call and indicate as such? When I call 911 my cell goes all nuts telling me about how it's got priority service and the UI changes to an emergency-colored UI with some additional information, so when they call me when my wife is in the ER, why not have the phone go nuts and force me to answer it?
That nightmare scenario is the only thing that makes me answer unknown numbers. Also, a family member has a job in health and often calls from a withheld number so I end up answering a lot of spam.
In Australia a lot of it seems to target Chinese international students for some sort of visa-related scam ('Your visa is out of date, the police are coming, you need to pay your fees immediately in gift cards').
It basically asks the telecom operators to implement digitally signed certificates.
So it would work, if I understand it conceptually, like your web browser when it receives https traffic with an unsigned certificate, or https traffic from a domain that's not part of the certificate chain.
Therefore, this mandate will prevent 'spoofing'.
And without spoofing, the spammers would necessarily have to reveal their identity, and there is already a bunch of existing legislation to prevent them from doing this type of business.
I missed important business calls when in US. Because they were calling using same area code where my sim card was registered, so I thought it was from the area local to me.
It is horrible, I am sure people actually lost not just business value, but also had negative health impacting incidents, due to this abuse of telecommunications.
> I missed important business calls when in US. Because they were calling using same area code where my sim card was registered, so I thought it was from the area local to me.
I just ignore calls from my prefix. There's literally nobody in my contacts that has the same prefix I have, and I consider it extremely unlikely that any legitimate calls will come from there. 90% of spam calls come from my prefix, and most of the rest come from out of state (different area code entirely).
Another way is to just ignore all calls not in your contacts, and use Google voice's voicemail transcription (I think I've read about some way to do this with Twilio or another service, but I might be wrong).
Seems like the scammers may already be using smaller service providers which means you have at least two more years of not answering your phone. I like voicemail, if it's important they'll leave a message.
As long as there's no spoofing, shared client-side software-level blacklists (i.e. the same "adblocking" we do elsewhere) can handle the rest.
It would solve 99% of the problem just to be able to block all the calls that either 1. originate directly in other countries, or 2. that originate from number-ranges leased to carriers known to exist solely for the purpose of leasing numbers to VoIP/softphone/"app calling" providers; or 3. that originate from numbers that refer to the PBXes of companies whose business is to proxy foreign numbers to appear as local numbers. (Heck, once there's no more spoofing, we'll notice how big of a problem those are, and we'll probably get a law against them.)
After 15 years of cell phone spam, anything that shows up as a number on my personal phone, and not a contact, is reflexively ignored. I don't think I'll ever shake this habit: if it is important, they will leave a message.
I just wish various Doctors and Dentists could jump on the text/email bandwagon. Those two groups are responsible for nearly all of my phone usage - with a slim minority (that is itself mostly spam) being calls from my bank.
> I just wish various Doctors and Dentists could jump on the text/email bandwagon.
Mine have already, and I assumed it was becoming ubiquitous already.
I'm frustrated with it because I get multiple texts, multiple emails, and multiple voice calls & voice messages for every appointment I make. I want maybe one text reminder the day before or a couple of hours before and no more, just in case I forgot to set my own reminder. But usually I do have it in my calendar reminding me anyway, just two more notifications on top of the 10 the doc/dentist sends me... :P
More precisely an over-cautious interpretation of HIPAA that happens to annoy patients and is specifically called out by HHS.
Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.
Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.
There's something in HIPAA saying how the provider is to contact you? Over which channels?
I'm sceptical. I get texts from my dentist and in-app notification from doctor.
You have to ensure a channel that doesn’t gratuitously leak. Email took a very long time to be accepted, especially after things like hotmail and especially gmail arrived.
This is why fax is still so common in medicine and law (in law there’s also a belief that a fax confirmation says it’s been delivered, if not read, while email is considered less reliable / more easily deniable).
Yup, my voicemail box is constantly full of spam messages to the point where, my voicemail's regularly full, I couldn't be bothered to listen to any of them any more and it's too much effort to clean it out. My last carrier used to send a text if I got a voicemail. If I got a text saying I got a voicemail from someone I knew, I'd call back, if it was a random number, I'd just delete the text.
While this is a possible scenario- in my experience most people know to call multiple times - especially if they know that the recipient won’t recognize the number.
I don’t usually answer my phone from unknown numbers, but when I get three calls from the same number within 3 minutes I’ll pick it up.
I’m not getting into ALL the details but the “repeatedly calling” back and forth between two numbers quite honestly kept me out of jail overseas due to an embarrassing miscommunication and unintended breaking of a local law (backpacking in college, drinks were had, a friend made an ass out of himself if you must know)
I called a local friend, he didn’t answer. I called his wife she didn’t either. Both follow the “don’t answer unknown numbers” rule. As do I.
It wasn’t until I called friend a second time that he answered the phone. His response? “When my wife got a call from the same number back to back is when I started thinking this must be worth my attention.”
I wonder if it would be possible to set up something like this more rigorously. Give everyone unrelated two phone numbers. The first never rings the phone. The second only rings if the first was called within the last minute.
With a creative dialplan design one could do this with a private Asterisk installation (asterisk is behind so many of these cheap disposable phone number/voip providers anyway), though I suppose if one wanted to use someone else’s platform and infrastructure it’d be probably less effort with twilio or plivo
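An added example, not from any commenter and not an Asterisk dialplan: the gating logic of the two-number idea above (a call to the first number never rings but admits the same caller on the second number for one minute), extended with the "three calls from the same number within 3 minutes" rule from earlier in the thread. The class name, the `decide` interface and the 555-01xx numbers are assumptions; the event list is constructed.

```python
from collections import defaultdict, deque

KNOCK = "5550001"  # constructed: the number that never rings
RING = "5550002"   # constructed: the number that may ring


class CallGate:
    """Decide whether a call rings, keyed on the presented caller ID.

    Caller ID is only as trustworthy as the network makes it: a spoofed
    number that happens to match a recent knock would also be admitted.
    """

    def __init__(self, knock_number, ring_number,
                 knock_window=60, repeat_count=3, repeat_window=180):
        self.knock_number = knock_number
        self.ring_number = ring_number
        self.knock_window = knock_window
        self.repeat_count = repeat_count
        self.repeat_window = repeat_window
        self._knocks = {}                    # caller -> time of last knock
        self._attempts = defaultdict(deque)  # caller -> recent unanswered calls

    def decide(self, caller, dialed, now):
        """Return 'ring' or 'silent'. Call with non-decreasing `now` (seconds)."""
        self._expire(now)
        if not caller:                       # withheld caller ID cannot be matched
            return "silent"
        if dialed == self.knock_number:
            self._knocks[caller] = now
            return "silent"
        if dialed != self.ring_number:
            return "silent"
        if caller in self._knocks:
            del self._knocks[caller]         # one knock admits one call
            return "ring"
        attempts = self._attempts[caller]
        attempts.append(now)
        return "ring" if len(attempts) >= self.repeat_count else "silent"

    def _expire(self, now):
        """Drop state older than its window so memory stays bounded."""
        stale = [c for c, t in self._knocks.items() if now - t > self.knock_window]
        for caller in stale:
            del self._knocks[caller]
        for caller in list(self._attempts):
            queue = self._attempts[caller]
            while queue and now - queue[0] > self.repeat_window:
                queue.popleft()
            if not queue:
                del self._attempts[caller]


# Constructed events: (time in seconds, caller ID, dialed number)
SAMPLE_EVENTS = [
    (0, "5550101", KNOCK),    # knocks first
    (30, "5550101", RING),    # then calls within a minute
    (40, "5550102", RING),    # cold call, no knock
    (100, "5550103", RING),   # persistent caller, first try
    (160, "5550103", RING),   # second try
    (250, "5550103", RING),   # third try inside 3 minutes
    (300, "5550104", KNOCK),  # knocks...
    (361, "5550104", RING),   # ...but follows up 61 seconds later
    (400, None, RING),        # withheld number
]


def replay(events):
    gate = CallGate(KNOCK, RING)
    return [gate.decide(caller, dialed, t) for t, caller, dialed in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", verdict)
```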
>While this is a possible scenario- in my experience most people know to call multiple times - especially if they know that the recipient won’t recognize the number.
Especially with a service like Google Voice that will transcribe your voicemails. I will look at those; it takes a fraction of a second to dismiss the spam.
Fortunately, I only get a few of those a week, so far.
I'm struggling with the decision of whether to automatically block anyone not in my contact list and leave a message in my voicemail explaining why. Don't want to be unfriendly, but it's only getting more ridiculous.
Given my experience with robocall and stuff, I _do_ want to be unfriendly. I hate to guts that a lot of people assume that they can interrupt you at any given moment. One guy called me when I was driving and wasn't having any of that, kept on complaining that I didn't pick up.
My current plan right now is to have a landline number from my internet provider (that's SIP essentially). Whenever anybody requires a phone number give that.
Now, there will be a voice mail device on my side with message: "Hello, you've reached p2t2p and his wife. We _DO_ _NOT_ appreciate your call. If you think your message is important, leave a message and we maybe, just maybe call you back. Otherwise, use email please".
And that is not even for bloody robocalls. Every single bloody prick thinks they are important enough to steal my time. Hey, I wrote you an email so respond to email, dumbass, don't call me. There was one windows installation company that stopped interacting with me as soon as I told them that I won't pick up the phone and asked them to use email.
I guess the ultimate solution is to have my iPhone in permanent "contacts only" mode.
I’ve been paying for Vonage for 10-15 years now so I can keep my old landline phone number active to give out to businesses. Haven’t had a phone hooked up to it for nearly all that time. Voicemail + transcription works great.
You can get that for free with a google voice number. If you can’t port directly, the indirect method is to sign up for a PAYGO mobile phone and port your number there as an interim hop.
Recent versions of Android have an option to automatically screen callers who are not in your contact list. The caller gets a robot asking them why they're calling, and you can view the transcript of their response in real time and decide whether or not to answer.
As I recall this was a Google Voice feature as well.
My mobile carrier puts "scam likely" on calls that its algorithms have determined are likely spam, I wish there was an android option to just not ring the phone if that was the caller ID name.
I've used this feature and each time it occurs to me that the next step for spammers will likely be to simply leave the message, as they will still get an impression via the transcript.
It only bit me once in several years - I was expecting a call-back from a doctor and they weren't in my contacts. Missed their call, which caused a several hour delay and some annoyance (thankfully not for something critical).
This is now a feature on both iOS and Android to mute incoming calls that are not a contact. Voicemails still work fine, and with automatic transcription and all the other digital channels still open, there's no real reason to worry about anonymous calls anymore.
I didn't see anything in there about penalties for carriers not enforcing this. Also willing to bet they beg for extensions claiming they're not ready - or too costly to implement.
New legislation is being enacted around this on an ongoing basis:
e.g. H.R. 4998 was introduced about two weeks ago
All the major carriers are implementing a STIR/SHAKEN strategy that should be in effect by next year.
But it is complicated to do and there may still be problems when they do - as others have explained here it's not as simple as it first appears.
I don't have any sympathy for the operators in this. They've profited from this for long enough and ignored the problem. There's a lot of pressure on them to solve it and the impression I have is that there's no appetite for "the dog ate my homework" excuses from regulators so let's see.
The same way USPS is funded by junk mail, a large volume of Telecoms' voice calls is likely robo-caller spam. Still I would have thought either Verizon or AT&T could come up with a competitive advantage of, you know, "the number that comes up on caller ID is authenticated to actually be the person paying for that phone number"
The spoofed caller ID to match your local area code has landed on people in my contact list, and it was extremely jarring to think "why is my best friend's mom calling me out of the blue" and get offered a discount cruise by a robot.
When I got a new phone, I got a text saying that I was on a free trial of Verizon’s spam call blocking service. Needless to say they have every reason to remain complicit
If you’re wondering if STIR/SHAKEN was a James Bond reference, the answer is yes, and SHAKEN stands for “Signature-based Handling of Asserted information using toKENs”
However, I gotta say I like the semantics where the more emotionally positive the title, the worse the actual bill is. Other countries tend to hide that behind uninformative titles or just numbers, so you have to read the actual bill to figure out if it's good or bad. With the US, you can be sure that a ‘GOODTHING’ bill would be something from 4chan.
The name in the post seems pretty emotionally neutral.
Right now, I guess I'm "spoofing" my caller ID by using a VoIP service unrelated to my actual phone provider to make outbound calls. My phone provider has every incentive to sabotage this, since this alternative provider allows me to pay probably something like 1% of the rates I'd be paying to my regular provider.
The VoIP provider verifies that I own the number before letting me use it as caller ID, but towards the network it still relies on the ability to send arbitrary caller IDs. Will this remain possible/will providers controlling someone's phone number be required to somehow enable this?
How will this work for call centers that want to send a central well-publicized inbound number from multiple locations?
Edit: So I read up on the protocol. The SIP provider will provide a claim, signed with their key, confirming that they checked my number.
This leaves the possibility of providers having bypassable checks (I think mine e.g. let you set an arbitrary caller ID if you edited an HTML dropdown client-side) and "how to identify which provider is trustworthy", but that seems a lot easier to solve than the original problem.
Can someone explain what this will translate into in terms of the end-user experience? For one thing, authentication will be next to useless (at least to me) if my phone is still going to ring. So does that mean it's not going to ring for a spoofed number? Also, if it results in tons of voicemail then that's still going to be quite annoying. (How) is the actual end-user experience going to be addressed?
From my understanding, it basically means all telecoms will be required to do what T-Mobile already does in the U.S. If I get a call and the reported Caller ID doesn't match the transmitted one, it reads on my phone as "Scam Likely".
Pixels also have their own solution to this: If that condition occurs, the Google Assistant will answer the call and auto-decline if it is actually a robocall.
Some carriers may have the ability to limit calls to customers based on attestation level. Customers could configure that they only want to receive, e.g., "A" attested calls. This means the carrier from where the call originated knows that the customer who made the call owns the number they dialed from.
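The signed claim and the attestation-level filtering described in the comments above, as an added example that is not part of the thread or any carrier's code: a terminating provider verifies a SHAKEN PASSporT (an ES256-signed token carrying `attest`, `orig`, `dest`, `iat` and `origid`) against the SIP caller ID, then applies a subscriber's minimum level. The function names, the `trustedKeys` map standing in for certificate fetch and chain validation, the 60-second freshness window, the key pair, phone numbers and URL are all assumptions constructed for illustration.

```javascript
// Added example (not from the thread): verify a SHAKEN PASSporT, then screen by attestation.
const nodeCrypto = require('node:crypto');

const MAX_AGE_SECONDS = 60; // constructed freshness window for "iat"
const RANK = new Map([['A', 3], ['B', 2], ['C', 1]]); // A = full, B = partial, C = gateway

const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
function decode(segment) {
  const value = JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
  if (value === null || typeof value !== 'object') throw new Error('not a JSON object');
  return value;
}

// Originating provider: sign the claim about the calling number (ES256, raw r||s signature).
function signPassport(payload, x5u, privateKey) {
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport', x5u };
  const signingInput = `${encode(header)}.${encode(payload)}`;
  const signature = nodeCrypto.sign('sha256', Buffer.from(signingInput),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${signingInput}.${signature.toString('base64url')}`;
}

// Terminating provider: check the token against the SIP caller ID and called number.
// trustedKeys maps an x5u URL to a public key (assumption: it replaces fetching the
// signer's certificate and validating its chain, which this offline example skips).
function verifyPassport(token, trustedKeys, sipFromTn, sipToTn, nowSeconds) {
  const fail = (reason) => ({ verified: false, reason });
  const parts = String(token).split('.');
  if (parts.length !== 3) return fail('malformed token');
  let header, payload, signatureOk;
  try {
    header = decode(parts[0]);
    payload = decode(parts[1]);
  } catch (err) {
    return fail('undecodable token');
  }
  if (header.alg !== 'ES256' || header.ppt !== 'shaken') return fail('unexpected alg or ppt');
  const publicKey = trustedKeys.get(header.x5u);
  if (!publicKey) return fail('signer not trusted');
  try {
    signatureOk = nodeCrypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
      { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  } catch (err) {
    signatureOk = false;
  }
  if (!signatureOk) return fail('bad signature');
  if (!RANK.has(payload.attest)) return fail('unknown attestation level');
  if (typeof payload.iat !== 'number' || Math.abs(nowSeconds - payload.iat) > MAX_AGE_SECONDS) {
    return fail('stale or missing iat');
  }
  // The signature only proves who signed; the signed number must also be the one displayed.
  if (!payload.orig || payload.orig.tn !== sipFromTn) {
    return fail('caller ID does not match signed orig.tn');
  }
  const dest = payload.dest && payload.dest.tn;
  if (!Array.isArray(dest) || !dest.includes(sipToTn)) return fail('called number not in dest.tn');
  return { verified: true, attest: payload.attest, origid: payload.origid };
}

// Subscriber policy: ring only at or above the chosen level, otherwise send to voicemail.
function screenCall(result, minAttest) {
  if (!result.verified) return 'voicemail';
  return RANK.get(result.attest) >= RANK.get(minAttest) ? 'ring' : 'voicemail';
}

// Constructed sample data: throwaway P-256 key pair, 555-01xx numbers, example.test URL.
const NOW = 1700000000;
const X5U = 'https://certs.example.test/provider-a.pem';
const providerKeys = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const trustedKeys = new Map([[X5U, providerKeys.publicKey]]);
const claim = (attest) => ({
  attest, dest: { tn: ['12025550123'] }, iat: NOW,
  orig: { tn: '12025550100' }, origid: '00000000-0000-4000-8000-000000000001',
});
const fullToken = signPassport(claim('A'), X5U, providerKeys.privateKey);
const gatewayToken = signPassport(claim('C'), X5U, providerKeys.privateKey);

// Negative test input: the "C" token with its payload rewritten to "A" and the old signature.
function tamperedCopy(token) {
  const [headerPart, , signaturePart] = token.split('.');
  return `${headerPart}.${encode(claim('A'))}.${signaturePart}`;
}

const cases = [
  ['full attestation', fullToken, '12025550100'],
  ['gateway attestation', gatewayToken, '12025550100'],
  ['caller ID differs from signed number', fullToken, '12025550199'],
  ['payload rewritten after signing', tamperedCopy(gatewayToken), '12025550100'],
];
for (const [label, token, fromTn] of cases) {
  const result = verifyPassport(token, trustedKeys, fromTn, '12025550123', NOW);
  console.log(label, '->', screenCall(result, 'A'), result.reason || `attest ${result.attest}`);
}
```

A provider that signs "A" without really checking the number still passes every check here, which is why the trust decision about each signer (the `trustedKeys` stand-in) matters as much as the signature.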
Right, but I guess I'm asking, are plans for this in the works? Because currently I'm not aware of anything like this, nor of any plans to implement anything like this. None of the announcements suggest it might be happening either, so that's why I'm lost as to what the end-user experience would be.
I can only speak for one carrier, and the answer as of this moment is no. Pretty much everyone is struggling to meet the FCC's aggressive timelines and do interoperability testing with each other. After that is done, maybe. I'm sure the FCC has upcoming requirements based on this, but to my knowledge those aren't out yet. If the FCC doesn't make additional requirements, then it will depend on the carrier's decision. I'm under the assumption that they will introduce those additional requirements though.
iOS also has a feature to send unknown calls directly to voicemail without ringing through [0]. It seems an easy jump to classify numbers into three categories (known, unknown but authenticated, and unauthenticated) rather than two once reliable authentication is available.
It is available to all customers[1] with a supported device (plan doesn't matter, but I suspect prepaid customers are more likely to have cheaper, unsupported devices).
Hmmm. Interesting.. When I was on postpaid, I used to get caller ID with something like "Scam Likely", but since switching to pre-paid, I don't get those anymore. Looking at their page about it, it only mentions post-paid.
I can't be sure about Metro since I don't use them, but I've gone from postpaid to pre-paid on T-Mobile and I no longer get the warning/caller ID saying it. Even on their page, it does not mention anything about pre-paid.
Also, their website doesn't have the option for me like it used to, and here's a thread on their site from 2018 that talks about it not being available to pre-paid users:
The thing this will address is certain classes of scams that rely on spoofing a specific area code. The infamous “Windows support” calls, which generally spoof a Redmond, WA area code. The IRS/FBI/Immigration scam calls that spoof Washington DC area codes. These are scams which defraud people of huge sums of money every year, mostly the elderly and immigrants.
Most of my spam calls originate from a number close to my area code. Now that I live on the other side of the country, it’s easy to tell when I’m getting a spam call from where I first got my number
At least on my iPhone, for numbers that aren’t in my contacts, it shows the location under the number. I’m assuming based on area code. So it will say Redmond, WA right on the screen.
> STIR/SHAKEN enables phone companies to verify that the caller ID information transmitted with a call matches the caller’s phone number.
Seems to target spoofing. If they can eliminate spoofing it should make tracking down bad actors easier which should ultimately put many of them out of business.
I don't think actually tracking down the bad actors is the motivation for this is it? You're still going to be blind to the call behind the originating network; you just won't get attestation as to its identity.
This is the correct answer. Forcing all numbers to be authenticated doesn’t stop scammers from calling you, it just makes it easier for you to make an effective blacklist. (A blacklist around which Apple and Google, etc would be wise to make a good UX.)
Presumably it would reduce the amount of fraud. While it may not deter legal nuisance calls, that should make the phone a more reliable communications medium. That's especially true for businesses and government since, with the current state of affairs, it isn't even worth verifying that an incoming call is legitimate. Not to mention that spoofed numbers make targeted attacks possible.
Off-topic, but your sentence made me realize a useful difference between "lawful" and "legal". I first read "legal" as "relating to matters of law" rather than "lawful", and then realized you meant the latter. Now I see why the word "lawful" might be used!
Regarding your actual reply, though, that basically means we shouldn't really hold our breaths for this to actually stop calls? :\ Just less fraud, which is nice, but far from the only thing that makes these calls such a nuisance.
From my understanding, spoofed calls won’t get onto your carrier’s network under this model, let alone ring your phone. All this assumes that sorting out spoofing resolves the problem, which isn’t guaranteed.
Thanks, that link is a much better overview. It seems the calls will still reach the destination network, and the phone then, but with potential for the operator to signal the likelihood of it being an unwanted or spoofed call.
I imagine we will see a tickbox in the operators apps and web settings portals to block or send such calls straight to voicemail (or similar), as they'd be able to be distinguished via the reduced attestation level.
Maybe I'm missing something but if authentication is allowed, it will allow the client or carrier to block calls based on authenticated ID accurately. RN that's effectively impossible.
Yeah I get that, but I'm asking what a user should expect to actually happen by that time, not what a user should expect to be theoretically no longer impossible by that time.
90% of my phone calls are from the same outfit informing me that this is my last chance to renew the extended warranty on my car. Based on my call history that recording is officially my best friend. And a very forgiving one given that it has been my last chance hundreds of times over the past several years. I hope this regulation won't interfere with our relationship.
A non-driver's state ID works for everything you'd use a driver's license for except operating a motor vehicle. Even though people typically say, "Driver's license" when they really mean either kind of state-issued ID card.
Isn't a driver's license nearly as easy to renew as a non-driving state ID? I don't see the point, even if you only need to rent a car on rare instances.
There are people who choose not to drive. If you have never had a license, there is nothing to renew. Then there are people who do not qualify for a driver's license (e.g. medical reasons).
Heck, I've lived most of my (middle-aged) life without ID and probably haven't used it in the past three years.
(Agree that it’s a poor form of primary identification. It is bulky. It is difficult to replace. And it contains more information than you need for identification.)
This is bad advice. You will need it in almost any country when getting stopped by the police. That can happen any time. This will be more of a problem in some countries than others. If you really can't find a way to carry it without getting pick pocketed then a least carry a xeroxed copy with you.
I let the call go through once just to see what kind of extended warranty they were willing to give me on a '93 Ranger with 250,000 miles.
I even hit them with "But YOU called ME with this extremely urgent notification! It's my last chance, you gotta help me!", but sadly I couldn't get her to give me a quote.
It's not Marriott. I feel a little bad for the big hotel chains whose names are used by telemarketing scammers because their reputations get tarnished.
Mine are mostly offers for a pre-approved $250,000 loan, available in less than 48 hours, for my non-existent small business. Curious what stolen mailing list I'm on that makes scammers think I'm a small business owner. Flattering really, that they'd think I have the potential to become one.
I don't even own a car, and I get them all the time. I make sure to very loudly laugh whenever I get one of those calls, even when I'm completely alone (which has been a little over two weeks solid now...).
I'm not saying I never get spam calls, but I certainly have to scroll back quite a bit in my phone call history to see the last one.
Also, on the rare occasion I do get a spam call it's always from some random international country like South Sudan or Oman that I would never expect a phone call from.
What makes this problem uniquely hard to solve for the USA as opposed to anywhere else?
Prior to the quarantine, I was getting 5-10 per day.
The USA's implementation of caller ID does not require telephone providers to verify that the caller ID provided to them is real (prior to this order).
It also lacks the regulatory structure to "trace" (prosecute/fine) calls through the various interlocking copper, cellular, and internet telephony networks, even when each provider in the chain has data.
It also lacks the legal experience in knowing how (and the political will) to prosecute an individual who dials random phone numbers with an app on a cell phone using a prepaid SIM card and conferences whoever they're calling into a spam line to disguise the spam line's phone number.
Finally, our regulatory system is captive to politicians who depend critically on spam calls for political purposes, and continue to fight to have those calls exempt, making it vastly more difficult to stop all robocalls because some are legal and others aren't.
During the last presidential election I got a spam call in an elevator. Like, the emergency phone in the elevator actually rang while I was inside. It picked up automatically and I had to suffer through 20 seconds of Donald Trump shouting about immigrants until the doors opened.
Every time this topic comes up on HN, someone asks that same question.
Then there's a bunch of responses that are lots of suppositions.
Then several people from small European countries chime in saying they've never had a spam call.
Then a bunch of Europeans from large countries show up saying they get spam calls, too, and it's not just an American thing.
"Why is this problem unique to the USA?" is pretty much a meme at this point.
Also...
You start with "Why is this problem unique to the USA?" Then follow immediately with, "I'm not saying I never get spam calls" which means it's not unique to the USA. So your first sentence is invalid.
Oh, I can actually weigh in here. In the past ten years, I've spent significant amounts of time in the US, France and the UK.
In the UK, I get the occasional spam call ("I'm calling with regards to the recent accident that wasn't your fault..."). At its peak, I got about one such call per week. It's been months since I've had a spam call.
In France, I got zero. In the 7 years I lived there, I got exactly zero.
Every time I go to the US, I get 2-5 per day ("last chance to renew the extended warranty on your car").
As is often the case, things are bigger in the US.
Living in France since 2012, I get zero French spam calls on my mobile. I'm getting some immediate-disconnect calls from Algerian numbers though (no idea what those are). I used to get silent calls on a landline though, back when I had one (even if I never gave the number to anyone). One fine day I just disconnected it as it was annoying.
I used to get occasional spam calls on my rarely-used old Polish number, but since beginning this year they somehow stopped (late effect of GDPR perhaps?)
Different people in the US have different experiences. Why is some random anecdote (assuming it's not made up) good enough to define xxx million people? I don't get 2-5 calls per day. My experience is more like what you describe with the UK. But that could be affected by my being on the do not call list on one hand, and on the other, occasionally answering a telemarketer by accident when I'm waiting for another call.
France has actually been the worst for me spam-call-wise - used to get daily calls until recently. I think it comes down to chance (handing over your cell to the wrong hairdresser/gym/restaurant/online shop/whatever) and once you're in the wrong register, the only thing you can do is rotate numbers.
I live in one of the largest countries in the EU and I receive one, maybe two, spam calls a month (and always coming from countries outside the EU). From what I understand from the never-ending list of articles about spam calls in the US, some receive tens, sometimes hundreds of spam calls every day! So yes, this problem is, from our EU perspective, unique to the USA.
I get 5-10 per day in USA these days. I turned on silence unknown callers and it’s not terrible anymore but still ridiculous that it’s allowed to happen.
I would not be surprised if it turns out to be a bigger problem in the USA (and perhaps also Canada) than elsewhere simply because the USA is a bigger, easier-to-access pot of honey. It's a large area where everyone speaks the same language, lives in roughly the same regulatory and infrastructural environment, and has a lot of money to be scammed out of.
Europe is also a big pot of honey. But people speak all sorts of different languages, so you'd have to redo the scam in a bunch of different languages, which increases the effort needed to operate it.
China has way more people all speaking the same language, but relatively less wealth per person, which reduces the potential payoff. Also, I wouldn't be surprised if China has already closed off most of the holes people exploit to operate these scams, because they seem less inclined than the US government to fart around about silly crap like this for literally decades on end.
Latin America has scads of people all speaking the same language, too, but they're split up among a whole bunch of different countries, which I'm guessing also makes the scam more expensive to operate at scale than it would be in the English-speaking bits of North America.
I'm not sure why your comment is being downvoted. Having THE largest rich homogenous market segment in the world with a weak regulatory environment (aka a free market) is probably a huge factor in scam targeting. See also Amazon fake inventory and fake reviews, which are a much bigger problem in Amazon US than in Amazon Canada, for example.
Is precisely why US get so many Spam calls, and very little in many other developed countries on earth.
And judging from that, it is also no wonder why SMS passcode hijacking is much more common in the US as compared to many other places.
In reality it really is a US thing, much like how the rest of the world has public health care (good or not), and it wasn't until ObamaCare that the rest of the world realised public health services are not a standard practice in the wealthiest nation on earth.
> What makes this problem uniquely hard to solve for the USA as opposed to anywhere else?
Starting back in 2018 or so there has been a big problem in Australia with scam robocalls claiming to be from the Australian Tax Office. The area code on the phone number said it came from Canberra (Australia's national capital) which made it look more legitimate–even though in reality the call was coming from an overseas call centre. The robocall started out by saying that you owe a tax debt and the government was about to commence legal action against you. I got several, most people would hang up realising that the tax office would never do that. (It is illegal for them to discuss your tax affairs without confirming your identity first, so they would never begin a call by saying you owed them money.) But, some people (many of whom were older/vulnerable people), stayed on the call until the live operator connected. The live operator would then pressure them to go to a store and buy thousands of dollars of gift cards (such as Apple iTunes gift cards) and then read the gift card details out over the phone.
(Definitely the incidence of these fake calls appears to be falling, in my personal experience, so I think the Australian authorities'/industry's attempts are producing some results.)
There's a bunch of reasons why the US is targeted by spam callers.
a) it's a large market with a large penetration of internationally chargeable credit cards. Several countries in the EU have their own payment systems including a bunch on a push model --- it's hard to scam Germans over the phone because it's going to be hard to get them to send you funds without a German bank account; and if you have a German bank account, that's going to get you caught. Everywhere can process US Visa and Mastercard though.
b) large community that can be addressed with a single language; yes, there's a lot of people who would prefer another language, but they can probably be scammed in English (Although, with a Bay Area number I do get a good amount of scam calls in Chinese).
c) last, but probably most important; outbound calls to the US are incredibly cheap, as long as the number is not in Alaska. It's easy to find retail voip offers for less than 1 cent per minute to US numbers; and it doesn't matter if it's a landline or a cell phone. Calls to most EU mobile phones are at least 10 cents, but many countries are closer to 30 cents. That adds up quickly.
Embedded corporate interests and lobbies fighting against solutions because it'll cost them money to implement or lower their revenue once implemented. The usual.
Don't know about Europe, in Brazil spam calls are common but you can register your number in a consumer protection organ to say that you do not want unwanted commercial calls and if you keep receiving them the companies can be fined, for me it works "ok", there are still companies that don't give a shit but at least the amount of calls I receive was reduced a lot...
* Carrier-maintained blacklists and other tools have also been used by providers for a long time.
* My provider, Voip.ms, enforces a provenance whitelist by default. This blocks all SPIT calls coming from unspoofed caller ids. That may not sound like a lot, but yes, many of those calls are just random people picking their phone or mobile apps using the real phone number. Having regulation to track internal sources of SPIT (and enforcing it) helps too.
* In Canada, you can subscribe to a non-telemarketing list. That doesn't help for scammers, but it helps for unsolicited ads, political spam and private surveys. This works when enforced with actual penalties for all parties involved.
Canada's non-telemarketing list that was implemented in 2004 is essentially a copy of the US legislation that was passed the year prior. It doesn't help though, as neither the US nor Canada have jurisdiction in India, et al.
If you were setting up a little scam operation.. who would you target?
Would you decide to set it up to call over 40 different countries in Europe? Each with their own way to show phone numbers.. each carrier attempting to block spam calls in different ways.. each country virtually speaking a different language.. most countries having some different banking/credit card systems..
Or would you target the United States, where everyone in the country has the same phone prefix, pretty much all speak one language, banking/credit card system is the same, etc.
It just makes sense for scammers to target the US. You can target hundreds of millions of people the exact same way.
As a bonus, the country has a high ratio of people desperate for services who also have enough money to successfully swindle. Many elderly Americans really believe that a stranger on the phone might be their ticket to improved conditions.
That argument just suggests that the US has more scam operations, not that it has all of them. Crowding out is still an effect, so scam operations are incentivized to target other countries as the US becomes fully 'supplied' with scammers.
Same in Greece, I think it's EU-wide. When you tell a spammer you're registered in our do-not-call registry, they get scared pretty quickly and swear they'll never call again. They usually don't.
The US has had a do-not-call registry for 17 years. It still doesn't deter spammers who are not subject to US law.
Back in the early 2000's I remember doing the same thing you're describing: startling spammers by telling them that I was on the list. But today, the people calling don't care because they aren't inside of the US.
This is what anti-spoofing is for - it's trivial to deny calls from India or Russia or whatever if you're not doing any business there, the problem is that currently they're spoofing a local number.
If you're being called from a local number, then this should mean (and outside of USA actually means) that there's somebody who's subject to local law and fully responsible for ensuring that the spam laws are met. If you're a telecoms operator sending in calls to the network, then you ensure that the fines get paid - the spammers are, naturally, liable, but if you enable access to scammers in an unreachable jurisdiction or insolvent shell companies, well, it's coming out of your pocket and it's your problem on how to recover these losses. In USA, however, telecoms who specialize in providing such access to phone spammers have a legal and profitable business model. This needs to change.
CID spoofing is an entirely different thing from getting a local VoIP number. A lot of spammers just get local VoIP number, that's not spoofing, that's just a real local number.
CID spoofing is when you tell the network to display a different caller ID value than the actual originator. This never had any sort of authentication in the US (until the announcement in the OP)
Most of the spam calls in the US aren't CID spoofed, but some egregious scams are. This is usually used for things like scammers displaying "SOCIAL SECURITY" on the caller ID.
The US just generally doesn't make carriers liable for the crimes of their users. We don't need to change that, and I don't think it's a good idea either because of the unintended effects that could have on accessibility. We just need to require controls that authenticate proper use of the network. The announcement in the OP is one step towards doing that.
But preventing CID spoofing alone is not going to stop spam calls from local numbers, because VoIP.
I think mostly IT scams or falsely representing a tax agency. But these days I mostly get automated calls. I have a way around those which is when I answer a call, I don't speak until the other side says hello. Automated calls just assume the line is dead and hang up. I think these automated calls are used by the spammers to identify live numbers; a flurry of real calls will follow up in a few days.
Until this HN post it never occurred to me that you could spoof phone calls. While landlines used to get lots of spam calls, perhaps I've had just two of these calls to my mobile in my life. Each time I typed the number into google and found reports of that number being spam. And maybe less than 20 spam sms's.
Does this mean that other countries (such as Australia) do not allow spoofing of numbers?
Having lived in the UK and now the US, the problem is definitely more pronounced over here. In the UK I was receiving a spam call maybe once a week at most. In the US I was getting about 2-3 a week on a pretty new number before blocking all unknown calls.
I assume it's simply more worthwhile to create a fraudulent scheme aimed at a larger population with more potential marks.
It's not that the problem has been solved elsewhere, it's that other countries aren't as big of a target so it's not as big of a problem in most other countries (for a variety of reasons). That said, some area codes in Canada are getting bad too.
It’s not, but the scale... in the Netherlands if your number is on the lists you get I’d say about 5 calls from ‘Microsoft’ each month, not multiple calls a day.
I guess I'll be the one to go against the grain here: I might have received 2-3 spam calls in the last year, here in the US. This implies that most spam callers aren't simply dialing random numbers, they're getting lists from somewhere, and by luck or by care my number hasn't ended up on their lists.
Some have provided timelines (such as AT&T), others skirt around it basically saying that they offer call SPAM protection already but that they will go along.
Way more than 10 years. I saw a pretty in-depth demonstration on using this sort of spoofing for social engineering at H2K2, the 2600 HOPE conference way back in 2002.
There are three big issues. Robocalls and spam were not as severe an issue until relatively recently. Political robocalls in the US are an important part of how some politicians get elected and raise funds. And these solutions cost a non trivial amount of money, without increasing revenue directly.
Spam filtering is based on the content of email. To translate this (partial) success to phones, we'd have to let a private 3rd party monitor phone conversations, record them on its server indefinitely for training their AI, and screen them for us based on what the caller is actually saying to us.
Is this going to impact PBX systems that use ANI Information Elements to route calls and provide caller information to customer service applications, etc? Spoofing is kind of at the heart of those things.
ANIs will still get "spoofed" as there are many legitimate use cases, but you have to "have permission" to use the number you're spoofing, meaning either you own the number or your underlying service provider owns it on your behalf.
The legitimate use case is basically: I am placing this outbound call over VOIP or a different phone line, but I want this ANI to show up on the callee's phone, so when they call back they go to the correct line (dentist's desk, software sales line, whatever)
The issue is when I have an automated answering system (Asterisk, for a museum). It rattles off some prerecorded info, possibly with prompting. To talk to a human, I need to forward the caller (i.e. call and set up a voice bridge since the caller is already connected to me) to one of our volunteers, which will be to their cell phone (we are a railway museum and we don't have a staffed office on weekdays). I want to forward the call with the original caller's phone as the caller ID so that if they miss the call our volunteer can call back easily rather than trying some awful game of tag via calling back the PBX.
This should still be available, though it will likely take some work from the underlying software provider to be compliant.
The goal of the regulation is to cut down spam/scam calling, not legitimate uses, and the telecom providers know these uses and lobby heavily to make sure they'll still be allowed to work.
The telecom providers don't like scam calls either, or more specifically they don't like short calls. All the work and compute power in telecom is used to set up the call, then the cost of keeping it going is minimal so the longer the call goes on, the more economical it is for the provider
How will it still be available and what underlying software work in Asterisk is being referred to?
Based on the given situation, the museum won't own the caller's cell phone number that they're trying to legitimately spoof for their staff's cell phone.
I previously worked at a telecom software company, and I know everyone with their shit together has been preparing for this for a long time, which is why I'm not concerned that these common cases should continue working. These softwares are often built on top of or on a branch of Freeswitch/Asterisk.
Good to know; I admit I haven't looked at the technical side of this. Mostly I was just providing my "legit" use case for wanting to spoof numbers since I think a lot of times most people don't realize they exist.
Any ideas on how this will be implemented? I use voip.ms and I can put in my cell phone number as my caller ID so I don't need to pay for a DID (basically, rent a phone number) and calls come back to my cell.
I've thought about some potential SaaS products that would leverage a similar approach. But I would authenticate the number back to the customer before allowing it to be used to avoid spam/malicious use.
I'm guessing this is down a layer at the provider level. So in my case, voip.ms would verify the number I'm using as my caller ID is actually a number that comes back to me. Right now, I just tested by swapping my wife's cell number in, they do not validate this. Now I understand how people are spoofing numbers so easily.
Obvious approach is to voice call or text the number and require the confirmation code to be entered on the website. Just curious though if there are other requirements or if this is up to the provider.
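The confirmation-code check proposed in the comment above, sketched as an added example (not code from the thread, voip.ms, or any other provider). `send_code` is a hypothetical delivery hook for the SMS or voice call, and the expiry and attempt limits are assumed policy values.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300        # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 5      # guesses allowed before the challenge is burned (assumed)


class CallerIdVerifier:
    """Tracks which outbound caller-ID numbers each account has proven it controls."""

    def __init__(self, send_code, clock=time.time):
        self._send = send_code          # hypothetical hook: delivers the code by SMS/voice
        self._clock = clock
        self._key = secrets.token_bytes(32)
        self._pending = {}              # (account, number) -> [digest, expires, attempts]
        self._verified = set()          # (account, number) pairs allowed as caller ID

    def _digest(self, account, number, code):
        # Bind the code to account and number so it cannot be replayed elsewhere.
        msg = f"{account}|{number}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def start(self, account, number):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(account, number)] = [
            self._digest(account, number, code), self._clock() + CODE_TTL, 0]
        self._send(number, code)        # the code only ever travels to the claimed number

    def confirm(self, account, number, code):
        entry = self._pending.get((account, number))
        if entry is None:
            return False
        digest, expires, attempts = entry
        if self._clock() > expires or attempts >= MAX_ATTEMPTS:
            del self._pending[(account, number)]
            return False
        entry[2] += 1
        if not hmac.compare_digest(digest, self._digest(account, number, code)):
            return False
        del self._pending[(account, number)]
        self._verified.add((account, number))
        return True

    def may_present(self, account, number):
        """Gate to call before placing an outbound call with this caller ID."""
        return (account, number) in self._verified
```

The provider would call `may_present` at call setup and fall back to a number it assigned itself when the check fails.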
I don't think SHAKEN/STIR will stop robocalls, because the economics won't change. It's too easy for foreign robocalls to cycle numbers once one gets blocked. It will help with impersonation, but I don't believe it will significantly decrease robocall volume.
I think the telecommunications world will need to adopt whitelisting instead of blacklisting. I run a whitelist-based robocall blocking service called CallStop and a lot of customers have straight up given up using their landline, or their personal number with unknown numbers.
People who claim that whitelisting is a bad solution because it could block an emergency call don't realize that many people don't answer unknown calls anymore--and I don't think SHAKEN/STIR will change that.
Can you extend a bit on that, maybe I'm not understanding the problem right. Isn't having calls being authenticated the first step before you have whitelist/blacklist? Once every call can be definitively attached to a given source, then you can ban any foreign provider that lets these proliferate completely, no?
SHAKEN/STIR + Whitelisting is the best solution. SHAKEN/STIR by itself isn't going to change things too much I think. But it is a step in the right direction.
Whitelisting without SHAKEN/STIR is still extremely functional.
There are billions of unique American numbers possible, and with 250-500 average contacts per random dial, contact spoofing is not statistically significant.
That's what I was getting at, S/S seems like a foundational step, before being able to whitelist/blacklist. You first need to be certain about the source of the call before you can actually moderate it. Without authentication, spoofing makes banning numbers meaningless and dangerous.
Good point, if they're calling from a specific number. I see a lot of complaints about companies like FedEx though, where the calls come from random numbers.
I swear to god the number of times I've hung up on people threatening visits from the FBI because I'm behind on my taxes (spoiler: I'm not) has been driving me literally insane. Maybe I can actually turn my ringer on my phone off of silent mode one day.
If you get phonespam whisper at increasingly lower volumes, then out of the blue shout I HAVE ALREADY TOLD TO YOUR MANAGER TO BLACKLIST MY NUMBER WHAT IS YOUR SURNAME AND CUSTOMER SUPPORT ID
...But it will equal-and-oppositely create a market, perhaps a black market, for anonymous voice calls on the other... Perhaps these would be delivered by an open source Voice-over-IP program which uses an anonymizing P2P network as its backbone...
Also... will it make any difference for phone calls that originate outside of our country?
Now, those small observations aside, I think that hard authentication of the source of phone calls, is a great idea to help combat scammers and robocalls... I'd use this service myself, and I know other people that would be immensely benefitted from it...
Sounds like a good first step to solve the problem of how the legacy telecoms systems were designed in a world of trusted peers federating. End result of course being spoofed caller ID spam.
Unless I'm missing something though, these measures don't do anything to address the gaping security hole in mobile networks around roaming interconnects. That seems to still be a pretty good way to do SMS and call interception, which are increasingly valuable as phones become the de-facto 2FA channel for access to banking, cryptocurrency services and more.
I've got a FreePBX/Asterisk VoIP PBX and I've thought about running TeleCrapper2000 (https://hackaday.com/2005/09/08/telecrapper-2000/), but a better solution is to just put Google Voice in front of it and turn on "Screen Calls". It does a very effective (although not 100%) job of eliminating most robo/sales calls.
Finally, although there is still more than a year to wait. Hope there won't be any extension to this deadline.
Before that, I'll keep allowing calls from my contacts only, and bear the miserable inconvenience that sometimes my packages may take a month to arrive because of denials of calls from the delivery guy.
I'm guessing they talk with the carriers regularly about being compliant. I asked them about it recently and they said in a response ticket they were following along with progressions in authentication. There may be someone who works for Twilio on this thread that has more info though.
Are you asking if this will impact Google Voice? If so, I would imagine the answer is almost certainly that it will not at all impact Google Voice.
Google Voice works by acting as a proxy for outbound calls. You dial your friend's number, your phone dials Google, who in turn dials your friend with your Google Voice number displayed. Since Google is the legitimate carrier for your Google Voice number, I can think of no reason why they wouldn't be able to correctly sign the call.
Additionally, Google is listed as one of the 14 companies that the FCC appears to be working with (see the table towards the bottom of https://www.fcc.gov/call-authentication), so I assume they are planning to use it for Fi and hopefully Voice as well.
Google Voice also acts as a proxy for inbound calls. Your friend dials your GV number, GV dials your other phone number, which does not belong to Google and uses your friend's number (which may or may not belong to Google) as the caller ID. From the point of view of your telco, who services your phone number, Google is spoofing your friend's number unless your friend happened to call using another GV number.
What parties are trusted to spoof? Having a telecom industry group play favorites with who is and isn't allowed to spoof anyone's phone number sounds like it would be bad.
None. You are already in a weak non-repudiation environment with cell phones. This solution will reduce some spoofing, but I doubt it will eliminate it.
It will be interesting to see who will be running the CA for these connections.
These concepts could be applied towards that purpose if the MNOs wanted to rejigger messaging within their networks & for inter-carrier connectivity- but pursuing that solution would likely be more challenging to implement than this solution.
Is there any reason to believe this is anything other than the next step in a long, slow-moving process? SHAKEN/STIR has been being rolled out for a few years now, IIRC most major players said they were going to have it deployed by the end of 2019 (see response column of table towards the bottom of https://www.fcc.gov/call-authentication), now they're just setting a deadline of June 2021 to start authenticating calls.
It is bad news for the US citizens indeed.
Unauthenticated phone number is the last island of privacy in our modern world.
Think about it: from some point all citizens will carry a geolocation tracking device that is directly linked with their ID. The internet access will also be bound to your ID and so on.
There are better ways to fight spam that do not pose a threat to privacy -- think about email or Facebook. There were tons of spammers, but there are commercial spam filters that do well now.
I live in a country where cellphone carriers are legally forced to authenticate users. And this data is used against political opposition and journalists.
Does this mandate do that? It seems like it's just enforcing STIR/SHAKEN to prevent spoofed numbers. It doesn't, at least from what I can see, mandate any tying of identity to number. Your 7-11 burner phone and prepaid AT&T number should be fine.
[1]: https://www.theverge.com/2020/1/31/21117477/justice-departme...