As the article mentions, there are some shortcomings. Caller ID spoofing is necessary for some services, as in the VOIP world calls are broken up into termination (dialout) and origination (dialin). If STIR/SHAKEN takes hold, the CID phone number for termination will have to be signed by the origination carrier. It should be fun to watch the carriers handle it. (There are 3 levels of attestation, but that's the gist.)
I just implemented this at a telecom. To expand a bit, the three levels are A, B, and C. There is also of course empty (no attestation). Three levels of attestation are roughly:
A = I know the customer, they own this number.
B = I know the customer, can't confirm they own this number.
C = I'm sending this call out, but I know nothing of the customer or this number.
Carriers sometimes don't want to receive anything other than A, because it's probably useless to them. By that I mean, if it's not A, they don't want to be sent the attestation level or identity header at all.
As someone who works with multiple carriers, I doubt anyone outside of the wireless carriers and Inteliquent will implement STIR/SHAKEN soon in the USA.
Inteliquent (aka Neutral Tandem, Onvoy, Exiant, Vitelity, plus 20 other sub-brands) is the only provider implementing this protocol outside the cellular industry, and most of the CLECs they work with are not capable of maintaining SIP with a TLS certificate, let alone their own PKI as STIR/SHAKEN would entail.
Yeah, it's mostly wireless carriers at least for now. Already T-Mobile and I think ATT are rolling this out to consumers, called Certified Caller ID I think. However, the FCC is coming down hard on all carriers for this. I don't know if there's any fines for not having it implemented, but I know Chairman Pai said he expected it to be implemented this year. Obviously, telecom moves slowly and it's not possible for all carriers. Even some SBCs I'm sure don't support it (specialized call handling hardware). It will be interesting to see what kind of legal requirements they put in place with regards to this. I think they will try to strong-arm all carriers soon.
On cellphones, no/C attestation can show up with "suspected spam". I believe T-Mobile does this today somehow, possibly a line under the caller ID.
Whether or not it's a premium service will probably depend on the carrier.
As for your original question (blocking), I'm not sure. It's certainly in the realm of possibilities and carriers' fraud departments will have to decide what to do with it.
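Added example, not code from any commenter or carrier: how a receiving carrier might check the structure of an inbound SIP Identity header carrying a SHAKEN PASSporT and then apply the handling described above (only A-level identity passed on; no/C attestation labelled "suspected spam"). It assumes the ES256 signature has already been verified against the certificate at x5u in a separate step, and all numbers, the certificate URL and the origid are constructed sample values.

```python
import base64
import json

# Added example: structural checks on an inbound SIP Identity header carrying a SHAKEN
# PASSporT, then the attestation-based handling the thread describes. The ES256 signature
# is NOT verified here (assumed checked elsewhere against x5u). Sample values are constructed.

ATTEST_LEVELS = {"A", "B", "C"}
MAX_IAT_AGE = 60  # seconds; RFC 8224 suggests a 60 s freshness window for iat

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_identity_header(payload: dict, x5u: str) -> str:
    """Constructed sample: PASSporT with a placeholder (unsigned) signature part."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    parts = [b64url(json.dumps(header, separators=(",", ":")).encode()),
             b64url(json.dumps(payload, separators=(",", ":")).encode()),
             b64url(b"placeholder-signature")]
    return f"{'.'.join(parts)};info=<{x5u}>;alg=ES256;ppt=shaken"

def parse_identity_header(value: str) -> dict:
    """Split 'token;info=<url>;alg=ES256;ppt=shaken' into header, claims and parameters."""
    token, *params = [p.strip() for p in value.split(";")]
    hdr_b64, claims_b64, _sig = token.split(".")
    out = {"header": json.loads(unb64url(hdr_b64)),
           "claims": json.loads(unb64url(claims_b64))}
    for p in params:
        k, _, v = p.partition("=")
        out[k] = v.strip("<>")  # info=<url> carries angle brackets around the URL
    return out

def validate(parsed: dict, from_tn: str, to_tn: str, now: float) -> list:
    """Return the problems found; an empty list means the PASSporT claims are coherent."""
    problems = []
    h, c = parsed["header"], parsed["claims"]
    if h.get("alg") != "ES256" or h.get("ppt") != "shaken" or h.get("typ") != "passport":
        problems.append("unexpected header alg/ppt/typ")
    if not h.get("x5u") or parsed.get("info") != h.get("x5u"):
        problems.append("x5u missing or does not match ;info parameter")
    if c.get("attest") not in ATTEST_LEVELS:
        problems.append("attest must be A, B or C")
    if not c.get("origid"):
        problems.append("origid missing")
    if c.get("orig", {}).get("tn") != from_tn:
        problems.append("orig.tn does not match the calling number")
    if to_tn not in c.get("dest", {}).get("tn", []):
        problems.append("dest.tn does not include the called number")
    if abs(now - c.get("iat", 0)) > MAX_IAT_AGE:
        problems.append("iat outside freshness window")
    return problems

def handle_call(parsed_or_none, from_tn, to_tn, now, a_only=True):
    """Receiving-side decision: whether to forward the Identity header downstream
    (a_only mirrors carriers that want nothing but A) and which caller-ID label to show."""
    attest = None
    if parsed_or_none is not None and not validate(parsed_or_none, from_tn, to_tn, now):
        attest = parsed_or_none["claims"]["attest"]
    forward = attest == "A" if a_only else attest is not None
    label = {"A": "verified caller", "B": ""}.get(attest, "suspected spam")
    return {"attest": attest, "forward_identity": forward, "label": label}
```

A PASSporT that fails any claim check is treated exactly like a call with no Identity header at all, so a stale or mismatched token never earns a "verified" label.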
I've just stopped answering my phone altogether. If something is important enough the person calling should leave a voicemail.
I don't do either, because the spam calls I get are in a language I don't speak, and my voicemail is full of messages in languages I don't speak.
I have to resort to "if it's important, someone will e-mail me or send a letter," which ten years ago used to be the biggest vector for unwanted contact.
You aren't getting the robot voicemails yet? I mean sure I can ignore those too - but it's that much more annoying since I now have to filter through my voicemails to see if anyone left a message that actually matters.
I'd guess about 1/3 of robocallers are leaving me voicemails now. I also very recently started getting obvious phishing attempts via SMS.
Yeah that's going to screw you over at some point, I presume.
I had the California DMV try to reach out to me about some form inconsistencies and they only contacted me by phone and voicemail. (To their credit they left me 3 voicemails through a very busy day I had.)
There was no other way they were going to contact me before letting my car registration expire.
Same thing just happened to me this week, I wasn't checking voicemails because I get too many spam calls / spam messages and I almost got withdrawn from Graduate School because of it -- (I needed to verify a term break and since I never did, automatic withdrawal initiated.)
Sorted it out, but barely. Very frustrating to have that sort of outcome from the root cause of phone spammers.
I always answer the call and then joyfully "block/report spam" the number in the Android dialer. Being able to do something to fight back is satisfying enough that I don't ignore the call.
I did just switch to T-Mobile and they pass "SCAM LIKELY" as the caller name so I may start declining those.
I agree, this only blocks legit numbers since they're spoofed anyway and the next spam call will be an auto-generated number anyway (from a similar area code). My solution is to simply not pick up calls that are not in my phone's address book. I still get a lot of annoying calls, from a few a day to dozens. It's frustrating but I refuse to get annoyed, to keep my sanity. Most of the calls that I get are making an announcement in Chinese. I am not Asian and I do not understand Chinese. I've read somewhere that it's a scam meant to swindle Chinese citizens in the US for money.
My wife received a call from a person who was angry at some phone scammer and started cursing her and telling her not to call anymore. My wife tried to explain that she did not make the call, that the number was spoofed, but to no avail, the curses continued until they hung up. I find this kind of breach quite problematic and don't really understand how it can proliferate to this extent.
I used a bulk number blocking app to do exactly that, and the amount of spam calls I receive has dropped dramatically. You can also have it make exceptions for numbers in your contacts list. The one I used on IOS is called Wideprotect, but I'm sure there are ways to do it on Android as well.
> Filtering out any number that shares my area code and first three digits and not in my phone book would go a long way to getting rid of spam.
Filtering by number is a lot easier when you have a number with a small state's area code when you have not lived there for some time. All unknown callers from that state are then easily identified as spam with 99% probability.
I’ve found that when I get a robot call, if I type randomly on the numpad it usually gets me on the line with a real person, whose time I’m happy to waste. I figure this is the most expensive outcome for the caller.
I've had decent luck with saying straight out at the start of the call "I know this is a scam. I am on the federal Do Not Call list and will be reporting you. I'm hanging up now" and then hanging up. My intention is to get my number marked as having a low probability of converting; if you lead them along they might think a few more calls will give them a decent chance at profiting. I also feel sympathy for people whose best option is telephone scams.
Note: I'm lying about Do Not Call. It's just another way for people to learn your number has a real person behind it. But the synchronization between the Federal list and internal systems of callers is a shitshow so actually reputable mass dialers will just assume they missed you and add you to their internal list. (Edit: So of course I don't report people. Even if I was really on the list, that takes time and has essentially no return)
Doesn't this signal to the malicious caller that your number is an active line with a human willing to pick up the call? I imagine that information is valuable to malicious callers who probably sell lists of active phone numbers of curious humans willing to pick up.
I heard that advice 10-20 years ago, and I think it made sense then: junk calls were accomplished with autodialers feeding into phone banks with real humans to finish the scam.
With modern VOIP I’d be surprised if anyone compiles lists of possible marks: your outbound traffic can be way more than before, so why not let the computer call everyone and see who bites every time?
Is there some way to implement this as a service with a chat bot or just prerecorded mumbling and confused statements? I guess it could happen by just transferring the call.
The true future of AI is robots sending each other spam.
This can backfire. Robocallers used my local pharmacy's number so much that I had to tell the pharmacist to add it to my file that I shouldn't be contacted via phone.
That was my old practice, but spoofing means that not only is that ineffective, you're often blocking real numbers that you might want to be able to reach you.
When I used to get a lot of spam calls (because I had to answer my phone for everything), I used to answer numbers I didn't recognize as "Orleans County 911, what is your emergency?" Most spammers got the hint and either hung up immediately or stammered out an apology and hung up.
One person insisted on trying to sell a car warranty so I ramped it up a bit. I'm only a little sorry that the person was apologetically crying about "interfering with emergency services" by the end of the call.
I haven't had voicemail in over a decade. I used to fill it up myself, then later I learned you can call the company and they will disable it. I figure if it was important they would have sent a text in the first place.
But I haven't gotten any spam calls in over a year ever since T-Mobile started blocking them for me. Are the other providers not doing this?
Yes, this has been my practice as well, except that voicemail is mostly for unknown callers to get a chance to actually get a message to me (just in case). For people I know, if it's important then they need to SMS me to tell me that they're going to call. If they can't text for some reason, then there's always voicemail.
I wish I could afford to do that. I've got important calls coming in of which I don't always know the number. If I miss the call, it can be a headache trying to get the process going again.
Me too. Although you realize that we will now occasionally miss an important call. In fact this just happened — my credit card fraud team was legitimately trying to get a hold of me and I ignored it. This made my travel this week painful with a hold on my credit card.
This is the real loss... missing calls I would have wanted or needed to answer.
So you get notified you have a few new voicemails and you need to take time checking them, and presumably robocalls leave robo-voicemail, and now each robocall ended up costing you more time than they would if you just hung up?
Both my VM providers transcribe voice mail into text. Glancing at a transcript to identify spam takes a second. More important I am not interrupted by calls and could check them at the time most convenient to me.
This problem doesn't appear to exist at that scale (there exist some spammy call centers of course, and apps to block them...) in Europe.
Not sure if that is legislation, technology or culture/economy related, and whether it's an active solution or it just passively works out.
But what stops the US from doing whatever Europe is doing to not have tons of robocalls?
For one, making calls costs money. How can robocallers actually do multiple calls at the same time at a reasonable price in the first place? And then this spoofing: isn't the solution against that technological rather than legislation?
EDIT: A thing that gave me the impression the problem is much bigger in the US than Europe is that the first time I heard about robocalling was in a Simpsons episode from 1996. So autodialers seem to have existed for a very long time already in the US, but in Europe they're not really being used (that I know of. If they were used at large scale, I'd have noticed I guess?)
> And then this spoofing: isn't the solution against that technological rather than legislation?
"Spoofing" is just a name for using caller ID you shouldn't. There's no tech solution for it... unless we create a global federated registry that can be queried online, a new phone network which cares about it, and migrate every phone in the world to it. POTS will be alive longer than us.
I never noticed this spoofing ability in Europe though. Can someone make a phone call and appear to have a different number (and is this about mobile or landline numbers)? If so, why isn't it being done at large scale in Europe to get around apps that block known call centers?
Why would there be no tech solution around fake caller ID? The phone company knows who it's billing for this call, doesn't it?
> Can someone make a phone call and appear to have a different number?
I imagine so. It is quite easy to test. Here in Canada, if you verify your phone number with Google Hangouts [0], calls you make using Hangouts Dialer or through Gmail interface will show it originating from your phone number, even though it is originating from Google servers, not your phone. It seems Hangouts Dialer is available throughout EU. Have you tried using it?
As for the capability, in many ITSP companies you can sign a paper saying "I promise that all the calls I'm sending have a valid callerid" and get no restrictions.
iirc, the calling number is reported from the calling device, not the service provider.
I remember playing around with that on my rooted Android phone years ago (around Android 2.0-2.2) in Germany.
It would probably be possible to discard this information from the client and overwrite it as the service provider, but they weren't doing that at least back then. It would also be costly (like a MitM proxy overwriting headers)
That was around 10yrs ago though. Might have changed by now.
It's not costly. There's a lot of similar processing already happening, the proxies you mention are not mitm - they're part of the system. Most providers do ignore what you send them about your external caller id - in many cases you don't even know the correct one. Blind forwarding the cid is a bug rather than something people decided to do for cost or other reasons.
This problem doesn't appear to exist at that scale (there exist some spammy call centers of course, and apps to block them...) in Europe.
In a previous HN discussion, it was pointed out by people in Germany that it does exist, and is a big problem in Germany. I don't know about the rest of Europe.
The legislation also pushes providers to implement the technology. The incentives aren't quite aligned for phone companies to stop spoofing on their own initiative. They're still making money on these calls.
I’m one of those people who thoroughly enjoys scam baiting. I answer every robocall I can, and connect to a live scammer whenever possible. Every minute of theirs I waste is a minute they’re not successfully scamming someone else.
I find it amazing to see STIR/SHAKEN[1] mentioned in an act of congress. Rarely does congress mandate specific technology, usually it just grants authority to make rules to agencies or imposes some kind of duty. I wonder why this law goes this route.
It’s because Congress is still stuck in the 1980s and mostly use POTS to do things. This is obvious in how concerned they are about the phone system, but willing to completely gut the Internet (net neutrality) — because they don’t use the Internet so have no idea about it. They still use phone calls for everything, so they’re getting hit directly on their personal devices with these calls. They can’t just ignore all unknown calls like most people do.
> willing to completely gut the Internet (net neutrality)
Oh please. The internet hasn’t been “gutted”. Far from it. It’s getting faster. It’s getting cheaper. It’s becoming more widely available. Do you have any evidence, anything at all, that the internet has been “gutted”?
And you’re going to tell me with a straight face that the internet has been “gutted” for the vast majority of its existence? Don’t be ridiculous.
I wonder if it is possible to forward robocalls to another service that will attempt to keep the robocaller busy as long as possible. It would be great if everyone can just answer the robocalls and press a button to forward to a time-waster service. Hopefully, every busy robocall is one less call to another person.
I have a pretty stupid bot set up with Asterisk. I think the record is 17 minutes, and the bot even repeated the script. When I get bored I put up some calls:
Perhaps allowing people to call via a static IPv6 address routed to their phone would resolve the issue with spoofing. A single range would be reserved for VOIP services such as 2002::/16 and subscribers would be allocated addresses that could be shortened and made to look to like traditional phone numbers.
I feel like any other solution adds yet more complexity and I would argue the only thing that should be necessary to make calls is an internet connection.
Some VOIP applications already accept calling via IPv4/IPv6 addresses.
My recommendation is to get a phone number with an area code out of state. It'll be pretty easy to avoid spam calls because they'll use your area code.
having a phone number will go the way of the landline
same with email addresses -- this is some combination of your identity and a license to spam you
spam protection is the main feature of gmail because email wasn't designed with fraud in mind -- an email system rebuilt from the ground up for 2019 would be safe for medical information, receipts, not be the giant password reset security hole that email currently is, and not allow randos to spam you
every new product designed in this century needs to prevent fraud by design (including spam)
Perhaps you'd give them single-use invites, or invites that included some form of certification path? I've noticed that Discord makes me go out of my way to hand out a reusable/non-expiring invite URL instead of a 1-day use-up-to-10-times link; obviously Discord's implementation relies on their hosting all the servers, but one could imagine a cryptographic equivalent that worked in a federated protocol.
I don't use (or want to use) chat apps like Discord and such, though. It would also be a real challenge convincing the people I interact with routinely to start using such apps.
My company recently switched to MSFT Teams, and the other day I was thinking how difficult it would be to get spam through teams.
By design, only people part of our organization can communicate with each other. There (AFAIK) is no endpoint for my organizational teams account visible to other teams users outside my organization. For spam to occur, someone's account would need to be compromised (which would be found quickly) or a fake account somehow created by the org admin (which seems unlikely).
With email, the IT department is commonly spoofed, or the president, HR, etc. Most people can spot the differences, but with teams they would virtually never get any fraudulent messages.
I suppose “social networks” are the replacement, you’re exchanging getting spammed by random actors you don’t know to a single actor (the social network).
This is an economic problem not a technical one. We simply need to make it unprofitable to wholesale spam call citizens of the wealthy first-world.
Every outbound call should cost $1 to the terminating carrier. ATT, Centurylink, etc. Recipients can mark spam calls (*69, an app, whatever) and the dollar is split between the carrier and consumer. After 60 days the money is returned for calls not marked as spam.
No calls are connected that don't include this advance money.
Now, the assholes who dial 2,000 people a minute will need to afford $2,000 a minute of credit to run their operations.
Carveouts or credits can be extended to bona fide groups such as political parties, 503c, etc.
Over time, trustworthy callers will have a revolving account or insurance to cover the costs. Untrusted callers can no longer afford to make calls.
You’re now incentivizing the carrier to deliver spam calls, and the customer to report as spam every call they receive from a party they have no expectation of talking to again regardless of whether it’s spam.
I'm not sure why Washington has to be involved in this.
I've owned a landline phone that had a blacklisting feature. A little useful, except everyone got one shot ... until the available memory slots were used up. I bought it.
Why any phone with a CPU would not offer a whitelisting option is a mystery. Not on the list ... zero attention paid.
https://www.atis.org/sti-ga/resources/docs/shaken-faqs.pdf
Bandwidth.com also has a good overview:
https://www.bandwidth.com/glossary/stir-shaken/