Comment by dec0dedab0de
3 days ago
We really just need telcos to stop allowing caller id spoofing. Doesn’t even need your name, but with a real number we could actually report these scams.
You can still allow people to hide it, but then by default every non-business phone should block calls with hidden numbers.
Whatever happened to SHAKEN/STIR? I thought this was supposed to happen 5 years ago. Did they just chicken out on the prospect of actually shutting down telcos sending spam volume? I still get loads of spam phone calls, so clearly something went wrong (or slow enough to be indistinguishable from wrong).
I love a good tortured acronym:
> SHAKEN system, short for Signature-based Handling of Asserted information using toKENs [...]
> The name was inspired by Ian Fleming's character James Bond, who famously prefers his martinis "shaken, not stirred". STIR having existed already, the creators of SHAKEN "tortured the English language until [they] came up with an acronym."
https://en.wikipedia.org/wiki/STIR/SHAKEN
(Unrelatedly, seeing a slash used casually within the URL slug feels so wrong)
I like backronyms because it tells me someone with a soul was involved
I'm not certain, but I think on my phone incoming calls that fail SHAKEN/STIR show the caller id in red rather than black text. I'm on T-Mobile. It also shows "Number Verified" or something like that.
Now that you mention it, I believe I have seen a couple of red flagged calls, but I still get ~3 calls a day from a very aggressive business loan spammer, it's always a new number and never flagged.
According to a defcon talk, spammers just make sure all their spam gets routed through legacy TDM systems which discard the shaken/stir header because they're too old to support it. The other side then re-adds a "we got this from somewhere that didn't support this header" header.
> legacy TDM systems
Easy fix. It should be opt-in to accept a call that is routed through one of these. I know they allow it so some grandma in rural France that still uses a dial phone on a copper line that hasn't been touched since 1962 can call her son in New York, but for the rest of us who are not in that situation, we can just blacklist all those calls and lose nothing. This would even fix spam for the people who opt-in, because so few people have grandmas in rural France that it's not worth it for the spammers to bother anymore.
Just because a call is a spam call doesn't mean it is spoofed. STIR/SHAKEN ends spoofing but anyone can ultimately buy a phone and make calls that are spammy.
Spoofing isn’t ended at all
Almost every spam call that I get is spoofed.
Someone here explained it, once.
I think the spoofed calls use a legacy transport tech that can’t be forced to validate.
Sure, but with phone numbers that can't be spoofed, telcos can terminate service, and filtering technologies can block calls. Spam gets expensive if you have to buy new service every five calls.
Nobody is making spam calls with cell phones. Spammers use VOIP services and old TDM systems.
STIR/SHAKEN up to this point has only been a self-certification that a telecom company has the right to use a number. What the FCC is trying to do is set up a legal obligation for the STIR/SHAKEN header to match a KYC verified identity.
If the FCC implements this, I expect a lot of litigation because of the burden and legal liability this would place on telecom and VOIP companies. There are other less burdensome approaches to preventing spam that the FCC has not tried.
I am constantly amazed how few people understand that preventing spam is below the last thing the FCC is actually interested in.
First of all, the decision makers at the FCC profit directly from spam, Christ.
Secondly, the indirect value of spam to the FCC is that it helps to justify initiatives to ruin the privacy of ordinary people via the constant push for KYC.
Just like "age verification", Flock cameras, license plate scanners, ubiquitous IoT with microphones and cameras, etc. Governments and corporations both profit from shredding every molecule of your privacy.
The FCC issued a report on this very subject[1]. TLDR, there have been four exceptions to the SHAKEN/STIR requirements:
- Providers that can't afford to implement it
- Non-IP networks
- Small voice service providers that originate calls via satellite using U.S. NANP
- Providers that lack control over the network infrastructure necessary to implement
Nothing is going to change as long as those holes exist.
1: https://docs.fcc.gov/public/attachments/DOC-416732A1.pdf
The can't afford it exception is disappearing soon, as it isn't true for any business. Total setup costs for STIR/SHAKEN are under $2000 these days. Providers that lack control over the network infrastructure (i.e. they don't have the ability to control the stir/shaken headers so by definition they can't spoof numbers) will likely continue to be a thing as changing it would force pretty much every small business in the VOIP industry out of business and allow only large companies to be VOIP service providers.
> I thought this was supposed to happen 5 years ago. Did they just chicken out on the prospect of actually shutting down telcos sending spam volume?
It would certainly hurt a consumption-based economy, for starters.
Why would that hurt a consumption-based economy?
and cut off a million dollar annum laundering scheme to provide such service to the scammer networks? nah... they would never.
This is already not allowed.
If your carrier accepts a spoofed call they're already violating FCC recommendations.
Recommendations aren't requirements; you're allowed to violate them.
Of course
And yet, I incessantly get spoofed numbers calling me from the same "central office code". Also resulting in people with the same code "returning my calls" and then getting angry that I say I didn't call them.
Preventing number spoofing would help significantly with spam calling. At least the ones from local numbers.
Medical offices hide their numbers for very good reasons: if you've got an abusive spouse, you often don't want the medical office in your call history. Which results in a lot of very important calls being ignored.
Stopping caller ID spoofing doesn't have to mean caller ID is always enabled. You should be able to make a call with NO caller id, but not a call with somebody else's caller id.
Unless I'm missing something, this doesn't seem hard to fix: just let users decide whether hidden numbers should be ignored or received.
Doesn't that make it more likely people are going to miss important calls from their Doctor's office?
Why do we even need to run on the 20th century system of numbers anyways? Why is there not a better call addressing system?
We don't, but the entire world currently does, and the amount of equipment deployed that depends on it is substantial.
I would be willing to bet money that any "better call addressing system" would be a design by committee where this just gets litigated there. And we'd end up with either a system that requires KYC per-call, or has compromises similar to what we're complaining about now.
Having worked with telco companies, 99% of it is "Yeah, but this stuff still works just fine ;) And if a government compels us to change our equipment for reasons other than national security, we're going to pitch a fit and demand financial incentives beyond reason." A lot of the pressure to boot Huawei from tech stacks globally ran straight into that wall and flopped. Even with national security at its back.
Considering most of those same telcos are donors and employers of large numbers of people across many constituencies of almost every nation, usually no politician has or is willing to spend political capital to shoot themselves in the foot like that. And no nation with a national telco company runs it well enough to ever even dream of spending money for something like IP addresses, they typically barely keep the lights on.
Because backwards compatibility expectations make it hard. Also telecoms are evil and greedy so unless you are actually going to stop paying for a phone they won’t lift a finger to improve anything. Countries with newer phone systems at least support Alphanumeric Senders.
https://help.twilio.com/articles/223133767-International-sup...
I suppose you'd like to replace it with Email since that doesn't have any spam, hmm?
We were able to tack a bunch of domain and header functionality on top of the email system that helped us know if the sender was authentic which is much more than we can say for the POTS
Because the concept of numbers is so heavily baked into many systems. Momentum is a beast.
Said on a forum that was accessed by IP protocol.
What valid purpose do hidden numbers have? Government departments in my country hide their caller ID.
I find that abusive on its own but let’s not forget about the fact that now you have victims of domestic violence being forced to answer hidden numbers in case it’s welfare, or the cops, or their abusive spouse.
Calling in an anonymous tip to the police and such.
I’d say to use a payphone if you need to do that, but then my age is showing, as this is not possible anymore.
Unfortunately, the grift economy is hyper-meritocratic: if you can figure out a scam and it makes money, who are we, as capitalists, to stop you? You take out the lower rungs of the grift economy, then who's to say who can fleece the taxpayer with a repainting of a reflecting pool on the taxpayer's dime. It's a slippery slope, really.