Comment by Perseids
2 hours ago
I'm usually not one to focus on technological solutions given sociological problems, but this one seems to be a good exception. If we "just wanted to" [1] all this fake calls could be stopped by requiring strong authentication/authorization. We are very much used to just anybody being able to call my number, but that doesn't need to be the case. At the very least, cold calls should be treated as skeptical in the UI as instant messengers like Signal treat first messages. Probably this isn't enough, though, as it wouldn't have prevented the cases described in the article. Cold calling someone should probably require the caller to be traceable to a real, government-ID-verified person [2]. Even if that person is being defrauded themselves ("get a thousand bucks by installing this app and clicking a few screens") is would destroy the economics of the attack, as it would make each call expensive again.
[1] Structural inertia is the killer here. It will certainly not happen until the problem is huge enough.
[2] Exceptions can of course apply to numbers that are meant to primarily be cold called, like doctors offices. The callee possibly have to be specially trained to withstand this kind of attacks.
Speaking of which, what happened to SHAKEN/STIR? I thought the strong authentication requirements came down the pipe years ago and they were going to start turning off (or hiding by default) routes of low reputation. That was years ago, it was supposed to take years, but here we are years later and I still get loads of spam calls. What happened?
It is hard to get vendors to give up revenue no matter how illegal the source of revenue is.
So lots of judicially-unreachable call centers under judicially-unreachable telecoms need to lose reputation score and get spam-binned by default, just like email. I thought that was going to happen by now. Did the US telecoms just chicken out?
I never answer my phone if I don't know who is calling me.