'Robocall Strike Force' Proposal Could Stop Caller ID Spoofing

This summer the FCC convened a "Robocall Task Force" to help consumers fight unwanted automated telemarketers, and Wednesday the coalition finally delivered a report recommending a "Do Not Originate" list so carriers could spot spoofed numbers which should be blocked. A trial of the "DNO" list that's been running for the last few weeks on some IRS numbers has resulted in a 90 percent drop in the volume of IRS scam calls, officials from AT&T, which leads the strike force, said during the FCC meeting Wednesday. The carriers on the strike force, which include Sprint, Verizon, and many others, plan to continue testing the DNO list in the coming months, with the intent to fully implement it some time next year...

The strike force members also are working on a system to classify calls into categories, such as political or charity, as a way to give consumers more information before they answer calls from unknown numbers. And, the group said it has developed a working solution for authentication between VoIP applications and traditional landline networks as another way to defeat spoofing from callers in foreign countries.
Early next year they're planning larger tests -- and the strike force has also created a new site describing how to block and report robocalls.

Re:Why is that legal in the first place?

[110010001000]

All businesses use it to make the call appear to come from the general office number. So if an employee calls someone they don't get the direct number to that employee, just the general business number.

Re:Why is that possible in the first place?

[swb]

The PBX predates caller ID.

The PBX was fed with trunk lines which actually phone numbers, usually unrelated to the called number. When an inbound call was made to 555-1000, telco switched that call at the CO to one of the trunk lines. Outbound calls worked basically in reverse, the call went to the PBX which chose an open trunk and completed the call.

Direct Inward Dial (DID) involved buying a block of numbers which had no physical line associated with them and these were programmed to be switched to a trunk at telco with signaling that passed the called party number to the PBX so it could complete the call to the internal extension.

This system had to be adapted to caller ID. Early outbound calls often showed the trunk's phone number, but IIRC you could get telco to basically rewrite those calls to a customer specific number, usually the main number, if your switch lacked the software or signalling to pass the calling extension out.

PBX software eventually got the ability to pass an extension's DID to telco, so caller ID passed to the called party would see the number the call came from, even though it may have passed over an analog trunk with a completely different assigned phone number.

Basically, caller ID has, for anything other than single POTS or cell lines where telco handled all the switching, been a kludge on a system that wasn't built for caller ID, and spoofing was a necessary feature.

The problem all along has been lazy and/or greedy telcos who never bothered to implement sanity testing on spoofed calling party info and just accepted all of it rather than build in checks that the calling party info actually represented numbers assigned to the calling party.

And I'm sure much of it was made worse by call centers, for whom number spoofing was a business feature -- doing business for a company who WANTED call center calls to come up as their numbers. And VOIP vendors who wanted to use IP networks to route calls and unload them onto POTS at the cheapest point, terminating a call from a DID block leased from telco A using circuits leased from carrier B.

Re:Why are they messing about?

[currently_awake]

Killing people for less severe crime has been tried, england killed thieves and robbers for a while. The result was a massive increase in murder and other serious crime as there was no difference in punishment and the more serious crimes had a better payout for the same or less risk.

Re:Why is that possible in the first place?

[quetwo]

Actually, since digital switching began in the 60's and 70's, there have been three fields transmitted with every call (well, a lot more, but these are relevant)
BTN = Bill To Number -- this is the number that the call is billed to. This is actually validated by the connecting carrier, and still is today. In most cases it will be the circuit number, SPID, or an account number for really large customers.
CPN = Calling Party Number -- this is the number that the call is presenting itself as -- the Caller ID if you will. A long time ago, this was always validated by the phone company against the customer's record of DIDs. In the early 90's the LECs started charging companies to open up this field so that they could hide call center numbers, etc. and to make their phone number their brand. In the late 90's some LECs started offering this as a standard feature as a differentiation against other CLECs.
RTN = Route To Number -- this is the number the call is destine to.

This biggest problem is that we started getting a lot of smaller CLECs that didn't understand the technology well enough and started giving everybody closer access to the PSTN (for example, by not watching the CPN they were sending). The problem was exacerbated when VoIP became a thing and CLECs started allowing anybody access to the PSTN with no restrictions and no regard to their physical location.

These scams are hard to track down. I'd venture to say that 80% of them are running on stolen credit cards, on AWS (or other cloud provider) EC2 instances, connected to some VoIP provider that is billing another stolen credit card. They connect their SIP phones from anywhere to the PBX in the cloud and they start. Labor is cheap in other places in the world and with everything being in the cloud they can be pretty much anywhere. If they get shut down, they just use another stolen credit card and launch another EC2 instance and they are back in business a few minutes later.