Slashdot Mirror


'Robocall Strike Force' Proposal Could Stop Caller ID Spoofing (onthewire.io)

This summer the FCC convened a "Robocall Task Force" to help consumers fight unwanted automated telemarketers, and Wednesday the coalition finally delivered a report recommending a "Do Not Originate" list so carriers could spot spoofed numbers which should be blocked. A trial of the "DNO" list that's been running for the last few weeks on some IRS numbers has resulted in a 90 percent drop in the volume of IRS scam calls, officials from AT&T, which leads the strike force, said during the FCC meeting Wednesday. The carriers on the strike force, which include Sprint, Verizon, and many others, plan to continue testing the DNO list in the coming months, with the intent to fully implement it some time next year...

The strike force members also are working on a system to classify calls into categories, such as political or charity, as a way to give consumers more information before they answer calls from unknown numbers. And, the group said it has developed a working solution for authentication between VoIP applications and traditional landline networks as another way to defeat spoofing from callers in foreign countries.

Early next year they're planning larger tests -- and the strike force has also created a new site describing how to block and report robocalls.

17 of 97 comments

  1. Why are they messing about? by Joce640k · · Score: 4, Funny

    Why are they even messing about with this?

    Require mandatory jail sentences for anybody installing/operating this equipment and the problem will disappear overnight.

    The same goes for a lot of other crap the people have to put up with. Start throwing more scumbags in jail and the scumbags will stop doing it.

    Maybe a general "scumbag" law that can be applied retroactively to people who try to beat the system. If a jury decides that somebody is being a 'scumbag' then anybody with a history of the behavior being judged can have the law applied to them.

    Vote for me in the next election!

    --
    No sig today...
    1. Re:Why are they messing about? by HBI · · Score: 3, Interesting

      The task of government is to make the system appear fair to all and to achieve a relatively constant justice. Actually being fair and just in all cases is, of course, impossible. But governments have been failing at this task of appearing uncorrupted for a while now. The first effect is vigilantism, as we see with Anonymous and Wikileaks. Then it comes off its moorings with random killing to settle scores. Then we're back in medieval times in the West...much of the rest of the world still lives under the threat of random killing. At that point, our communication systems and goods distribution will crash to a halt due to the manifest lack of safety.

      We're not far away from that reality. Therefore, any attempt to reassure people that there are consequences for unfair or criminal action is useful. Coming up with more and more baleful punishments for the tiny minority who get caught is not the solution, though.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    2. Re:Why are they messing about? by currently_awake · · Score: 4, Informative

      Killing people for less severe crime has been tried; England killed thieves and robbers for a while. The result was a massive increase in murder and other serious crime, as there was no difference in punishment and the more serious crimes had a better payout for the same or less risk.

    3. Re:Why are they messing about? by Joce640k · · Score: 2

      Yep. If you're installing a call center then you should make sure of the credentials of the people asking you to do it.

      This will be done by that person giving you a copy of their installation permit and you looking up the permit on the government website to see if it checks out (correct person, correct address, correct installation date, etc).

      I may be cruel, but I'm just.

      --
      No sig today...
    4. Re:Why are they messing about? by quetwo · · Score: 4, Insightful

      The problem is that most of these scam calls are originating from outside the United States. Our laws can't do much outside the US without a lot of legal paperwork -- and in most cases it won't be worth it.

      One easy solution is to give consumers access to the BTN or Bill-To phone number. This is the number that is being billed for the call -- essentially pinning down the place where the call is being switched into the PSTN. If you get the BTN, you get the person behind the call -- regardless of what their Caller ID is. Unfortunately, right now, the only way to get access to the BTN is via the SS7 protocol (not available to consumers), or to compel your phone company to give it via a subpoena. Enough abuse from a single BTN -- cut them off until they can clean up their act.

  2. Why is that legal in the first place? by Opportunist · · Score: 2

    We're all too happy to outlaw things that have no legal purpose, even if they do. Care to inform me what legal purpose spoofing caller ID could possibly have?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Why is that legal in the first place? by 110010001000 · · Score: 5, Informative

      All businesses use it to make the call appear to come from the general office number. So if an employee calls someone they don't get the direct number to that employee, just the general business number.

    2. Re:Why is that legal in the first place? by runningduck · · Score: 2

      Your explanation is perfectly valid for why a business might assert a particular CID that is valid within the company, but not why carriers allow people to assert any CID not registered to that individual or company.

      The only way to solve this problem is to make the carriers accountable for allowing such behavior. To be clear, I am less concerned about unwanted calls and much more concerned about scammers. If a carrier allows scammers to forge their identities then the carriers are complicit in the scammers' illegal acts.

      --
      -rd
    3. Re:Why is that legal in the first place? by runningduck · · Score: 2

      VoIP is actually irrelevant; there is still a hand-off from a customer to a carrier in order for the call to be connected outside of a local network. There will either be a voice gateway with PRIs or some sort of SIP trunk. The carrier has the option of restricting CIDs but few do.

      --
      -rd
    4. Re:Why is that legal in the first place? by Nethead · · Score: 2

      I was given the option by my local carrier for the company PRI. I chose to only allow the DIDs that we lease. Not that I was going to spoof, but if someone got in via SIP to our system at least it would get back to me so I could investigate and fix.

      --
      -- I have a private email server in my basement.
  3. Another Revenue Source for Carriers? by JimMcc · · Score: 2

    I didn't read them all, but T-Mobile's solution is an app which you install on your smart phone. The description says that it's a free trial and they state up front that it is a paid service. So if you want protection from spam/scam calls you need to pay extra. I get tired of the various carriers nickel-and-diming you to death.

    1. Re:Another Revenue Source for Carriers? by Mister+Transistor · · Score: 2

      AT&T is pulling that shit too, apparently. My mother said something like "My caller ID names are gone, and it's just numbers now. It said something about the free trial being up." That must be what she was talking about; she just got a new Galaxy 7 Edge with AT&T service.

      I'm on Verizon and I get names and numbers as part of basic caller ID service, AFAIK.

      --
      -- You are in a maze of little, twisty passages, all different... --
  4. Re:Why is that possible in the first place? by swb · · Score: 5, Informative

    The PBX predates caller ID.

    The PBX was fed with trunk lines which actually had phone numbers, usually unrelated to the called number. When an inbound call was made to 555-1000, telco switched that call at the CO to one of the trunk lines. Outbound calls worked basically in reverse: the call went to the PBX, which chose an open trunk and completed the call.

    Direct Inward Dial (DID) involved buying a block of numbers which had no physical line associated with them and these were programmed to be switched to a trunk at telco with signaling that passed the called party number to the PBX so it could complete the call to the internal extension.

    This system had to be adapted to caller ID. Early outbound calls often showed the trunk's phone number, but IIRC you could get telco to basically rewrite those calls to a customer specific number, usually the main number, if your switch lacked the software or signalling to pass the calling extension out.

    PBX software eventually got the ability to pass an extension's DID to telco, so caller ID passed to the called party would see the number the call came from, even though it may have passed over an analog trunk with a completely different assigned phone number.

    Basically, caller ID has, for anything other than single POTS or cell lines where telco handled all the switching, been a kludge on a system that wasn't built for caller ID, and spoofing was a necessary feature.

    The problem all along has been lazy and/or greedy telcos who never bothered to implement sanity testing on spoofed calling party info and just accepted all of it rather than build in checks that the calling party info actually represented numbers assigned to the calling party.

    And I'm sure much of it was made worse by call centers, for whom number spoofing was a business feature -- doing business for a company who WANTED call center calls to come up as their numbers. And VOIP vendors who wanted to use IP networks to route calls and unload them onto POTS at the cheapest point, terminating a call from a DID block leased from telco A using circuits leased from carrier B.

  5. simple solution.... by Lumpy · · Score: 4, Insightful

    Force all call routing tables that all telcos use to be authenticated. Yes, that means poor, poor multi-million-dollar businesses will have to pay $100 a year to have their giant VoIP system verified and validated. Home VoIP is forced to be sent through a certified telco that locks the CID information and disallows ANY changes.

    Honestly it could be fixed in only a couple of months if people got off their asses.

    --
    Do not look at laser with remaining good eye.
  6. Best incentive yet improvement is cell phones by MrKrillls · · Score: 2

    As long as there is no better alternative, landline telecoms see no downside to a lax stance on robocalls. But if I cancel my land line and just use my cell, because I can control how my cell phone responds better, then the landline industry has motivation for attacking the problem. I am going to call my telecom and tell them they will lose my business if the industry doesn't get serious on this. I include political calls, surveys, the whole set of unsolicited calls.

    --
    Don't step on the baby.
  7. Re: Much needed by sjames · · Score: 2

    Spoofing is a relative term. As TFA uses it, you are not spoofing since you are sending out a number that actually belongs to you. The ones they're talking about spoof the number of a legitimate business or government agency that does not belong to them.

  8. Re:Why is that possible in the first place? by quetwo · · Score: 4, Informative

    Actually, since digital switching began in the 60's and 70's, there have been three fields transmitted with every call (well, a lot more, but these are relevant):
    BTN = Bill To Number -- this is the number that the call is billed to. This is actually validated by the connecting carrier, and still is today. In most cases it will be the circuit number, SPID, or an account number for really large customers.
    CPN = Calling Party Number -- this is the number that the call is presenting itself as -- the Caller ID if you will. A long time ago, this was always validated by the phone company against the customer's record of DIDs. In the early 90's the LECs started charging companies to open up this field so that they could hide call center numbers, etc. and to make their phone number their brand. In the late 90's some LECs started offering this as a standard feature as a differentiation against other CLECs.
    RTN = Route To Number -- this is the number the call is destined to.

    The biggest problem is that we started getting a lot of smaller CLECs that didn't understand the technology well enough and started giving everybody closer access to the PSTN (for example, by not watching the CPN they were sending). The problem was exacerbated when VoIP became a thing and CLECs started allowing anybody access to the PSTN with no restrictions and no regard to their physical location.

    These scams are hard to track down. I'd venture to say that 80% of them are running on stolen credit cards, on AWS (or other cloud provider) EC2 instances, connected to some VoIP provider that is billing another stolen credit card. They connect their SIP phones from anywhere to the PBX in the cloud and they start. Labor is cheap in other places in the world and with everything being in the cloud they can be pretty much anywhere. If they get shut down, they just use another stolen credit card and launch another EC2 instance and they are back in business a few minutes later.
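
The two carrier-side checks discussed in this thread, a "Do Not Originate" list and validating the asserted CPN against the DIDs on record for the billed account, sketched as an added example that is not part of the story or of any comment. The names `DNO_LIST`, `CUSTOMER_DIDS`, `normalize` and `screen` are hypothetical, the phone numbers are constructed (reserved 555-01xx range), and only NANP numbers are handled.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample data, not real assignments.
DNO_LIST = {"+12025550100"}   # inbound-only numbers that must never appear as a CPN
CUSTOMER_DIDS = {             # BTN -> DIDs leased to that account
    "+13125550110": {"+13125550110", "+13125550111", "+13125550112"},
}

@dataclass(frozen=True)
class Call:
    btn: str  # Bill To Number: validated by the connecting carrier
    cpn: str  # Calling Party Number: asserted by the customer (the Caller ID)
    rtn: str  # Route To Number: the destination

def normalize(number: str) -> str:
    """Reduce a dialled string to +1NXXNXXXXXX form so comparisons are exact."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) == 10:      # national format without the country code
        digits = "1" + digits
    return "+" + digits

def screen(call: Call) -> tuple[str, str]:
    """Return (decision, reason) for an outbound call at the carrier hand-off."""
    btn, cpn = normalize(call.btn), normalize(call.cpn)
    # The owner of a DNO number never originates calls from it, so any call
    # presenting it is spoofed no matter which account is being billed.
    if cpn in DNO_LIST:
        return "block", "CPN is on the Do Not Originate list"
    dids = CUSTOMER_DIDS.get(btn)
    if dids is None:
        return "block", "BTN has no customer record"
    # A business may present its main number instead of the extension's DID,
    # but only numbers leased to the billed account are accepted.
    if cpn not in dids:
        return "block", "CPN is not a DID leased to this BTN"
    return "allow", "CPN belongs to the billed account"

if __name__ == "__main__":
    for c in (Call("+13125550110", "(312) 555-0111", "+14155550199"),
              Call("+13125550110", "+1 202 555 0100", "+14155550199"),
              Call("+13125550110", "+13125550199", "+14155550199")):
        print(c.cpn, "->", screen(c))
```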