FCC Chairman Warns of 'Regulatory Intervention' as He Criticizes Carriers' Anti-Robocall Plans

The Federal Communications Commission will consider "regulatory intervention" if the major telecommunications carriers don't set up a system this year to stop spoofed robocalls, FCC chairman Ajit Pai said Wednesday. "It's time for carriers to implement robust caller ID authentication," Pai said in a statement, noting that some companies have already committed to carrying out protocols, known as the SHAKEN/STIR framework, in 2019. A report adds: Pai sent letters to major wireless carriers in November demanding that they adopt industry-wide frameworks to crackdown on the practice of "spoofing," where robocallers mask a call's origin with a fraudulent number on their caller ID. On Wednesday, the FCC chair followed up with another demand that they implement caller authentication systems this year and a threat over the repercussions if they don't comply. You can read responses from carriers FCC's website.

Finally Ajit Pai does something for consumers

[HalWasRight]

Finally the FCC does something for consumers. I get as many as five robocalls a day with spoofed caller id on the T-Mobile network. The telcos need to secure their networks to stop devaluing the money I pay them. Since consumer complaints haven't gotten any action, at least the FCC is finally doing something. BTW: I got another robocall with spoofed caller ID while typing this ... I wonder if the vmail will be in mandarin, which has been a new development.

Idea for robust caller ID

[mark-t]

First of all, it is important to realize that there can, in fact, be legitimate reasons to spoof a phone number... for example, calling from a direct dial out line for a business, but wanting the main business head office number to show up on the caller ID instead, which might even be located in a different country or state.

So given that, much of the problem becomes how to enable spoofing where it is legitimate, but to not present a spoofed number as the caller when it is not.

A carrier, when receiving a call that is on its own exchange always knows the exact number that is being called from (we will call that phone number A), the number that is being called (we will call that phone number B), and also knows what number the caller is wanting to spoof as (if any, which we will call phone number C). Whether the caller is trying to spoof or not, the carrier for A adds a temporary entry int a local cache that tracks outgoing calls, indicating that it is making a call from A to B. This entry is kept alive only for a minute or two at most before being deleted.

If the caller does not want to spoof, then assume that C = A, and the remainder of this paragraph can be ignored. If the caller wants to spoof, then the following additional steps must be performed. The carrier for A tries to tell the carrier for C that it wants to use that carrier to spoof to spoof, making a call to #B. This request might pass through a number of other carrriers, so let us assume that the carrier for C sees the number that is calling it as X, since it is possible that the carrier for A, or any intermediate carrier might be conspiring to spoof. If the carrier for C allows the number X to be spoofed with C, then the carrier for C will then ask the carrier for X if it is presently making a call from X to B. If it does, then it adds an entry in its own cache that it is making a call from C to B. If the carrier for C does not recognize X as a number it can spoof for, then the request is ignored entirely, and the carrier for C will not do anything. Please note, that if X has been illegitimately spoofed, but X is still legitimately recognized by C as being a number it can spoof for, then the carrier for X as reached by C will not issue any response, so C doesn't have any obligation to add an entry to its table in that case.

Whether or not the caller from A is trying to spoof, the carrier for A concurrently rings the carrier for B. The carrier for B, seeing the number C as being the number claimed to be called from, asks the carrier for C (as seen from B) if it is currently making a call to B. If the answer is yes, then the number shown in call display can be assumed to be valid. If C does not respond, then no number should show up.

This whole verification process should take a few seconds at most, and can happen concurrently with the ringing of the line. A person who answers quickly might not get a verified caller ID until after they have already picked up the phone.

The cached entries, as I said, are temporary, and are individually deleted after being present for a short time (one or two minutes would likely be enough time to be sure that the call is really valid).

This is just something I came up with when I had some spare time and thought about it while I was taking the bus to work one day.... there might still be vulnerabilities, but I wasn't able to find them..

Re:Why is number spoofing even possible?

[Shikaku]

Mostly because businesses now run a VOIP system that translates a bunch of machines into a business account and they need to be able to set their public caller ID as their main business number that can direct your call to who you need and not some random VOIP address of X person trying to call you which might not even be a valid number at all, or just a number of that specific caller in Y department.

The issue has been already solved but in a different format: domain registrars for web addresses with SSL certificates, so a system like that but for phone numbers would be a good start perhaps?