Slashdot Mirror

← Back to Stories (view on slashdot.org)

FCC Chairman Warns of 'Regulatory Intervention' as He Criticizes Carriers' Anti-Robocall Plans (thehill.com)

Posted by msmash on from the enough-is-enough dept.

The Federal Communications Commission will consider "regulatory intervention" if the major telecommunications carriers don't set up a system this year to stop spoofed robocalls, FCC chairman Ajit Pai said Wednesday. "It's time for carriers to implement robust caller ID authentication," Pai said in a statement, noting that some companies have already committed to carrying out protocols, known as the SHAKEN/STIR framework, in 2019. A report adds: Pai sent letters to major wireless carriers in November demanding that they adopt industry-wide frameworks to crackdown on the practice of "spoofing," where robocallers mask a call's origin with a fraudulent number on their caller ID. On Wednesday, the FCC chair followed up with another demand that they implement caller authentication systems this year and a threat over the repercussions if they don't comply. You can read responses from carriers FCC's website.

18 of 147 comments (clear)

  1. I can see why it's taking so long, though by 93+Escort+Wagon · · Score: 2

    After all, they had to devote significant time into coming up with that acronym.

    --
    #DeleteChrome
  2. Re:Uh-oh by Anonymous Coward · · Score: 4, Insightful

    It annoys the wealthy, so of course he's moving to eliminate it. There's no dissonance.

  3. Finally Ajit Pai does something for consumers by HalWasRight · · Score: 3, Informative

    Finally the FCC does something for consumers. I get as many as five robocalls a day with spoofed caller id on the T-Mobile network. The telcos need to secure their networks to stop devaluing the money I pay them. Since consumer complaints haven't gotten any action, at least the FCC is finally doing something. BTW: I got another robocall with spoofed caller ID while typing this ... I wonder if the vmail will be in mandarin, which has been a new development.

    --
    "This mission is too important to allow you to jeopardize it." -- HAL
  4. Re:Uh-oh by 110010001000 · · Score: 2, Funny

    I think that Ajit Pai doesn't want me to get the back brace support I need, a vacation to Disneyworld, and help me pay off my student loans!

  5. Re:Uh-oh by Sarten-X · · Score: 5, Insightful

    Personally, I'm opposed to the idea that anybody's purely evil. I think people are driven by motivations we just don't understand or don't agree with.

    From that perspective, I'll wildly speculate with no evidence or context! That's what Slashdotters do best!

    By threatening regulation instead of actually proposing regulation, Pai has actually opened the door for carriers to avoid compliance. They can present timelines pulled from dark and smelly orifices, promising that they'll be compliant sometime in 2083, and Pai can then turn around and issue statements that the FCC is now working "for the people" and "working with carriers to ensure timelines are met". Any further push by the public to accelerate the standards' implementation will just be called political posturing, led by the Deep State to undermine the FCC's authority.

    Meanwhile, the big carriers will demand subsidies to implement this new standard, and in the name of system-wide compatibility, they will insist the government adopt (and mandate) another new standard, conveniently authored by several industry insiders, and which relies on a software patent with exorbitant licensing fees, just-so-unfortunately out of reach for a startup carrier's budget.

    To be clear, this post is intended to be modded "Funny". Please do not let it be "Insightful". For the sake of all Americans, I hope to be completely wrong.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  6. Re: Uh-oh by HiThere · · Score: 2

    Well...there's also the question of exactly WHAT will get implemented. Just because we're told that a regulation will do something we desire doesn't mean it won't do a lot of things we don't desire, even if it actually does do what we desire. I don't know the SHAKEN/STIR framework, and I certainly haven't analyzed how it works, or in what ways it could be manipulated.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  7. Re:Uh-oh by 140Mandak262Jamuna · · Score: 4, Funny

    Mod Parent Up, ++ insightful

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  8. Re:Uh-oh by budsetr · · Score: 4, Funny

    Wait, are you trying to insinuate that the "wealthy" have their own national phone system completely separate from the rest of us? Staggering. "Hey Bob, new rich guy, yup just hit the 15 million mark. We gotta install all that extra cabling to his house, and plumbing too. Crap! We also have to reprogram another group of servants to never ever ever ever ever ever EVER say a word about any of this. Oh jeez, we also have to train that schmuck on proper Rich Person Telephone Network use. I wonder if anyone let the Rich Person IT department know yet."

  9. Idea for robust caller ID by mark-t · · Score: 3, Informative

    First of all, it is important to realize that there can, in fact, be legitimate reasons to spoof a phone number... for example, calling from a direct dial out line for a business, but wanting the main business head office number to show up on the caller ID instead, which might even be located in a different country or state.

    So given that, much of the problem becomes how to enable spoofing where it is legitimate, but to not present a spoofed number as the caller when it is not.

    A carrier, when receiving a call that is on its own exchange always knows the exact number that is being called from (we will call that phone number A), the number that is being called (we will call that phone number B), and also knows what number the caller is wanting to spoof as (if any, which we will call phone number C). Whether the caller is trying to spoof or not, the carrier for A adds a temporary entry int a local cache that tracks outgoing calls, indicating that it is making a call from A to B. This entry is kept alive only for a minute or two at most before being deleted.

    If the caller does not want to spoof, then assume that C = A, and the remainder of this paragraph can be ignored. If the caller wants to spoof, then the following additional steps must be performed. The carrier for A tries to tell the carrier for C that it wants to use that carrier to spoof to spoof, making a call to #B. This request might pass through a number of other carrriers, so let us assume that the carrier for C sees the number that is calling it as X, since it is possible that the carrier for A, or any intermediate carrier might be conspiring to spoof. If the carrier for C allows the number X to be spoofed with C, then the carrier for C will then ask the carrier for X if it is presently making a call from X to B. If it does, then it adds an entry in its own cache that it is making a call from C to B. If the carrier for C does not recognize X as a number it can spoof for, then the request is ignored entirely, and the carrier for C will not do anything. Please note, that if X has been illegitimately spoofed, but X is still legitimately recognized by C as being a number it can spoof for, then the carrier for X as reached by C will not issue any response, so C doesn't have any obligation to add an entry to its table in that case.

    Whether or not the caller from A is trying to spoof, the carrier for A concurrently rings the carrier for B. The carrier for B, seeing the number C as being the number claimed to be called from, asks the carrier for C (as seen from B) if it is currently making a call to B. If the answer is yes, then the number shown in call display can be assumed to be valid. If C does not respond, then no number should show up.

    This whole verification process should take a few seconds at most, and can happen concurrently with the ringing of the line. A person who answers quickly might not get a verified caller ID until after they have already picked up the phone.

    The cached entries, as I said, are temporary, and are individually deleted after being present for a short time (one or two minutes would likely be enough time to be sure that the call is really valid).

    This is just something I came up with when I had some spare time and thought about it while I was taking the bus to work one day.... there might still be vulnerabilities, but I wasn't able to find them..

    --
    File under 'M' for 'Manic ranting'
    1. Re:Idea for robust caller ID by mspohr · · Score: 2

      Much simpler (but it will require the telcos to do some WORK) is just require legitimate businesses that want to spoof their legitimate head office number to register the spoofed numbers with the telco. The telco can then certify that the spoofed numbers are legitimate. Telcos could even charge money for this service.

      --
      I don't read your sig. Why are you reading mine?
  10. Re:Why is number spoofing even possible? by nerdonamotorcycle · · Score: 2

    Same reason a lot of attacks on the Internet are possible: the network was designed and constructed at a time when only trusted parties were connecting to it. It wasn't designed to be secure because at the time it was relatively easy to identify bad actors and disconnect them from the network.

  11. Re:Why is number spoofing even possible? by Shikaku · · Score: 4, Informative

    Mostly because businesses now run a VOIP system that translates a bunch of machines into a business account and they need to be able to set their public caller ID as their main business number that can direct your call to who you need and not some random VOIP address of X person trying to call you which might not even be a valid number at all, or just a number of that specific caller in Y department.

    The issue has been already solved but in a different format: domain registrars for web addresses with SSL certificates, so a system like that but for phone numbers would be a good start perhaps?

  12. Re: Uh-oh by sconeu · · Score: 4, Funny

    The SHAKEN/STIR framework involves sharing Vodka Martinis with the CEOs of various telecoms.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  13. Doesn't bother me by p51d007 · · Score: 3, Insightful

    Number isn't in my contact list, I just don't answer it. If it IS someone trying to reach me, they will leave a voice mail, and they get added to my contact list. If they don't, they go into my spam blocker. Problem solved.

    1. Re:Doesn't bother me by bjdevil66 · · Score: 2

      You've minimized the inconvenience in your case, which is great. With a better system, however, you'd never have had to put in any effort to setting your system up - or be distracted again by future spoofed calls. THAT'S how it should be.

  14. Re:Why is number spoofing even possible? by Doke · · Score: 3, Interesting

    I tried this when we first got a PRI into our VoIP system. Our provider would only accept caller id numbers in the range they assigned/routed to us over that PRI. I could spoof any of our numbers, but not anyone else's. I don't understand why other providers allow spoofing of numbers that aren't routed to that trunk. Payouts? Graft?

  15. Re: Uh-oh by LostMyBeaver · · Score: 2

    It affects him directly.

    I turned on my American telephone for my upcoming US trip next week. Since I've turned it on, I've signed up for the "Do not call registry" which I'm quite sure does nothing. I've been receiving on average 3-5 phone calls a day from Kissimmee Florida to inform me that my medicare will not cover a hip some surgery if I wait any longer. Every call claims quite forcefully that "This is your last warning" of which I keep hoping it is true... it's not. If I press 2, it should add me to the "Do not call list" and I've pressed it a few times only to be transferred to a sales person. At which time I ask to be removed from the list... and I'm not.

    It is quite impressive to see how poor the state of the US is in. Only in India, the UK and the US have I ever seen so many people blatantly trying to take advantage of other people. It's absolutely horrifying that the regulatory committees are unable to control this problem. When an American company calls and American telephone number and the owner of that number contacts the FTC to report a violation, the FTC should be knocking on their door within a week. Instead, the FTC doesn't seem to do anything about it... all the scam calls I've received are long time members of a list of known scammers. It also appears that these people know they are safe. What's worse is that there are people working for these companies who knowingly violate the "Do not call" registry. After all, Robocallers should have access to a database which makes it clear who they can call and who they can't. If these companies violate that, they should be shutdown or fined severely on early offenses and punished with prison on repeat offenses.

    I'm very sad to know just how low the people of America have declined to.

  16. Re: Uh-oh by green1 · · Score: 3, Insightful

    Spoofing isn't the problem. Unauthenticated spoofing is the problem. The CID needs to be taken out of the hands of the businesses, and put in to the hands of the telecoms. They can then work with the companies to present the appropriate CID. It would be no problem for a company to register their main number, and say "calls from all these other numbers should appear to come from this one, here's proof we own this one" It's that proof part that we're skipping.

    It always surprises me how quickly idealistic engineers design systems that fail to include ANY security/authentication system, and expect that humans will play nice. We know that simply doesn't work, it's been proven repeatedly for pretty much as long as humans have existed. It's not hard to authenticate ownership of the main number, phone it! There's no reason why the end user needs to be able to spoof any number they please without proving first that they own that number.