Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
AT&T Advertising Businesses Cellphones Communications Google Government Privacy Verizon Apple

'Robocall Strike Force' Proposal Could Stop Caller ID Spoofing (onthewire.io) 97

This summer the FCC convened a "Robocall Task Force" to help consumers fight unwanted automated telemarketers, and Wednesday the coalition finally delivered a report recommending a "Do Not Originate" list so carriers could spot spoofed numbers which should be blocked. A trial of the "DNO" list that's been running for the last few weeks on some IRS numbers has resulted in a 90 percent drop in the volume of IRS scam calls, officials from AT&T, which leads the strike force, said during the FCC meeting Wednesday. The carriers on the strike force, which include Sprint, Verizon, and many others, plan to continue testing the DNO list in the coming months, with the intent to fully implement it some time next year...

The strike force members also are working on a system to classify calls into categories, such as political or charity, as a way to give consumers more information before they answer calls from unknown numbers. And, the group said it has developed a working solution for authentication between VoIP applications and traditional landline networks as another way to defeat spoofing from callers in foreign countries.

Early next year they're planning larger tests -- and the strike force has also created a new site describing how to block and report robocalls.
This discussion has been archived. No new comments can be posted.

'Robocall Strike Force' Proposal Could Stop Caller ID Spoofing

Comments Filter:
  • the task force pays for itself... from the untold billions the carriers made on every spam / scam call they put thru to you.
  • I would say about 90% of all landline calls are spam at this point.
    • by Anonymous Coward

      I would say about 90% of all landline calls are spam at this point.

      I put the political calls in that category too - and they're all robocalls.

      And for some reason, a lot of them think that a robocall with their wife on it actually makes a difference. And if those robocalls actually make a difference, well my opinion of the American people cannot get any lower.

      My opinion of the US Electorate is at an all time low and I finally realized the genius of our Founding Fathers for making us a Republic and not a Democracy. Just look at most of the comments to that poll to the right

      • . . . .thanks to your crappy VoIP service, we shut down our landline **just prior** to the blizzard of political robocall spam. Because that's what it is: Unsolicited and Commercial. . .

        Of course, that won't stop them from trying to call our cell phones, but the target is at least more diffuse.

        As for the Republic, I fear that it is dead, but don't worry, the American Empire has replaced it.

        Ave, President-Imperator, nos morituri te salutabat. . . . .

        (evil grin)

    • I would tend to agree with you. This also falls into a "no-brainer" type of law. I cannot reasonably imagine a legitimate use for caller-ID spoofing (outside of maybe the law).
    • I have toyed with the idea of turning my land line into a 1-900 number so that the robocallers have to pay me to talk to the box.

  • by Joce640k ( 829181 ) on Sunday October 30, 2016 @09:40AM (#53178655) Homepage

    Why are they even messing about with this?

    Require mandatory jail sentences for anybody installing/operating this equipment and the problem will disappear overnight.

    The same goes for a lot of other crap the people have to put up with. Start throwing more scumbags in jail and the scumbags will stop doing it.

    Maybe a general "scumbag" law that can be applied retroactively to people who try to beat the system. If a jury decides that somebody is being a 'scumbag' then anybody with a history of the behavior being judged can have the law applied to them.

    Vote for me in the next election!

    • Comment removed (Score:4, Interesting)

      by account_deleted ( 4530225 ) on Sunday October 30, 2016 @09:48AM (#53178679)
      Comment removed based on user account deletion
    • Start throwing more scumbags in jail and the scumbags will stop doing it.

      Because all those scumbag murderers already in jail has stopped people from committing murders. The same with rapists, child molesters, animal abusers, financial fraud and so on.

      It would be much cheaper to simply execute them since it serves two purposes.

      1) The criminals would be gotten rid of rather than being coddled by taxpayer money. They wouldn't be able to get out and go back to their criminal ways.

      2) It woul
      • by currently_awake ( 1248758 ) on Sunday October 30, 2016 @11:22AM (#53179049)
        Killing people for less severe crime has been tried, england killed thieves and robbers for a while. The result was a massive increase in murder and other serious crime as there was no difference in punishment and the more serious crimes had a better payout for the same or less risk.
      • Yeah. I'm in favour of all cold calling being made a crime. For me death alone is not enough, I would give them a choice between impalement and crucifixion. Since most of them are abroad in places like India or Pakistan I would be in favour of using drone strikes to take out the call centres.
        That would teach them.

        We get a lot of cold calls..

    • by EvilSS ( 557649 )
      You want to throw every telecom installer in jail? it's not like they are using special scam hardware, it's standard PBX equipment.
      • Yep. If you're installing a call center then you should make sure of the credentials of the people asking you to do it.

        This will be done by that person giving you a copy their installation permit and you looking up the permit on the government website to see if it checks out (correct person, correct address, correct installation date, etc).

        I may be cruel, but I'm just.

        • by EvilSS ( 557649 )
          What installation permit? No permit is required, at least in the US, to install a PBX in your building. Also what about VOIP providers? You want to arrest the guys who sold them their PBX equipment because one of VOIP provider's customers 5 years later scammed someone? You didn't think this through.
    • by quetwo ( 1203948 ) on Sunday October 30, 2016 @05:06PM (#53180565) Homepage

      The problem is that most of these scam calls are originating from outside the United States. Our laws can't do much outside the US without a lot of legal paperwork -- and in most cases it won't be worth it.

      One easy solution is to give consumers access to the BTN or Bill-To phone number. This is the number that is being billed for the call -- essentially pinning down the place where the call is being switched into the PSTN. If you get the BTN, you get the person behind the call -- regardless of what their Caller ID is. Unfortunately, right now, the only way to get access to the BTN is via the SS7 protocol (not available to consumers), or to compel your phone company to give it via a subpoena. Enough abuse from a single BTN -- cut them off until they can clean up their act.

      • Then they can find a way to make it available.

      • by Anonymous Coward

        "Our laws can't do much outside the US"

        Who says you have to do anything outside of the US? Require that all interconnections telcoms routing calls into the US either provide a legitimate caller ID, or a specific "unknown number"/"private number" code that consumers can block calls from if they desire. Any interconnection telcom that doesn't conform to this requirement gets blocked from the US telephone network.

      • The seemed to find a way to nail people under the "IRS scam" that was going around. I'd imagine that they could do something about this if they were so inclined.

        My first thought is that a non-local-originating caller should not be able to display a local number. If they want a North American # then they should have at least a local satellite office.

  • by Opportunist ( 166417 ) on Sunday October 30, 2016 @09:48AM (#53178681)

    We're all too happy to outlaw things that have no legal purpose, even if they do. Care to inform me what legal purpose spoofing caller ID could possibly have?

    • by 110010001000 ( 697113 ) on Sunday October 30, 2016 @09:56AM (#53178717) Homepage Journal
      All businesses use it to make the call appear to come from the general office number. So if an employee calls someone they don't get the direct number to that employee, just the general business number.
      • You explanation is perfectly valid for why a business might assert a particular CID that is valid within the company, but not what carriers allow people to assert any CID not registered to that individual or company.

        The only way to solve this problem is to make the carriers accountable for allowing such behavior. To be clear, I am less concerned about unwanted calls and much more concerned about scammers. If a carrier allows scammers to forge their identities then the carriers are complicit in the scammer

        • by EvilSS ( 557649 )

          You explanation is perfectly valid for why a business might assert a particular CID that is valid within the company, but not what carriers allow people to assert any CID not registered to that individual or company.

          Because when the system was put in place no one foresaw VOIP and the extremely low barrier to entry for doing this. So they didn't design the system with misuse of the CID assignment from a PBX in mind. So they went with the simpler implementation and then technology happened.

          • VoIP is actually irrelevant; there is still a hand-off from a customer to a carrier in order for the call to be connected outside of a local network. There will either be a voice gateway with PRIs or some sort of SIP trunk. The carrier has the option of restricting CIDs but few do.

            • by Nethead ( 1563 )

              I was given the option by my local carrier for the company PRI. I chose to only allow the DIDs that we lease. Not that I was going to spoof, but if someone got in via SIP to our system at least it would get back to me so I could investigate and fix.

            • by EvilSS ( 557649 )
              It's not irrelevant, and I already explained why. Maybe read the entire comment first.
              • Maybe read the entire reply first before getting all indignant. The existing protocols carry sufficient information for carriers to lock customers into displaying only CIDs that the customer is authorized to display. Carrier equipment has had the ability to lock PRIs to customer CIDs for the past 20 years that I am aware of, likely much longer. VoIP still relies on a carrier unless you are talking about a limited VoIP deployment within a contained network. At the point of ingress a carrier can block una

                • by EvilSS ( 557649 )
                  Still missing the context I see. Why didn't the telcos require it all this time?
                  • Only the people behind closed doors know why the telcos did not require this, but in my experience it is likely for a few reasons:
                    1) Without a good architecture and integrated process managing CIDs requires an amount of administrative overhead
                    2) Telcos could not figure out how to charge customers for locking down CIDs
                    3) Locking down CIDs reduces call volumes and exchange fees

        • This. And every time the subject comes up, I propose that carriers should only automatically allow a company's PBX to request the display of a number that also appears on the same bill as the number placing the call.

          There would have to be some manual verification process to cover cases where several companies share a number (for example, a contract customer service call center) or one company uses numbers from several providers, since these would not appear on the same bill. That should be as simple as di
          • Well said!

            • Thank you! I've been posting this for years now and you're the first person to actually acknowledge it.

              Incidentally, I just got a call from my local DMV office to remind me of an appointment I have later this week. I didn't answer because they user the international format for their DID, so I assumed it was a scammer because, well, most calls from 800 numbers are scams and this one made itself look extra suspicious. If they hadn't left a message, I wouldn't have known who called in order to call back to c
              • You are very welcome. I have not seen your other posts.

                I agree with you on the CID spoofing. I never answer calls unless I know the number. People can leave a message. If it is legitimate then I'll add them to my address book.

      • by chihowa ( 366380 )

        That's the one valid use for this, but that could be implemented without allowing general spoofing. Between that and allowing people to block caller ID altogether (which most normal people wouldn't do and would guarantee that a telemarketer call wouldn't be answered), are there any other cases that warrant allowing the caller to arbitrarily set their own ID?

      • All businesses use it to make the call appear to come from the general office number. So if an employee calls someone they don't get the direct number to that employee, just the general business number.

        The sensible thing to do would be to have a "callback" number as well as a "from" number. The "callback" number could be set to the business' general office number, but it should be impossible to change the "from" number.

    • Why is it possible in the first place?

      If I were to design a protocol of this kind, one of the first measures I would take, in the protocol itself if relevant and in any implementation, would be to check that peer-provided source addresses match the routing system, making spoofing impossible. I cannot fathom that the people who designed this particular protocol did not do the same from the beginning, and even more so that they did not fix it since then.

      • Then your protocol would be broken, my PBX routes calls via the best carrier for a given destination. The CID might be the main 800 line an extension DID or an individuals cellphone (which tend to call forward into DID's for VM and desk phone roll over). Many of those carriers I dont have any DID's with nor do I want any.

        It would be fairly easy to require LOA's the same as IPv4 just a nightmare to administrate where once you get big enough the requirement goes away. Looking for odd DID origination is als

        • Checking foreign calls to ensure they don't have a local caller ID would go a long way to stopping this. Or you could display "Foreign" before the caller ID for any call that originated outside the trusted network. You could do this for email and text messages as well. Or you could bill the phone company for scam and spam calls so stopping them pays money instead of costing them money.
          • You dont seem to get how the PSTN works. Foreign you mean oversea's? so get few buck a month VM via bitcoin and you look like a US PBX now. These guys are not using indian/russian telco's to do this they are back hauling to the US via VoIP as they dont realy care about call quality only cost. It's not uncommon for them to hack legit PBX's to save costs either.

            People keep thinking a hack system like we put in place for ipv4 will work but there are billions of DID's ipv4 doesn't work well with only million

      • by swb ( 14022 ) on Sunday October 30, 2016 @10:46AM (#53178895)

        The PBX predates caller ID.

        The PBX was fed with trunk lines which actually phone numbers, usually unrelated to the called number. When an inbound call was made to 555-1000, telco switched that call at the CO to one of the trunk lines. Outbound calls worked basically in reverse, the call went to the PBX which chose an open trunk and completed the call.

        Direct Inward Dial (DID) involved buying a block of numbers which had no physical line associated with them and these were programmed to be switched to a trunk at telco with signaling that passed the called party number to the PBX so it could complete the call to the internal extension.

        This system had to be adapted to caller ID. Early outbound calls often showed the trunk's phone number, but IIRC you could get telco to basically rewrite those calls to a customer specific number, usually the main number, if your switch lacked the software or signalling to pass the calling extension out.

        PBX software eventually got the ability to pass an extension's DID to telco, so caller ID passed to the called party would see the number the call came from, even though it may have passed over an analog trunk with a completely different assigned phone number.

        Basically, caller ID has, for anything other than single POTS or cell lines where telco handled all the switching, been a kludge on a system that wasn't built for caller ID, and spoofing was a necessary feature.

        The problem all along has been lazy and/or greedy telcos who never bothered to implement sanity testing on spoofed calling party info and just accepted all of it rather than build in checks that the calling party info actually represented numbers assigned to the calling party.

        And I'm sure much of it was made worse by call centers, for whom number spoofing was a business feature -- doing business for a company who WANTED call center calls to come up as their numbers. And VOIP vendors who wanted to use IP networks to route calls and unload them onto POTS at the cheapest point, terminating a call from a DID block leased from telco A using circuits leased from carrier B.

        • by quetwo ( 1203948 ) on Sunday October 30, 2016 @05:25PM (#53180665) Homepage

          Actually, since digital switching began in the 60's and 70's, there have been three fields transmitted with every call (well, a lot more, but these are relevant)
          BTN = Bill To Number -- this is the number that the call is billed to. This is actually validated by the connecting carrier, and still is today. In most cases it will be the circuit number, SPID, or an account number for really large customers.
          CPN = Calling Party Number -- this is the number that the call is presenting itself as -- the Caller ID if you will. A long time ago, this was always validated by the phone company against the customer's record of DIDs. In the early 90's the LECs started charging companies to open up this field so that they could hide call center numbers, etc. and to make their phone number their brand. In the late 90's some LECs started offering this as a standard feature as a differentiation against other CLECs.
          RTN = Route To Number -- this is the number the call is destine to.

          This biggest problem is that we started getting a lot of smaller CLECs that didn't understand the technology well enough and started giving everybody closer access to the PSTN (for example, by not watching the CPN they were sending). The problem was exacerbated when VoIP became a thing and CLECs started allowing anybody access to the PSTN with no restrictions and no regard to their physical location.

          These scams are hard to track down. I'd venture to say that 80% of them are running on stolen credit cards, on AWS (or other cloud provider) EC2 instances, connected to some VoIP provider that is billing another stolen credit card. They connect their SIP phones from anywhere to the PBX in the cloud and they start. Labor is cheap in other places in the world and with everything being in the cloud they can be pretty much anywhere. If they get shut down, they just use another stolen credit card and launch another EC2 instance and they are back in business a few minutes later.

    • by Anonymous Coward

      I used to work for a company that would make automated calls on behalf of our clients to people with existing business relationships or optins (club memberships, renewal notifications, etc.). One of the selling points was that we would spoof the caller id to make it look like it was coming from the store/location that they had made a purchase from or had registered at, that way they would a) know who was calling them and b) could use redial to call back and get that store/location.

      Everything was legit, thi

    • by Greyfox ( 87712 )
      Back in the day I used to run an asterisk server that listened for calls on a landline. When a call came in, it would check the caller ID against a white list and send matching numbers out over voip to my cell phone. Since my voip provider would accept any caller ID I entered, I'd spoof the outgoing caller ID to my cell phone to be the incoming caller ID of the person calling me. Kind of an edge case, I suppose, and I could have lived without the feature, but there are valid use cases.
  • Why did we design systems which implicitly trust the information provided by a sender? Why are packets that claim they are from an IP address that doesn't belong to that ISP or phone numbers that don't below to a specific service not immediately blocked at the first router?

    • by emil ( 695 )

      The PSTN/POTS trust design is likely older than both of us combined.

      Fortunately, autodialers also must trust "Special Information Tones" (SIT) that announce a disconnected number [lifehacker.com]. I put this SIT tone on my voicemail.

      Because I ported my longtime landline number, "Rachel from card services" was leaving me messages several times per day. With my SIT tone trick, she is now long gone. I really don't miss her.

      • by quetwo ( 1203948 )

        Sure, autodialers, by law are supposed to trust those tones. Guess what -- the people making these scam calls don't care, and often don't respect them.

    • by Anonymous Coward

      The trust model predates most people on this site. In the olden days calls cost money, long distance calls cost lots of money, spam calls were therefore not profitable. Without an incentive to exploit it, the broken trust model wasn't an issue.

      Today spam calls are profitable, and the carriers have an incentive to let as many calls as possible complete so that they can skim some revenue off the top. The "enumerated prohibition" model of the do-not-originate list is clearly intended to have as many gaps as po

  • A trial of the "DNO" list that's been running for the last few weeks on some IRS numbers has resulted in a 90 percent drop in the volume of IRS scam calls

    How do we know, the drop is not explained by one such big scam operation getting busted [slashdot.org]?

    The scam-calls I'm getting, for example, — 2-3 times per day — do not pretend to be from the IRS' numbers at all...

  • by JimMcc ( 31079 ) on Sunday October 30, 2016 @10:40AM (#53178881) Homepage

    I didn't read them all, but T-Mobile's solution is an app which you install on your smart phone. The description says that it's a free trial and they state up from that it is a paid service. So if you want protection from spam/scam calls you need to pay extra. I get tired of the various carriers nickle and diming you to death.

    • AT&T is pulling that shit too, apparently My mother said something like "My caller ID names are gone, and it's just numbers now. It said something about the free trial being up." that must be what she was talking about, she just got a new Galaxy 7 Edge with AT&T service.

      I'm on Verizon and I get names and numbers as part of basic caller ID service, AFAIK.

      • Doesnt the phone match up the number with your phones internal contact database?
        • That gives you local caller ID names, kind of a local whitelist. With landlines there is a "name service" that provides a number AND a name, usually (when not blocked, spoofed, etc.) but that doesn't get sent to the cell network, apparently. So, the latest version of Android has it half-baked in as a paid service feature or something.

      • by phorm ( 591458 )

        On mobile phones this isn't a big deal, since anyone in your contact lists is automatically matched up with the number. Heck, it's on things I give Kudos to Apple for, since apparently in IOS the answer "button" is different for recognised/non-recognised callers.

    • by quetwo ( 1203948 )

      The database that does the CLID -> Name lookup is owned by a company called NeuStar. They charge the telephone companies roughly a penny for each lookup they perform for each call. That's why there is a charge for pretty much every company to provide this data...

  • by Lumpy ( 12016 ) on Sunday October 30, 2016 @11:01AM (#53178963) Homepage

    force all call routing tables that all telcos use to be authenticated. Yes that means poor poor multi million dollar businesses will have to pay $100 a year to have their giant VoIP system to be verified and validated. home VoIP is forced to be sent through a certified telco that locks the CID information and disallows ANY changes.

    Honestly it could be fixed in only a couple of months if people got off their asses.

  • This does nothing to handle those that bounce their calls off of vulerable VoIP or other devices. This happened to me recently; the ID was of some girl in a local city that has (had, hopefully) an Android phone that has obviously been hacked. It's unlikely someone is going to spend the kind of money required to trace them in this manner, unless they suspect it's a Big Fish they're going to catch.

  • by MrKrillls ( 3858631 ) on Sunday October 30, 2016 @12:58PM (#53179429)

    As long as there is no better alternative, landline telecoms see no downside to a lax stance on robocalls. But if I cancel my land line and just use my cell, because I can control how my cell phone responds better, then the landline industry has motivation for attacking the problem. I am going call my telecom and tell them they will lose my business if the industry doesn't get serious on this. I include political calls, surveys, the whole set of unsolicited calls.

  • CLID (standard Caller ID) is sent out by the sending phone/PBX, and is not trustworthy. ANI (Automatic Number Identification) is used by telcos for billing info, and it works, Otherwise telcos would be in financial trouble. Yes, it is available, but telcos want to "monetize" it, so they charge an ar and a leg for anybody who orders it.

    • by quetwo ( 1203948 )

      CLID and ANI are the same thing. The BTN is what you are really looking for (The Billing Telephone Number)... Field 0x71 on SS7, according to Telcordia...

  • i use tracfone they don't have a system the even tells you whos calling unless you save the number to you address book.
  • The real problem with call-id is that you can lie. You can identify the calling party number as any collection of 10 digits (in the US). There is no check. Even this 'Do Not Originate' is a blacklist approach, which as we know has its limits. Rather the system should only allow you to say you are one of the numbers you own, as in those assigned to the line being used, or assigned to the organization which owns the line. Case in point, when a DID enabled desk phone calls out for pizza, the caller-id giv

  • That drop in IRS calls could also be due to the recent bust of the Indian scammers behind it all. As for the DNO, what's to stop some company setting up an automated phone routing center in BFE South Dakota? VOIP from India to the routing center where the calls would originate.

Children begin by loving their parents. After a time they judge them. Rarely, if ever, do they forgive them. - Oscar Wilde

Working...