It should be relatively easy to identify the bad actors here and I don't mean the spammers, I mean the telcos that make this possible, deliberately so, by essentially "laundering" spam calls.
My response to picking up a number is to answer the call and say nothing. Auto-dial systems will route the call to a person when they get a "live" response. I don't know the criteria but I'm pretty sure it's them detecting noise on the call (which could be voicemail).
A human calling will wonder what is happening and fill the silence by saying something. A machine will not.
I hang up within 6 seconds of this in the hopes that it affects some metric somewhere of this being a low-quality or spam call. I don't know if it does. I think I read somewhere once that it did. I could be wrong.
If a real human is on the other end and does say nothing in this window, they'll generally just call right back. You get the exact same number again then this time I'll answer it.
It is nice to filter contacts vs non-contacts but there are too many things on non-contacts. Businesses you deal with, primarily.
In the email world where obviously spam is a huge problem zombie relays that allow this (which I believe is the primary source?) can get blacklisted. Why don't telcos who do this also get blacklisted? Or at least identified? This isn't AT&T or Verizon. It's the little telcos that connect to them.
But is this all too little too late? I think we've discovered over the last 20 years that we're all pretty much over open networks. It's all opt-in now with the likes of Whatsapp, FB Messenger and so forth.
Oh and while we're at it, can we get rid of this stupid exemption to robocalling restrictions for political campaigning? It's defended as "political free speech". To me, this is nonsensical. Free speech doesn't mean that I should be forced to listen to it.
EDIT: Found an example [1] of the bad actors I'm talking about.
> Auto-dial systems will route the call to a person when they get a "live" response. I don't know the criteria but I'm pretty sure it's them detecting noise on the call (which could be voicemail).
I work with phone systems. It's usually determined by how long they hear a continuous sound at the start of a call. If it's relatively short (and it can be adjusted by settings), it assumes it's a live voice (like someone saying "Hello?" is usually pretty short). If it's continuous for a certain period of time, it assumes it's a voicemail.
For our speech applications we have different behaviors depending on which call disposition is detected (that's the term for this, also determines things like invalid phone numbers).
Sometimes when testing speech applications I'll pick up and scratch the receiver continuously or speak without taking a pause until the voicemail disposition is triggered so I can test a voicemail message without having to check voicemail.
We make these calls on behalf of health insurance companies for health reminders and surveys, so our calls are more legitimate than most, but we do use an autodialer to reduce the load on our live agents.
anon9001 1477 days ago [-]
Neat job.
Question you might know the answer to: I've noticed it's a pretty common practice to get appointment reminders with caller ID from the doctor's office. I like that feature. I'd imagine there are plenty of other legitimate use cases for caller ID spoofing as well. Do you have any idea how that's going to work with STIR/SHAKEN?
I'd guess it's going to be some kind of oauth for your phone number, where you own it and can grant spoofing access to other entities?
It's going to be a problem for some systems for sure, but as the STIR framework is used to attest the number, the caller itself doesn't need to do anything. The originating carrier then attests with a level certainty A, B or C who the caller is, and adds a crypto signature to the signaling.
The key here is the attestation. If the calling carrier (usually the provider of the DID in retail but in commercial, not necessarily the same carrier) can attest by the caller, then the call will go through regardless. So tele-center company can agree with the calling carrier that, basically, tele-center company really owns the number (A) or it's more or less certain of it (B) and the call will be sent attested.
TuringNYC 1477 days ago [-]
The case you are citing is not the one I would be most concerned about -- it is the spoofed numbers that should have been top priority. I get calls for different numbers (almost like they have been selected randomly) every single day selling cruises.
If you call the missed call back, you realize the person picking up didnt make the call.
anon9001 1477 days ago [-]
Be careful calling the numbers back. There's another scam where they use the equivalent of a 900 number to do billing to anyone who calls. The scammers use country codes with 3 digits to try and trick you into thinking it's a US number and hope that you attempt to return the call.
nimish 1478 days ago [-]
It took this long because the fcc is run by people who simply do not believe in using government to enforce oversight.
WillPostForFood 1477 days ago [-]
Good thing we replaced career lobbyist Tom Wheeler with someone who would actually do something, right? Are we so looking at the FCC through our worldview that we can't even acknowledge positive action?
Wheeler was born on April 5, 1946 in Redlands, California. He attended Ohio State University.[7] From 1969 to 1976, Wheeler led the trade group Grocery Manufacturers of America.[8] He then went on to work at the National Cable & Telecommunications Association from 1976 to 1984, becoming president of the trade group in 1979. For a year until its closure, Wheeler was president of NABU Network, before spending a number of years creating or running several different technology startups. In 1992, he became the CEO of the Cellular Telecommunications & Internet Association, a post he held until 2004.
We shouldn't interfere in the free market. Those robocalls are just good old American ingenuity.
rapnie 1477 days ago [-]
Indeed. I'm from the Netherlands and never, ever in my life received a robocall, and also do not know anyone else who received one.
vor0nwe 1477 days ago [-]
I'm from the Netherlands (born and raised) and have received several robocalls, until I registered my phone number on the bel-me-niet.nl web site.
Since then, I only get such calls from companies that got my details in exchange for some freebie. I tell them I'm not interested, and would they please stop calling me, and they do.
The only calls I got recently were in English with a heavy Indian accent, "Ilse Smid" or another stereotypically Dutch name, claiming to be from Microsoft Windows, and that my computer had alerted them that it had a virus... These scam calls all came from nonexistent Dutch phone numbers.
wiz21c 1477 days ago [-]
I live in Belgium. I receive such a call on average twice a (week) day. Sometimes it's just blank call (nobody answers) sometimes they're offering gifts if I go to shop X, they ask if I want to compare my phone/energy bill.
The funniest one is when my fixed line provider (let's call it P) calls me on my mobile phone (which is another provider) and ask me if I'm one oh their (P) customer :-)
(the explanation is that the mobile/fixed businesses are separated to avoid monopoly and, since they can't share customer data ('cos of data protection rules), they have to ask them again :-))
hyperman1 1477 days ago [-]
Seconded for the P. They call me every 3 months. Every single one promises they'll note in their CRM how I wont be contacted again. None can answer why they didn't read the note from all their previous calls.
warent 1477 days ago [-]
The deep level of suffering is very obvious in your post. Everything will be okay, but you really don't know the joys of relentless robocall spam that you're missing out on.
blame_lewis 1477 days ago [-]
Australia speaking. We get a buttload of spam calls from China (in Chinese, no less).
sova 1477 days ago [-]
Parliament should get on that
swsieber 1478 days ago [-]
People like to razz on it for being a free market, but it's really a gov. backed oligopy.
syshum 1477 days ago [-]
There is alot of people that do not have a proper understanding of what free market is, and misdirect the failing of the current markets from their proper blame point (government) to what they have associated with "free markets", failing to understand the influence that existing regulations have had on those markets including elimination of competition in the market.
Telco has not been a free market, ever.
zo1 1477 days ago [-]
Such a disingenuous argument. The government quite frankly ties the free-market with weird regulations that essentially prevent competition. And then we get snarky comments such as this that say "oh wow, look how badly the free-market failed". For an example of free market trying to solve this, albeit not in a great way, have a look at TrueCaller and similar software.
jonathanpierre 1477 days ago [-]
The regulations are not "weird". Before telcos were required to route all calls without discrimination, they didn't. And as soon as telcos are no longer required to route their competitors' calls, they stop. A recent example is the new area code for VOIP calls introduced in Germany in 2009. Major telcos just didn't route them, citing "technical reasons" despite being able to route local area numbers with the same mechanism without problem.
Competition is only a solution for problems where the telcos' interest and the consumers' interest align. And that's very rare.
will4274 1478 days ago [-]
? Telecom is one of most regulated industries in the United States. Not sure why this pattern ("look how bad the free market is" @ highly regulated market) is so common here and on reddit.
unishark 1477 days ago [-]
Because apparently every discussion on every message board needs to be hijacked to talk about one of the internet's four favorite political narratives, if there is any marginal relationship whatsoever.
Someday we'll have A.I. to screen calls for us, and hopefully it can also screen this highly-upvoted-but-worthless tripe from message boards for us.
SAI_Peregrinus 1477 days ago [-]
I'm pretty sure they were being sarcastic.
rat9988 1477 days ago [-]
He is criticizing the sarcasm.
_v7gu 1477 days ago [-]
> here and on reddit
If you pay upvotes and karma, you get unsubstantiated politicised arguments. The feedback mechanism rewards those comments.
darkarmani 1477 days ago [-]
I agree. Free the telcos to strictly requiring authenticated calls, so i can freely choose to ignore some calls.
Where did congress grant the FCC the authorities for that order?
chrisfinazzo 1478 days ago [-]
Ahem.
"An independent U.S. government agency overseen by Congress, the commission is the United States' primary authority for communications law, regulation and technological innovation."
You can have arguments until forever about what they should or shouldn't do, but their raison d'être is to set policy according to these overarching objectives.
Oh, and just to be clear, the lack of an Oxford comma in that quote is inexcusable :)
dantheman 1477 days ago [-]
Ahem, the authority comes from Title 2 passed in 1934.
In 2005, the FCC decided that ISPs should be regulated by them. From 2005 - 2012, Congress failed to pass new bills granting the FCC this authority. It was denied by congress. In 2015, the FCC decided that they didn't congress to grant that authority.
So yeah, the FCC website claiming they have an authority is not an impartial source. Two years later, the FCC reverted back to the Title I classification.
So for 2 years, the FCC claimed a power that they were not authorized to claim.
If Congress wants the FCC to have this power they can easily pass a bill granting them that authority, they have repeatedly failed to do so.
The very first sentence of the communications act of 1934 says the FCC exists to regulate communication by wire, congress need not pass a law granting it[1]. And what wording could the new law possibly use that is more explicit than the existing "for the purpose of regulating interstate and foreign commerce in communication by wire"
It's inexplicable that the same party that claims the act establishing the FCC is more limited than the wording states while the federal arbitration act is continuously expanded to cover cases that neither the authors nor previous courts ever tolerated.
The GOP lays out an obviously slanted view about why they are opposed to the "utility-style" regulation that Title II entails.
However, this assumes that the market is functional when it's been clear since the '96 Telecom Act that it has been anything but. The idea that the FCC can't claim this authority without Congress acting first is FUBAR.
From pricing (generally higher for lower speed) to barriers to entry (the upfront cost for infrastructure is enormous), time has shown that carriers and ISPs will refuse to behave unless they are forced to.
Legislation is needed, but Republican arguments that a light touch will "preserve innovation" or some other nonsense doesn't work. 1993 was a long time ago and almost anyone who cares about this issue will tell you that Internet access is a utility (essential service, widely available, for reasonable cost) but the incumbent providers don't act like one.
(Save for maybe Google/WebPass, Sonic, and any number of municipal broadband initiatives)
75dvtwin 1475 days ago [-]
Bit off topic wrt robocalls, but on topic wrt FCC mandates.
What do you think about the 'Free Press' group asking FCC to sensor Trump's corona virus updates?
My strategy has been to do the exact opposite. I've claimed to have had the accident, spoken to the real person, asked them to hold the line whilst I finish something off some "urgent" work, received the follow up call after they hang up and asked them to call me back in a couple hours, again kept them waiting a few minutes. It really wastes their time and turns me in to an expensive call for them. Yes, it's wasted my time, but if we all did this they'd quickly run out of money.
IgorPartola 1477 days ago [-]
I employ one of two strategies. Either I answer with “911. What’s the location of your emergency?” or similar. If it’s a live person calling it usually gets them nice and confused. I then get to yell at them for calling an emergency line. My favorite was the guy I talked to when I pretended to be “Shepard Sharp, deputy director of the NSA”. “How did you get this unlisted number? Where are you located, we are dispatching a team to your location now.” This person seemed to believe me.
The second and more common is to simply ask for their company name, their name and employee number, and their boss’s name. By the time I get to the third question they hang up and often don’t call back again. In my state you can sue for unwanted cell phone calls and the max you can get is something like $1200/call, which I am happy to inform them of. No clue how to actually do this but if someone automates the process of filing a suit, I will split the profits :)
spartas 1477 days ago [-]
https://donotpay.com is an automated service that will collect the information you obtain from illegal robocallers and allow you to craft a demand letter.
Source: I've sent demand letters to vehicle extended-warranty robocallers using DoNotPay
karthikb 1476 days ago [-]
Have the demand letters worked out so far?
IgorPartola 1476 days ago [-]
Is also like to know if this has worked.
jazzyjackson 1475 days ago [-]
Yes when I'm getting a spoofed caller ID I like to ask where they're calling from, or just innocently, "who am I speaking to? what is your company name?"
I've never gotten enough information to file a complaint
frereubu 1477 days ago [-]
A friend of mine used to actively enjoy doing this. Most of the calls he got were of the "we hear you've had an accident" variety, and he would start with a generic story about something like a car accident. The story would slowly get more and more bizarre until he's eventually telling them a story like how he hit a lorry full of miniature circus animals, with loads of tiny tigers and giraffes bouncing off his windscreen. He'd see how deep he could get them into the story before they realise they'd been had.
notahacker 1477 days ago [-]
If it was actually a real person calling me about the accident, I'd love to respond with a furious "no it's YOUR fault' and try to convince them I'd literally just had an accident answering the phone whilst driving.
The time I told the robocall bot that this was very worrying because I was on my way to a driving test was actually true though. :D
gouggoug 1477 days ago [-]
I did something similar to this a while ago, but the scam was happening via text messages.
I spent a full weekend texting back and forth with the scammer.
Although I never went as far as your lorry of circus animals, I did give _many_ hints to him that he was being played with.
Now, the more interesting part is that I was particularly fed with scammers and wanted to see if I could out scam one, which I did.
On the Monday after that weekend, I managed to get my scammers to provide me with his bank account username and password.
Once I got this information, I checked that they were correct credentials and stopped all and every contact. I also did nothing with it as I didn't want to myself be on the wrong side of the law, nor did I want to mess too much with a scammer and get myself in trouble.
I don't see how people can sit there and watch this live with him trying but normally the clipped/edited videos are pretty funny how much he can waste their time
pontifier 1476 days ago [-]
I was livestreaming about a month ago and kept getting spam calls, so I decided to try to see what I could find out.
A website they pointed me to had a multidomain SSL certificate gave me a list of other scammy domains, and one that appeared to sell robocalling software. On that site I found a phone number to call to get started. I called the number and somebody immediately answered! I pretended to be an interested customer for a while, and he claimed to be the author of the software. I wasted his time for about 10 minutes asking questions about how it worked, and where i could get lists, etc. Then told him I wanted him to add a patch to prevent my number from being called again, and that I'd be calling him again if i got anymore calls.
It was very fun!
throwanem 1478 days ago [-]
I mute the mic and mash the keypad until the other end disconnects, no matter how long that takes. I find I get far fewer such calls than I did when I started, and the occasional hopelessly snarled-up IVR system is a nice bonus.
gcb0 1478 days ago [-]
i'm afraid there is an option that legally allows them o call me non-stop if I press 1 or something :) so i just mute and leave the phone on the desk to add some noise to their voice learning (and they have to pay for the call if it is over 4s)
Aloha 1478 days ago [-]
It took a while for the carriers to bring themselves into compliance with the technical requirements to make it work.
Basically, he walks through the history of the phone system and how it never really considered bad actors, and then what they are working on now and what it'll take to deploy it.
api 1477 days ago [-]
A lot like the early Internet. Hopefully we've learned that systems must be designed security-first to scale.
omgwtfbyobbq 1478 days ago [-]
The DOJ obtained injunctions against those bad actors a few days ago.
I'd noticed that initial silence thing as well, but mostly because I answer and speak immediately. The spammers generally have a lag on their software and connect shortly after my greeting. Then while I'm waiting in silence, they've missed that sign of life and sit there doing nothing.
cletus 1478 days ago [-]
So again, I don't really have a provable basis for this, but I don't want to give positive proof that they've reached a live human. I feel like that's a recipe for getting continually called.
darkarmani 1477 days ago [-]
> My response to picking up a number is to answer the call and say nothing. Auto-dial systems will route the call to a person when they get a "live" response. I don't know the criteria but I'm pretty sure it's them detecting noise on the call (which could be voicemail).
I do the same thing. I moved and my old number is forwarded through google voice. Everytime i get a call from my old area code I know it is a neighbor spam call as no one calls me from that area code anymore.
It's gotten so bad i let my calls go to voicemail now.
dhimes 1477 days ago [-]
The iPhone has a setting that has you route unknown callers to VM ("silence unknown callers"). I used to do the silent-answer trick, but this is so much better. If it's important,I get a vm and I'll call right back.
The times it has failed me is, actually, right now. I put in a call to have a delivery, maybe the last four digits are 4700- I've plugged that number in. But the guy calling me back calls on 4709 and gets VM. So I have to remember to turn this off if I'm expecting a delivery.
moron4hire 1478 days ago [-]
>> A human calling will wonder what is happening and fill the silence by saying something. A machine will not.
I've encountered robots in the last 6 months that have started with "Hello?" when I didn't say anthing. It tripped up my Turing Test at first, but eventually hit an ALICEBot-like moment that crashed the whole thing down.
logfromblammo 1477 days ago [-]
Telephone numbers are a synchronous interactive channel. If someone calls you to have a chat, they pay for your attention with their own. They can say something to you, and you can in turn say something back to them.
Robocalls shove someone else's voice into your ear, without offering you an ear in return. They signal a synchronous communication, and then reneg on that promise with a spammed asynchronous message.
"Political speech" is the same as every other kind of speech. There should be no exemptions for policy just because someone running for office is involved. They have the same duty of courtesy as everyone else, and we have the same right to block our ears from their spam messages as businesses and scams.
zw123456 1478 days ago [-]
um... cuz they get paid per call. So, just like ISP guys or Google or anyone else who is happy to irritate the fuck out of you for $.0001 per whatever useless crap that yields one in a million sales of some crap people don't need.
PhilosAccnting 1477 days ago [-]
While I haven't taken the time to research further, I figured I'd try to brick the algorithm by speaking absolute gibberish. I also tell everyone else I know. Since machine learning is still "dumb", I figured that enough people babbling incoherently would require the spammers to hand-scrub the data or make more training rules, both requiring more work.
No idea if it worked, but it was the least I could do to halt progress in the wrong direction.
kbuck 1478 days ago [-]
Regarding robocalls from political campaigns: I removed my phone number from my voter registration, because honestly I don't want any calls or texts from campaigns. I left my email address in case they want to spam that. I recommend doing the same (although at least with Gmail I find that several of the political emails end up in the spam folder...)
chillacy 1477 days ago [-]
> Good. But really, why did this take this long?
I know nearly nothing about telco software but after working at enough big places I suspect one likely answer is "because it's monstrously complex for both technical and human reasons, moreso than it might seem at first".
Autowired 1477 days ago [-]
> A human calling will wonder what is happening and fill the silence by saying something. A machine will not.
This is a naive assumption. I've come across robocallers that do exactly this. It is sort of trivial, if you think about it.
mtgx 1477 days ago [-]
Isn't it obvious? It's the NSA - same reason they haven't fixed the SS7 flaws.
I'll bet anything that even this "authentication" requires some sort of man-in-the-middle attack for the NSA before implemented, otherwise we wouldn't be seeing this announcement.
mulmen 1478 days ago [-]
Does this mean I can start answering my phone again? Are there other vectors for spam calling which are not addressed by this solution?
dsmithn 1478 days ago [-]
I really hope so. I stopped answering calls from unknown numbers until a year ago when I got a call from the same number twice and it was a paramedic calling to let me know my wife was in a car accident. She was awake enough to remember my number but her phone was lost.
So now I can't help but answer calls from unknown numbers even though I know 999 out of 1000 of them will be spam. It's abusive and an incredible waste of everyone's time and energy, not to mention in my case I wasted 10 minutes of critical time I should have been with her at the hospital.
jborichevskiy 1478 days ago [-]
Missing an emergency call like that from a family member or close friend is one of my fears. I do hope these regulations come with teeth.
I have a feeling the fake emergency calls are much more obvious than a real one, though. I will say, however, that emergency family calls are probably successful in the older generations.
battery_cowboy 1477 days ago [-]
Most of those services use a different network, or their devices are flagged as emergency numbers and get some priority. Why doesn't the call from a paramedic or other emergency number go through as a high-priority call and indicate as such? When I call 911 my cell goes all nuts telling me about how it's got priority service and the UI changes to an emergency-colored UI with some additional information, so when they call me when my wife is in the ER, why not have the phone go nuts and force me to answer it?
jborichevskiy 1477 days ago [-]
Good point - that would be awesome.
anitil 1477 days ago [-]
That nightmare scenario is the only thing that makes me answer unknown numbers. Also, a family member has a job in health and often calls from a withheld number so I end up answering a lot of spam.
In Australia a lot of it seems to target Chinese international students for some sort of visa-related scam ('Your visa is out of date, the police are coming, you need to pay your fees immediately in gift cards').
75dvtwin 1478 days ago [-]
I hope this addresses the abuse.
See [1]
It basically asks the telecom operators to implement
digitally signed certificates.
So it would work, if I understand it conceptually, like your web browser, when it receives https traffic unsigned certificate, or https traffic from a domain that's not part of the certificate chain.
Therefore, this mandate will prevent 'spoofing'.
And without spoofing, the spammers would necessarely have
to reveal their identity, and there are already bunch of
existing legislation to prevent them from doing this type of business.
I missed important business calls when in US. Because they were calling using same area code where my sim card was registered, so I thought it was from the area local to me.
It is horrible, I am sure people actually lost not just business value, but also had negative health impacting incidents, due to this abuse of telecommunications.
> I missed important business calls when in US. Because they were calling using same area code where my sim card was registered, so I thought it was from the area local to me.
I just ignore calls from my prefix. There's literally nobody in my contacts that has the same prefix I have, and I consider it extremely unlikely that any legitimate calls will come from there. 90% of spam calls come from my prefix, and most of the rest come from out of state (different area code entirely).
Another way is to just ignore all calls not in your contacts, and use Google voice's voicemail transcription (I think I've read about some way to do this with Twilio or another service, but I might be wrong).
annoyingnoob 1478 days ago [-]
Seems like the scammers may already be using smaller service providers which means you have at least two more years of not answering your phone. I like voicemail, if its important they'll leave a message.
manigandham 1478 days ago [-]
Yea, you still probably don't know what that number is. This just prevents spoofing, not the calls themselves.
derefr 1478 days ago [-]
As long as there's no spoofing, shared client-side software-level blacklists (i.e. the same "adblocking" we do elsewhere) can handle the rest.
It would solve 99% of the problem just to be able to block all the calls that either 1. originate directly in other countries, or 2. that originate from number-ranges leased to carriers known to exist solely for the purpose of leasing numbers to VoIP/softphone/"app calling" providers; or 3. that originate from numbers that refer to the PBXes of companies whose business is to proxy foreign numbers to appear as local numbers. (Heck, once there's no more spoofing, we'll notice how big of a problem those are, and we'll probably get a law against them.)
spockz 1477 days ago [-]
How does client side filtering work for unknown or private numbers? I tend not to pick these up anyway.
1478 days ago [-]
russdill 1477 days ago [-]
It depends. Do you own rental property?
0xff00ffee 1478 days ago [-]
After 15 years of cell phone spam, anything that shows up as a number on my personal phone, and not a contact, is reflexively ignored. I don't think I'll ever shake this habit: if it is important, they will leave a message.
jrimbault 1478 days ago [-]
I've pushed that reflex further : if it's important, the information will find its way to me.
munk-a 1478 days ago [-]
I just wish various Doctors and Dentists could jump on the text/email bandwagon. Those two groups are responsible for nearly all of my phone usage - with a slim minority (that is itself mostly spam) being calls from my bank.
divbzero 1478 days ago [-]
Even with banks I do not trust incoming calls and always return the call using an official phone number from the bank’s HTTPS secured website.
dahart 1478 days ago [-]
> I just wish various Doctors and Dentists could jump on the text/email bandwagon.
Mine have already, and I assumed it was becoming ubiquitous already.
I'm frustrated with it because I get multiple texts, multiple emails, and multiple voice calls & voice messages for every appointment I make. I want maybe one text reminder the day before or a couple of hours before and no more, just in case I forgot to set my own reminder. But usually I do have it in my calendar reminding me anyway, just two more notifications on top of the 10 the doc/dentist sends me... :P
gumby 1478 days ago [-]
They are subject to HIPAA comstraints.
athenot 1478 days ago [-]
More precisely an over-cautious interpretation of HIPAA that happens to annoy patients and is specifically called out by HHS.
Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.
Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.
There's something in HIPAA saying how the provider is to contact you? Over which channels?
I'm sceptical. I get texts from my dentist and in-app notification from doctor.
gumby 1478 days ago [-]
You have to ensure a channel that doesn’t gratuitously leak. Email took a very long time to be accepted, especially after things like hotmail and especially gmail arrived.
This is why fax is still so common in medicine and law (in law there’s also a belief that a fax confirmation says it’s been delivered, if not read, while email is considered less reliable / more easily deniable.
grawprog 1478 days ago [-]
Yup, my voicemail box is constantly full of spam messages to the point where, my voicemail's regularly full, I couldn't be bothered to listen to any of them any more and it's too much effort to clean it out. My last carrier used to send a text if I got a voicemail. If I got a text saying I got a voicemail from someone I knew, I'd call back, if it was a random number, I'd just delete the text.
alharith 1478 days ago [-]
"Hi jimmy, this is your mother. My phone died so I am calling you from the hospital phone. Your dad is in the hospital. Come quick."
In the above scenario that happened to me, sometimes you just don't have time to let the information find you.
penagwin 1478 days ago [-]
While this is a possible scenario- in my experience most people know to call multiple times - especially if they know that the recipient won’t recognize the number.
I don’t usually answer my phone from unknown numbers, but when I get three calls from the same number within 3 minutes I’ll pick it up.
dvtrn 1478 days ago [-]
I’m not getting into ALL the details but the “repeatedly calling” back and forth between two numbers quite honestly kept me out of jail overseas due to an embarrassing miscommunication and unintended breaking of a local law (backpacking in college, drinks were had, a friend made an ass out of himself if you must know)
I called a local friend, he didn’t answer. I called his wife she didn’t either. Both follow the “don’t answer unknown numbers” rule. As do I.
It wasn’t until I called friend a second time that he answered the phone. His response? “When my wife got a call from the same number back to back is when I started thinking this must be worth my attention.”
I wonder if it would be possible to set up something like this more rigorously. Give everyone unrelated two phone numbers. The first never rings the phone. The second only rings if the first was called within the last minute.
gibspaulding 1478 days ago [-]
Or perhaps just a pin they have to enter in order to get the first phone to actually ring. Basically 2fa for the right to bother me.
dvtrn 1478 days ago [-]
With a creative dialplan design one could do this with a private Asterisk installation (asterisk is behind so many of these cheap disposable phone number/voip providers anyway), though I suppose if one wanted to use someone else’s platform and infrastructure it’d be probably less effort with twilio or plivo
gruez 1478 days ago [-]
>While this is a possible scenario- in my experience most people know to call multiple times - especially if they know that the recipient won’t recognize the number.
I'm surprised robocallers don't do this too
jon_richards 1478 days ago [-]
Calling once selects for people more likely to fall for the actual scam.
yellowapple 1478 days ago [-]
Also, spamming/scamming in general is a numbers game. It's generally more profitable to move onto the next number on the list than to keep retrying.
gumby 1478 days ago [-]
They do
catalogia 1478 days ago [-]
That would suck, but fear of that scenario isn't enough to make me answer my phone for spammers 5 times a day.
MaxBarraclough 1478 days ago [-]
Also, I'd hope they'd have the initiative to leave both a voicemail and an SMS.
jfengel 1478 days ago [-]
Especially with a service like Google Voice that will transcribe your voicemails. I will look at those; it takes a fraction of a second to dismiss the spam.
Fortunately, I only get a few of those a week, so far.
BenjiWiebe 1478 days ago [-]
Check your spam folder. I find Google voice itself is pretty good at blocking spam calls/messages/texts.
1478 days ago [-]
paulie_a 1478 days ago [-]
Was your presence at the hospital going to aide in his treatment?
ChrisClark 1478 days ago [-]
Wow...
SketchySeaBeast 1478 days ago [-]
I'm struggling with the decision of whether to automatically block anyone not in my contact list and leave a message in my voicemail explaining why. Don't want to be unfriendly, but it's only getting more ridiculous.
p2t2p 1478 days ago [-]
> Don't want to be unfriendly
Given my experience with robocall and stuff, I _do_ want to be unfriendly. I hate to guts that a lot of people assume that they can interrupt you at any given moment. One guy called me when I was driving and wasn't having any of that, kept on complaining that I didn't pick up.
My current plan right now is to have a landline number from my internet provider (that's SIP essentially). Whenever anybody requires a phone number give that.
Now, there will be an voice mail device on my side with message: "Hello, you've reached p2t2p and his wife. We _DO_ _NOT_ appreciate your call. If you think your message is important, leave a message and we maybe, just maybe call you back. Otherwise, use email please".
And that is not even for bloody robocalls. Every single bloody prick think they are important enough to steal my time. Hey, I wrote you an email so respond to email, dumbass, don't call me. There were one windows installation company that stopped interacting with as soon as I told them that I won't pick up the phone and asked them to use email.
I guess the ultimate solution is to have my iPhone in permanent "contacts only" mode.
macintux 1478 days ago [-]
I’ve been paying for Vonage for 10-15 years now so I can keep my old landline phone number active to give out to businesses. Haven’t had a phone hooked up to it for nearly all that time. Voicemail + transcription works great.
koolba 1478 days ago [-]
You can get that for free with a google voice number. If you can’t port directly, the indirect method is to sign up for a PAYGO mobile phone and port your number there as an interim hop.
macintux 1478 days ago [-]
I don’t trust Google with my email. Not going to trust them with my voicemail.
(Yes, I know, a significant portion of my email ends up in their hands anyway.)
grahamburger 1478 days ago [-]
Recent versions of Android have an option to automatically screen callers who are not in your contact list. The caller gets a robot asking them why they're calling, and you can view the transcript of their response in real time and decide whether or not to answer.
SketchySeaBeast 1478 days ago [-]
I thought that was Pixel only option - I'll have to dig in and see if it's available on a Samsung.
ChuckMcM 1478 days ago [-]
As I recall this was a Google Voice feature as well.
My mobile carrier puts "scam likely" on calls that its algorithms have determined are likely spam, I wish there was an android option to just not ring the phone if that was the caller ID name.
bonestamp2 1478 days ago [-]
My carrier was doing that but I haven't seen it on any spam calls lately.
unclebucknasty 1477 days ago [-]
I've used this feature and each time it occurs to me that the next step for spammers will likely be to simply leave the message, as they will still get an impression via the transcript.
texasbigdata 1478 days ago [-]
It's nice but buggy!
zszugyi 1478 days ago [-]
I did try it for a bit, but it was annoying when Uber drivers and delivery people were trying to reach me.
frank2 1478 days ago [-]
Maybe we should lobby Uber to add functionality to their mobile app to eliminate the need for a legacy phone call.
Maybe after a few popular apps do that, the phone companies will start to fear losing relevance and finally take effective action against phone spam.
SketchySeaBeast 1478 days ago [-]
Yeah, that's my fear as well - I'd miss signal in the noise filtering.
alistairSH 1478 days ago [-]
I did this as soon as the iPhone offered it.
It only bit me once in several years - I was expecting a call-back from a doctor and they weren't in my contacts. Missed their call, which caused a several hour delay and some annoyance (thankfully not for something critical).
codegeek 1478 days ago [-]
Yep me too. I just don't pick ANY unknown number, period. If it is important, they will leave a voicemail.
manigandham 1478 days ago [-]
This is now a feature on both iOS and Android to mute incoming calls that are not a contact. Voicemails still work fine, and with automatic transcription and all the other digital channels still open, there's no real reason to worry about anonymous calls anymore.
evan_ 1478 days ago [-]
Yeah this worked really well for me until the county health department called from an unknown number to tell me my child had been exposed to COVID-19.
manigandham 1478 days ago [-]
Did they not leave a voicemail? Was there no transcription? How'd you end up getting the info?
evan_ 1478 days ago [-]
They called my wife, who didn’t have that set.
They actually also emailed and texted us both so in reality there was no chance of us missing that specific message...
dheera 1478 days ago [-]
I actually block all calls unless they are scheduled in advance, with the exception of SO/family
dbg31415 1478 days ago [-]
If it’s important, they can text me. I ain’t listening to voice mail. Eww, what is this, the Middle Ages?
sinak 1478 days ago [-]
About a year ago I changed my voicemail to say "Sorry I missed your call. I don't listen to voicemails, please send me a message by SMS instead."
I couldn't recommend doing so more. Text is so much easier, even if you have voicemail transcription.
Simon_says 1477 days ago [-]
Sounds like you're in your Middle Age.
PunksATawnyFill 1478 days ago [-]
Good question. I recently started getting Internet-originated SMS spam on AT&T, which Verizon gave consumers the means to block a decade ago.
When confronted with it, AT&T whined that they can't block it... which is absolute bullshit. Not only does Verizon let you block it, but it isn't even shown as coming from a phone number, but rather a GMail address or other non-numeric source. So obviously this pattern could be used to filter it.
AT&T also pummels customers with multiple texts for several days a month to tell them that there's nothing wrong with their accounts. No exaggeration: They badger you to tell you that your monthly auto-pay is going to happen, and then WHOA it DID happen! They wake you up for this, and insist on sending these idiotic notices via TEXT and not E-mail.
Again, when confronted on it, AT&T whined that they can't do anything, and that customers should put themselves on the Do Not Call list... which expressly ALLOWS companies you DO BUSINESS WITH to communicate with you.
AT&T: hating its own customers.
gjs278 1478 days ago [-]
you can start answering your phone now
pshiryaev 1478 days ago [-]
No. The spammers will relocate to India lol.
ugh123 1478 days ago [-]
I didn't see anything in there about penalties for carriers not enforcing this. Also willing to bet they beg for extensions claiming they're not ready - or too costly to implement.
equalsione 1477 days ago [-]
New legisation is being enacted around this on an ongoing basise:
e.g H.R. 4998 was introduced about two weeks ago
All the major carriers are implementing a STIR/SHAKEN strategy that should be in effect by next year.
But it is complicated to do and there may still be problems when they do - as others have explained here it's not as simple as it first appears.
I don't have any sympathy for the operators in this. They've profited from this for long enough and ignored the problem. There's a lot of pressure on them to solve it and the impression I have is that there's no appetite for "the dog ate my homework" excuses from regulators so let's see.
ableal 1478 days ago [-]
Good point. I suspect carriers tolerate scammers because they're good for the bottom line.
jazzyjackson 1478 days ago [-]
The same way USPS is funded by junk mail, a large volume of Telecoms' voice calls is likely robo-caller spam. Still I would have thought either Verizon or AT&T could come up with a competitive advantage of, you know, "the number that comes up on caller ID is authenticated to actually be the person paying for that phone number"
The spoofed caller ID to match your local area code has landed on people in my contact list, and it was extremely jarring to think "why is my best friend's mom calling me out of the blue" and get offered a discount cruise by a robot.
Simon_says 1477 days ago [-]
Telecoms have no problem figuring out who to bill.
0x00000000 1478 days ago [-]
When I got a new phone, I got a text saying that I was on a free trial of Verizon’s spam call blocking service. Needless to say they have every reason to remain complicit
rhizome 1478 days ago [-]
If my mom's bill is any indication, the telco's getting ~$40 for each landline. Not sure what a voice T1 goes for these days.
webkike 1478 days ago [-]
If you’re wondering if STIR/SHAKEN was a James Bond reference, the answer is yes, and SHAKEN stands for “Signature-based Handling of Asserted information using toKENs”
nsxwolf 1478 days ago [-]
Backronym writing is a real gift.
1478 days ago [-]
aasasd 1478 days ago [-]
I vaguely wonder sometimes as to what's the origin of the extreme US cheesiness with these names. Like, it's elementary-school level kitsch.
So far my guess is ‘the forties’. Or maybe the fifties, with all the ‘atomic’ ridiculousness.
aasasd 1477 days ago [-]
However, I gotta say I like the semantics where the more emotionally positive the title, the worse the actual bill is. Other countries tend to hide that behind uninformative titles or just numbers, so you have to read the actual bill to figure out if it's good or bad. With the US, you can be sure that a ‘GOODTHING’ bill would be something from 4chan.
The name in the post seems pretty emotionally neutral.
plandis 1477 days ago [-]
Really missed out on the opportunity to have STIR/SHAT
tgsovlerkhgsel 1477 days ago [-]
How will delegation be handled?
Right now, I guess I'm "spoofing" my caller ID by using a VoIP service unrelated to my actual phone provider to make outbound calls. My phone provider has every incentive to sabotage this, since this alternative provider allows me to pay probably something like 1% of the rates I'd be paying to my regular provider.
The VoIP provider verifies that I own the number before letting me use it as caller ID, but towards the network it still relies on the ability to send arbitrary caller IDs. Will this remain possible/will providers controlling someone's phone number be required to somehow enable this?
How will this work for call centers that want to send a central well-publicized inbound number from multiple locations?
Edit: So I read up on the protocol The SIP provider will provide a claim, signed with their key, confirming that they checked my number.
This leaves the possibility of providers having bypassable checks (I think mine e.g. let you set an arbitrary caller ID if you edited a HTML dropdown client-side) and "how to identify which provider is trustworthy", but that seems a lot easier to solve than the original problem.
mehrdadn 1478 days ago [-]
Can someone explain what this will translate into in terms of the end-user experience? For one thing, authentication will be next to useless (at least to me) if my phone is still going to ring. So does that mean it's not going to ring for a spoofed number? Also, if it results in tons of voicemail then that's still going to be quite annoying. (How) is the actual end-user experience going to be addressed?
cglong 1478 days ago [-]
From my understanding, it basically means all telecoms will be required to do what T-Mobile already does in the U.S. If I get a call and the reported Caller ID doesn't match the transmitted one, it reads on my phone as "Scam Likely".
Pixels also have their own solution to this: If that condition occurs, the Google Assistant will answer the call and auto-decline if it is actually a robocall.
mehrdadn 1478 days ago [-]
So that means phones will still ring (unless you have a Pixel or something)? That will still drive people crazy!
yellow_lead 1478 days ago [-]
Some carriers may have the ability to limit calls to customers based on attestation level. Customer could configure they only want to receive i.e "A" attested calls. This means the carrier from where the call originated knows that the customer who made the call owns the number they dialed from.
mehrdadn 1478 days ago [-]
Right, but I guess I'm asking, are plans for this in the works? Because currently I'm not aware of anything like this, nor of any plans to implement anything like this. None of the announcements suggest it might be happening either, so that's why I'm lost as to what the end-user experience would be.
yellow_lead 1478 days ago [-]
I can only speak for one carrier, and the answer as of this moment is no. Pretty much everyone is struggling to meet the FCCs aggressive timelines and do interoperability testing with each other. After that is done, maybe. I'm sure the FCC has upcoming requirements based on this, but to my knowledge those aren't out yet. If the FCC doesn't make additional requirements, then it will depend on the carrier's decision. I'm under the assumption that they will introduce those additional requirements though.
mehrdadn 1478 days ago [-]
I see. Thanks!
hwbehrens 1478 days ago [-]
iOS also has a feature to send unknown calls directly to voicemail without ringing through [0]. It seems an easy jump to classify numbers into three categories (known, unknown but authenticated, and unauthenticated) rather than two once reliable authentication is available.
I think T-Mobile only does this for postpaid users though. Prepaid users are excluded AFAIK.
nulbyte 1477 days ago [-]
It is available to all customers[1] with a supported device (plan doesn't matter, but I suspect prepaid customers are more likely to have cheaper, unsupported devices).
Hmmm. Interesting.. When I was on postpaid, I used to get caller ID with something like "Scam Likely", but since switching to pre-paid, I don't get those anymore. Looking at their page about it, it only mentions post-paid.
Wrong. Prepaid MVNO Metro By T-Mobile has this feature as well.
imajoo 1472 days ago [-]
I can't be sure about Metro since I don't use them, but I've gone from postpaid to pre-paid on T-mobile and I no longer get the the warning/caller ID saying it. Even on their page, it does not mention anything about pre-paid.
Also, their website doesn't have the option for me like it used to, and here's a thread on their site from 2018 that talks about it not being available to pre-paid users:
The thing this will address is certain classes of scams that rely on spoofing a specific area code. The infamous “Windows support” calls, which generally spoof a Redmond, WA area code. The IRS/FBI/Immigration scam calls that spoof Washington DC area codes. These are scams which defraud people of huge sums of money every year, mostly the elderly and immigrants.
noahtallen 1478 days ago [-]
Most of my spam calls originate from a number close to my area code. Now that I live on the other side of the country, it’s easy to tell when I’m getting a spam call from where I first got my number
kristofferR 1477 days ago [-]
Do people generally know area codes other than their own area?
larrywright 1477 days ago [-]
At least on my iPhone, for numbers that aren’t in my contacts, it shows the location under the number. I’m assuming based on area code. So it will say Redmond, WA right on the screen.
throwaway829 1478 days ago [-]
> STIR/SHAKEN enables phone companies to verify that the caller ID information transmitted with a call matches the caller’s phone number.
Seems to target spoofing. If they can eliminate spoofing it should make tracking down bad actors easier which should ultimately put many of them out of business.
mehrdadn 1478 days ago [-]
I don't think actually tracking down the bad actors is the motivation for this is it? You're still going to be blind to the call behind the originating network; you just won't get attestation as to its identity.
nine_k 1478 days ago [-]
Fraud becomes harder because unauthorized impersonation of someone else's number becomes illegal and is (hopefully) technically prevented.
Because of this, you can just blacklist spammers again, and burner numbers for them become harder to come by.
ninkendo 1478 days ago [-]
This is the correct answer. Forcing all numbers to be authenticated doesn’t stop scammers from calling you, it just makes it easier for you to make an effective blacklist. (A blacklist around which Apple and Google, etc would be wise to make a good UX.)
II2II 1478 days ago [-]
Presumably it would reduce the amount of fraud. While it may not deter legal nuisance calls, that should make the phone a more reliable communications medium. That's especially true for businesses and government since, with the current state of affairs, it isn't even worth verifying that an incoming call is legitimate. Not to mention that spoofed numbers make targeted attacks possible.
mehrdadn 1478 days ago [-]
Off-topic, but your sentence made me realize a useful difference between "lawful" and "legal". I first read "legal" as "relating to matters of law" rather than "lawful", and then realized you meant the latter. Now I see why the word "lawful" might be used!
Regarding your actual reply, though, that basically means we shouldn't really hold our breaths for this to actually stop calls? :\ Just less fraud, which is nice, but from the only thing that makes these calls such a nuisance.
g_p 1478 days ago [-]
From my understanding, spoofed calls won’t get onto your carrier’a network under this model, let alone ring your phone. All this assumes that sorting out spoofing resolves the problem, which isn’t guaranteed.
Thanks, that link is a much better overview. It seems the calls will still reach the destination network, and the phone then, but with potential for the operator to signal the likelihood of it being an unwanted or spoofed call.
I imagine we will see a tickbox in the operators apps and web settings portals to block or send such calls straight to voicemail (or similar), as they'd be able to be distinguished via the reduced attestation level.
r00fus 1478 days ago [-]
Maybe I'm missing something but if authentication is allowed, it will allow the client or carrier to block calls based on authenticated ID accurately. RN that's effectively impossible.
mehrdadn 1478 days ago [-]
Yeah I get that, but I'm asking what a user should expect to actually happen by that time, not what a user should expect to be theoretically no longer impossible by that time.
Nursie 1478 days ago [-]
This is a first step, make all this stuff able to be traced and authenticated.
Step 2 is to start to put the fraudsters in jail, now we can figure out who they are.
This also means easier blacklisting for the client.
hirundo 1478 days ago [-]
90% of my phone calls are from the same outfit informing me that this is my last chance to renew the extended warranty on my car. Based on my call history that recording is officially my best friend. And a very forgiving one given that it has been my last chance hundreds of times over the past several years. I hope this regulation won't interfere with our relationship.
JumpCrisscross 1478 days ago [-]
> the same outfit informing me that this is my last chance to renew the extended warranty on my car
I get this too. Which is great, my being a New Yorker who hasn’t had a driver’s license for close to a decade.
pathseeker 1478 days ago [-]
What do you use for an ID? Passport card? State issued ID?
mumblemumble 1478 days ago [-]
A non-driver's state ID works for everything you'd use a driver's license for except operating a motor vehicle. Even though people typically say, "Driver's license" when they really mean either kind of state-issued ID card.
koheripbal 1478 days ago [-]
Isn't a driver's license nearly as easy to renew as a non-driving state ID? I don't see the point, even if you only need to rent a car on rare instances.
II2II 1478 days ago [-]
There are people who choose not to drive. If you have never had a license, there is nothing to renew. Then there are people who do not qualify for a driver's license (e.g. medical reasons).
Heck, I've lived most of my (middle-aged) life without ID and probably haven't used it in the past three years.
kelnos 1477 days ago [-]
Usually the state ID is cheaper, but not so much that if you already have a driver's license you'd "downgrade", most likely. YMMV, though.
closeparen 1477 days ago [-]
Driver’s Ed isn’t a rite of passage for New York City kids like it is in suburbia. Lots of people just never learned.
r00fus 1478 days ago [-]
Being carded for buying liquor. 2ndary auth for CC charge (rare now). Proof of status (veteran/senior). Voting (where required).
JumpCrisscross 1478 days ago [-]
> State issued ID?
This.
entropicdrifter 1478 days ago [-]
It's generally a bad idea to carry your passport around just because it has your SSN printed on it
JumpCrisscross 1478 days ago [-]
> passport...has your SSN printed on it
My U.S. passport certainly doesn’t.
(Agree that it’s a poor form of primary identification. It is bulky. It is difficult to replace. And it contains more information than you need for identification.)
kube-system 1478 days ago [-]
US passports do not have SSNs printed on them.
mmhsieh 1478 days ago [-]
this is not true. but if you need to carry around proof of passport there is a passport card you can get for North American travel only.
laurencerowe 1478 days ago [-]
The passport card is no longer valid for international flights, only entry by land or sea.
blahedo 1478 days ago [-]
It was never valid for international flights. It is, however, valid as ID for domestic flights (and I have used it as such).
kelnos 1477 days ago [-]
Entertainingly, it is even valid in lieu of a REAL ID if you don't get around to getting a new ID before Oct 2021.
zymhan 1478 days ago [-]
No, it's generally a bad idea to carry it around in a foreign country when you don't need it that day, as having it pickpocketed would suck.
Having it pickpocketed in the US would be far less of a headache, minus lacking an ID for a few weeks.
njarboe 1478 days ago [-]
This is bad advice. You will need it in almost any country when getting stopped by the police. That can happen any time. This will be more of a problem in some countries than others. If you really can't find a way to carry it without getting pick pocketed then a least carry a xeroxed copy with you.
ComputerGuru 1478 days ago [-]
Does it really? I can’t find anything to agree with that.
jandrese 1478 days ago [-]
I let the call go through once just to see what kind of extended warranty they were willing to give me on a '93 Ranger with 250,000 miles.
I even hit them with "But YOU called ME with this extremely urgent notification! It's my last chance, you gotta help me!", but sadly I couldn't get her to give me a quote.
reaperducer 1478 days ago [-]
100% of the spam calls on my work phone in the last six months have been trying to sell me Marriott time shares.
I don't know if it's actually Marriott or not. I suspect it's just one of those "affiliate marketing" scumbags, but it still makes the brand look bad.
fortran77 1478 days ago [-]
It's not Marriott. I feel a little bad for the big hotel chains whose names are used by telemarketing scammers because their reputations get tarnished.
tjr225 1478 days ago [-]
I get these on a semi weekly basis!
MFLoon 1478 days ago [-]
Mine are mostly offers for a pre-approved $250,000 loan, available in less than 48 hours, for my non-existent small business. Curious what stolen mailing list I'm on that makes scammers think I'm a small business owner. Flattering really, that they'd think I have the potential to become one.
tomcam 1478 days ago [-]
Try registering a domain name without privacy.
amyjess 1478 days ago [-]
I don't even own a car, and I get them all the time. I make sure to very loudly laugh whenever I get one of those calls, even when I'm completely alone (which has been a little over two weeks solid now...).
macjohnmcc 1478 days ago [-]
Well we really wouldn't want you to miss out on this opportunity to get that warranty. Were here when we call you.
Knowing a number is legitimate is great, going after scammers and those that support them is better.
Negitivefrags 1478 days ago [-]
Why is this problem unique to the USA?
I'm not saying I never get spam calls, but I certainly have to scroll back quite a bit in my phone call history to see the last one.
Also, on the rare occasion I do get a spam call it's always from some random international country like South Sudan or Oman that I would never expect a phone call from.
What makes this problem uniquely hard to solve for the USA as opposed to anywhere else?
floatingatoll 1478 days ago [-]
Prior to the quarantine, I was getting 5-10 per day.
The USA's implementation of caller ID does not require telephone providers to verify that the caller ID provided to them is real (prior to this order).
It also lacks the regulatory structure to "trace" (prosecute/fine) calls through the various interlocking copper, cellular, and internet telephony networks, even when each provider in the chain has data.
It also lacks the legal experience in knowing how (and the political will) to prosecute an individual who dials random phone numbers with an app on a cell phone using a prepaid SIM card and conferences whoever they're calling into a spam line to disguise the spam line's phone number.
Finally, our regulatory system is captive to politicians who depend critically on spam calls for political purposes, and continue to fight to have those calls exempt, making it vastly more difficult to stop all robocalls because some are legal and others aren't.
mulmen 1477 days ago [-]
During the last presidential election I got a spam call in an elevator. Like, the emergency phone in the elevator actually rang while I was inside. It picked up automatically and I had to suffer through 20 seconds of Donald Trump shouting about immigrants until the doors opened.
reaperducer 1478 days ago [-]
Why is this problem unique to the USA?
Every time this topic comes up on HN, someone asks that same question.
Then there's a bunch of responses that are lots of suppositions.
Then several people from small European countries chime in saying they've never had a spam call.
Then a bunch of Europeans from large countries show up saying they get spam calls, too, and it's not just an American thing.
"Why is this problem unique to the USA?" is pretty much a meme at this point.
Also...
You start with "Why is this problem unique to the USA?" Then follow immediately with, "I'm not saying I never get spam calls" which means it's not unique to the USA. So your first sentence is invalid.
omginternets 1478 days ago [-]
Oh, I can actually weigh in here. In the past ten years, I've spent significant amounts of time in the US, France and the UK.
In the UK, I get the occasional spam call ("I'm calling with regards to the recent accident that wasn't your fault..."). At its peak, I got about one such call per week. It's been months since I've had a spam call.
In France, I got zero. In the 7 years I lived there, I got exactly zero.
Every time I go to the US, I get 2-5 per day ("last chance to renew the extended warranty on your car").
As is often the case, things are bigger in the US.
jakub_g 1478 days ago [-]
Living in France since 2012, I get zero French spam calls on my mobile. I'm getting some immediate-disconnect calls from Algerian numbers though (no idea what those are). I used to get silent calls on a landline though, back when I had one (even if I never gave the number to anyone). One fine day I just disconnected it as it was annoying.
I used to get occasional spam calls on my rarely-used old Polish number, but since beginning this year they somehow stopped (late effect of GDPR perhaps?)
perl4ever 1478 days ago [-]
Different people in the US have different experiences. Why is some random anecdote (assuming it's not made up) good enough to define xxx million people? I don't get 2-5 calls per day. My experience is more like what you describe with the UK. But that could be affected by my being on the do not call list on one hand, and on the other, occasionally answering a telemarketer by accident when I'm waiting for another call.
omginternets 1477 days ago [-]
>Why is some random anecdote (assuming it's not made up) good enough to define xxx million people?
It's not. Who told you it was?
Experience reports are still useful and interesting.
Legogris 1477 days ago [-]
France has actually been the worst for me spam-call-wise - used to get daily calls until recently. I think it comes down to chance (handing over your cell to the wrong hairdresser/gym/restaurant/online shop/whatever) and once you're in the wrong register, the online thing you can do is rotate numbers.
teruakohatu 1478 days ago [-]
In New Zealand many people get 1-2 per day, often using UK numbers (+44)
hadrien01 1478 days ago [-]
I live in one of the largest countries in the EU and I receive one, maybe two, spam calls a month (and always coming from countries outside the EU). From what I understand from the never-ending list of articles about spam calls in the US, some receive tens, sometimes hundreds of spam calls every day! So yes, this problem is, from our EU perspective, unique to the USA.
lukevp 1478 days ago [-]
I get 5-10 per day in USA these days. I turned on silence unknown callers and it’s not terrible anymore but still ridiculous that it’s allowed to happen.
mumblemumble 1478 days ago [-]
I would not be surprised if turns out to be a bigger problem in the USA (and perhaps also Canada) than elsewhere simply because the USA is a bigger, easier-to-access pot of honey. It's a large area where everyone speaks the same language, lives in roughly the same regulatory and infrastructural environment, and has a lot of money to be scammed out of.
Europe is also a big pot of honey. But people speak all sorts of different languages, so you'd have to redo the scam in a bunch of different languages, which increases the effort needed to operate it.
China has way more people all speaking the same language, but relatively less wealth per person, which reduces the potential payoff. Also, I wouldn't be surprised if China has already closed off most the holes people exploit to operate these scams, because they seem less inclined than the US government to fart around about silly crap like this for literally decades on end.
Latin America has scads of people all speaking the same language, too, but they're split up among a whole bunch of different countries, which I'm guessing also makes the scam more expensive to operate at scale than it would be in the English-speaking bits of North America.
igammarays 1478 days ago [-]
I'm not sure why your comment is being downvoted. Having THE largest rich homogenous market segment in the world with a weak regulatory environment (aka a free market) is probably a huge factor in scam targeting. See also Amazon fake inventory and fake reviews, which are a much bigger problem in Amazon US than in Amazon Canada, for example.
nullc 1477 days ago [-]
To me it suggests they're resource limited rather than victim limited currently.
This means they'll exploit the most profitable targets almost exclusively. It doesn't have to be much more profitable, just the most.
If they were victim limited, they'd expand the pool of targets to include the most profitable N until they became resource limited again.
Is precisely why US get so many Spam calls, and very little in many other developed countries on earth.
And judging from that, it is also no wonder why SMS passcode hijacking is much common in US as compared to many other places.
It reality it really is an US thing, much like how rest of the world have public health care ( Good or not ), and it wasn't until ObamaCare did rest of the world realise public health services is not a standard practice in the wealthiest nation on earth.
octocop 1478 days ago [-]
Isn't FCC unique to USA? Well there you have it.
selectnull 1478 days ago [-]
Hmmm... no! I guess every country has an equivalent agency to FCC.
octocop 1477 days ago [-]
That has also passed something similar?
skissane 1478 days ago [-]
> What makes this problem uniquely hard to solve for the USA as opposed to anywhere else?
Starting back in 2018 or so there has been a big problem in Australia with scam robocalls claiming to be from the Australian Tax Office. The area code on the phone number said it came from Canberra (Australia's national capital) which made it look more legitimate–even though in reality the call was coming from an overseas call centre. The robocall started out by saying that you owe a tax debt and the government was about to commence legal action against you. I got several, most people would hang up realising that the tax office would never do that. (It is illegal for them to discuss your tax affairs without confirming your identity first, so they would never begin a call by saying you owed them money.) But, some people (many of whom were older/vulnerable people), stayed on the call until the live operator connected. The live operator would then pressure them to go to a store and buy thousands of dollars of gift cards (such as Apple iTunes gift cards) and then read the gift card details out over the phone.
(Definitely the incidence of these fake calls appears to be falling, in my personal experience, so I think the Australian authorities'/industry's attempts are producing some results.)
toast0 1478 days ago [-]
There's a bunch of reasons why the US is targetted by spam callers.
a) it's a large market with a large penetration of internationally chargable credit cards. Several countries in the EU have their own payment systems including a bunch on a push model --- it's hard to scam germans over the phone because it's going to be hard to get them to send you funds without a german bank account; and if you have a german bank account, that's going to get you caught. Everywhere can process US visa and mastercard though.
b) large community that can be addressed with a single language; yes, there's a lot of people who would prefer another language, but they can probably be scammed in English (Although, with a bay area number I do get a good amount of scam calls in Chinese).
c) last, but probably most important; outbound calls to the US are incredibly cheap, as long as the number is not in Alaska. It's easy to find retail voip offers for less than 1 cent per minute to US numbers; and it doesn't matter if it's a landline or a cell phone. Calls to most EU mobile phones are at least 10 cents, but many countries are closer to 30 cents. That adds up quickly.
devonbleak 1478 days ago [-]
Embedded corporate interests and lobbies fighting against solutions because it'll cost them money to implement or lower their revenue once implemented. The usual.
throwaway894345 1478 days ago [-]
What solutions does Europe, etc have that the US doesn't? Genuine question.
michaelbuckbee 1478 days ago [-]
A working legislature?
throwaway894345 1477 days ago [-]
Clever. What solutions has said legislature come up?
throwaway894345 1477 days ago [-]
*come up with? (apparently I missed the edit window)
thomasfortes 1478 days ago [-]
Don't know about Europe, in Brazil spam calls are common but you can register your number in a consumer protection organ to say that you do not want unwanted commercial calls and if you keep receiving them the companies can be fined, for me it works "ok", there still companies that don't give a shit but at least the amount of calls I receive was reduced a lot...
* Carrier maintainer blacklists and other tools have also been used by providers for a long time.
* My provider, Voip.ms, enforces a provenance whitelist by default. This block all SPIT calls coming from unspoofed caller ids. That may not sound like a lot, but yes, many of those calls are just random poeple picking their phone or mobile apps using the real phone number. Having regulation to track internal sources of SPIT (and enforcing it) helps too.
* In Canada, you can subscribe to a non-telemarketing list. That doesn't help for scammer, but it helps for unsolicited ads, political spam and private surveys. This works when enforced with actual penalties for all parties involved.
kube-system 1478 days ago [-]
Canada's non-telemarketing list that was implemented in 2004 is essentially a copy of the US legislation that was passed the year prior. It doesn't help though, as neither the US nor Canada have jurisdiction in India, et al.
mrlala 1478 days ago [-]
If you were setting up a little scam operation.. who would you target?
Would you decide to set it up to call over 40 different countries in europe? Each with their own way to show phone numbers.. each carrier attempting to block spam calls in different ways.. each country virtually speaking a different language.. most countries having some different banking/credit card systems..
Or would you target the united states which everyone in the country has the same phone prefix, pretty much all speak one language, banking/credit card system is the same, etc.
It just makes sense for scammers to target the US. You can target hundreds of millions of people the exact same way.
bdamm 1478 days ago [-]
As a bonus, the country has a high ratio of people desperate for services who also have enough money to successfully swindle. Many elderly Americans really believe that a stranger on the phone might be their ticket to improved conditions.
morei 1478 days ago [-]
That argument just suggests that the US has more scam operations, not that it has all of them. Crowding out is still an effect, so scam operations are incentivized to target other countries as the US becomes fully 'supplied' with scammers.
robert_foss 1478 days ago [-]
In Sweden telephone operators can be forbidden from let spam categorized numbers reach you.
That and you know.. breaking the law has actual consequences for both spammers and telcos.
StavrosK 1478 days ago [-]
Same in Greece, I think it's EU-wide. When you tell a spammer you're registered in our do-not-call registry, they get scared pretty quickly and swear they'll never call again. They usually don't.
kube-system 1478 days ago [-]
The US has had a do-not-call registry for 17 years. It still doesn't deter spammers who are not subject to US law.
Back in the early 2000's I remember doing the same thing you're describing: startling spammers by telling them that I was on the list. But today, the people calling don't care because they aren't inside of the US.
PeterisP 1477 days ago [-]
This is what anti-spoofing is for - it's trivial to deny calls from India or Russia or whatever if you're not doing any business there, the problem is that currently they're spoofing a local number.
If you're being called from a local number, then this should mean (and outside of USA actually means) that there's somebody who's subject to local law and fully responsible for ensuring that the spam laws are met. If you're a telecoms operator sending in calls to the nework, then you ensure that the fines get paid - the spammers are, naturally, liable, but if you enable access to scammers in an unreachable jurisdiction or insolvent shell companies, well, it's coming out of your pocket and it's your problem on how to recover these losses. In USA, however, telecoms who specialize in providing such access to phone spammers have a legal and profitable business model. This needs to change.
kube-system 1477 days ago [-]
CID spoofing is an entirely different thing from getting a local VoIP number. A lot of spammers just get local VoIP number, that's not spoofing, that's just a real local number.
CID spoofing is when you tell the network to display a different caller ID value than the actual originator. This never had any sort of authentication in the US (until the announcement in the OP)
Most of the spam calls in the US aren't CID spoofed, but some egregious scams are. This is usually used for things like scammers displaying "SOCIAL SECURITY" on the caller ID.
The US just generally doesn't make carriers liable for the crimes of their users. We don't need to change that, and I don't think it's a good idea either because of the unintended affects that could have on accessibility. We just need to require controls that authenticate proper use of the network. The announcement in the OP is one step towards doing that.
But preventing CID spoofing alone is not going to stop spam calls from local numbers, because VoIP.
1477 days ago [-]
pkaye 1478 days ago [-]
Do the spammers speak greek or english?
StavrosK 1478 days ago [-]
Greek, why would they speak English? They're usually phone companies offering discounts.
pkaye 1478 days ago [-]
In the US we get a fair amount of spam calls originating from India. So an english speaking country would be their target.
StavrosK 1478 days ago [-]
Hmm, I see. What are they selling?
pkaye 1478 days ago [-]
I think mostly IT scams or falsely representing a tax agency. But these days I mostly get automated calls. I have a way around those which is when I answer a call, I don't speak until the other side says hello. Automated calls just assume the line is dead and hangup. I think these automated called are used by the spammers to identify live numbers a flurry of real call will follow up in a few days.
StavrosK 1478 days ago [-]
That sounds really annoying, I can't imagine being bothered by spam calls multiple times a week.
JumpCrisscross 1478 days ago [-]
> telephone operators can be forbidden from let spam categorized numbers reach you
How does this help with a spoofed call from India?
Humphrey 1477 days ago [-]
Australian here.
Until this HN post it never occurred to me that you could spoof phone calls. While landlines used to get lots of spam calls, perhaps I've had just two of these calls to my mobile in my life. Each time I typed the number into google and found reports of that number being spam. And maybe less than 20 spam sms's.
Does this mean that other countries (such as Australia) do not allow spoofing of numbers?
liambates 1478 days ago [-]
Having lived in the UK and now the US, the problem is definitely more pronounced over here. In the UK I was receiving a spam call maybe once a week at most. In the US I was getting about 2-3 a week on a pretty new number before blocking all unknown calls.
I assume it's simply more worthwhile to create a fraudulent scheme aimed at a larger population with more potential marks.
kube-system 1478 days ago [-]
The US just has a lot of VoIP providers, English speakers, and is a high income country. It is just an easy target.
bonestamp2 1478 days ago [-]
It's not that the problem has been solved elsewhere, it's that other countries aren't as big of a target so it's not as big of a problem in most other countries (for a variety of reasons). That said, some area codes in Canada are getting bad too.
tinus_hn 1478 days ago [-]
It’s not, but the scale... in the Netherlands if your number is on the lists you get I’d say about 5 calls from ‘Microsoft’ each month, not multiple calls a day.
1477 days ago [-]
bscphil 1478 days ago [-]
I guess I'll be the one to go against the grain here: I might have received 2-3 spam calls in the last year, here in the US. This implies that most spam callers aren't simply dialing random numbers, they're getting lists from somewhere, and by luck or by care my number hasn't ended up on their lists.
amiga_500 1478 days ago [-]
Because they are unable to organize themselves. See healthcare and schools for other examples.
igammarays 1478 days ago [-]
Free market problems.
Florin_Andrei 1478 days ago [-]
> Why is this problem unique to the USA?
It's the price we have to pay for Freedom (TM).
bryanmgreen 1478 days ago [-]
Right now I use Apple's "Send Unknown Numbers To Voicemail" feature and dear lord it has saved my life.
Some have provided timelines (such as AT&T), others skirt around it basically saying that they offer call SPAM protection already but that they will go along.
ilamont 1478 days ago [-]
Kind of curious why it took so long. Spoofed calls for fraud, swatting, etc. have been around for at least ten years.
tommoor 1478 days ago [-]
Only in recent years has the FCC been inundated with complaints about it. Seems like there was a tipping point in volume the last couple of years
chefandy 1478 days ago [-]
Way more than 10 years. I saw a pretty in-depth demonstration on using this sort of spoofing for social engineering at H2K2, the 2600 HOPE conference in way back in 2002.
nsxwolf 1478 days ago [-]
Longer than that. As long as ISDN/T1 PRI lines have been around. A completely unhindered spoofing playground.
gnopgnip 1478 days ago [-]
There are three big issues. Robocalls and spam were not as severe an issue until relatively recently. Political robocalls in the US are an important part of how some politicians get elected and raise funds. And these solutions cost a non trivial amount of money, without increasing revenue directly.
bmm6o 1478 days ago [-]
This is about requiring authentication, not blocking robocalls in general. Right?
gnopgnip 1476 days ago [-]
Authentication means blocking any calls with spoofed or no info
bmm6o 1475 days ago [-]
Right, but does robocall imply spoofed or no info? Can't they just include authentication?
closeparen 1478 days ago [-]
Why it took so long to get all the participants in a federated network to adopt a new protocol?
If that were easy we would have solved email spam too, 20 years ago.
user5994461 1478 days ago [-]
and indeed gmail has fixed email spam for almost 20 years.
unishark 1478 days ago [-]
Spam filtering is based on the content of email. To translate this (partial) success to phones, we'd have to let a private 3rd party monitor phone conversations, record them on its server indefinitely for training their AI, and screen them for us based on what the caller is actually saying to us.
deadmutex 1478 days ago [-]
The problem had gotten worse due to easily available tools used to automate the calls.
nsxwolf 1478 days ago [-]
Is this going to impact PBX systems that use ANI Information Elements to route calls and provide caller information to customer service applications, etc? Spoofing is kind of at the heart of those things.
skrtskrt 1478 days ago [-]
ANIs will still get "spoofed" as there are many legitimate use cases, but you have to "have permission" to use the number you're spoofing, meaning either you own the number or your underlying service provider owns it on your behalf.
The legitimate use case is basically: I am placing this outbound call over VOIP or a different phone line, but I want this ANI to show up on the callee's phone, so when they call back they go to the correct line (dentist's desk, software sales line, whatever)
phs2501 1478 days ago [-]
The issue is when I have a automated answering system (asterisk, for a museum). It rattles off some prerecorded info, possibly with prompting. To talk to a human, I need to forward the caller (I.e. call and set up a voice bridge since the caller is already connected to me) to one of our volunteers, which will be to their cell phone (we are a railway museum and we don't have a staffed office on weekdays). I want to forward the call with the original caller's phone as the caller ID so that if they miss the call our volunteer can call back easily rather than trying some awful game of tag via calling back the PBX.
skrtskrt 1478 days ago [-]
This should still be available, though it will likely take some work from the underlying software provider to be compliant.
The goal of the regulation is to cut down spam/scam calling, not legitimate uses, and the telecom providers know these uses and lobby heavily to make sure they'll still be allowed to work.
The telecom providers don't like scam calls either, or more specifically they don't like short calls. All the work and compute power in telecom is used to set up the call, then the cost of keeping it going is minimal so the longer the call goes on, the more economical it is for the provider
rob-olmos 1478 days ago [-]
How will it still be available and what underlying software work in Asterisk is being referred to?
Based on the given situation, the museum won't own the caller's cell phone number that they're trying to legitimately spoof for their staff's cell phone.
skrtskrt 1478 days ago [-]
You've reached the limit of my knowledge here regarding implementation details :)
I previously worked at a telecom software company, and I know everyone with their shit together has been preparing for this for a long time, which is why I'm not concerned that these common cases should continue working. These softwares are often built on top of or on a branch of Freeswitch/Asterisk.
phs2501 1478 days ago [-]
Good to know; I admit I haven't looked at the technical side of this. Mostly I was just providing my "legit" use case for wanting to spoof numbers since I think a lot of times most people don't realize they exist.
rob-olmos 1477 days ago [-]
Interesting. I did not think of the potential case that Asterisk could forward the STIR signature forward. Thanks!
1478 days ago [-]
annoyingnoob 1478 days ago [-]
I guess you are not spoofing when you are using your assigned DIDs and not just making up any old number.
Cymen 1478 days ago [-]
Any ideas on how this will be implemented? I use voip.ms and I can put in my cell phone number as my caller ID so I don't need to pay for a DID (basically, rent a phone number) and calls come back to my cell.
I've thought about some potential SaaS products that would leverage a similar approach. But I would authenticate the number back to the customer before allowing it to be used to avoid spam/malicious use.
I'm guessing this is down a layer at the provider level. So in my case, voip.ms would verify the number I'm using as my caller ID is actually a number that comes back to me. Right now, I just tested by swapping my wife's cell number in, they do not validate this. Now I understand how people are spoofing numbers so easily.
Obvious approach is to voice call or text the number and require the confirmation code to be entered on the website. Just curious though if there are other requirements or if this is up to the provider.
davidajackson 1478 days ago [-]
I don't think SHAKEN/STIR will stop robocalls, because the economics won't change. It's too easy for foreign robocalls to cycle numbers once one gets blocked. It will help with impersonation, but I don't believe it will significantly decrease robocall volume.
I think the telecommunications world will need to adopt whitelisting instead of blacklisting. I run a whitelist-based robocall blocking service called CallStop and a lot of customers have straight up given up using their landline, or their personal number with unknown numbers.
People who claim that whitelisting is a bad solution because it could block an emergency call don't realize that many people don't answer unknown calls anymore--and I don't think SHAKEN/STIR will change that.
ehsankia 1478 days ago [-]
Can you extend a bit on that, maybe I'm not understanding the problem right. Isn't having calls being authenticated the first step before you have whitelist/blacklist? Once every call can be definitively attached to a given source, then you can ban any foreign provider that let's these proliferate completely, no?
davidajackson 1478 days ago [-]
SHAKEN/STIR + Whitelisting is the best solution. SHAKEN/STIR by itself isn't going to change things too much I think. But it is a step in the right direction.
Whitelisting without SHAKEN/STIR is still extremely functional.
There are billions of unique American numbers possible, and with 250-500 average contacts per random dial, contact spoofing is not statistically significant.
ehsankia 1478 days ago [-]
That's what I was getting at, S/S seems like a foundational step, before being able to whitelist/blacklist. You first need to be certain about the source of the call before you can actually moderate it. Without authentication, spoofing makes banning numbers meaningless and dangerous.
fortran77 1478 days ago [-]
Not when you can contact spoof banks, major drug store chains, AppleCare, etc.
davidajackson 1478 days ago [-]
Good point, if they're calling from a specific number. I see of lot of complaints about companies like FedEx though, where the calls come from random numbers.
Wowfunhappy 1478 days ago [-]
How do you get a new US phone number? (I'll likely block anything from outside the US if authentication happens.)
davidajackson 1478 days ago [-]
You don't, you just forward your current number to protect it.
megavolcano 1478 days ago [-]
I swear to god the number of times I've hung up on people threatening visits from the FBI because I'm behind on my taxes (spoiler: i'm not) has been driving me literally insane. Maybe I can actually turn my ringer on my phone off of silent mode one day.
mikorym 1477 days ago [-]
Do robocallers spoof the number that gets displayed? I haven't personally seen that.
tomcooks 1477 days ago [-]
If you get phonespam whisper at increasingly lower volumes, then out of the blue shout I HAVE ALREADY TOLD TO YOUR MANAGER TO BLACKLIST MY NUMBER WHAT IS YOUR SURNAME AND CUSTOMER SUPPORT ID
They usually hang up at 'blacklist'.
peter_d_sherman 1478 days ago [-]
I think this is a great idea on the one hand...
...But it will equal-and-oppositely create a market, perhaps a black market, for anonymous voice calls on the other... Perhaps these would be delivered by an open source Voice-over-IP program which uses an anonymizing P2P network as its backbone...
Also... will it make any difference for phone calls that originate outside of our country?
Now, those small observations aside, I think that hard authentication of the source of phone calls, is a great idea to help combat scammers and robocalls... I'd use this service myself, and I know other people that would be immensely benefitted from it...
g_p 1478 days ago [-]
Sounds like a good first step to solve the problem of how the legacy telecoms systems were designed in a world of trusted peers federating. End result of course being spoofed caller ID spam.
Unless I'm missing something though, these measures don't do anything to address the gaping security hole in mobile networks around roaming interconnects. That seems to still be a pretty good way to do SMS and call interception, which are increasingly valuable as phones become the de-facto 2FA channel for access to banking, cryptocurrency services and more.
anonymousiam 1478 days ago [-]
I've got a FreePBX/Asterisk VoIP PBX and I've thought about running TeleCrapper2000 (https://hackaday.com/2005/09/08/telecrapper-2000/), but a better solution is to just put Google Voice in front of it and turn on "Screen Calls". It does a very effective (although not 100%) job of eliminating most robo/sales calls.
ulkesh 1477 days ago [-]
The audio delay on Google Voice is too horrible for an impatient person like myself. I’d love this feature baked into phones. Odd that it’s not yet.
cryptonector 1478 days ago [-]
About time. How will SS7 get fixed though?
wbsun 1478 days ago [-]
Finally, although there are still more than a year to wait. Hope there won't be any extension to this deadline.
Before that, I'll keep allowing calls from my contacts only, and bear the miserable inconvenience that sometime my packages may take a month to arrive because of denials of calls from the delivery guy.
devindotcom 1478 days ago [-]
There is in fact an extension for small providers who say they need more time.
tiffanyh 1478 days ago [-]
How do services like Twilio stay compliant with this regulation?
davidajackson 1478 days ago [-]
I'm guessing they talk with the carriers regularly about being complaint. I asked them about it recently and they said in a response ticket they were following along with progressions in authentication. There may be someone who works for Twilio on this thread that has more info though.
YokoZar 1478 days ago [-]
I answered my phone today, since maybe people are calling due to everything that's happening
Turns out they're still doing that robocall scam where they say you won a free cruise
0xff00ffee 1478 days ago [-]
Google Voice impact?
markovbot 1478 days ago [-]
are you asking if this will impact Google Voice? If so, I would imagine the answer is almost certainly that it will not at all impact Google Voice.
Google Voice works by acting as a proxy for outbound calls. You dial your friend's number, your phone dials Google, who in turn dials your friend with your Google Voice number displayed. Since Google is the legitimate carrier for your Google Voice number, I can think of no reason why they wouldn't be able to correctly sign the call.
Additionally, Google is listed as one of the companies that the 14 companies that the FCC appears to be working with (see the table towards the bottom of https://www.fcc.gov/call-authentication), so I assume they are planning to use it for Fi and hopefully Voice as well.
pandaman 1478 days ago [-]
Google voice also acts as a proxy for inbound calls. Your friend dials your GV number, GV dials your other phone number, which does not belong to Google and uses your friend's number (which may or may not belong to Google) as the caller ID. From the point of view of your telco, who services your phone number, Google is spoofing your friend's number unless your friend happened to call using another GV number.
kirykl 1478 days ago [-]
Maybe a registry of parties trusted to spoof
markovbot 1478 days ago [-]
What parties are trusted to spoof? Having a telecom industry group play favorites with who is and isn't allowed to spoof anyone's phone number sounds like it would be bad.
1478 days ago [-]
dayaz36 1477 days ago [-]
Hold up...does this mean all voip calls need to be authenticated too? Why is no one talking about the privacy implications of this?
zubi 1478 days ago [-]
For those who don't live in the US, this entertaining video by John Oliver might give some context:
Wait, wasn't this already done? Seriously! We are doing this now. Why has it taken so long!
hammock 1478 days ago [-]
What are the privacy implications of this requirement?
DaniloDias 1478 days ago [-]
None. You are already in a weak non-repudiation environment with cell phones. This solution will reduce some spoofing, but I doubt it will eliminate it.
It will be interesting to see who will be running the CA for these connections.
actionowl 1477 days ago [-]
I was wondering the same thing, then remembered that I have no expectation of privacy when using a phone anyways... that's where we are today. bleh.
leowoo91 1477 days ago [-]
Wait, caller-id was not authenticated all the time?
These concepts could be applied towards that purpose if the MNOs wanted to rejigger messaging within their networks & for inter-carrier connectivity- but pursuing that solution would likely be more challenging to implement than this solution.
RKearney 1478 days ago [-]
I have never received a spoofed SMS message so I already thought this was impossible.
ronack 1478 days ago [-]
It's definitely a thing and prevent some SMS use cases due to this security hole. This new FCC doc only references tracing the original sender.
"The FCC has also called on the industry to “trace back” illegal spoofed calls and text messages to their original sources."
Commodore_64 1476 days ago [-]
Nice
aalebel33 1478 days ago [-]
and all it took was a pandemic
markovbot 1478 days ago [-]
is there any reason to believe this is anything other than the next step in a long, slow-moving process? SHAKEN/STIR has been being rolled out for a few years now, IIRC most major players said they were going to have it deployed by the end 2019 (see response column of table towards the bottom of https://www.fcc.gov/call-authentication), now they're just setting a deadline of June 2021 to start authenticating calls.
Great, maybe after so many dead, the US government will start to actually do its job for a change. I'm not hopeful.
bigbird-media 1478 days ago [-]
Summary:
The Federal Communications Commission adopted new rules requiring caller ID authentication using technical standards known as “STIR/SHAKEN.” These rules will further the FCC’s efforts to protect consumers against malicious caller ID “spoofing,” which is often used during robocall scam campaigns.
dmurray 1478 days ago [-]
This made me check the date, but it's still March 31 in the US.
negus 1478 days ago [-]
It is bad news for the US citizens indeed.
Unauthenticated phone number is the last island of privacy in our modern world.
Think about it: from some point all citizens will carry a geolocation tracking device that is directly linked with their ID. The internet access will also be bound to your ID and so on.
There are better ways to fight spam that do not pose a treat to privacy -- think about email or Facebook. There were tons of spammers, but there are commercial spam filters that do well now.
I live in a country where cellphone carriers are legally forced to authenticate users. And this data is used against political opposition and journalists.
jeremyjh 1478 days ago [-]
No. Per TFA: STIR/SHAKEN enables phone companies to verify that the caller ID information transmitted
with a call matches the caller’s phone number.
negus 1478 days ago [-]
Well, I misunderstood the point. Thanks for the clarification
VectorLock 1478 days ago [-]
Does this mandate do that? It seems like it just enforcing STIR/SHAKEN to prevent spoofed numbers. It doesn't, at least from what I can see, mandate any tying of identity to number. Your 7-11 burner phone and prepaid AT&T number should be fine.
beervirus 1478 days ago [-]
No one except robocallers uses this “feature” anyway.
Rendered at 16:14:53 GMT+0000 (Coordinated Universal Time) with Vercel.
It should be relatively easy to identify the bad actors here and I don't mean the spammers, I mean the telcos that make this possible, deliberately so, by essentially "laundering" spam calls.
My response to picking up a number is to answer the call and say nothing. Auto-dial systems will route the call to a person when they get a "live" response. I don't know the criteria but I'm pretty sure it's them detecting noise on the call (which could be voicemail).
A human calling will wonder what is happening and fill the silence by saying something. A machine will not.
I hang up within 6 seconds of this in the hopes that it affects some metric somewhere of this being a low-quality or spam call. I don't know if it does. I think I read somewhere once that it did. I could be wrong.
If a real human is on the other end and does say nothing in this window, they'll generally just call right back. You get the exact same number again then this time I'll answer it.
It is nice to filter contacts vs non-contacts but there are too many things on non-contacts. Businesses you deal with, primarily.
In the email world where obviously spam is a huge problem zombie relays that allow this (which I believe is the primary source?) can get blacklisted. Why don't telcos who do this also get blacklisted? Or at least identified? This isn't AT&T or Verizon. It's the little telcos that connect to them.
But is this all too little too late? I think we've discovered over the last 20 years that we're all pretty much over open networks. It's all opt-in now with the likes of Whatsapp, FB Messenger and so forth.
Oh and while we're at it, can we get rid of this stupid exemption to robocalling restrictions for political campaigning? It's defended as "political free speech". To me, this is nonsensical. Free speech doesn't mean that I should be forced to listen to it.
EDIT: Found an example [1] of the bad actors I'm talking about.
[1]: https://www.theverge.com/2020/1/31/21117477/justice-departme...
I work with phone systems. It's usually determined by how long they hear a continuous sound at the start of a call. If it's relatively short (and it can be adjusted by settings), it assumes it's a live voice (like someone saying "Hello?" is usually pretty short). If it's continuous for a certain period of time, it assumes it's a voicemail.
For our speech applications we have different behaviors depending on which call disposition is detected (that's the term for this, also determines things like invalid phone numbers).
Sometimes when testing speech applications I'll pick up and scratch the receiver continuously or speak without taking a pause until the voicemail disposition is triggered so I can test a voicemail message without having to check voicemail.
We make these calls on behalf of health insurance companies for health reminders and surveys, so our calls are more legitimate than most, but we do use an autodialer to reduce the load on our live agents.
Question you might know the answer to: I've noticed it's a pretty common practice to get appointment reminders with caller ID from the doctor's office. I like that feature. I'd imagine there are plenty of other legitimate use cases for caller ID spoofing as well. Do you have any idea how that's going to work with STIR/SHAKEN?
I'd guess it's going to be some kind of oauth for your phone number, where you own it and can grant spoofing access to other entities?
Google seems to be supporting it: https://ecfsapi.fcc.gov/file/1119583115056/2018-11-19%20Goog... (via https://www.fcc.gov/call-authentication)
If you call the missed call back, you realize the person picking up didnt make the call.
Wheeler was born on April 5, 1946 in Redlands, California. He attended Ohio State University.[7] From 1969 to 1976, Wheeler led the trade group Grocery Manufacturers of America.[8] He then went on to work at the National Cable & Telecommunications Association from 1976 to 1984, becoming president of the trade group in 1979. For a year until its closure, Wheeler was president of NABU Network, before spending a number of years creating or running several different technology startups. In 1992, he became the CEO of the Cellular Telecommunications & Internet Association, a post he held until 2004.
Since then, I only get such calls from companies that got my details in exchange for some freebie. I tell them I'm not interested, and would they please stop calling me, and they do.
The only calls I got recently were in English with a heavy Indian accent, "Ilse Smid" or another stereotypically Dutch name, claiming to be from Microsoft Windows, and that my computer had alerted them that it had a virus... These scam calls all came from nonexistent Dutch phone numbers.
The funniest one is when my fixed line provider (let's call it P) calls me on my mobile phone (which is another provider) and ask me if I'm one oh their (P) customer :-) (the explanation is that the mobile/fixed businesses are separated to avoid monopoly and, since they can't share customer data ('cos of data protection rules), they have to ask them again :-))
Telco has not been a free market, ever.
Competition is only a solution for problems where the telcos' interest and the consumers' interest align. And that's very rare.
Someday we'll have A.I. to screen calls for us, and hopefully it can also screen this highly-upvoted-but-worthless tripe from message boards for us.
If you pay upvotes and karma, you get unsubstantiated politicised arguments. The feedback mechanism rewards those comments.
Otherwise, every hyperbole will have to be considered as irrefutable truth.
Or, is the 'who comes up with wittiest hyperbole' is the type of 'thought exchange' framework you would like to engage in?
That kinda/sorta was the mandate, until we put a telecom shill in charge.
https://en.wikipedia.org/wiki/FCC_Open_Internet_Order_2010
"An independent U.S. government agency overseen by Congress, the commission is the United States' primary authority for communications law, regulation and technological innovation."
Source: https://www.fcc.gov/about-fcc/what-we-do
You can have arguments until forever about what they should or shouldn't do, but their raison d'être is to set policy according to these overarching objectives.
Oh, and just to be clear, the lack of an Oxford comma in that quote is inexcusable :)
In 2005, the FCC decided that ISPs should be regulated by them. From 2005 - 2012, Congress failed to pass new bills granting the FCC this authority. It was denied by congress. In 2015, the FCC decided that they didn't congress to grant that authority.
So yeah, the FCC website claiming they have an authority is not an impartial source. Two years later, the FCC reverted back to the Title I classification.
So for 2 years, the FCC claimed a power that they were not authorized to claim.
If Congress wants the FCC to have this power they can easily pass a bill granting them that authority, they have repeatedly failed to do so.
https://en.wikipedia.org/wiki/Net_neutrality_in_the_United_S...
It's inexplicable that the same party that claims the act establishing the FCC is more limited than the wording states while the federal arbitration act is continuously expanded to cover cases that neither the authors nor previous courts ever tolerated.
[1]https://transition.fcc.gov/Reports/1934new.pdf
https://www.rpc.senate.gov/policy-papers/why-title-ii-is-not...
The GOP lays out an obviously slanted view about why they are opposed to the "utility-style" regulation that Title II entails.
However, this assumes that the market is functional when it's been clear since the '96 Telecom Act that it has been anything but. The idea that the FCC can't claim this authority without Congress acting first is FUBAR.
From pricing (generally higher for lower speed) to barriers to entry (the upfront cost for infrastructure is enormous), time has shown that carriers and ISPs will refuse to behave unless they are forced to.
Legislation is needed, but Republican arguments that a light touch will "preserve innovation" or some other nonsense doesn't work. 1993 was a long time ago and almost anyone who cares about this issue will tell you that Internet access is a utility (essential service, widely available, for reasonable cost) but the incumbent providers don't act like one.
(Save for maybe Google/WebPass, Sonic, and any number of municipal broadband initiatives)
What do you think about the 'Free Press' group asking FCC to sensor Trump's corona virus updates?
Does FCC have authority to do that?
https://thefederalist.com/2020/04/02/far-left-media-group-as...
https://en.wikipedia.org/wiki/Communications_Act_of_1934
The second and more common is to simply ask for their company name, their name and employee number, and their boss’s name. By the time I get to the third question they hang up and often don’t call back again. In my state you can sue for unwanted cell phone calls and the max you can get is something like $1200/call, which I am happy to inform them of. No clue how to actually do this but if someone automates the process of filing a suit, I will split the profits :)
Source: I've sent demand letters to vehicle extended-warranty robocallers using DoNotPay
I've never gotten enough information to file a complaint
The time I told the robocall bot that this was very worrying because I was on my way to a driving test was actually true though. :D
I spent a full weekend texting back and forth with the scammer.
Although I never went as far as your lorry of circus animals, I did give _many_ hints to him that he was being played with.
Now, the more interesting part is that I was particularly fed with scammers and wanted to see if I could out scam one, which I did.
On the Monday after that weekend, I managed to get my scammers to provide me with his bank account username and password.
Once I got this information, I checked that they were correct credentials and stopped all and every contact. I also did nothing with it as I didn't want to myself be on the wrong side of the law, nor did I want to mess too much with a scammer and get myself in trouble.
https://www.419eater.com/
I don't see how people can sit there and watch this live with him trying but normally the clipped/edited videos are pretty funny how much he can waste their time
A website they pointed me to had a multidomain SSL certificate gave me a list of other scammy domains, and one that appeared to sell robocalling software. On that site I found a phone number to call to get started. I called the number and somebody immediately answered! I pretended to be an interested customer for a while, and he claimed to be the author of the software. I wasted his time for about 10 minutes asking questions about how it worked, and where i could get lists, etc. Then told him I wanted him to add a patch to prevent my number from being called again, and that I'd be calling him again if i got anymore calls.
It was very fun!
Basically, he walks through the history of the phone system and how it never really considered bad actors, and then what they are working on now and what it'll take to deploy it.
https://www.justice.gov/opa/pr/district-court-orders-injunct...
I do the same thing. I moved and my old number is forwarded through google voice. Everytime i get a call from my old area code I know it is a neighbor spam call as no one calls me from that area code anymore.
It's gotten so bad i let my calls go to voicemail now.
The times it has failed me is, actually, right now. I put in a call to have a delivery, maybe the last four digits are 4700- I've plugged that number in. But the guy calling me back calls on 4709 and gets VM. So I have to remember to turn this off if I'm expecting a delivery.
I've encountered robots in the last 6 months that have started with "Hello?" when I didn't say anthing. It tripped up my Turing Test at first, but eventually hit an ALICEBot-like moment that crashed the whole thing down.
Robocalls shove someone else's voice into your ear, without offering you an ear in return. They signal a synchronous communication, and then reneg on that promise with a spammed asynchronous message.
"Political speech" is the same as every other kind of speech. There should be no exemptions for policy just because someone running for office is involved. They have the same duty of courtesy as everyone else, and we have the same right to block our ears from their spam messages as businesses and scams.
No idea if it worked, but it was the least I could do to halt progress in the wrong direction.
I know nearly nothing about telco software but after working at enough big places I suspect one likely answer is "because it's monstrously complex for both technical and human reasons, moreso than it might seem at first".
This is a naive assumption. I've come across robocallers that do exactly this. It is sort of trivial, if you think about it.
I'll bet anything that even this "authentication" requires some sort of man-in-the-middle attack for the NSA before implemented, otherwise we wouldn't be seeing this announcement.
So now I can't help but answer calls from unknown numbers even though I know 999 out of 1000 of them will be spam. It's abusive and an incredible waste of everyone's time and energy, not to mention in my case I wasted 10 minutes of critical time I should have been with her at the hospital.
https://www.consumer.ftc.gov/articles/0204-family-emergency-...
In Australia a lot of it seems to target Chinese international students for some sort of visa-related scam ('Your visa is out of date, the police are coming, you need to pay your fees immediately in gift cards').
See [1]
It basically asks the telecom operators to implement digitally signed certificates.
So it would work, if I understand it conceptually, like your web browser, when it receives https traffic unsigned certificate, or https traffic from a domain that's not part of the certificate chain.
Therefore, this mandate will prevent 'spoofing'. And without spoofing, the spammers would necessarely have to reveal their identity, and there are already bunch of existing legislation to prevent them from doing this type of business.
I missed important business calls when in US. Because they were calling using same area code where my sim card was registered, so I thought it was from the area local to me.
It is horrible, I am sure people actually lost not just business value, but also had negative health impacting incidents, due to this abuse of telecommunications.
[1] https://transnexus.com/whitepapers/understanding-stir-shaken...
I just ignore calls from my prefix. There's literally nobody in my contacts that has the same prefix I have, and I consider it extremely unlikely that any legitimate calls will come from there. 90% of spam calls come from my prefix, and most of the rest come from out of state (different area code entirely).
Another way is to just ignore all calls not in your contacts, and use Google voice's voicemail transcription (I think I've read about some way to do this with Twilio or another service, but I might be wrong).
It would solve 99% of the problem just to be able to block all the calls that either 1. originate directly in other countries, or 2. that originate from number-ranges leased to carriers known to exist solely for the purpose of leasing numbers to VoIP/softphone/"app calling" providers; or 3. that originate from numbers that refer to the PBXes of companies whose business is to proxy foreign numbers to appear as local numbers. (Heck, once there's no more spoofing, we'll notice how big of a problem those are, and we'll probably get a law against them.)
Mine have already, and I assumed it was becoming ubiquitous already.
I'm frustrated with it because I get multiple texts, multiple emails, and multiple voice calls & voice messages for every appointment I make. I want maybe one text reminder the day before or a couple of hours before and no more, just in case I forgot to set my own reminder. But usually I do have it in my calendar reminding me anyway, just two more notifications on top of the 10 the doc/dentist sends me... :P
Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.
Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.
https://www.hhs.gov/hipaa/for-professionals/faq/570/does-hip...
This is why fax is still so common in medicine and law (in law there’s also a belief that a fax confirmation says it’s been delivered, if not read, while email is considered less reliable / more easily deniable.
In the above scenario that happened to me, sometimes you just don't have time to let the information find you.
I don’t usually answer my phone from unknown numbers, but when I get three calls from the same number within 3 minutes I’ll pick it up.
I called a local friend, he didn’t answer. I called his wife she didn’t either. Both follow the “don’t answer unknown numbers” rule. As do I.
It wasn’t until I called friend a second time that he answered the phone. His response? “When my wife got a call from the same number back to back is when I started thinking this must be worth my attention.”
I wonder if it would be possible to set up something like this more rigorously. Give everyone unrelated two phone numbers. The first never rings the phone. The second only rings if the first was called within the last minute.
I'm surprised robocallers don't do this too
Fortunately, I only get a few of those a week, so far.
Given my experience with robocall and stuff, I _do_ want to be unfriendly. I hate to guts that a lot of people assume that they can interrupt you at any given moment. One guy called me when I was driving and wasn't having any of that, kept on complaining that I didn't pick up.
My current plan right now is to have a landline number from my internet provider (that's SIP essentially). Whenever anybody requires a phone number give that.
Now, there will be an voice mail device on my side with message: "Hello, you've reached p2t2p and his wife. We _DO_ _NOT_ appreciate your call. If you think your message is important, leave a message and we maybe, just maybe call you back. Otherwise, use email please".
And that is not even for bloody robocalls. Every single bloody prick think they are important enough to steal my time. Hey, I wrote you an email so respond to email, dumbass, don't call me. There were one windows installation company that stopped interacting with as soon as I told them that I won't pick up the phone and asked them to use email.
I guess the ultimate solution is to have my iPhone in permanent "contacts only" mode.
(Yes, I know, a significant portion of my email ends up in their hands anyway.)
My mobile carrier puts "scam likely" on calls that its algorithms have determined are likely spam, I wish there was an android option to just not ring the phone if that was the caller ID name.
Maybe after a few popular apps do that, the phone companies will start to fear losing relevance and finally take effective action against phone spam.
It only bit me once in several years - I was expecting a call-back from a doctor and they weren't in my contacts. Missed their call, which caused a several hour delay and some annoyance (thankfully not for something critical).
They actually also emailed and texted us both so in reality there was no chance of us missing that specific message...
I couldn't recommend doing so more. Text is so much easier, even if you have voicemail transcription.
When confronted with it, AT&T whined that they can't block it... which is absolute bullshit. Not only does Verizon let you block it, but it isn't even shown as coming from a phone number, but rather a GMail address or other non-numeric source. So obviously this pattern could be used to filter it.
AT&T also pummels customers with multiple texts for several days a month to tell them that there's nothing wrong with their accounts. No exaggeration: They badger you to tell you that your monthly auto-pay is going to happen, and then WHOA it DID happen! They wake you up for this, and insist on sending these idiotic notices via TEXT and not E-mail.
Again, when confronted on it, AT&T whined that they can't do anything, and that customers should put themselves on the Do Not Call list... which expressly ALLOWS companies you DO BUSINESS WITH to communicate with you.
AT&T: hating its own customers.
All the major carriers are implementing a STIR/SHAKEN strategy that should be in effect by next year. But it is complicated to do and there may still be problems when they do - as others have explained here it's not as simple as it first appears.
I don't have any sympathy for the operators in this. They've profited from this for long enough and ignored the problem. There's a lot of pressure on them to solve it and the impression I have is that there's no appetite for "the dog ate my homework" excuses from regulators so let's see.
The spoofed caller ID to match your local area code has landed on people in my contact list, and it was extremely jarring to think "why is my best friend's mom calling me out of the blue" and get offered a discount cruise by a robot.
So far my guess is ‘the forties’. Or maybe the fifties, with all the ‘atomic’ ridiculousness.
The name in the post seems pretty emotionally neutral.
Right now, I guess I'm "spoofing" my caller ID by using a VoIP service unrelated to my actual phone provider to make outbound calls. My phone provider has every incentive to sabotage this, since this alternative provider allows me to pay probably something like 1% of the rates I'd be paying to my regular provider.
The VoIP provider verifies that I own the number before letting me use it as caller ID, but towards the network it still relies on the ability to send arbitrary caller IDs. Will this remain possible/will providers controlling someone's phone number be required to somehow enable this?
How will this work for call centers that want to send a central well-publicized inbound number from multiple locations?
Edit: So I read up on the protocol The SIP provider will provide a claim, signed with their key, confirming that they checked my number.
This leaves the possibility of providers having bypassable checks (I think mine e.g. let you set an arbitrary caller ID if you edited a HTML dropdown client-side) and "how to identify which provider is trustworthy", but that seems a lot easier to solve than the original problem.
Pixels also have their own solution to this: If that condition occurs, the Google Assistant will answer the call and auto-decline if it is actually a robocall.
[0]: https://support.apple.com/en-us/HT207099
[1]: https://www.t-mobile.com/customers/mobile-security
https://www.t-mobile.com/support/plans-features/scam-id-and-...
Here's also a thread about it on their site.
https://community.t-mobile.com/thread/146574
https://www.t-mobile.com/support/plans-features/scam-id-and-...
Also, their website doesn't have the option for me like it used to, and here's a thread on their site from 2018 that talks about it not being available to pre-paid users:
https://community.t-mobile.com/thread/146574
Seems to target spoofing. If they can eliminate spoofing it should make tracking down bad actors easier which should ultimately put many of them out of business.
Because of this, you can just blacklist spammers again, and burner numbers for them become harder to come by.
Regarding your actual reply, though, that basically means we shouldn't really hold our breaths for this to actually stop calls? :\ Just less fraud, which is nice, but from the only thing that makes these calls such a nuisance.
I imagine we will see a tickbox in the operators apps and web settings portals to block or send such calls straight to voicemail (or similar), as they'd be able to be distinguished via the reduced attestation level.
Step 2 is to start to put the fraudsters in jail, now we can figure out who they are.
This also means easier blacklisting for the client.
I get this too. Which is great, my being a New Yorker who hasn’t had a driver’s license for close to a decade.
Heck, I've lived most of my (middle-aged) life without ID and probably haven't used it in the past three years.
This.
My U.S. passport certainly doesn’t.
(Agree that it’s a poor form of primary identification. It is bulky. It is difficult to replace. And it contains more information than you need for identification.)
Having it pickpocketed in the US would be far less of a headache, minus lacking an ID for a few weeks.
I even hit them with "But YOU called ME with this extremely urgent notification! It's my last chance, you gotta help me!", but sadly I couldn't get her to give me a quote.
I don't know if it's actually Marriott or not. I suspect it's just one of those "affiliate marketing" scumbags, but it still makes the brand look bad.
Knowing a number is legitimate is great, going after scammers and those that support them is better.
I'm not saying I never get spam calls, but I certainly have to scroll back quite a bit in my phone call history to see the last one.
Also, on the rare occasion I do get a spam call it's always from some random international country like South Sudan or Oman that I would never expect a phone call from.
What makes this problem uniquely hard to solve for the USA as opposed to anywhere else?
The USA's implementation of caller ID does not require telephone providers to verify that the caller ID provided to them is real (prior to this order).
It also lacks the regulatory structure to "trace" (prosecute/fine) calls through the various interlocking copper, cellular, and internet telephony networks, even when each provider in the chain has data.
It also lacks the legal experience in knowing how (and the political will) to prosecute an individual who dials random phone numbers with an app on a cell phone using a prepaid SIM card and conferences whoever they're calling into a spam line to disguise the spam line's phone number.
Finally, our regulatory system is captive to politicians who depend critically on spam calls for political purposes, and continue to fight to have those calls exempt, making it vastly more difficult to stop all robocalls because some are legal and others aren't.
Every time this topic comes up on HN, someone asks that same question.
Then there's a bunch of responses that are lots of suppositions.
Then several people from small European countries chime in saying they've never had a spam call.
Then a bunch of Europeans from large countries show up saying they get spam calls, too, and it's not just an American thing.
"Why is this problem unique to the USA?" is pretty much a meme at this point.
Also...
You start with "Why is this problem unique to the USA?" Then follow immediately with, "I'm not saying I never get spam calls" which means it's not unique to the USA. So your first sentence is invalid.
In the UK, I get the occasional spam call ("I'm calling with regards to the recent accident that wasn't your fault..."). At its peak, I got about one such call per week. It's been months since I've had a spam call.
In France, I got zero. In the 7 years I lived there, I got exactly zero.
Every time I go to the US, I get 2-5 per day ("last chance to renew the extended warranty on your car").
As is often the case, things are bigger in the US.
I used to get occasional spam calls on my rarely-used old Polish number, but since beginning this year they somehow stopped (late effect of GDPR perhaps?)
It's not. Who told you it was?
Experience reports are still useful and interesting.
Europe is also a big pot of honey. But people speak all sorts of different languages, so you'd have to redo the scam in a bunch of different languages, which increases the effort needed to operate it.
China has way more people all speaking the same language, but relatively less wealth per person, which reduces the potential payoff. Also, I wouldn't be surprised if China has already closed off most the holes people exploit to operate these scams, because they seem less inclined than the US government to fart around about silly crap like this for literally decades on end.
Latin America has scads of people all speaking the same language, too, but they're split up among a whole bunch of different countries, which I'm guessing also makes the scam more expensive to operate at scale than it would be in the English-speaking bits of North America.
This means they'll exploit the most profitable targets almost exclusively. It doesn't have to be much more profitable, just the most.
If they were victim limited, they'd expand the pool of targets to include the most profitable N until they became resource limited again.
The problem described in https://news.ycombinator.com/item?id=22742976
Is precisely why US get so many Spam calls, and very little in many other developed countries on earth.
And judging from that, it is also no wonder why SMS passcode hijacking is much common in US as compared to many other places.
It reality it really is an US thing, much like how rest of the world have public health care ( Good or not ), and it wasn't until ObamaCare did rest of the world realise public health services is not a standard practice in the wealthiest nation on earth.
Starting back in 2018 or so there has been a big problem in Australia with scam robocalls claiming to be from the Australian Tax Office. The area code on the phone number said it came from Canberra (Australia's national capital) which made it look more legitimate–even though in reality the call was coming from an overseas call centre. The robocall started out by saying that you owe a tax debt and the government was about to commence legal action against you. I got several, most people would hang up realising that the tax office would never do that. (It is illegal for them to discuss your tax affairs without confirming your identity first, so they would never begin a call by saying you owed them money.) But, some people (many of whom were older/vulnerable people), stayed on the call until the live operator connected. The live operator would then pressure them to go to a store and buy thousands of dollars of gift cards (such as Apple iTunes gift cards) and then read the gift card details out over the phone.
So this definitely is not a problem unique to the US. And other countries have been taking action, see e.g. in Australia – https://www.zdnet.com/article/acma-proposes-three-point-acti...
(Definitely the incidence of these fake calls appears to be falling, in my personal experience, so I think the Australian authorities'/industry's attempts are producing some results.)
a) it's a large market with a large penetration of internationally chargable credit cards. Several countries in the EU have their own payment systems including a bunch on a push model --- it's hard to scam germans over the phone because it's going to be hard to get them to send you funds without a german bank account; and if you have a german bank account, that's going to get you caught. Everywhere can process US visa and mastercard though.
b) large community that can be addressed with a single language; yes, there's a lot of people who would prefer another language, but they can probably be scammed in English (Although, with a bay area number I do get a good amount of scam calls in Chinese).
c) last, but probably most important; outbound calls to the US are incredibly cheap, as long as the number is not in Alaska. It's easy to find retail voip offers for less than 1 cent per minute to US numbers; and it doesn't matter if it's a landline or a cell phone. Calls to most EU mobile phones are at least 10 cents, but many countries are closer to 30 cents. That adds up quickly.
Most US spam calls originate outside of the US, though.
* Carrier maintainer blacklists and other tools have also been used by providers for a long time.
* My provider, Voip.ms, enforces a provenance whitelist by default. This block all SPIT calls coming from unspoofed caller ids. That may not sound like a lot, but yes, many of those calls are just random poeple picking their phone or mobile apps using the real phone number. Having regulation to track internal sources of SPIT (and enforcing it) helps too.
* In Canada, you can subscribe to a non-telemarketing list. That doesn't help for scammer, but it helps for unsolicited ads, political spam and private surveys. This works when enforced with actual penalties for all parties involved.
Would you decide to set it up to call over 40 different countries in europe? Each with their own way to show phone numbers.. each carrier attempting to block spam calls in different ways.. each country virtually speaking a different language.. most countries having some different banking/credit card systems..
Or would you target the united states which everyone in the country has the same phone prefix, pretty much all speak one language, banking/credit card system is the same, etc.
It just makes sense for scammers to target the US. You can target hundreds of millions of people the exact same way.
That and you know.. breaking the law has actual consequences for both spammers and telcos.
Back in the early 2000's I remember doing the same thing you're describing: startling spammers by telling them that I was on the list. But today, the people calling don't care because they aren't inside of the US.
If you're being called from a local number, then this should mean (and outside of USA actually means) that there's somebody who's subject to local law and fully responsible for ensuring that the spam laws are met. If you're a telecoms operator sending in calls to the nework, then you ensure that the fines get paid - the spammers are, naturally, liable, but if you enable access to scammers in an unreachable jurisdiction or insolvent shell companies, well, it's coming out of your pocket and it's your problem on how to recover these losses. In USA, however, telecoms who specialize in providing such access to phone spammers have a legal and profitable business model. This needs to change.
CID spoofing is when you tell the network to display a different caller ID value than the actual originator. This never had any sort of authentication in the US (until the announcement in the OP)
Most of the spam calls in the US aren't CID spoofed, but some egregious scams are. This is usually used for things like scammers displaying "SOCIAL SECURITY" on the caller ID.
The US just generally doesn't make carriers liable for the crimes of their users. We don't need to change that, and I don't think it's a good idea either because of the unintended affects that could have on accessibility. We just need to require controls that authenticate proper use of the network. The announcement in the OP is one step towards doing that.
But preventing CID spoofing alone is not going to stop spam calls from local numbers, because VoIP.
How does this help with a spoofed call from India?
Until this HN post it never occurred to me that you could spoof phone calls. While landlines used to get lots of spam calls, perhaps I've had just two of these calls to my mobile in my life. Each time I typed the number into google and found reports of that number being spam. And maybe less than 20 spam sms's.
Does this mean that other countries (such as Australia) do not allow spoofing of numbers?
I assume it's simply more worthwhile to create a fraudulent scheme aimed at a larger population with more potential marks.
It's the price we have to pay for Freedom (TM).
Will be nice to go a step further.
Some have provided timelines (such as AT&T), others skirt around it basically saying that they offer call SPAM protection already but that they will go along.
If that were easy we would have solved email spam too, 20 years ago.
The legitimate use case is basically: I am placing this outbound call over VOIP or a different phone line, but I want this ANI to show up on the callee's phone, so when they call back they go to the correct line (dentist's desk, software sales line, whatever)
The goal of the regulation is to cut down spam/scam calling, not legitimate uses, and the telecom providers know these uses and lobby heavily to make sure they'll still be allowed to work.
The telecom providers don't like scam calls either, or more specifically they don't like short calls. All the work and compute power in telecom is used to set up the call, then the cost of keeping it going is minimal so the longer the call goes on, the more economical it is for the provider
Based on the given situation, the museum won't own the caller's cell phone number that they're trying to legitimately spoof for their staff's cell phone.
Asterisk is an open-source PBX system.
I think the original call will come in with the correct STIR/SHAKEN-validated SIP headers and the PBX can forward them as is, see some discussion here: https://community.freepbx.org/t/stop-robocalls-act/60921/5
I previously worked at a telecom software company, and I know everyone with their shit together has been preparing for this for a long time, which is why I'm not concerned that these common cases should continue working. These softwares are often built on top of or on a branch of Freeswitch/Asterisk.
I've thought about some potential SaaS products that would leverage a similar approach. But I would authenticate the number back to the customer before allowing it to be used to avoid spam/malicious use.
Based on this:
https://www.zdnet.com/article/at-t-comcast-successfully-test...
I'm guessing this is down a layer at the provider level. So in my case, voip.ms would verify the number I'm using as my caller ID is actually a number that comes back to me. Right now, I just tested by swapping my wife's cell number in, they do not validate this. Now I understand how people are spoofing numbers so easily.
Obvious approach is to voice call or text the number and require the confirmation code to be entered on the website. Just curious though if there are other requirements or if this is up to the provider.
I think the telecommunications world will need to adopt whitelisting instead of blacklisting. I run a whitelist-based robocall blocking service called CallStop and a lot of customers have straight up given up using their landline, or their personal number with unknown numbers.
People who claim that whitelisting is a bad solution because it could block an emergency call don't realize that many people don't answer unknown calls anymore--and I don't think SHAKEN/STIR will change that.
Whitelisting without SHAKEN/STIR is still extremely functional.
There are billions of unique American numbers possible, and with 250-500 average contacts per random dial, contact spoofing is not statistically significant.
They usually hang up at 'blacklist'.
...But it will equal-and-oppositely create a market, perhaps a black market, for anonymous voice calls on the other... Perhaps these would be delivered by an open source Voice-over-IP program which uses an anonymizing P2P network as its backbone...
Also... will it make any difference for phone calls that originate outside of our country?
Now, those small observations aside, I think that hard authentication of the source of phone calls, is a great idea to help combat scammers and robocalls... I'd use this service myself, and I know other people that would be immensely benefitted from it...
Unless I'm missing something though, these measures don't do anything to address the gaping security hole in mobile networks around roaming interconnects. That seems to still be a pretty good way to do SMS and call interception, which are increasingly valuable as phones become the de-facto 2FA channel for access to banking, cryptocurrency services and more.
Before that, I'll keep allowing calls from my contacts only, and bear the miserable inconvenience that sometime my packages may take a month to arrive because of denials of calls from the delivery guy.
Turns out they're still doing that robocall scam where they say you won a free cruise
Google Voice works by acting as a proxy for outbound calls. You dial your friend's number, your phone dials Google, who in turn dials your friend with your Google Voice number displayed. Since Google is the legitimate carrier for your Google Voice number, I can think of no reason why they wouldn't be able to correctly sign the call.
Additionally, Google is listed as one of the companies that the 14 companies that the FCC appears to be working with (see the table towards the bottom of https://www.fcc.gov/call-authentication), so I assume they are planning to use it for Fi and hopefully Voice as well.
https://www.youtube.com/watch?v=FO0iG_P0P6M
Had to hop onto my VPN to view.
Edit: Ok, at least not viewable in the UK!
The Do Not Call list has been around for almost 30 years.
https://en.wikipedia.org/wiki/Do_not_call_list
It will be interesting to see who will be running the CA for these connections.
* http://jdebp.uk./FGA/truths-about-telephones.html#CallerID
These concepts could be applied towards that purpose if the MNOs wanted to rejigger messaging within their networks & for inter-carrier connectivity- but pursuing that solution would likely be more challenging to implement than this solution.
"The FCC has also called on the industry to “trace back” illegal spoofed calls and text messages to their original sources."
The Federal Communications Commission adopted new rules requiring caller ID authentication using technical standards known as “STIR/SHAKEN.” These rules will further the FCC’s efforts to protect consumers against malicious caller ID “spoofing,” which is often used during robocall scam campaigns.
I live in a country where cellphone carriers are legally forced to authenticate users. And this data is used against political opposition and journalists.