
FCC closes telemarketing loophole used by scammers - cloud_thrasher
https://www.consumeraffairs.com/news/fcc-closes-telemarketing-loophole-used-by-scammers-080519.html
======
avivo
This is nice and perhaps actually useful for going after international
organized criminals...but still doesn't prevent anything. We need actual
authentication for Caller ID. Urgently.

Fake voices are already being used to steal millions
([https://www.bbc.com/news/technology-48908736](https://www.bbc.com/news/technology-48908736)).
I co-authored the paper linked here, which goes into some detail about why
this all matters, particularly for voice cloning...
[https://medium.com/@aviv/reducing-malicious-use-of-
synthetic...](https://medium.com/@aviv/reducing-malicious-use-of-synthetic-
media-research-9def6ab81aaf)

~~~
SilasX
Hm, I almost feel like it's the spam problem all over again where the
appropriate fixes involve tradeoffs that many (not me though) find
unacceptable, and we need to adapt the famous spam solution forum letter:

[https://craphound.com/spamsolutions.txt](https://craphound.com/spamsolutions.txt)

(I just came up with a version for robocalls but I don't want to post it here
because it's a giant wall of text that I don't think pays for itself in terms
of contribution to the discussion.)

~~~
GauntletWizard
Pastebin it.

~~~
SilasX
[https://pastebin.com/0htfZWQD](https://pastebin.com/0htfZWQD)

------
lol768
I would argue that the legality of this doesn't matter; there's a huge
technical problem in that there's no authenticity guarantees at all when it
comes to caller ID and the entire feature is badly designed and has always
been open to abuse.

SHAKEN/STIR is the (technical) answer to this, though I'll be interested to
see to what extent it's adopted.

~~~
londons_explore
The solution doesn't _have_ to be at the phone network level either.

It would be easy enough for a regulator to simply fine any company whose
products are advertised or sold through telemarketing.

Make it the companies problem that some of their marketing contractors or
affiliate schemes lead to illegal calling.

~~~
paulie_a
Forget fines. Everyone in the company needs to be charged with felonies under
Rico

Spoofing numbers could be considered a criminal organization

Take down every single person

~~~
gruez
>Take down every single person

Management/c-suite? Sure. Your typical telemarketer working at minimum wage?
No.

~~~
ceejayoz
> Your typical telemarketer working at minimum wage?

If they're claiming to be the IRS so they can scam you out of iTunes gift
cards, why not? They know what they're a part of.

------
souterrain
This is akin to the BCP 38[1] problem with ISPs. I suspect few SIP-based
telcos do validation of originating numbers today.

STIR/SHAKEN has the potential to help here, but there are still shortcomings,
e.g. when originating calls with source numbers obtained from other
carriers[2].

1\. [https://tools.ietf.org/html/bcp38](https://tools.ietf.org/html/bcp38)

2\. [https://support.bandwidth.com/hc/en-
us/articles/360025664313...](https://support.bandwidth.com/hc/en-
us/articles/360025664313-What-Is-STIR-SHAKEN-and-How-Does-It-Impact-
Robocalling-)

------
bertil
They haven’t fixed it. They just made what scammers do illegal for one more
reason. Unless they make telecommunication operators liable, this will remain
a problem.

~~~
asark
Yep. Solution is recursive fines. Spam calls from network provider? Issue a
warning. Keep it up? The fines start and don't stop coming in until the calls
stop. They ignore the fines and are outside your jurisdiction? Warn every
company they transit through. They don't block them? The fines start. Rinse,
repeat, until you find someone who you can effectively fine or who cares about
the warnings (because you can effectively fine them) and they either bring
down the banhammer (which those other entities _will_ care about, even if they
don't care about the fines) or they find a technical solution.

These calls are largely preying on the elderly. They're despicable and it's
disgusting it's taken us so long to stop them—there's no excuse, it's not like
human beings don't control every part of what's happening, this isn't some
force of nature. Nuke them from orbit.

~~~
rrauenza
My mother-in-law has alzheimers and is in a care facility, but she really
values the independence of having a phone, say to call family.

In the past she'd been scammed by the "your grandson is in jail" scam and the
bank stopped her.

One day she was really worked up because she was sure someone was going to
come to her facility at 4pm and demand their money from her, and it was all
tangled into my family needing money or something. Luckily she has no direct
access to funds anymore.

Enough was enough. I found a product that I could put on her phone line that
lets me white list her calls. It also suppresses the first ring because with
Alzheimers, the last thing you need is the phone ringing once constantly.

It isn't perfect -- it has to be configured over bluetooth and only from a
cell phone. I'd prefer a device that lets me do this remotely over the web,
but this is what we're using for now:

[https://www.amazon.com/Call-Control-Home-Automatically-
Telem...](https://www.amazon.com/Call-Control-Home-Automatically-
Telemarketers/dp/B071S6NB5N)

For ourselves, I have a linux box running ncid. I just wish I could find a
first ring suppressor that works on POTS. The FRS22100 I tried resulted in a
fast busy for any caller -- didn't conform to whatever the central office
required.

------
ipython
I get a ton of calls offering to lower my interest rate. Im surprised that the
card issuing companies mentioned by name in the call- visa, MasterCard, etc.
don’t take the same tactic that Microsoft used to take down botnets. Microsoft
used trademark law to sue the botnet operators and have their domain names
seized. Why can’t the same happen here with any US based voip operator they
may be using?

~~~
adrianmonk
Here's a minor technical correction about payments lingo. Visa and Mastercard
aren't issuers.

Payments are kind of a world of their own, but basically there are 5 parties
involved in a credit card purchase:

1\. The party that receives the payment. For example, a retailer like Amazon
or Target. In payments lingo: "merchant".

2\. The merchant's bank. This is where funds are going to end up. In payments
lingo: "acquiring bank" or "acquirer" (because they're acquiring funds I
guess).

3\. The customer's bank. This is where funds are going to come from. Usually
on credit. For example, Citi, Capital One, Chase, HSBC, Bank of America. In
payments lingo: "issuing bank" or "issuer" (because the customer has an
account with them and they issue the actual card).

4\. The customer, the person who makes the purchase. This person's name is
printed on the credit card. In payments lingo: "cardholder".

5\. A payments network. These arrange payments (including operating computer
networks as well as defining rules and policies) and facilitate the purchase.
For example, Visa, Mastercard, American Express. In payments lingo: "credit
card association".

Back to something vaguely relevant, one way you can instantly detect these
scams is that they always seem to claim they're from Visa or Mastercard, then
try to talk about lowering your interest rate. Your interest rate is between
you (the customer) and your issuing bank (Citi, Capital One, etc.), not
between you and the card association. _Visa or Mastercard doesn 't care about
your interest rate. The scammers are not even claiming to be from the right
type of organization!_

I assume they do this because they get a higher hit rate. If they claimed to
be from, say, Chase, then lots of people would think "I don't have an account
with them" and hang up. If they say Visa or Mastercard, odds are good that
you'll think "yes, I have one of those".

~~~
lotsofpulp
There is another entity involved also, the card processor:

[https://www.vantiv.com/credit-card-processing/what-
is](https://www.vantiv.com/credit-card-processing/what-is)

------
tantalor
Is it currently feasible for carriers to block these calls? Like, it should be
easy enough to check if the call originated internationally but the area code
is domestic. This regulation would appear to compell carriers to act on that.

~~~
gwbas1c
Apparently, this will break a lot of (cough) features (cough) that no one
uses, like call forwarding. I also wonder if this will break VOIP systems that
small businesses use?

The reality is that no one should care. The telephone system is broken when
most of the calls we get are fraudulent. I want my phone to be useful; I don't
care if fixing it breaks some phone system set up by a sketchy IT wannabe.

~~~
lemcoe9
I am glad that you "don't care" about breaking a few million phone systems
across the world. Every single IT manager, however, does care. If you start
having carriers wholesale-blocking calls based on their lack of STIR/SHAKEN's
verifications, then you will completely disable the vast majority of IP- and
POTS-based phone systems in the country, many of which were
purchased/installed in the early-2000's.

You can have the "I don't care" attitude when you have one telephone number in
your life. You have to care when you have a couple hundred thousand telephone
numbers in your life, like I do, working for a Class 3 ITSP.

~~~
marcosdumay
I have to side with the GP here. The options are completely losing the
telephone system because nobody trusts anything coming from it anymore, or
having those pre-2000 systems upgraded. It's a no-brainier.

Yet, we seem to be committed into destroying the entire system.

~~~
sq_
It's really amazing how little trust people have in the telephone system now.

At least on personal devices/lines, everyone I've talked about it with now
refuses to pick up any call from a number they don't recognize, which is
really the only option when 2/3 of the calls you get daily are spam. Most just
assume that if it's important, the caller will leave a message.

~~~
cabaalis
> everyone I've talked about it with now refuses to pick up any call from a
> number they don't recognize

This is true, and also burned me last weekend. My dog set off my alarm system
and the phone identified ADT as "potential spam" so I didn't answer it. The
police showed up at my house. Fixed by adding ADT to my contacts, but the
distrust is real.

------
ananonymoususer
I'm all for it, but one gripe I have about Consumer Affairs' reporting is that
they interchange the words "regulations" and "law" to mean the same thing. As
we witnessed during the Net Neutrality see-saw, regulations enacted by the FCC
are not "law", and can change at the whim of a new administration.

------
mysterydip
Great! I'll tell all the scammers calling my phone that what they're doing is
illegal. That should stop them.

~~~
rootusrootus
In that case, why bother making anything at all illegal? Criminals are just
going to be criminals anyway.

~~~
homonculus1
It's a matter of severity and demonstrable willingness to ignore consequences.
Scamming and fraud can earn you a spot in prison for a serious length of time,
whereas phone spoofing is probably just a fine or probation, IANAL. In general
it defies reason that the people who purposely violate existing major laws are
going to be dissuaded by tacking regulations onto their methods.

~~~
rootusrootus
As I recall, certainty of punishment is generally a far more effective
deterrent than severity. In any case, what I think the law would really get is
leverage against the US-based phone companies who gateway the traffic onto our
phone network.

------
slater
I wish (and I bet there's something on Android for this) that there was some
kind of social app just for sharing scam numbers among trusted friends†. E.g.,
as your phone receives a call, it'd hash the number and compare it with you
and your friends' reported "spam caller network". If you or your friends have
marked something as a spam-originating number (number spoofing not
withstanding, yesyes), it would either drop the call outright, or highlight it
as potential spam call ("5 of your friends have marked this as spam!") before
you need to pick up.

† Why just among your friends? Cos we all know that the minute you make it
open to everyone, the marketing and MBA folks will get their fangs in it and
monetize and data-mine.

~~~
e40
The numbers are random so why would sharing the numbers help reduce anything??

I never get calls from the same number. I've had the same scammer call me 3
times in one day from 3 different numbers.

This is the scammer that has called me 100s of times in the last 2 years:
[http://www.caribbeandiscountsinternational.com/about/](http://www.caribbeandiscountsinternational.com/about/)

I tried to contact Tucows to complain, no way to do that. Then, I filed a
report with ICANN that Tucows was violating their contract (because I can't
report abuse), and that case was closed after two weeks.

The entire system is supporting the scammers.

~~~
MBCook
You’d be surprised. Maybe YOU don’t get calls from the same number (though I
do at times) but it seems like scammers will use one number to call 100,000
people then switch to a second number and call again. So as long as someone
reports it lots of people will benefit. It’s not a random number per call,
which would make this approach unfeasible.

This shared block list is basically how Nomorobo works and it’s quite
effective for me.

~~~
reaperducer
And when some scammer uses your number (since any number can be used by a
scammer, it's just a number not a phone line), then under your scheme, you get
cut off from all of your friends.

~~~
e40
This. Given the quantity andlocality of the numbers to mine, if I block them,
it's only a matter of time before I block a number that matters to me.

------
EGreg
Seriously, if you have a good data plan, why have a phone number? The phone
system is so laughably insecure and limited compared to the voip alternatives.
And so riddled with SPAM. There are SIP bridges to it, for the legacy calls.

~~~
asark
Everyone expects you to have a phone number for some things. Certainly many
online services expect you to be reachable via SMS for 2-factor auth. VOIP
service plus a semi-decent data plan is at least as expensive as just adding
on voice, and then you have two bills instead of one. You can simply ignore
calls when you're not expecting one—if it actually matters they'll leave a
voicemail. Those get transcribed so I don't even need to listen to see whether
it was a scam or something important.

It has made phone calls probably the worst way to reach me, though. Not sure
why I don't receive more text spam, which is nearly nonexistent—must be some
technical reason.

~~~
ghaff
Maybe technical or maybe just that the person who is going to send off money
so that their social security number isn't taken away or so that the police
don't come to their house and arrest them on felony charges are more likely to
respond to a call--even a robo one--than a text message.

On my cell phone, the biggest annoyance is that I have to turn on Do Not
Disturb when traveling internationally which means only the specific numbers
in my contacts list can reach me in an emergency at all hours.

~~~
asark
> Maybe technical or maybe just that the person who is going to send off money
> so that their social security number isn't taken away or so that the police
> don't come to their house and arrest them on felony charges are more likely
> to respond to a call--even a robo one--than a text message.

That occurred to me, but you can direct someone straight to a website that can
then do god-knows-what with a text message, and they're even easier to
automate and do in quick, huge batches than phone calls, so even at a much
lower % success rate I'd think they'd be viable for scammers, and maybe even
preferable to calls. Maybe they're more expensive to send? That'd be dumb, but
then phone billing's never made any sense.

~~~
EGreg
You guys are still thinking in terms of the phone system with publicly
accessible numbers!

In future networks you’ll have to have an invitation path from the user, and
if it gets abused you just mute a subpath so those people’s invites don’t
result in auto-accepting messages. Simple!

A -> B -> C -> D

D attempts to send a message to A’s mailbox

A’s mailbox automatically accepts the message

If too many messages were sent from the subtree of invitations of B or C, just
mute that branch.

Then the others have to jump through hoops like proof of work or pay crypto to
be whitelisted and start a conversation to you.

Fixes all SPAM. You can make this compatible with an email gateway where the
invitation is added as an email alias such as “foobar@dontspamme.com” and then
emails to and from “foobar@“ would be proxied as messages to the actual non-
email system I described, where foobar was the gateway corresponding to the
“path A -> B”. It was compromised? Don’t accept emails from any new unknown
email addresses sending to that endpoint without jumping through hoops.

------
rdtsc
This is better than nothing. It won’t stop criminals who pretend to be from
IRS or Microsoft support. But maybe it might help against some US based
businesses which use phone spamming like expiring car warranties and such.

------
bfdm
Do we even need spoofing at all anymore, are there legitimate uses which can't
reasonably be resolved other ways?

------
slater
While I love that the FCC has fixed this (especially the "scammers spoof a
U.S. number, usually one in the victim’s area code" part), something tells me
the scammers won't just roll over and go "whelp, there's nothing we can do!".
They'll just find a new "loophole".

~~~
albeebe1
Nothing is fixed. The spoofed calls will continue. This just makes it illegal
but they’ve already been breaking the law scamming people.

------
rwbcxrz
Best feature coming in iOS 13 is an option to silence all calls from non-
contacts.

I installed the public beta for that alone because I get so many of these
types of calls, and it's saved me 19 interruptions so far this week.

Obviously blocking all unknown numbers isn't an option for everyone, but it's
been great for me.

------
michaco33
That's it people! They've cured spam. We can all go home... right?

------
lunias
Legal solutions don't tend to work great for technical problems.

I will just continue to block and report spam for calls from all numbers which
I did not myself enter into my contacts.

------
tinus_hn
If they want, the local phone companies can easily block international calls
that have local caller ID.

------
Thermolabile
Ooo they passed a law making it "illegal", that will stop the international
scammers. Just like the war on drugs. Pai knows this stops nothing. Fuck that
piece of shit, even when it looks like he's doing good he's actually doing
nothing.

