
Voice Phishing Scams Are Getting More Clever - waffle_ss
https://krebsonsecurity.com/2018/10/voice-phishing-scams-are-getting-more-clever/
======
phkahler
The problem here is the ability to spoof caller ID. This should not be
possible. Regulations set up the phone system, regulations need to make this
change. I don't care what excuse anyone has, don't care about your stupid PBX
or any of that. Caller ID should be mandatory and reliable.

Having said that, always assume someone calling you is a fraud. If your "bank"
calls you, tell them you'll call back and don't call a number they provide
over the phone or in caller ID. If you can't find a reliable number to the
bank, drive over there. The bottom line is that you can't trust anyone who
calls you.

~~~
walrus01
There is no way to fix the ability to spoof caller ID with the way SS7 is
built. Not without breaking functionality to something like 85% of the
installed base of PBX and phone switch equipment, most of which is anywhere
from 10 to 45 years old. The legacy telco SS7 phone system needs to be burnt
to the ground and rebuilt, but it never will be, because people have moved on
to friend-opt-in based message platforms like WhatsApp, Signal, Telegram,
Facebook Messenger, and the domestic Chinese equivalents (WeChat etc).

~~~
Retric
I just want the major cellphone companies' numbers to show up correctly and
everything else can be ???. That does not require fixing all these other
systems.

~~~
nradov
How exactly could they do that for calls originating outside their network?
Most spammers are using VoIP, not cell phones on major US companies.

~~~
LeifCarrotson
They could not fix it. However, it would be a big value-add to me if, say, the
big 4 US carriers could add an out-of-band security check and block calls to
their networks from numbers they control but which are spoofed.

I get way too many calls from area codes and prefixes I recognize. This would
help me get some of that back.

~~~
metildaa
There are legitimate use cases like Google Voice for sending caller ID that
another carrier owns. Despite that, a basic authorized users list would be an
easy fix, doubt that'll ever happen though. Look at the mess that LRN and CNAM
data are, providers will nickel and dime for access to data that doesn't cost
much to maintain...

~~~
Retric
Google Voice could A) join the system or B) have ??? as their caller ID; either
one would be useful. Again, they can say whatever number they want as long as
I can opt out and block unknown numbers.

However, the current system is largely useless when you get spoofed calls from
numbers you recognize.

------
CodeCube
This is 100% _destroying_ the phone for younger generations ... my kids answer
nothing, not even my own phone calls because they set their phones on do not
disturb to curb the endless robo, scam, and cold calls.

If it wasn't for [https://hiya.com/](https://hiya.com/), I'd be at the end of
my wits. Seems like the number of fake calls has ramped up exponentially in
the last months. I finally just set it up to completely block all telemarketing,
spam, scam, fraud calls.

~~~
skh
I suggest downloading a silent ring tone. I got one for a dollar. The silent
ringtone is my default ringtone. I went into my contacts and changed the
ringtone associated with them to be one that makes noise. I no longer am
bothered by scam calls as a result.

~~~
emptybits
> I went into my contacts and changed the ringtone associated with them to be
> one that makes noise.

That gets the job done, but rather than modify each of your existing contacts
(and each new one), consider just turning on Do Not Disturb and setting your Do
Not Disturb level to "Allow Calls From All Contacts" (or a particular Group or
Favorites). These are iOS options but I assume there's an equivalent in
Android.

~~~
nickysielicki
On my particular Android phone (Pixel) this is not a great solution because
setting Do Not Disturb alters the behavior of other things like Calendar
reminders or email alerts. You could make DND not do that, but sometimes I
_do_ want to mute other things. If you're using DND all the time, you
essentially lose that feature on your phone.

The best solution I've found is to just go into the Google Dialer app and set
the option to not ring on any call suspected to be spam. I still do get spam
calls that haven't yet been reported, but it's down to only about 3-4 a month.

Not sure if Samsung phones / other android flavors have a similar feature or
not.

~~~
xtreme
A great improvement to that would be an option to silently reject all
suspected spam calls and send them to the voicemail. This has been suggested
many times on Google's product feedback and suggestion boards but for some
reason they have not gotten around to doing it. The hard part of detecting
spam calls is already there; all it should take is adding a couple of new
check boxes.

~~~
jjeaff
There are apps like YouMail and Nomorobo. I use YouMail and it has the
option to give a disconnected message when a scammer calls.

------
xoa
I'm personally somewhat nervous about what voice phishers will be able to
accomplish with call ID once voice sample synthesis gets good enough and cheap
enough, which is well on the way from what I can tell. Shades of that old
Uplink game, call up a family member or friend and just get them to talk into
the phone at all, not even give up personal information but literally just
speak enough. Then the phisher can call up the target, spoof that number, and
directly have the voice sound just like someone the target knows. The voice
and the Call ID will both check out, and this should actually be a lower
target than the kind of voice synthesis work currently being done because
phone calls are highly compressed and tend to be not great quality anyway.

Once that hits general usage along with the kind of ML and social network
graphs being done up couldn't that just plain be it for phone usage if
companies can't come up with a proper cryptographically verified call scheme
(which would require new phones, for everyone)? I mean, if a call coming in
directly from a "trusted contact's number" that is literally in their voice
becomes generally a scam too I think that'd have to be a real tipping point
for the general population. I can't see any choice at that point but to
disable all incoming calls period, and move my family over to something else
as well. And that tech train is coming down the tracks pretty fast, there have
to be at least some phone providers who can see that right? Heavily
automatically run personalized ML powered social media and ad network profile
fed phishing calls in a relative's voice, yeah that'll be really fun.

~~~
DenisM
Simple workaround - you call me and leave voicemail, I call you back on the #
I know and we talk.

------
jerf
I'll give you the flip side of the scammer's deterioration of trust in the
phone... a few months back I got a phone call from what appeared to be my
bank, and they were asking me about a fraudulent charge that I didn't
recognize. Worried that this was the beginning of a scam, I delayed a bit on
the phone while I logged in independently to my bank account... and lo, yes,
indeed, there was a fraudulent charge to my account just as they described. It
really was my bank calling me about fraudulent charges. But I was definitely
close to hanging up on them, assuming it was a scam. It stinks on both sides.

~~~
aero142
It makes me laugh when my bank's fraud department calls me and then asks me to
verify myself to them by giving personal information before asking me
questions. I usually laugh at them and tell them they are the unverified
party in this phone call, not me.

I always pull up the website and confirm before telling them anything.

~~~
techsupporter
> I usually laugh at them and tell them they are the unverified party in
> this phone call, not me.

This is one of the related reasons why I finally got my ducks in a row and
switched away from Chase three years ago. Their potential-fraud-has-happened
outreach department was, in my experience, terrible about this. It didn't help
that their potential-fraud-detection department was similarly bad. ("You used
your debit card at an AM/PM in Washington State!!!!" Yes, I know, it is about
900 feet from my house; I go there regularly.)

Point being, I got quite a few calls from their (real) fraud prevention
department about (supposed) fraud. Each time, the rep who called me would get
mad at me for not handing over the last four of my SSN and my complete address
to the calling party. I pointed out, each time, that they were the ones who
called me so I should be verifying them. "But, sir, WE are the bank and you
could be anyone who just answered your phone."

The credit union I now use just presents a message with their name and a
request to call back. "We may have detected a fraudulent purchase; please give
us a call at the number on the back of your card and reference case number
[digits]." Fortunately, their system is much better; I've only heard this
message once.

~~~
CWuestefeld
_their potential-fraud-detection department was similarly bad. ("You used
your debit card at an AM/PM in Washington State!!!!" Yes, I know, it is about
900 feet from my house; I go there regularly.)_

A year ago I had an awful experience with this.

We were on vacation at Big Bend National Park, which is hours away from
everything in southwest Texas. When trying to pay for breakfast, our card was
denied. I tried to call the card company to tell them that it was OK, but
couldn't get through - there was no cell service. Outside the restaurant was a
pay phone (remember them?) that I was able to use to call their 800 number.

I learned then that they'd actually flagged my card as stolen, so I could no
longer use it at all, and to get it turned back on I needed to receive the
code they were sending by SMS and read it back to them. The thing was, we were
in a dead cell area, we couldn't get the SMS. And Big Bend is mind-bogglingly
huge - 1,252 square miles of mostly desert (there's a whole mountain range
entirely contained within the park). As far as I could tell, I didn't have
enough gas to drive out of the park to get to cell service to achieve this
(the park is so big that it's got its own gas station in the middle, and I'd
intended to use this - but without my card, how can I?).

It seemed a perfect trap, there was no way we were going to be able to get
out. What eventually saved us was that the hotel manager overheard me shouting
at the card people, and came out to give me a map, with the places inside the
park that can get SMS text highlighted. Using that I was able to fulfill their
requirement.

They never were able to tell me why they flagged the card in the first place.
They told me that they advise all card holders to warn them when they plan to
go out of state. But I live in Texas, and I was in Texas when the charge
triggered. They just shrugged that off.

~~~
reaperducer
As someone who travels in remote corners of deserts very frequently, I can say
that you can never have too much water, fuel, or cash.

And when you're in a scrape, you can often barter with all three.

~~~
KineticLensman
My wife and I (we are both Brits) were driving in the middle of nowhere in
Washington state. We stopped at a garage to get petrol/gas and discovered that
the credit card machines in the unmanned gas station only seemed to accept
credit cards issued in the US - IIRC the PIN equivalent was a US zip code. Our
personal credit cards (UK cards) and cash (no teller) were thus useless.
Luckily my wife had a corporate credit card issued in the US that we were able
to use, on the principle that she could ask for forgiveness from her company
when we got back.

~~~
astura
For foreign credit cards oftentimes entering 00000 or 99999 for zip code
works.

The other thing that sometimes works is entering the digit part of your postal
code and padding it out with zeros. Ex: if your postal code was 1A2B3C you'd
enter 12300.

------
hinkley
My bank's fraud department sent me a voicemail saying my card had been
deactivated and I needed to call them at 1-800...

Yeah, fuck you. I'm not calling a fraud prevention number that was given to me
over the phone and more to the point, what is wrong with you for asking your
customers to trust people that called them on the phone.

I called the main switchboard for the bank and couldn't find the fraud number
from there. They got an earful about that too. None of this is okay, including
why they flagged my card (Not for buying a TV and a bluray player, no. For
getting a $8 car wash on the way home...)

~~~
albedoa
Yes! This happened to me too and is very alarming. It’s training users to fall
for phishing.

I’m not sure what a correction looks like though. Should they call customers
and instruct them to find or verify a phone number and call back? Instruct
them to log into their online account? That would be fine for you and me, but
I’m thinking of the average cardholder.

~~~
jefftk
Telling them to call the customer service number on their credit card seems
pretty good?

~~~
jrochkind1
I just got one of these that had me call a DIFFERENT number than the one that
was on my credit card -- the whole time I was thinking it was probably a
phishing thing as I was giving them all my info, but in the end it was to ask
if I had really made a charge that I _had_ really made the day before (in a
city I'm not normally in)... so I'm pretty sure it was legit. Probably?

------
ravenstine
I believe that phone companies are complicit in this criminal activity, as
they seem to have virtually no interest in actually stopping it. I've already
turned off calls on my phone because "why bother", and more and more people I
know are doing the same thing. The phone companies probably make so much on
streaming that they don't give a shit about the phone system. This is a really
bad thing for crime, but might help accelerate the death of a decades-obsolete
technology.

~~~
vecinu
> I've already turned off calls on my phone

How do you do that on an Android phone?

~~~
ravenstine
My phone is a Galaxy S5 with Android 6, but it's here:

Settings > Call > Call Rejection > Auto reject mode

Set it to "All incoming calls".

------
rb808
How come in 2018 we can't get a reliable CallerID. Surely this is something
that could be simply regulated.

Perhaps there should be a few types of CallerID - verified, physical and
nominated. Eg a company calls you with a verified ID (like TLS), a local
number from a single line is physically authenticated and anything else is
just a best guess. That way we can filter more reliably.

~~~
phkahler
No options. Make it mandatory and make it unable to be faked.

~~~
EamonnMR
It wouldn't really need to be mandatory, just something that cell providers
and reputable businesses provided. Then phone companies could start rejecting
anything that didn't provide it.

~~~
cm2187
But how does the telco in the last node know the caller id is accurate? They
can only tell that the data is coming in that direction but it could have been
routed multiple times before (if phones work like the internet protocol). The
only telco who can ensure that must be the one who initiated the call (exactly
like IP spoofing).

------
wafflesraccoon
I'm at the point where I don't answer the phone unless I know the number
calling me or I'm expecting a call.

~~~
amelius
Yeah, even my friends don't call me (they use Whatsapp/SMS), so why should
some random marketeer have the privilege of actually talking to me on the
phone?

------
ttul
The issue, as I understand it, is that the SS7 telephone network is completely
insecure assuming that you have the ability to connect to it. Shady gateway
providers will allow you the privilege, and once you're in, you can do just
about anything.

There is precious little within SS7 to prevent or respond to spoofing. It's a
major nightmare for telephone companies.

~~~
howard941
How did spoofing work vis-a-vis those with 1-800 inbound lines? I was under
the (mis?)impression that those users were protected against spoofing because
they were (are?) billed by inbound call duration.

> It's a major nightmare for telephone companies.

Disagree. It's a bug for the telcos, and a major nightmare for the rest of us.

~~~
wintermutesGhst
Having spent a bit of time working on projects that touch the phone network, I
think it is a 'major nightmare' in the Lovecraftian sense--I for one am
forever changed by what I saw.

As for billing, it is usually based on the destination number, and your
originating telco, unless I am misunderstanding your question.

~~~
amatecha
Does this imply I should answer the 1-800 calls and keep them on the line as
long as possible? :D

~~~
drewmol
If you suspect a scammer called you, always keep them on the line as long as
possible. Feed into the scam and act as gullible as possible, give them fake
cc numbers, etc.

~~~
metildaa
Best to extract as much info as possible, business name, callback numbers,
email addresses, etc. The more info, the easier it is for the FCC to bring
enforcement action against fraudulent callers.

------
King-Aaron
Can anyone offer any insight into the latest series of odd phone calls I've
been noticing, where you get either a private number or an out-of-state number
call you, and then sit in silence until you utter a word in which it hangs up
at that moment?

I've experienced a few so far over the previous months. I've even experimented
by not saying anything for an extended time - up to about 30 seconds of
silence (and then it usually hangs up itself). But the next time it happens,
if you say 'hi' within a few seconds, it immediately hangs up afterwards. Like
it's waiting for a verbal prompt.

The apathetic part of me thinks 'maybe it's a robocall that's bugging out', but
then the pessimistic part of me wonders 'are they trying to sample my voice'.

~~~
kalleboo
One reason for calls that get instantly disconnected is that when these
systems will call up, say, 10 people at a time, 8 won't answer, so there's no
reason to tie up 10 operators waiting for someone to answer. So they don't
connect you to an operator until you actually pick up the phone/interact. But
if they miscalculated and 4 people answered, they don't have enough operators
and they just hang up.

~~~
King-Aaron
Interesting, I wasn't aware this could be the case.

------
afo
We (Nomorobo) have a bunch of recordings of this type of scam. They're scary.

[https://nomorobo.com/lookup/844-386-9815](https://nomorobo.com/lookup/844-386-9815)

~~~
chasingthewind
Love your service! I've been using it for a few years now I think and it's
really helped. Thanks!

~~~
afo
Thanks! I really appreciate the support. These voice spam calls have gotten
out of control.

------
carapace
Who are the people manning the phones for the scam? Does it really pay better
than a real job? I mean if you have the skills to scam like this you have
skills that are valuable to legit business as well, no?

I knew a few criminally-minded people back in high school and my early 20's (I
don't associate with them anymore.) The thing that always struck me about the
"criminal mind" is that they were ready and willing to work hard, as hard or
often more as a real job, to try to make money. I asked one guy once about it
and he basically said that it was the idea of getting over on society, or "the
Man", or something. "Getting away with it."

This same guy also refused to open a saving account, but he would buy CD's
(certificate of deposit) with ~3 month terms, and pay down the payments,
because _it felt like having twice as much money_. To him it felt like he got
to spend the money (that he used to secure the CD) twice: once with the money
the bank loans him, and then again when he pays off the CD and they give him
his original money back.

Now, this is insane. He's just giving the bank some money.

I asked him about this because it's so crazy, and he said "I can pay bills",
meaning that he can psychologically deal with the idea of having to hustle to
pay the ongoing payments on the CD, but (for whatever reason) he can't just
give some of his money to the bank and not touch it. He literally can't feel
right about savings. So he does this weird thing that basically inverts the
whole idea of banking. He even knows it's crazy but it's a working equilibrium
for him.

Anyhow, I wrote all that in the present tense but this was years ago and I
lost touch with the guy.

I am astonished that the scammer-telemarketers who can sit there and carefully
run these scam-scripts on marks don't just go get legit jobs. I wonder what
economic context they are in? Or are they just, uh, morally corrupt, or
something? The mystery of the criminal mind.

~~~
roywiggins
Reply All decided to try to get to the bottom of a specific "tech support"
scam, which might shed some light.

[https://www.gimletmedia.com/reply-all/102-long-distance-part...](https://www.gimletmedia.com/reply-all/102-long-distance-parts-1-2)

------
xphilter
Number one advice I give my family: never give out any information (no matter
how inconsequential it seems) to a person purporting to be from a company
calling you. Hang up and call the company yourself using a trusted number
(e.g., the number on the back of a credit card).

~~~
dubhrosa
Banks should really just stop calling customers and taking them through
security. If there's something urgent, the protocol should be that they call
you, give you a ticket number, and tell you to call them back on the bank's
standard number for customer service. Anything else just conditions people to
expect incoming calls with security questions which will always result in
scammers finding a way through.

~~~
kweks
This can _also_ be scammed due to the timeout "feature" in telephone systems.
I.e., the scammer calls, tells you to call the number on your card. You believe
they hung up, but they are still on the line. When you pick up your phone
again, you're still connected, and they're playing a dial tone.

[https://www.geekrant.org/2016/05/08/phone-scam-part-1/](https://www.geekrant.org/2016/05/08/phone-scam-part-1/)

~~~
ams6110
How many people still use landline phones? I don't know anyone.

------
hprotagonist
More and more, my plan seems wiser.

I’ll generally get a phone call like this, and hang up and re-initiate a
request myself starting from the phone number listed on my card.

~~~
misnome
This. I'm also happy to phone a direct number that they give me (e.g.
subdepartment), as long as I can find the telephone number listed on their
public web site.

The sticky ones are things that seem to somehow be tied into people at the
actual company scamming - my parents recently got a scam Openreach call within
a few hours after calling to complain that their telephone had been
disconnected a week earlier than promised. They had knowledge of the complaint
call, but did the standard scam walkthrough of looking at event viewer and
asked for the router ip address.

See also the conveyancing scams whilst buying houses where phishers
impersonate the exact solicitor's email format and know exactly when the
monetary transfer is supposed to take place in order to get you to pay a
different bank account.

~~~
TrinaryWorksToo
Do we need a certificate authority for phone numbers now?

~~~
EamonnMR
That would actually be a very good idea to cut down on number spoofing.

~~~
TrinaryWorksToo
Yeah I figured as such. You could pass a hash to a certificate via caller ID

------
eyesee
If I were able, I would disable incoming telephone calls entirely (consider
that a feature request, Apple). The phone system today is fundamentally
untrustworthy because of caller ID spoofing, and the phone companies involved
are culpable for not addressing this problem.

A new ID system using PKI could eliminate the spoofing problem completely.
Yes, I'm sure it would require a huge coordinated effort. Given spam calls
will exceed 50% of all calls next year [1], this should be seen as an
existential crisis for phone companies.

[1]: [https://finance.yahoo.com/news/spam-robocalls-will-soon-acco...](https://finance.yahoo.com/news/spam-robocalls-will-soon-account-almost-50-calls-183157916.html)

~~~
mmirate
Public-key identity verification wouldn't even require substantial upgrades to
anything except the phone hardware itself - when making the call, just convey
the signature upon connection via a dialup-modem-like encoding, and the
receiver may at their discretion neglect to connect their audio hardware to
the line until after verifying that data.

(Could even use some kind of PoW as another option, for calls where the
receiver is unlikely to have received your public key yet.)
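
The idea in the comment above (sign the call, verify before connecting audio), sketched as an added example that is not from the thread or from any real telephony standard. The token format, the 30-second freshness window, the result strings and the constructed 555-01xx numbers are all assumptions for illustration, with Node's built-in Ed25519 standing in for whatever signature scheme a real deployment would pick.

```javascript
// Added illustration: receiver-side check of a signed caller ID.
// Assumption: contacts' Ed25519 public keys were exchanged out of band earlier.
const crypto = require('node:crypto');

const MAX_SKEW_MS = 30000; // assumed freshness window for a call token

// Caller side: sign who is calling whom, and when, before audio is connected.
function makeCallToken(privateKey, from, to, now = Date.now()) {
  const claims = { from, to, ts: now, nonce: crypto.randomBytes(8).toString('hex') };
  const payload = Buffer.from(JSON.stringify(claims), 'utf8');
  const sig = crypto.sign(null, payload, privateKey); // algorithm is null for Ed25519
  return { payload: payload.toString('base64'), sig: sig.toString('base64') };
}

// Receiver side: decide what to do with an incoming call.
class CallScreen {
  constructor(myNumber, contacts) {
    this.myNumber = myNumber;
    this.contacts = contacts;  // Map: phone number -> public KeyObject
    this.seen = new Map();     // "from:nonce" -> token timestamp (replay cache)
  }

  check(claimedCallerId, token, now = Date.now()) {
    const key = this.contacts.get(claimedCallerId);
    if (!key) return 'unverified';            // no key on file: treat as a stranger
    if (!token) return 'reject:no-token';     // known number, but nothing proves it

    let claims;
    try {
      const payload = Buffer.from(token.payload, 'base64');
      const sig = Buffer.from(token.sig, 'base64');
      // Verify before parsing, so unauthenticated JSON is never interpreted.
      if (!crypto.verify(null, payload, key, sig)) return 'reject:bad-signature';
      claims = JSON.parse(payload.toString('utf8'));
    } catch (err) {
      return 'reject:malformed';
    }
    if (claims === null || typeof claims !== 'object') return 'reject:malformed';

    // The signed number must be the one displayed, and the call must be for us;
    // otherwise a token captured on a call to someone else could be relayed.
    if (claims.from !== claimedCallerId) return 'reject:number-mismatch';
    if (claims.to !== this.myNumber) return 'reject:wrong-callee';
    if (typeof claims.ts !== 'number' || Math.abs(now - claims.ts) > MAX_SKEW_MS) {
      return 'reject:stale';
    }

    // Entries older than the window would fail the freshness check anyway.
    for (const [id, ts] of this.seen) {
      if (now - ts > MAX_SKEW_MS) this.seen.delete(id);
    }
    const id = `${claims.from}:${claims.nonce}`;
    if (this.seen.has(id)) return 'reject:replay';
    this.seen.set(id, claims.ts);
    return 'ring';
  }
}

// Constructed scenario: Bob has Alice's key; Mallory spoofs Alice's number.
function demo() {
  const ALICE = '+12025550101', BOB = '+12025550102';
  const CAROL = '+12025550103', MALLORY = '+12025550199';
  const T0 = 1540000000000; // fixed clock so the run is deterministic

  const alice = crypto.generateKeyPairSync('ed25519');
  const mallory = crypto.generateKeyPairSync('ed25519');
  const bob = new CallScreen(BOB, new Map([[ALICE, alice.publicKey]]));

  const good = makeCallToken(alice.privateKey, ALICE, BOB, T0);
  const forCarol = makeCallToken(alice.privateKey, ALICE, CAROL, T0);
  const forged = makeCallToken(mallory.privateKey, ALICE, BOB, T0);
  const old = makeCallToken(alice.privateKey, ALICE, BOB, T0);

  return {
    genuine: bob.check(ALICE, good, T0 + 1000),
    replayed: bob.check(ALICE, good, T0 + 2000),
    forged: bob.check(ALICE, forged, T0 + 1000),
    bareSpoof: bob.check(ALICE, null, T0),
    relayed: bob.check(ALICE, forCarol, T0 + 1000),
    stale: bob.check(ALICE, old, T0 + 120000),
    stranger: bob.check(MALLORY, forged, T0),
  };
}

console.log(demo());
```

A spoofed number with no token or with the wrong key never reaches `ring`, so a displayed caller ID that matches a contact is only trusted when that contact's key signed this particular call.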

------
segmondy
The latest scam I've experienced is when I last sold my car through craigslist
recently. I would get voice calls, the person says hello, starts asking about
my car and the call would cut off.

Then I would get a text saying, "sorry, bad signal or it's loud where they
are". At that point, a chat bot takes over asking questions about the car and
talking about how they really want to buy it but need to make sure that it has
no accident and that I should get a car verification report and if it has a
clean history they will buy it. A link is then sent to me via text.

What I haven't figured out is if they are going to steal the CC info if
entered in the link or give me some bogus report that costs $5 to acquire and
charge me $100 for it.

~~~
fijix
Usually, the scammer is getting an affiliate commission whenever you complete
the verification report.

You see this a lot with job listings and rentals where the scammer will link
to a background check as a condition of hiring/renting.

------
paulie_a
The amount of spam calls is fucking insane, the FCC needs to seriously crack
down. Start fining telecom companies a buck a call and I think the problem
would go away. Hell make it 5 dollars for every call after the first ten
thousand, I receive at least 5-10 a day. If it is an obviously spoofed number
make it 50 dollars. The telecoms have the capability to deal with it, they
simply have no incentive to bother.

I've had a conversation with my cell carrier where I asked to block Texas and
Florida, every area code in those states. Apparently that is not possible.

------
post_break
What do I have to do to get my iPhone to only allow calls from my contact
list, without using DND 24x7. Something has to happen for this setting to come
out. Will it take enough spam calls to a CEO of a major company to come out
with it?

~~~
snarf21
I like this but it will only help a little and temporarily. I've received
calls from _my own_ number. Given the amount of data out there in social media
and seeing friends of friends, the scammers will be able to call you from a
number that is in your contact list. The phone system needs a new layer but
one that is optional. If a call comes via the old layer, your phone warns
you that this call may be fraud.

------
jor-el
I am interested to understand how these attacks work. The article states,
after the victim disclosed the CC number there were ATM transactions performed
using it.

How are scammers able to generate a physical card in first place to perform
ATM transaction? Is it something similar to card skimming with cards having
magnetic stripe? Can this attack be performed with cards using chips?

Also I often come across a fraudulent transaction being performed even if only
credit card number is disclosed, while cvv and expiry date are not. As per my
understanding all 3 info is needed to perform a transaction.

Does anyone have some resource where these attacks are discussed in detail and
how they are carried out?

~~~
Scoundreller
Yes, some countries still use the magnetic stripe for authentication, or allow
fall-back onto it if the chip “fails”.

------
fpgaminer
We all make mistakes, so I'm hesitant to ever say they should have known
better. But...

> Even technology experts are getting taken in by some of the more recent
> schemes (or very nearly).

Rule number one about phone scams, which I've seen repeated numerously so
"technology experts" should know this ... _always_ verify and call the number
back. I was under the impression that was common knowledge?

The scams iterated in this article, no matter how complex, would all have been
prevented by that simple and pervasive rule.

> “People I’ve talked to about this say there’s no way they’d fall for that,
> but when someone from a trustworthy number calls, says they’re from your
> small town bank, and sounds incredibly professional, you’d fall for it,
> too,” Haughey said.

When someone from a trustworthy number calls, says they're from your small
town bank, and sounds incredibly professional, you follow the exact same rule.
Hang up. Verify the number. Call back.

Again, even the best of us make mistakes, so I'm not trying to be critical of
the victims here. I'm just surprised is all.

~~~
NeedMoreTea
> _always_ verify and call the number back

Fine in principle, but banks do call, and often have no direct dial, as a
matter of policy, for whoever you're speaking to.

So it becomes verify the number, call back, and spend 30+ minutes in a queuing
system before some lowly call centre worker on another continent incorrectly
tells you they can't connect you to the xyz department.

It used to work before call centres and all the small banks became just
branding on the front of one of the big 4. You were even allowed the phone
number of the local branch! That's the UK market btw.

~~~
vpmpaul
Yeah. I worked in banking during the crash. Upper mgmt literally told us to
pretend we were XXX small bank (on a list of banks) if someone called and
asked about it. Even though we were just large bank 1-4 that bought them.

------
nanomonkey
Most robo-callers feel like Phishing scams. I've been contemplating giving up
my cellphone and just using a Calyx mobile data
([https://www.calyxinstitute.org](https://www.calyxinstitute.org)) and use
Signal, email and Mumble only. Anyone else do something like this
successfully?

~~~
socialist_coder
I did it for 6 years when I lived in Germany. I had a data only sim card and a
google voice US phone number.

Verdict: It's not doable if you want it to work 100%. And in the US I would
say it's not doable at all because Android/dumbphone users are still using SMS
instead of a messenger app like Whatsapp, so you have no way of communicating
with them at all.

The biggest problem for me was online services that want to verify your
account via your phone number. They don't understand not having a phone
number. And about 20% of the time, they block VOIP phone numbers for
verification purposes, so your google voice number won't work there either.
Literally no way to move forward there other than ask a friend to let you
borrow their number or use your burner phone or something.

You also can't sign up for Whatsapp without a phone number, but luckily it
does work with google voice.

Google voice also doesn't let you set it up so your device gets incoming calls
unless you forward them to a real phone number. So you can only make calls
with it, not receive. Maybe some other VOIP solutions are better at this. The
google voice app on iOS is pretty shitty.

Now that I'm back in the US, I had to get a phone number because messenger app
adoption is very very low. iOS users are fine because iMessage is awesome, but
for people on Android, there's just nothing. They still use SMS. Maybe you can
get around this with VOIP, but I didn't want to hassle with it.

~~~
nanomonkey
Thanks!

I'm not concerned about Whatsapp, and I figured I use Twilio for text
messages. Out of service phones can still call emergency services, 911. My
main concern is being "that guy" who everyone has to make exceptions for when
contacting.

------
flyinghamster
I've had an Asterisk box for about 10 years now, mostly to deal with the tide
of junk calls, and it has worked nicely. I first just blacklisted numbers (and
sometimes whole prefixes), but now I use a CAPTCHA that handles the
robocallers beautifully. Calls from known numbers get to ring through without
the CAPTCHA.

Still, I've been paying too much for that crusty old landline, and finally got
motivated to do something about it. I just ported it out last month, and the
new VoIP service I'm using costs _less per month than what AT&T was charging
just for Caller ID._ Even funnier, they offer telemarketer blocking like I've
set up, at no extra charge.

Farewell and f*ck you very much, AT&T. You didn't even lift a finger to ensure
that the Caller ID I paid for was accurate.

~~~
dredmorbius
Could you please point to guides / docs / references for setting this up?

Might make some good HN submissions ;-)

~~~
flyinghamster
Here's a good starting point:

[http://nerdvittles.com/?p=75](http://nerdvittles.com/?p=75)

Of course, with Asterisk, you can get downright crazy if you wish.

~~~
dredmorbius
A bit more a "getting started" guide than this, actually.

Hardware, configuration, concepts.

------
AcerbicZero
I haven't even had a debit card issued for my core bank account, and there is
very little chance I ever would at this point. There just isn't a good reason
to put my money at risk when I can use a variety of credit cards instead, and
just pay them off every month. On the rare occasion I need cash, I can do a
cash advance (with an associated charge....really useful motivation to avoid
needing cash more than once or twice a year).

Unrelated, but I'm pretty sure I know what credit union they're talking about.
Super nice place that is focused on the tech workers in the Portland area, and
I've always had good experiences with them.

------
JBlue42
We deal with this on a semi-monthly basis at the hospital I work at. We'll
hear from one department ("Hi, this is the Emergency Dept, all our phones are
busy with a robocaller") then it will roll across other departments for about
20-30 minutes. The best our telecom team has come up with is to take the
numbers, give to the FBI, and ¯\\_(ツ)_/¯. Last time, they had spoofed the
number of FedEx so we couldn't even report that.

Most are very noticeable for being in Chinese and tying up multiple lines at a
time. That's not really great though, like in the example, when it's all the
phones in the ED.

------
neuralRiot
> That made Sasser pause. Wouldn’t an actual representative from Wells Fargo’s
> fraud division already have access to his current PIN?

No, nobody has access to your PIN, if you forget it you need a new card.

~~~
roywiggins
> if you forget it you need a new card

That's not true- you can reset your PIN if you go to a physical Wells Fargo
location, I've done it.

~~~
mmcconnell1618
Resetting a PIN is different from having access to the old PIN number.
Obviously some system in the bank has to verify that the PIN you enter at an
ATM matches the one you selected but resetting is a separate operation that
does not require the original number.

------
tonymet
This highlights what I see as the biggest security weakness with banking and
online services -- identity verification is only one-sided. Protocols like
passwords, PINs, biometrics, secret questions only authenticate the customer
and not the service provider. Moreover, no one is talking about this huge
weakness. For there to be trust, both sides need to be trusted.

For apps, this could be a one-time code validated in the app. As a fall back
there could be a unique shared "service pin" that gets rotated.
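
The one-time code suggested in the comment above, sketched as an added example (not part of the original thread and not any bank's actual scheme): the bank's agent reads out a short code derived from a secret provisioned in the app at enrollment, and the app checks it. The shared secret, the 60-second step and every name here are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # assumption: each code is valid for one 60-second window
DIGITS = 6         # assumption: short enough to read out over the phone
LABEL = b"bank-to-customer-call"  # domain separation from customer-login codes


def code_for(secret: bytes, counter: int) -> str:
    """HOTP-style code (RFC 4226 truncation) over HMAC-SHA256."""
    digest = hmac.new(secret, LABEL + struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def bank_code(secret: bytes, now: float) -> str:
    """Bank side: the code the agent reads to the customer at time `now`."""
    return code_for(secret, int(now // STEP_SECONDS))


class AppVerifier:
    """Customer side: runs in the app, which holds the enrollment secret."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1  # highest time step already accepted

    def verify(self, spoken_code: str, now: float) -> bool:
        # Reject anything that is not exactly DIGITS ASCII digits.
        if len(spoken_code) != DIGITS or not (spoken_code.isascii() and spoken_code.isdigit()):
            return False
        current = int(now // STEP_SECONDS)
        for counter in (current - 1, current, current + 1):  # tolerate clock skew
            if counter <= self.last_counter:
                continue  # a code from an already-accepted step is a replay
            if hmac.compare_digest(code_for(self.secret, counter), spoken_code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-enrollment-secret-01"  # constructed sample value
    now = 1_700_000_000.0                          # constructed timestamp
    app = AppVerifier(secret)
    code = bank_code(secret, now)
    print("real bank:", app.verify(code, now + 20))
    print("replayed :", app.verify(code, now + 20))
    print("imposter :", app.verify(bank_code(b"no-secret", now), now))
```

A caller who has only spoofed the bank's number cannot produce a code the app accepts, which is the property caller ID lacks.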

------
tonyquart
Well, I think these scammers will always try to steal our money by using
hundreds of methods and tricks. Almost every day I could read dozens of
complaints and reports filed at social media and also sites like
[http://whycall.me](http://whycall.me) about phone scams. We need to keep
informing our family about these scams. They are never getting tired of
trying.

------
kweks
One of the issues is that the scams adapt themselves to current "best
practices" (use known information to reassure you, tell you not to divulge
other pieces of information) - whereas the legitimate institutions use poor
practices.

When I call my bank, they ask for verification by giving an account number,
credit card and expiry details (!)

------
tormeh
Good news, everyone, the industry is moving towards SIP! Bad news is that it's
just as bad. There are no improvements in security because that would break
backwards compatibility.

Also, there's no one who wants to pay extra for security, and the telecoms
industry have the virtue of laser-like focus on money.

------
jaclaz
The sad thing is that I am old enough to remember when a call from the bank
meant that the director of my local branch office or however someone I knew
personally was on the phone, usually to ask to go to their offices because
something needed my presence/signature.

~~~
reaperducer
I remember that, too. It was a huge deal if a bank called you.

Now, when I go into a Chase or Citibank or whatever branch with a question,
all the "banker" guy does is call the same 800 number I would have called, and
wait on the same 40 minute hold as I would have. They don't even have special
in-house IVR anymore.

Meanwhile, I drink all their free coffee.

------
jader201
Why has Apple/Android not added the ability to reject (or at least send
directly to voice mail) all calls outside of contacts, and make this the
default setting?

Seems like this would solve almost all of these problems.

------
nerdbaggy
It’s a hard problem to solve since being able to set your own outbound caller
ID number is so critical for the phone business.

- Call Forwarding
- Picking which trunking provider to send a call out
- etc

------
dade_
When receiving a call from your bank's contact centre, always thank them, hang
up and call the number on the back of your card.

This should be the standard advice from banks to their customers.

------
saudioger
This is why I don't answer the phone unless it's a contact. Everyone else can
leave a message.

~~~
rustcharm
Did you read the article? Many people have their bank or credit union in
the contacts. This won't help if they're spoofing a bank number.

> Cabel Sasser is founder of a Mac and iOS software company called Panic Inc.
> Sasser said he almost got scammed recently after receiving a call that
> appeared to be the same number as the one displayed on the back of his Wells
> Fargo ATM card.

~~~
saudioger
Might as well put your social security and pin number in your phone too. Bank
phone numbers in your contacts are a huge vulnerability. Just Google them when
needed... or you know, look at the card.

------
the_new_guy_29
I don't think I even heard about such an issue in the EU.

------
paul7986
Easy solution: don’t answer phone calls from those not in your contacts.

~~~
rustcharm
Huh? The caller ID was spoofed. Read the article.

> Cabel Sasser is founder of a Mac and iOS software company called Panic Inc.
> Sasser said he almost got scammed recently after receiving a call that
> appeared to be the same number as the one displayed on the back of his Wells
> Fargo ATM card.

~~~
paul7986
It didn’t say.. wife, friend, mom, joe, etc.. you know people you entered into
your contacts.

Personally, if someone needs to get a hold of me outside of my contacts email
or text me and I’ll get back to you accordingly.

