There's an incoming audio channel and some metadata [caller id]. You have no idea whether the metadata [email recv from] is spoofed. All you _really_ know for sure is the carrier you're receiving the call from [sort of like an IP address] and whether or not you "trust" them not to lie about the authenticity of the metadata.
If the FCC wants to tackle this problem, as another HN user said, we really just need the equivalent of DKIM and SPF signing of the call metadata.
Despite the TCPA Act outlawing the calling of cellphones...
Robo callers in the USA rotate phone numbers very quickly, so as to prevent anyone from figuring out who placed a call and when.
In a world where you can watch a 1GB Youtube video in Europe that's hosted in the US at pretty much no charge, do you think it's decent to charge for texts - something that's only 160 bytes of data? Yet that's exactly what the telcos are doing.
I don't think every telco is criminal.
It's listed online by other people as a scam number. I did report it, and I ought to collect the other numbers as well.
"The constant reassignment of phone numbers creates further problems in determining which calls are legitimate and which aren’t."
I find that hard to believe. Shouldn't the phone company know up to the second exactly which numbers it has assigned and which it hasn't? And couldn't it pass that info on to peers?
This doesn't even take into account the problem that sending an arbitrary caller ID is trivial and verifying ownership of a given caller ID is impossible (this is a design choice inherent to SS7 having caller ID bolted on after the fact).
In short, no, not an easy problem.
Unless you own a business and sell a phone number as part of the business then you probably can't sell your phone number to another person.
Not to mention it's hilariously easy for a thief to port a number. They still handle port requests by fax at some phone companies.
The telco already has proof of the caller in their call records, and consequently the party with financial responsibility, but that information is not normally available without a subpoena or FBI badge. This would be an enforcement of a chain of ownership of the call, and someone who receives a call will (should) always be able to find the responsible party for DNC violations and more.
Oh, but what if the bad caller is just a person who signed up for Mechanical Turk or whatever, an independent representative? They can provide proof that they were hired and pass the responsibility up the chain to BobJonesHawaiianVacations LLC.
Having an end-to-end chain of ownership for the call that can be verified cryptographically would help a lot, since even you on the receiving end should be able to verify this provided you have the appropriate software on your phone.
Bad callers using Mechanical Turk would be a minor issue - you won't even have to sue, just get in touch with their telco and they'll shut down their access for violation of ToS (in fact a lot of telcos already prohibit using their consumer-grade plans for business usage, even if not spam). Unless you're paying those Mechanical Turk contractors a lot nobody is gonna bother setting up extra lines to make those calls, and nobody is gonna pay them a lot of money because the only way this spam works is because it's dirt cheap to spew out those calls with the current situation.
My experience tells me otherwise.
The telephone network is on the whole more reliable than any single component of the internet - and it's certainly more reliable than the internet on the whole. The internet however is more survivable - much more, because there are fewer common choke points to fail.
In a way you are correct though - nearly every component required for internet access is unreliable (because you can substitute another one with ease) whereas every network element in a phone call is much more reliable (because beyond a certain point, you cannot).
Luckily IP links are pretty reliable so that's not an issue - VoIP also allows for more resiliency, for example my phone has two independent network connections, mobile and Wi-Fi, and my VoIP provider has two servers (advertised via DNS SRV records). So my VoIP app can try each server over each connection to make a call. A conventional landline or mobile on the other hand has a single link to the telco, so if that's down you're in trouble.
Yes, much traffic does traverse on IP now - but it's private tightly controlled networks.
This network is usually "privately owned" by the telco in the USA, but is publicly owned or subsidized in many parts of the world.
But there is in general no "separate" PSTN other than last-mile copper in most of the world.
Independent failures are only relevant if you use both networks redundantly.
On the server side you can do amazing things with high availability like floating/virtual IPs (the IP of the SIP server is actually shared between multiple machines, and if the primary machine goes down the secondary takes over its IP and as far as the client is concerned nothing happened).
There are 6,829 companies listed as Active in the Form 499 Filer Database.
For my cell, Google Voice's spam blocking seems to work pretty well.
Now I get at least a call a week about my mortgage or car warranty. At first I explained to the people that I had neither a car nor a mortgage so I could get off the list, but that hasn’t helped.
She will answer and after 20s, will say: "Sorry, I have to go fetch a (tissue, glass of water, …)" Then she'll simply leave the phone on the table and will go gardening/watching TV.
The guy on the other end will be very pissed off after having waited uselessly 10 minutes and will never call again.
A robocall never seems to be missed on Google Voice. Rather they cause a 2 second blank voicemail to be generated.
If you have Hangouts integration enabled, you still get a notification for these voicemails.
If I remember correctly the law here says it's ok for you to call people to offer services or sell things, but there has to be a human talking, which is quite the deterrent.
Varies by time and by recipient. My "bad" months only net ~10 robocalls, but I'm apparently on the low end. That's more than reaches my email spam folder! I basically no longer pick up for unrecognized numbers - which has its own problems.
> What do they offer?
From what I can tell, the ones calling me are straight up scammers. "Rachel with cardholder services", "free vacation" nonsense, etc.
> Isn't there any kind of regulation?
Ineffective ones, yes. I may have received one or two legal robocalls (there are a few exemptions for e.g. political calls) but the majority I get are illegal. Enforcement is problematic - caller ID spoofing is common. VOIP lets a call center in India spoof your local area code, and even enforcement against domestic callers has taken distressingly long.
> If I remember correctly the law here says it's ok for you to call people to offer services or sell things, but there has to be a human talking, which is quite the deterrent.
We have similar here - although I'm not sure if it's legal to blind call cellphones, or numbers in the "do not call" registry, unless you've established some kind of business relationship. They're also generally required to add you to their own "do not call" lists if you tell them to (possibly an exception there for debt collectors?)
Meanwhile, these robocallers don't have a means of opting out, don't have the scammer on the line to yell at, and run the same fucking campaign for months! It'd be one thing if those ~10/month calls were varied - but no, it's the exact same prerecorded message 20 times from 20 unique spoofed phone numbers all hailing from my own area code, that I hang up 3 seconds into because I remember their intros.
I believe some of them are because literally 5 years ago, I registered a domain without using WHOIS privacy. Some of them are probably from other marketing lists, like the USPS change of address forms, and some is likely just random.
Curious, what problems? I haven't regularly answered calls from numbers I don't recognize as long as I've had a cell phone. Anyone who has a real reason to call me would leave a voicemail (or text me these days).
My experience is that this is only mostly true - and of course it's hard to tell exactly what I've missed from calls I didn't pick up except for the few times when I still hear about it later. For me this is the occasional missed social or family event - being easy to reach has its benefits.
fwiw, my elderly father uses a cellphone. The only time we can't reach him is when he leaves it inside to go outside, and then a landline wouldn't help him, either :P
I often get back to back calls with one bearing my landline prefix and followed by one to my mobile with its prefix (both numbers undoubtedly spoofed).
Although once I did get a phone call from Adobe, back when they had that big userinfo leak. I thanked them for the call, but said I wasn't going to do anything over the phone, they could contact me through my email address, which they did. So that's one legit one, at least.
I have to leave our house fax unplugged most of the time for the same reason. It is a genuine annoyance.
Then click Continue and view the list named: "What was the call about?".
This tactic may work for landlines, where prefixes are similar in particular neighborhoods (at least in the US). But for cell phones, it's actually a dead giveaway for many people. This is because prefixes are less correlated to location. For example, I have only ever known one person who had the same prefix as my cell phone. So whenever I see a matching prefix on the caller ID, I know it's a spoofed robocall.
But it's possible that these robocallers actually don't mind that people like me get wise to them in this way, because they'd rather only reach less tech-savvy targets, who don't know about caller ID spoofing.
This is like how spammers are rumored to use well-known tropes in their messages because then the only people dumb enough to respond are "qualified leads" that are more likely to fall for scams.
(not that the cookie directive is better, but the cost is small and people usually overdo it)
Anyway, to me the issue is that exchanges that plug into the POTS service need to be held accountable.
Things like: you're allowed to spoof the number if you own that number (like IP blocks) and can receive a call on that number, otherwise call gets blocked and/or you get fined (the interchange)
VoIP call rates seem to be around 3c per min (compare that to a pre-paid cellphone minute in the US and see how it's extortionate)
Auto-dialers with spoofed caller ID are usually Indian call centres doing "Microsoft support" scam; or are UK fake invoice scammers; or are UK "phone companies" who try to convince you to change your phone/broadband (or sometimes energy supply) usually by saying someone else already agreed to it and this is just the final confirmation call.
We're on all the do-not-call lists.
Robocallers tend to not leave messages (unless it is my auto insurance on a holiday telling me to drive safe).
It's really bad. Gladly, that's my work number, so if the numbers aren't in contacts, I don't answer.
I'm not sure how they do it, but here in the Netherlands I have received _zero_ automated calls in the past few years - in fact our landline probably hasn't rung at all in six months. Two or three times a year I'll get a [human] call from my cellphone or energy provider and that's it.
The regulatory organisation responsible for the country's phone numbers holds a root certificate, and as number ranges are allocated they issue a certificate to the new owner. This cert can in turn be used to sign more certs as this new owner is in turn allocating numbers to their customers. When a call is placed the originator uses its own certificate (issued to them by their phone provider) to sign the call request and this can be verified by any carrier in the path of the call. Any unsigned caller ID gets flagged or the call is outright dropped.
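A minimal sketch of the delegated-certificate scheme described in the comment above, added here as an example; it is not part of the thread and not any deployed standard's format. Ed25519, the `Cert` layout, the function names and the phone numbers are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Cert binds a public key to the number range [Lo, Hi], signed by its issuer.
type Cert struct {
	Lo, Hi uint64
	Pub    ed25519.PublicKey
	Sig    []byte
}
func certBody(lo, hi uint64, pub []byte) []byte { return []byte(fmt.Sprintf("cert|%d|%d|%x", lo, hi, pub)) }
func callBody(from, to uint64) []byte           { return []byte(fmt.Sprintf("call|%d|%d", from, to)) }

func NewKey() (pub ed25519.PublicKey, priv ed25519.PrivateKey) {
	pub, priv, _ = ed25519.GenerateKey(nil) // error ignored in this sketch
	return
}

// Issue lets the holder of a range certify a sub-range for another key.
func Issue(issuer ed25519.PrivateKey, lo, hi uint64, pub ed25519.PublicKey) Cert {
	return Cert{lo, hi, pub, ed25519.Sign(issuer, certBody(lo, hi, pub))}
}

// SignCall is the originator signing the call request with its own key.
func SignCall(k ed25519.PrivateKey, from, to uint64) []byte { return ed25519.Sign(k, callBody(from, to)) }

// VerifyCall walks regulator -> carrier -> subscriber; the last key must sign the call.
func VerifyCall(root ed25519.PublicKey, chain []Cert, from, to uint64, sig []byte) error {
	key, lo, hi := root, uint64(0), ^uint64(0)
	for i, c := range chain {
		if len(c.Pub) != ed25519.PublicKeySize || !ed25519.Verify(key, certBody(c.Lo, c.Hi, c.Pub), c.Sig) {
			return fmt.Errorf("cert %d: bad issuer signature", i)
		}
		if c.Lo > c.Hi || c.Lo < lo || c.Hi > hi { // a holder cannot delegate numbers it was never given
			return fmt.Errorf("cert %d: range outside issuer's allocation", i)
		}
		key, lo, hi = c.Pub, c.Lo, c.Hi
	}
	if len(chain) == 0 || from < lo || from > hi || !ed25519.Verify(key, callBody(from, to), sig) {
		return fmt.Errorf("caller ID %d not backed by a valid signed chain", from)
	}
	return nil
}

func main() { // constructed numbers: the carrier was allocated 3120000000-3129999999
	rootPub, rootKey := NewKey()
	carPub, carKey := NewKey()
	chain := []Cert{Issue(rootKey, 3120000000, 3129999999, carPub)}
	fmt.Println(VerifyCall(rootPub, chain, 4155550100, 2025550123, SignCall(carKey, 4155550100, 2025550123)))
}
```

The signature in this sketch covers only the calling and called numbers; a deployable design would also sign a timestamp so that a captured call request cannot be replayed.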
The great irony of this era of connectivity is that there's no single way to definitively reach me. I'm so inundated with spam and notification noise that I tune basically everything out.
Having tried to reach someone from jail, this is surprisingly hard when you don't have your cellphone with you, and one of the few numbers you've memorized doesn't accept collect calls.
I once received a call on my phone system which ended up in a several hour long message of pretty much every ad that was on the robocall system. Very interesting but also very disturbing in a way.
So am I to understand that the phone services don't see the spoof attempt? I know it's a separate information that is passed along but the number should be sacrosanct and if not from a physical location that the phone company can verify should be represented as such on the end call. The name and text I know isn't simple to deal with but none of the robo calls I am getting provide it.
I have found that waiting for the real person to pick up and asking for company name so I can report them does tend to cause the calls to drop off for a while. Still I would prefer them to not be on my cell. They certainly do not respect any do not call list.
There are valid reasons to have a "spoofed" caller ID. Calling out from a company phone, providing switchboard caller ID. Having multiple (or a block of) numbers. Having international number from another provider bound to your cellphone. And many others. But for that to work, whoever you're calling has to accept what the Telco sends them.
Technically, there is a pair of standards called SHAKEN/STIR that basically puts a trust model into the call flows (certificates, signing, attestation etc.) but it's not yet widely deployed. Kind of like DKIM/SPF for SIP. Companies like Neustar and Metaswitch have software to do this for example.
Same goes for "legitimate" robocalls. I don't want to take your customer surveys.
This scourge has gone on for years. How many elderly and poor have been duped?
Now fix the technology problems and prosecute the bastards.
What are these countries doing differently? More expensive calls? (I know that in the US as opposed to other countries the receiver pays the extra costs of a mobile call vs the caller, even if these days those extra costs may be zero with "all you can eat" style plans)
USPS got very upset for someone taking aim at spammers who are their major revenue source (really! and this is my government :( )
Their disdain for technology and ignoring end user desires is phenomenal (send an overnight package via FedEx, see it by the minute as the package travels; send an overnight via USPS, see "no record for package" until 24-36 hrs later by which time the package is usually delivered already). This IMO costs them a lot of potentially highly profitable business. But they do not (seem to) care.
Asking about being put on a do not call list often ends up just them laughing at me or hanging up right away. I tried the national do not call list, even was submitting every instance of these calls to their database for a month or so, but it didn't make any difference.
I was going to try pretending to be interested in their service then trying to find their company name or address. But then I heard that's not that easy, they either don't give that away easily (expecting people would do this) and once you do that it's hard to sue them because then you have established a "business relationship".
If they are in another country altogether, then anything like small claims courts is just a joke and doesn't work either.
With the way caller ID is easily spoofed I don't see any obvious solution.
I actually get excited when I get telemarketers because the robot sometimes fools them enough to keep them on the line for a few minutes. The longer the conversation, the more irritated the telemarketers get, and that's quite satisfying. Here's some sample calls:
How far can the FCC's aim pull a semi-truck?
Why bother fining a single guy $120 million? What purpose does that serve?
Fines are designed to be a deterrent not just for the person that was fined but to others so they won't do the same thing.
Don't get me wrong, he should be fined and potentially even jailed if it is flagrant abuse but fining someone $120m makes the process a joke.
It's pointless to randomly reduce the fine because he's a single person.
They get to garnish his wages forever. They get to take any inheritance or any other windfall he ever gets.
My guess is, this is legislation designed to sting when even large, resource-heavy corporations do it. Example: Dish Network got fined $341 million in two separate TCPA violations recently (http://www.fcclawblog.com/2017/06/articles/fcc/dish-network-...). Such numbers will make even a Dish Network notice. Dish Network is not going to wince once if a fine designed for an individual scammer is utilized.