This is only partly true. Technologically the solution is difficult, but it's easy from the social side as carriers can blacklist the smaller carriers that allow this fraud to take place.
The real problem is that everyone except the consumer benefits from this. Every phone company in the chain from the scammer to you takes a penny out of the scammer's profits.
At this point these scam phone calls may be nearing the majority of the phone calls placed in the USA, so it's going to be a huge financial disruption to the carriers when they have to give up their game.
The FCC has recently "demanded" US telecoms to implement this, but at this point I don't believe there is actually a regulatory requirement to do so.
I bet that a law like this would get the problem fixed fast.
Instead, I think the regulation should focus on the outcome: if a telco allows an illegal call through and cannot trace it back to a responsible party who can pay the fine, then the telco messed up and should pay for it. Then they’ll have a financial incentive to solve the problem in a way that works.
( ) technical ( ) legislative (x) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
(x) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
(x) Jurisdictional problems
(x) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(x) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(x) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Are you using a framework of sorts to provide this answer?
The Last-Modified header says it's from early 2004.
Telephone spam was very rare when long distance calls cost $1 a minute. No reason that could not be enforced as an option by the phone owner. It is really too bad that phone communication is being wrecked by spam like email was/is, so much so that you think the email analogy to phone calls is a valid/witty one.
1. If you want to make more than ~5k calls per month from a number, you must deposit $50,000 for every 10k calls you wish to make. If your number gets reported more than some cutoff number of times, you forfeit this bond money.
2. Call throttling. As a certain number (or customer) makes more calls, the interval between calls is increased. Let's say something like after 5k calls per month you must wait 5 seconds between calls, with the interval increasing.
Full disclosure, I worked at a telco for 4 years, but didn't do a lot with basic telephony.
(Last time I set up Asterisk with a T1, this was also trivial, but that was like a decade and a half back. I couldn't tell you how to fake your number today... it's just clear that it's easy for the scammers to do.)
The first problem we need to solve is to make it hard to fake your number.
You're right about there being a lot of little legacy problems though; The issue I see is that the carriers aren't on the hook for it: They've made it so cheap to call someone these scammers simply need to find people whose time is worth less than mine.
"Your number" doesn't exist, my clients port their existing numbers thru my system, so I just let them pass those for convenience, all automated!
Are you saying my customer doesn't own the same area and prefix number as you, receiver of a spam call from India? Bad bad customer, must've been a glitch/fraud, I promise to take care of it.
Absolutely. And that's where you apply my rate limits / bond suggestions.
That said, the decisions in Apple's client side software are atrocious for the considerations of 2019.
Aside: No idea why my post went from #1 on HN to the third page in under 30 minutes, I thought we were having a fruitful discussion here
The sheer number of scammers and nation state actors that have taken advantage of this is mind-blowing, but we still use SMS as a 2FA.
If we have telephony providers responsible for these breaches the problem will disappear in 6 months.
It's not "spending money on the fix"... it's "killing our largest revenue stream"!
It's analogous to the web but that is on the way of being fixed - CSRF, CORS etc.
The phone number blocks are allocated to companies, and it should be trivial to ensure the incoming call comes from the legitimate holder of the block.
Add an authorized user api so you can still use your number in outgoing calls with Skype etc.
After number faking is fixed, I can safely ignore all calls from foreign countries and weird area codes.
The telecoms regulators for each country would act as a CA and have their root key capable of signing anything for that particular country code, and phones would have all of them in their trust store (it could be all managed by the GSMA or something).
They would in turn issue certificates to any telecoms company that has number ranges allocated - those certs allow signing of calls for any of the number ranges the cert is for, as well as signing further certs. The telecoms company will in turn issue certificates for their customers for their assigned number only. It could be placed on the SIM card or distributed by email (perfect security isn’t needed here - “good enough” is all that’s required).
When a phone places a call it signs it with its certificate and the current date & time (to avoid replay attacks), and any equipment in the call path can verify the chain of trust all the way back to a trusted CA before relaying the call.
As the user still holds the end certificate, legitimate caller ID spoofing is still possible by them, but not anyone else.
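The chain-of-trust check proposed in the comment above, sketched as an added example (not code from the thread or from any deployed system). It assumes Ed25519 keys, a `|`-joined message format, a 60-second freshness window and a chain that ends with the regulator's own entry; all type and function names are hypothetical and the phone numbers are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// Cert binds a key to the numbers it may vouch for: a prefix such as "+44"
// (regulator) or "+4420" (telco) with CanIssue, or one number for a customer.
type Cert struct {
	Prefix   string
	CanIssue bool
	Pub      ed25519.PublicKey
	Sig      []byte // issuer's signature over tbs()
}

type Call struct {
	From, To string
	Time     int64 // Unix seconds; signed so an old call cannot be replayed
	Sig      []byte
}

func (c Cert) tbs() []byte { return []byte(fmt.Sprintf("%s|%t|%x", c.Prefix, c.CanIssue, c.Pub)) }
func (c Call) tbs() []byte { return []byte(fmt.Sprintf("%s|%s|%d", c.From, c.To, c.Time)) }

// vouches: cert covers number or sub-range n and its key signed msg (no panic on bad keys).
func (c Cert) vouches(n string, msg, sig []byte) bool {
	inRange := n == c.Prefix || (c.CanIssue && strings.HasPrefix(n, c.Prefix))
	return inRange && len(c.Pub) == ed25519.PublicKeySize && ed25519.Verify(c.Pub, msg, sig)
}

// Issue returns c signed by the issuer's private key.
func Issue(issuer ed25519.PrivateKey, c Cert) Cert {
	c.Sig = ed25519.Sign(issuer, c.tbs())
	return c
}

// VerifyCall checks a leaf-first chain whose last entry must match the trust store (roots).
func VerifyCall(call Call, chain []Cert, roots map[string]ed25519.PublicKey, now int64) error {
	if d := now - call.Time; len(chain) == 0 || d > 60 || d < -60 { // assumed 60 s window
		return fmt.Errorf("no chain, or timestamp %d outside freshness window", call.Time)
	}
	if !chain[0].vouches(call.From, call.tbs(), call.Sig) {
		return fmt.Errorf("leaf cert does not cover %s, or bad call signature", call.From)
	}
	top := chain[len(chain)-1]
	if k, found := roots[top.Prefix]; !found || !top.CanIssue || !k.Equal(top.Pub) {
		return fmt.Errorf("no trusted regulator key matches %s", top.Prefix)
	}
	for i := 0; i+1 < len(chain); i++ {
		if c, p := chain[i], chain[i+1]; !p.CanIssue || !p.vouches(c.Prefix, c.tbs(), c.Sig) {
			return fmt.Errorf("%s not authorised or not validly signed by %s", c.Prefix, p.Prefix)
		}
	}
	return nil
}

func main() {
	rootPub, rootKey, _ := ed25519.GenerateKey(nil)
	telcoPub, telcoKey, _ := ed25519.GenerateKey(nil)
	custPub, custKey, _ := ed25519.GenerateKey(nil)
	leaf := Issue(telcoKey, Cert{Prefix: "+442079460000", Pub: custPub})
	telco := Issue(rootKey, Cert{Prefix: "+4420", CanIssue: true, Pub: telcoPub})
	chain := []Cert{leaf, telco, {Prefix: "+44", CanIssue: true, Pub: rootPub}}
	call := Call{From: "+442079460000", To: "+441614960000", Time: 1000}
	call.Sig = ed25519.Sign(custKey, call.tbs())
	fmt.Println(VerifyCall(call, chain, map[string]ed25519.PublicKey{"+44": rootPub}, 1010))
}
```

The `CanIssue` flag and the prefix containment check are what stop a customer certificate from minting further certificates and a telco from vouching for numbers outside its allocated range.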
Most of the real phone calls I get (my insurance company, my phone company) that aren't from known contacts are from weird area codes. I like the authorised user idea though, especially if legit companies adhere to it.
That's a shortsighted perspective. Phone numbers will only survive if they solve the spam problem.
Many people don't pick up from unknown numbers anymore. It's just a matter of time before legitimate people stop trying to call as no one responds anyway.
So, the MAPS RBL (and most of the following dns-based blacklists) did this for spam; and it helped a lot - I mean, I think it's the primary reason that ISPs don't actively serve spammers (spammers as defined by the RBL)
On the other hand, it didn't solve the problem; if your mailbox isn't behind serious spamfilters, an address that has been on the internet for any period of time still gets hundreds of spam mails a day.
edit: Nevermind I can block non-contact calls in Do Not Disturb mode in the LG phone I'm using: https://i.imgur.com/ZcRSXlK.png Maybe iOS DnD has this too?
I guess I'm going to have to fiddle around with when the wife gets home and gather some empirical evidence.
Indeed it does, which makes it a non-solution for me. I apparently have the same desire you do - an option for voice calls to go direct to voicemail unless they are in my favorites list, without having to use the more general Do Not Disturb mode.
I use an app called Should I Answer? which has that feature. It also uses a crowd-sourced database to know what numbers to block, if you want that instead.
Does iOS really not have any options for filtering? I swear last time I had an iPhone (running iOS9) there was Something... but then again, I was jailbroken.
It's a bit funny that we got full web browsers on phones before proper call filtering.
(Disclaimer: I work for Google but not on phones.)
Mandate a way for me to say whether incoming calls were spam. Require my phone company to pay me money every time I get spammed. Allow my phone company to, at their option, proactively block calls from specific upstreams and/or pass the charge to the specific upstreams.
Now from those incentives, the fines will naturally follow the upstreams to the source of the spam, and provide motivation for them to clean their acts up. Voila! (And if telephone companies decide that they need a more secure protocol to make spamming harder, that's up to them.)
Instead of figuring out a more measured approach they just made them all illegal :(
In your second sentence I realised you weren't. Wow. If this is "innovation", then let it be stifled with all speed.
The UK has a solution. It does actually work, mostly:
However spoofers who know that they won't be tracked back to the source don't care about do not call lists.
I actually worked on a lawful telemarketing operation a few years back (don’t ask - desperate times called for desperate measures) and paying for TPS lookups was both a surprise and a huge problem.
The only reason it seems like it works is because the US is a much juicier market for the scammers so most don’t bother with the UK, but I still see people occasionally getting tech support scams or similar so clearly there’s nothing actually preventing them from spamming the UK - for now it’s just that the US is a bigger fish.
That's actually the only way to go. Adding support for apps to screen your calls, block unknown number or some other feature that requires an action from the user only benefits those who understand the technology and know that it's available. It leaves those most susceptible to fraudulent calls as the only target for scammers.
People often forget that those with limited technological understanding, such as the elderly, may need society to step in and actually solve the problems, rather than plastering over them with even more tech.
(Not sure how exactly they are regulated. If they're illegal by themselves or if it's a side-effect from the ban on signing contracts via phone)
Yes, this would cause false positives. However it is my belief that the general harm from false positives would be less than from current negatives, and that, given incentives, the phone companies should be able to figure it out.
It really is a nice little feature.
As a side note, CallKit on iOS doesn't support wildcard blocking, so WideProtect literally adds all the possible numbers within your specified range to the blocking database. This doesn't impact performance as far as I can tell (maybe calls ring another 100ms after they would normally), but there seems to be a delay of a few minutes after installing for it to show up as a block extension under Settings.
I wonder if the keepers of the POTS (plain old telephone system) can start putting in safeguards to curtail the ability to fake your source phone number. I get that there are myriad instances where this is above board and even necessary, but nobody's proposing any changes.
> "Under the SHAKEN/STIR framework, calls traveling through interconnected phone networks would be 'signed' as legitimate by originating carriers and validated by other carriers before reaching consumers," Pai's press release explained. "The framework digitally validates the handoff of phone calls passing through the complex web of networks, allowing the phone company of the consumer receiving the call to verify that a call is from the person supposedly making it."
Very easy with Twilio. As I mentioned elsewhere in this HN thread, I ported my number to Twilio about 18mos ago and use-cases like this are quick and easy to implement.
In fact, I have noticed the same behavior (spam calls coming from the same NPA+prefix as my number) and I might just implement that this evening ...
I never get robocalls. It's nice to live in a country that believes in smart regulation!
"do not call me" or previous: "bel me niet lijst" and when someone violates the list. You can submit it here: https://meldpunt.belgie.be/meldpunt/
I've always found registering in a database to object to database registrations that I didn't consent to a rather curious concept. If they call me, then at least I know who's brokering my data? I resisted signing up for the no-call register for a long time.
For example, this is how I know that TNT/PostNL has sold my data to the post code lottery after I used their post forwarding service (you pay for the service, but they will still sell your data; at least, they did back in ~2011).
I once had an extended fight with a charity (hartstichting) where they gave me all sorts of abuse after I insisted they tell me where they got my phone number from. They were offended that I could possibly object to a charity collecting my personal data from mysterious sources (I never found out where they got it from, I gave up pursuing after a while).
Eventually I caved in as I grew exasperated and signed up. Now I live abroad and miss stuff like this :-( I got far too many calls when I lived in the UK (including one at 9am on Sunday; I was not especially kind to this person), and in New Zealand they will cram my post box so full of junk mail in just 2-3 days that I can no longer receive any mail :-(
https://docs.fcc.gov/public/attachments/DOC-354933A1.pdf (Background and open letters to carriers: https://www.fcc.gov/document/chairman-pai-demands-industry-a...)
How it works, short version: https://transnexus.com/blog/2017/stop-spoofed-robocalls-with...
How it works, long version: http://www.atis.org/01_resources/whitepapers/#shaken-studies (find in page for “SHAKEN” and “Caller ID”)
After the E wie Einfach GmbH had found agencies for the advertising measures, obviously no more control took place. Therefore the E.ON daughter is occupied now with a fine of 140.000 euro. Because as a client of the call actions it must guarantee the adherence to the legal principles. This includes above all that in each individual case an explicit consent of the consumers is present. The client is responsible for this, even if the telephone calls are carried out by subcontractors. However, the decision of the Federal Network Agency is not yet legally binding: the electricity supplier can appeal the fine in court.
Translated with www.DeepL.com/Translator
"Illegal phone advertising" for those who do not speak German.
It’s simple - it’s broken UI, Android has done it, people want it, it doesn’t help in any way, so why keep it? I mean why? Hell, if you really want to keep it, give an option to disable it.
(Though I agree that they should be relegated to the level of notifications now. Smartphones are computers. Imagine if Skype call would lock you out of whatever you're doing on your desktop.)
Why is this such a problem in America but not elsewhere?
But, I get a lot of robocalls; 3 calls a day is light. So clearly, some people get more calls than others, I'm just saying, I don't think the filtering criteria is particularly smart.
For example, the title of the article tells us that robocalls are "killing us".
And you never get Robocalls?
And I have shared my number in a lot of places
google for the instructions how
Presumably because (1) it's much easier to find English speakers in countries where most robocalls actually originate, and (2) the same model can scale to 320M recipients with very little marginal effort.
Sometimes I wonder what subtle differences there are between the two ecosystems, as I've never really gotten into Apple products before, with the exception of a few earlier iPods. Does anyone have confirmed differences that the other side might not understand?
We have this do not call list. Once added, calls, texts, etc, drop to like nothing. In fact I cannot remember the last time I had a call... I get the occasional text message but it's mostly shops telling me to use my store points before a certain date. A reminder.
Sounds like the problem is to do with not honoring the do not call list and no punishment for those who don't honor it. Here companies are fined if they call people who are on the list.
The number of robocalls I receive has plummeted since I started doing this. I receive hardly any these days. My theory is that due to silent answers, the autodialers eventually mark the number as bad, or as a machine-answered number. I have no proof of this, though.
I can't tell if it would have the same effect as your method though, since I've done it for so long, but I only get like 1 scam call on my cell every 3-4 months (and it's usually one forwarded from my work phone). My desk phone at work, which I have to answer and haven't tried this with, gets one call every couple of weeks.
Then I ask whether they have a do not call list.
So you are not being removed from any spam lists using this method. Not only do they have zero incentive to remove you, they have also received a reliable indication that a human answers your phone.
Hopefully they will blacklist me and no longer annoy me.
I make this comment in jest because obviously this is a very user-unfriendly "solution" unless you planned to buy an apple watch for some other reason. However I do use this feature.
As for the post's comment that dismissing the call leaks info: I don't know whether the predictive dialers have any understanding of this -- if you simply refuse to answer it's simply a disconnect. I also doubt they keep stats on calls that go to vmail, if you accidentally do that or if you refuse to answer.
While signing the contract for a fiber connection, I had to repeat a few times that I want to opt out, almost losing my nerve talking with the agent, saying that I'm really not interested in having telemarketers clogging my phone even if that means I'll miss a chance to win something - because that's how she tried to advertise that. I could either allow those calls for 5 PLN less on my bill or opt out for the same amount added to it, and I chose the latter.
Anyway, there are sites and apps which are trying to "rate" calling numbers and warn other people - most of the time they do a good job.
Problems that need solving
* Companies using SMS for 2FA
* Companies still using phone numbers as part of my ID at all. I'd much prefer companies contact me first via email/secure-text (whatsapp/line/messenger/...) and only later via secure voip
I feel like Google/Apple/Microsoft/Facebook whoever should basically design a new standard to replace the phone system and the government should then mandate that companies must support it (no more asking for phone numbers)
I'm sure there are lots of issues. I don't want one id to reach me, like email I want multiple IDs and if you want to know the ID I give you is me then send me a confirmation (I can crypto-sign it if need be)
I'm sure it's easier said than done but it does seem like it's getting to the point phone numbers are basically as useless as fax machines. Most people call me via Line, Hangouts, FB, Facetime, etc.. No one calls via phone number
Is there a reason this isn't as prevalent in the UK? I get maybe 2 calls a month like this. Are robocallers in the UK more likely to get in trouble maybe? Putting this on Apple isn't addressing the core of the problem.
Auto-hang up on any call from someone whose number I don't have saved. Just give me a notification immediately thereafter. If it's someone I should know, I'll either have their number saved, or be expecting it. I don't want to be bothered otherwise.
I did this about 18 months ago and love the results. I manipulate and use the telephone network in many useful and interesting ways, all programmatically, through Twilio.
The addition of a call-blocking API was a very good first step, but the time is fast arriving when robust blocking patterns will be table stakes similar to what basic email spam filtering is today.
Somewhat humorously, this has destroyed my ability to receive phone calls from my home town. I instinctively hang up and block.
> Call Screen doesn't save to your Google Account, your Google Assistant Activity page, or to Web and App Activity.
I'm pretty sure that over the long term, it costs me less time as it made the problem completely go away.
Things that I'd tried before that, that didn't work, include: immediately hanging up, politely and not-so-politely asking them not to call back.
Isn’t it possible to opt out of a lot of bulk mail anyway? Bulk mail can never be as bad as online spam since it’s much more expensive to mail and easier to trace a sender.
For those like doctor offices and others who need to reach you make them go to voicemail.
I have it set to disregard suspected scam/fraud calls, so they never ring my phone.