This is only partly true. Technologically the solution is difficult, but it's easy from the social side as carriers can blacklist the smaller carriers that allow this fraud to take place.
The real problem is that everyone except the consumer benefits from this. Every phone company in the chain from the scammer to you takes a penny out of the scammer's profits.
At this point these scam phone calls may be nearing the majority of the phone calls placed in the USA, so it's going to be a huge financial disruption to the carriers when they have to give up their game.
The FCC has recently "demanded" US telecoms to implement this, but at this point I don't believe there is actually a regulatory requirement to do so.
I bet that a law like this would get the problem fixed fast.
Instead, I think the regulation should focus on the outcome: if a telco allows an illegal call through and cannot trace it back to a responsible party who can pay the fine, then the telco messed up and should pay for it. Then they’ll have a financial incentive to solve the problem in a way that works.
( ) technical ( ) legislative (x) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
(x) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
(x) Jurisdictional problems
(x) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(x) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(x) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Are you using a framework of sorts to provide this answer?
The Last-Modified header says it's from early 2004.
Telephone spam was very rare when long distance calls cost $1 a minute. No reason that could not be enforced as an option by the phone owner. It is really too bad that phone communication is being wrecked by spam like email was/is, so much so that you think the email analogy to phone calls is a valid/witty one.
1. If you want to make more than ~5k calls per month from a number, you must deposit $50,000 for every 10k calls you wish to make. If your number gets reported more than some cutoff number of times, you forfeit this bond money.
2. Call throttling. As a certain number (or customer) makes more calls, the interval between calls is increased. Let's say something like after 5k calls per month you must wait 5 seconds between calls, with the interval increasing.
Full disclosure, I worked at a telco for 4 years, but didn't do a lot with basic telephony.
(Last time I set up asterisk with a T1, this was also trivial, but that was like a decade and a half back. I couldn't tell you how to fake your number today... it's just clear that it's easy for the scammers to do.)
The first problem we need to solve is to make it hard to fake your number.
You're right about there being a lot of little legacy problems though; the issue I see is that the carriers aren't on the hook for it: they've made it so cheap to call someone that these scammers simply need to find people whose time is worth less than mine.
"your number" doesn't exist, my clients port their existing numbers through my system, so I just let them pass those for convenience, all automated!
Are you saying my customer doesn't own the same area and prefix number as you, receiver of a spam call from India? Bad bad customer, must've been a glitch/fraud, I promise to take care of it.
Absolutely. And that's where you apply my rate limits / bond suggestions.
That said, the decisions in Apple's client side software are atrocious for the considerations of 2019.
Aside: No idea why my post went from #1 on HN to the third page in under 30 minutes, I thought we were having a fruitful discussion here
The sheer number of scammers and nation state actors that have taken advantage of this is mind-blowing, but we still use SMS as a 2FA.
If we have telephony providers responsible for these breaches the problem will disappear in 6 months.
It's not "spending money on the fix"... it's "killing our largest revenue stream"!
It's analogous to the web but that is on the way to being fixed - CSRF, CORS etc.
The phone number blocks are allocated to companies, and it should be trivial to ensure the incoming call comes from the legitimate holder of the block.
Add an authorized user api so you can still use your number in outgoing calls with Skype etc.
After number faking is fixed, I can safely ignore all calls from foreign countries and weird area codes.
The telecoms regulators for each country would act as a CA and have their root key capable of signing anything for that particular country code, and phones would have all of them in their trust store (it could be all managed by the GSMA or something).
They would in turn issue certificates to any telecoms company that has number ranges allocated - those certs allow signing of calls for any of the number ranges the cert is for, as well as signing further certs. The telecoms company will in turn issue certificates for their customers for their assigned number only. It could be placed on the SIM card or distributed by email (perfect security isn’t needed here - “good enough” is all that’s required).
When a phone places a call it signs it with its certificate and the current date & time (to avoid replay attacks), and any equipment in the call path can verify the chain of trust all the way back to a trusted CA before relaying the call.
As the user still holds the end certificate, legitimate caller ID spoofing is still possible by them, but not anyone else.
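A toy of the certificate chain this comment sketches, added here as an example and not code from the thread: a regulator root, a telco intermediate constrained to its number ranges, a per-number handset cert, a call record signed with the call time, and a verifier that checks the chain, the range nesting, the caller and the replay window. Ed25519, the prefix-based encoding of number ranges and the pipe-joined record formats are my assumptions; the comment specifies none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"strings"
	"time"
)

// Cert binds a key to the number prefixes it may sign for; Sig is the issuer's signature over tbs().
type Cert struct {
	Prefixes []string
	Pub      ed25519.PublicKey
	Sig      []byte
}

// tbs is the signed portion of a cert (toy encoding, an assumption of this example).
func tbs(c Cert) []byte { return []byte(strings.Join(c.Prefixes, ",") + "|" + string(c.Pub)) }
// Issue mints a cert limited to prefixes, signed by issuer (nil means a self-signed regulator root).
func Issue(prefixes []string, issuer ed25519.PrivateKey) (Cert, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	if issuer == nil { issuer = priv }
	c := Cert{Prefixes: prefixes, Pub: pub}
	c.Sig = ed25519.Sign(issuer, tbs(c))
	return c, priv
}

func covers(prefixes []string, number string) bool {
	for _, p := range prefixes { if strings.HasPrefix(number, p) { return true } }
	return false
}

func callMsg(caller, callee string, at time.Time) []byte {
	return []byte(caller + "|" + callee + "|" + at.UTC().Format(time.RFC3339))
}

// SignCall is the handset side: sign caller, callee and call time (the anti-replay element).
func SignCall(key ed25519.PrivateKey, caller, callee string, at time.Time) []byte {
	return ed25519.Sign(key, callMsg(caller, callee, at))
}

// VerifyCall is the network side. chain runs root -> telco -> handset with the root trusted by key; each cert must be signed by its parent and be no broader than it, the handset cert must cover the caller, and the call time must lie within skew of now.
func VerifyCall(chain []Cert, root ed25519.PublicKey, caller, callee string, at, now time.Time, skew time.Duration, sig []byte) bool {
	if len(chain) == 0 || !chain[0].Pub.Equal(root) { return false }
	for i := 1; i < len(chain); i++ {
		if !ed25519.Verify(chain[i-1].Pub, tbs(chain[i]), chain[i].Sig) { return false }
		for _, p := range chain[i].Prefixes { if !covers(chain[i-1].Prefixes, p) { return false } }
	}
	if d := now.Sub(at); !covers(chain[len(chain)-1].Prefixes, caller) || d < -skew || d > skew { return false }
	return ed25519.Verify(chain[len(chain)-1].Pub, callMsg(caller, callee, at), sig)
}
```

A real deployment would also need revocation and a bound on how far the clock may drift; the toy shows only why a forged caller number, a telco signing outside its allocation, or a replayed record all fail the check.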
Most of the real phone calls I get (my insurance company, my phone company) that aren't from known contacts are from weird area codes. I like the authorised user idea though, especially if legit companies adhere to it.
That's a shortsighted perspective. Phone numbers will only survive if they solve the spam problem.
Many people don't pick up from unknown numbers anymore. It's just a matter of time before legitimate people stop trying to call as no one responds anyway.
So, the MAPS RBL (and most of the following dns-based blacklists) did this for spam; and it helped a lot - I mean, I think it's the primary reason that ISPs don't actively serve spammers (spammers as defined by the RBL)
On the other hand, it didn't solve the problem; if your mailbox isn't behind serious spamfilters, an address that has been on the internet for any period of time still gets hundreds of spam mails a day.