Hacker News new | past | comments | ask | show | jobs | submit login

"At the telelphony-infrastructure level, it’s a supremely difficult problem that lacks a short-term fix because the underlying protocol is hopelessly insecure."

This is only partly true. Technologically the solution is difficult, but it's easy from the social side as carriers can blacklist the smaller carriers that allow this fraud to take place.

The real problem is that everyone except the consumer benefits from this. Every phone company in the chain from the scammer to you takes a penny out of the scammer's profits.

At this point these scam phone calls may be nearing the majority of the phone calls placed in the USA, so it's going to be a huge financial disruption to the carriers when they have to give up their game.




There already is a proposed technological solution to this: https://transnexus.com/whitepapers/stir-and-shaken-overview/

The FCC has recently "demanded" US telecoms to implement this [0], but at this point I don't believe there is actually a regulatory requirement to do so.

[0] https://docs.fcc.gov/public/attachments/DOC-354933A1.pdf


I prefer an economic solution. Currently, you can sue a robocaller under the TCPA, but good luck collecting. Make each carrier liable for judgments against robocallers routed through their network. So, if I sue John Doe for robocalling me and I can’t collect, and I’m a Verizon customer, the make Verizon liable for those damages. This should come with some limits, but they should be large (say 10% of nationwide annual revenue, and there could plausibly be a limit per carrier that routes to Verizon). This liability should be unaffected by any terms in Verizon’s contracts with its customers (e.g. arbitration clauses), and telcos should not be able to penalize their customers in any way for collecting.

I bet that a law like this would get the problem fixed fast.


So by 'economic solution', you mean requiring litigation in the courts at tremendous cost to all parties (including the taxpayer) to create an outcome that could easily be enforced proactively by the FCC?


How is adding a burden to the courts with suits you know will be unfruitful than a simple regulatory requirement that carriers must do what is clearly the righ thing to do?


I am far from convinced that the FCC is capable of picking a technological solution by fiat that will actually solve the problem, especially since, like almost all crypto, it will surely be easy for the telcos to be lazy and mess up the implementation in a way that robocalls get through.

Instead, I think the regulation should focus on the outcome: if a telco allows an illegal call through and cannot trace it back to a responsible party who can pay the fine, then the telco messed up and should pay for it. Then they’ll have a financial incentive to solve the problem in a way that works.


Ofcourse this can be fixed. Other countries did it. The problem is that consumer protection is... lacking in the US and big business is God.


i bet that instead, you'd just get a new contract in which verizon decided that it was only free to talk to other verizon numbers, and would require you to pay extra to call outside the network. Then, they'd ask you to provide a birth certificate, SSN, CC number, and pay via direct deposit to have an account. if you want to penalize rob dialers, don't penalize companies that are not robodialing, or push the burden of law enforcement on them.


Eh. They do all of what you said in Europe and noone complains. Except it's not even free to call your own network.


Huh? Those robocalls are not originated on Verizon cellphones. A contract like that would do nothing to reduce Verizon’s liability, but it would certainly help drive customers elsewhere.


The point is that they would not do anything to reduce the calls, instead, they would erode your freedoms and charge you more to pay the fines.


We have hard enough time imposing net neutrality. Why do you want to kill it in a place where it exists.


There probably is a market for MVNO that requires to solve voice captcha before being able to reach callee.


Love it


How about people in your contact list get to call and text you for free and everyone else has to pay 10 cents? Telecoms definitely have the tech to do such billing. They could even take a cut. 9 cents for me and 1 cent for the telecom. This would solve almost all spam immediately and would be a long term solution.


This is my favorite solution. Time is money, if a caller is willing to pay me for it, I'd be ok with it. Make spam directly uneconomical, and spin the customer/vendor/3rd-party dynamic back to where it's supposed to be.


Your post advocates a

( ) technical ( ) legislative (x) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses

( ) Mailing lists and other legitimate email uses would be affected

(x) No one will be able to find the guy or collect the money

( ) It is defenseless against brute force attacks

( ) It will stop spam for two weeks and then we'll be stuck with it

(x) Users of email will not put up with it

( ) Microsoft will not put up with it

( ) The police will not put up with it

( ) Requires too much cooperation from spammers

(x) Requires immediate total cooperation from everybody at once

( ) Many email users cannot afford to lose business or alienate potential employers

( ) Spammers don't care about invalid addresses in their lists

( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it

(x) Lack of centrally controlling authority for email

( ) Open relays in foreign countries

( ) Ease of searching tiny alphanumeric address space of all email addresses

( ) Asshats

(x) Jurisdictional problems

(x) Unpopularity of weird new taxes

( ) Public reluctance to accept weird new forms of money

( ) Huge existing software investment in SMTP

( ) Susceptibility of protocols other than SMTP to attack

( ) Willingness of users to install OS patches received by email

( ) Armies of worm riddled broadband-connected Windows boxes

( ) Eternal arms race involved in all filtering approaches

( ) Extreme profitability of spam

( ) Joe jobs and/or identity theft

( ) Technically illiterate politicians

( ) Extreme stupidity on the part of people who do business with spammers

( ) Dishonesty on the part of spammers themselves

( ) Bandwidth costs that are unaffected by client filtering

( ) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

( ) Any scheme based on opt-out is unacceptable

( ) SMTP headers should not be the subject of legislation

( ) Blacklists suck

(x) Whitelists suck

( ) We should be able to talk about Viagra without being censored

( ) Countermeasures should not involve wire fraud or credit card fraud

( ) Countermeasures should not involve sabotage of public networks

( ) Countermeasures must work if phased in gradually

(x) Sending email should be free

( ) Why should we have to trust you and your servers?

( ) Incompatiblity with open source or open source licenses

( ) Feel-good measures do nothing to solve the problem

( ) Temporary/one-time email addresses are cumbersome

( ) I don't want the government reading my email

(x) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.

( ) This is a stupid idea, and you're a stupid person for suggesting it.

( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!


Impressive.

Are you using a framework of sorts to provide this answer?


It's a classic template: https://craphound.com/spamsolutions.txt

The Last-Modified header says it's from early 2004.


It's an old meme that has been out at least since ESR released his Bayesian spam classifier.


Yea, yea. Funny.

Telephone spam was very rare when long distance calls cost $1 a minute. No reason that could not be enforced as an option by the phone owner. It is really too bad that phone communication is being wrecked by spam like email was/is, so much so that you think the email analogy to phone calls is a valid/witty one.


I don't think the analogy to email quite works. Telecom companies currently charge money to customers based on usage.


You want to upload your contact list to your to telecom provider?


Until there is a regulation requiring stir & shaken to be implemented, you won't be able to trust your caller ID. Most of the telecom industry is stuck on legacy tech stacks that they actively resist upgrading, thus why calls are slung bareback over the web with no encryption on the metadata or the audio stream for nearly all providers.


The phone companies don’t benefit, because they are nearing a situation where people stop communicating with phone numbers. Probably there is nothing that can reverse that at this point, the telephone has fewer features and is less secure than alternatives.


There are so many simple solutions to this it's not even a challenge. Here's some simple ones:

1. If you want to make more than ~5k calls per month from a number, you must deposit $50,000 for every 10k calls you wish to make. If your number gets reported more than some cutoff number of times, you forfeit this bond money.

2. Call throttling. As a certain number (or customer) makes more calls, the interval between calls is increase. Let's say something like after 5k calls per month you must wait 5 seconds between calls, with the interval increasing.

Full disclosure, I worked at a telco for 4 years, but didn't do a lot with basic telephony.


The problem with both those suggestions is that it's trivial to fake the "from" phone number, as evidenced by the number of spam calls that share my area code and exchange numbers.

(Last time I setup asterisk with a T1, this was also trivial, but that was like a decade and a half back. I couldn't tell you how to fake your number today.. it's just clear that it's easy for the scammers to do.)

The first problem we need to solve is to make it hard to fake your number.


It's easy to fake the "caller-ID" field, but this doesn't fake the ANI: If it did, you could call 1-900 numbers and bill the White House.

You're right about there being a lot of little legacy problems though; The issue I see is that the carriers aren't on the hook for it: They've made it so cheap to call someone these scammers simply need to find people whose time is worth less than mine.


Hm, thanks. looks like you are right.


It's going nothing to do with the "from" number, get in at the carrier level. Who are they buying their connectivity from? Implement it there.


I dont have "a number", Im a VoIP provider with thousands of clients, pinky promise!

"your number" doesnt exist, my clients port their existing numbers thru my system, so I just let them pass those for convenience, all automated!

Are you saying my customer doesnt own the same area and prefix number as you, receiver of a spam call from India? Bad bad customer, must've been a glitch/fraud, I promise to take care of it.


> my clients port their existing numbers thru my system, so I just let them pass those for convenience, all automated!

Absolutely. And that's where you apply my rate limits / bond suggestions.


I agree there’s a lot the carriers could be accomplishing in flagging “inauthentic” behavior of network participants, the root cause of SS7’s lack of authentication and encryption will remain and the problem will fester. Yes, carriers are definitely on the hook for making things better too.

That said, the decisions in Apple's client side software are atrocious for the considerations of 2019.

Aside: No idea why my post went from #1 on HN to the third page in under 30 minutes, I thought we were having a fruitful discussion here


I used to work in the mobile space for 7 years and i'm still amazed nobody has proposed and monetized a solution to SS7 being unfit for purpose. The reason it's not happened is nobody wants to spend money on even talking about the fix, never mind implementing it.

The sheer number of scammers and nation state actors that have taken advantage of this is mind-blowing, but we still use SMS as a 2FA.

If we have telephony providers responsible for these breaches the problem will disappear in 6 months.


I worry you're missing my point!

It's not "spending money on the fix"... it's "killing our largest revenue stream"!


Wasn't missing your point, we're on the same page, hence my point about personal responsibility being the solution.

It's anologous to the web but that is on the way of being fixed - csrf, cors etc.


Thanks for posting! If I had to guess, the post dropped down because it tripped the flame war sensor, which I understand to be based on a ratio of comments/upvotes. When this happens inadvertently (not a true flame war), you can email the mods (hn@ycombinator.com) and ask them to look into it. They're very responsive!


I’d be happy to have a SPF like framework for calls.

The phone number blocks are allocated to companies, and it should be trivial to ensure the incoming call comes from the legitimate holder of the block.

Add an authorized user api so you can still use your number in outgoing calls with Skype etc.

After number faking is fixed, I can safely ignore all calls from foreign countries and weird area codes.


I thought about a similar system but based on cryptography.

The telecoms regulators for each country would act as a CA and have their root key capable of signing anything for that particular country code, and phones would have all of them in their trust store (it could be all managed by the GSMA or something).

They would in turn issue certificates to any telecoms company that has number ranges allocated - those certs allow signing of calls for any of the number ranges the cert is for, as well as signing further certs. The telecoms company will in turn issue certificates for their customers for their assigned number only. It could be placed on the SIM card or distributed by email (perfect security isn’t needed here - “good enough” is all that’s required).

When a phone places a call it signs it with its certificate and the current date & time (to avoid replay attacks), and any equipment in the call path can verify the chain of trust all the way back to a trusted CA before relaying the call.

As the user still holds the end certificate, legitimate caller ID spoofing is still possible by them, but not anyone else.


> I can safely ignore all calls from foreign countries and weird area codes

Most of the real phone calls I get (my insurance company, my phone company ) that aren't from know contacts are from weird area codes. I like the authorised user idea though, especially if legit companies adhere to it.


I've gotten them from the same area code and exchange as my mobile. It all depends on whether they can get a number they can use that will look reasonable to sufficient numbers of people to get them to pick up.


How do you handle number portability?


We figured out how to move domains from provider to another while still maintaining SPF. I'm sure we can figure out something similar for this.


Ah, the classic “I’m sure somebody will figure out how to fix my flawed proposal”. That’s how messed like this come to be.


>at this point these scam phone calls may be nearing the majority of the phone calls placed in the USA, so it's going to be a huge financial disruption to the carriers when they have to give up their game.

That's a shortsighted perspective. phone numbers will only survive if they solve the spam problem.

Many people don't pick up from unknown numbers anymore. It's just a matter of time before legitimate people stop trying to call as no one responds anyway.


>This is only partly true. Technologically the solution is difficult, but it's easy from the social side as carriers can blacklist the smaller carriers that allow this fraud to take place.

So, the MAPS RBL (and most of the following dns-based blacklists) did this for spam; and it helped a lot - I mean, I think it's the primary reason that ISPs don't actively serve spammers (spammers as defined by the RBL)

On the other hand, it didn't solve the problem; if your mailbox isn't behind serious spamfilters, an address that has been on the internet for any period of time still gets hundreds of spam mails a day.


Why hasn't there been a class action against carriers for failing to do anything about this problem?


Which law or contact term have the carriers broken?


Not sure. But they provide a service called Caller ID that purports to identity callers but can be trivially spoofed by people scamming their customers. Moreover, caller ID used to actually work (IE couldn't be trivially spoofed), so customers might have a reasonable expectation that it still does work. It's the telco's responsibility to present accurate caller information to customers.


Caller ID could always be trivially spoofed. It's just that most scammers didn't previously bother to do it. Telcos currently have no legal responsibility to present accurate caller information to customers. That would require a new law.


We could start by adding one.




Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: