The "STIR/SHAKEN initiative" was supposed to fix this.[1] There's now a whole system with signed certificates, much like SSL certs, to sign caller ID info. The info is at least good enough to find out which carrier generated the phony data.
You should file a complaint with the FCC that your carrier has clearly not properly implemented STIR/SHAKEN, since they badly misidentified the source of a call. While calls from outside the US can be unsigned, the carrier should detect that the number is inconsistent with the source.
There are "A", "B", and "C" levels of verification. "A" calls are probably legit. The others, maybe not.
If you're in California, try making a personal data request to your carrier for the detailed STIR/SHAKEN data for that call.
The Federal Communications Commission (“FCC” or “Commission”) requires that all voice service providers (“VSPs”), with some exceptions discussed below, implement the STIR/SHAKEN caller ID authentication framework in the Internet Protocol (“IP”) portions of their networks by June 30, 2021.
So stoked that there’s finally a way to fight back against robocalls, and that carriers are being forced into compliance. Thanks for pointing this out.
My impression is STIR/SHAKEN is only for voice calls, not SMS.
I'm no longer getting almost any robocalls on Verizon as of a couple of months ago when they "turned on" STIR/SHAKEN. What I am getting instead is the same volume of spam text messages.
I’m starting to get those too. From the Trump campaign, of all things. Somehow they got ahold of my number and keep asking me to go save America.
Not sure which is worse, someone trying to sell me stuff or that.
How much volume? Is it a daily annoyance? My wife seems to get hit harder than me, but as far as I can tell we’ve both been equally careless about sharing our number online. So I’m dreading the day that these people figure out how to turn text messages into a gmail spam inbox.
It feels like it’s time to just write a Bayesian filter and proxy all text messages through it. It was theoretically easy to do that back when you could send texts just by emailing a special address, but sadly I think carriers ditched that feature. Nowadays I’m not sure where to start if the goal is to proxy our texts like that, but I’d like to.
Aren't there campaigning laws around that? If a political campaign did that in the UK they'd be raked over the coals by the Electoral Commission.
Not that the country's been able to do anything about the sheer volume of scam texts pretending to be the Post Office with a parcel for you or Microsoft telling people their Windows boxes are full of viruses.
In the USA, the law makers exempt themselves from many laws. For example, political campaigns can ignore the "Do not call" list which the government maintains which allows citizens to opt out of cold calls.
Plus, political speech is the "most protected" type of speech in the US. Pretty much anything campaign-related falls under that umbrella. Couple that with the explicit exemptions ldoughty mentions and we tend to get a constant stream of political spam in the lead up to election day (where "lead up" for a presidential election starts about 2 years out - le sigh).
Even worse, SCOTUS rulings over the last decade or so have reaffirmed that donations to political causes are speech, dark-money PACs are legal (donor disclosure not required), and all sorts of other things that many of us view as problematic.
Bloody hell that's truly obnoxious. Reminds me of how MPs are exempt from the UK's surveillance programme, Orwell was bang on the money when he portrayed the inner Party members as being able to turn off their telescreens.
It’s interesting to hear that the UK has sensible laws about this sort of thing. Over here in Murica we get these: https://imgur.com/a/UjELy2y
My guess is that they’re sending this to all numbers in a certain area code. I’m in Missouri, which was mostly red. So they kindly delivered a MAGA to my phone and I’m like “thanks! … tell me who gave you my number so I can hire a hitman on them please”
The political tactics at play are actually quite fascinating to me, because they seem so dumb. But it’s the opposite. In reality it’s effective, and I’ve always wondered why. So it’s interesting to hear that politicians are prohibited from doing this in other countries, and makes me wonder if it’s an effective policy. It seems like it might be.
Of course, that doesn’t help rid us of the silagra spammers, but maybe the FCC can come up with a solution that can prohibit both. It feels sort of hopeless, but then I remember that we could literally proxy every text message through our laptops, run them through a 1997 naive Bayesian filter, and eliminate 97% of the problem with 0.03% false positives. It seems like a matter of time till some service comes along and makes that schlep effortless, and I can just pay $5/mo for the privilege of dodging spammers.
>It’s interesting to hear that the UK has sensible laws about this sort of thing.
"National Security" means the Security Services, Special Branch (the dept between the SS and Police), Police, NHS, Companies House and other Govt depts you've not heard of, can do what they like if you read UK legislation. Just look at the GDPR legislation. https://www.legislation.gov.uk/ukpga/2018/12/part/3/chapter/...
Section 44 Subsection 4d
Section 45 Subsection 4d
Section 48 Subsection 3d
Well back then RIM BlackBerrys and BBM were the popular mobile phone communication method, but what a lot of people don't know is that RIM root certs for BBM were in the possession of The Royal Canadian Police, who gave a copy to the UK authorities (5eyes data sharing), so every BBM message sent during the London riots organising disruption was decrypted and read.
There are no secure telecoms systems, there is "no law" when it comes to National Security in the UK and a lot more conspiracies are closer to the truth than people realise!
Does that mean I can get my opponent's political campaign raked over the coals by sending some false-flag spam?
After all, the whole POINT of these spam messages is that the systems are (and this simply reeks of incompetence) incapable of determining the true source of the messages.
Exactly this. I thought this was common knowledge now. You can't ban a bad actor without truly knowing the source of content. Otherwise I can just sabotage my enemies.
Federal law requires a lot of things, but that doesn't mean people comply. Robocalls are already illegal. Soliciting people on the Do Not Call List over the phone is already illegal. Yet they happen daily for me.
Are you saying that Federal law requires Verizon to truthfully identify the origin of spam text messages I receive? Because they are CLEARLY not doing that.
Getting a call claiming to be from Trump's campaign asking for money doesn't even mean it's actually the Trump campaign, it could be anyone trying to get money from people who are passionate about Trump. And that's one of the problems here: unsolicited calls are real and problematic, unsolicited calls that aren't even from the person they appear to be are also real and even more problematic.
I almost have this (text proxy) set up for myself.
My personal phone number is at Twilio so I can set the messaging action to be a function.
My original intent was a proof of concept that I could flatten incoming SMS to be something very tight like ASCII 128 (or even smaller) and truncate extra characters and white space, etc.
Successful zero-click SMS would be very difficult if your message was rewritten and flattened in this way …
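The flattening step described in the comment above, as an added example (this is not the commenter's Twilio function). It reduces a message body to printable ASCII, collapses whitespace, truncates, and reports which code points were dropped; the 160-character cap and the sample message are assumptions constructed for the illustration.

```python
import re
import unicodedata

MAX_LEN = 160  # assumed cap for this example: one classic SMS segment


def flatten_report(body, max_len=MAX_LEN):
    """Rewrite an inbound message as short printable ASCII.

    Returns the flattened text, the code points that were dropped, and
    whether the text had to be truncated.
    """
    # NFKD folds look-alikes first: fullwidth letters become ASCII letters,
    # accented letters become base letter + combining mark, NBSP becomes space.
    decomposed = unicodedata.normalize("NFKD", body)

    kept, dropped = [], []
    for ch in decomposed:
        if ch in "\t\r\n" or unicodedata.category(ch) == "Zs":
            kept.append(" ")            # every kind of whitespace becomes one space
        elif " " < ch <= "~":
            kept.append(ch)             # printable ASCII passes through
        else:
            # Control bytes, combining marks, zero-width and bidi-override
            # characters, emoji and any other non-ASCII code point.
            dropped.append(f"U+{ord(ch):04X}")

    flat = re.sub(r" +", " ", "".join(kept)).strip()
    truncated = len(flat) > max_len
    return {
        "text": flat[:max_len].rstrip(),
        "dropped": dropped,
        "truncated": truncated,
    }


def flatten_sms(body, max_len=MAX_LEN):
    """Convenience wrapper returning only the flattened text."""
    return flatten_report(body, max_len)["text"]


# Constructed sample: fullwidth "FREE", a zero-width space, a right-to-left
# override, CRLF padding, an accented letter, a NUL byte and an emoji.
SAMPLE = ("  \uff26\uff32\uff25\uff25\u200b prize\u202e!!\r\n\r\n"
          "Caf\u00e9\x00 \U0001F4B0  now ")

if __name__ == "__main__":
    report = flatten_report(SAMPLE)
    print(report["text"])
    print("dropped:", ", ".join(report["dropped"]))
```

A long list of dropped code points is itself a useful signal to log, since ordinary person-to-person texts rarely contain control or bidi-override characters.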
One time I got a bizarre (anti-Trump pro-Biden) text from the "Czech-American Voter Outreach" group, which I had never been involved with. They probably inferred (correctly) from my last name that I have Czech heritage.
But I have no idea what our coherent interests are as the Czech-American voter block. The only things I can think that would cover, are like, unfair taxation of kolaches, or required subtitles on Czech porn.
Fortunately, there were only two of them, around the 2020 general election. If I got a lot more spam texts, I'd be pretty pissed. The voice calls alone have made my phone useless for receiving calls from randos, and much less useful for day-to-day operations.
I've been getting these spam text messages for 2-3 years now for Democrats. However, they come to my phone in the name of one of my relatives. I think they simply cross-referenced names and phone numbers to determine who to spam.
There are three items here, party affiliation, name of recipient, and target phone number. Only one of those applies to me, and one was wrong but related. This was data driven not from a signup of any sort.
That’s very interesting. How do you know the data wasn’t from a signup of any sort? I wonder about that constantly — it seems like the #1 vector. And although I’ve been careful not to fill in phone number fields, I’d be lying if I said there were zero cases of me plugging in my number into “the wrong form”. It feels impossible to tell now which forms will bite you.
And they’re always so insidious. Want to try out some new app that’s going viral? “Phone number verification please.” Oh good, now I have the choice of not joining my friends, or risking some spammer from India three years from now will be texting me at 3am to sell me silagra, because Hip New App had a data sharing agreement with Company X, who passed around my phone number like a pipe at a frat party.
The worst part is that it’s somehow possible to detect whether you’re giving them a “real phone number” and not a Twilio number. And it turns out that all those services that offer burner lines are all built on Twilio. Which means (to my dismay) I couldn’t just set up a damn burner number unless I literally bought a second phone.
At this point the situation is so comical that carrying around a burner phone next to my laptop is suddenly seeming like a rational totally-normal thing to do.
> At this point the situation is so comical that carrying around a burner phone next to my laptop is suddenly seeming like a rational totally-normal thing to do.
Heh…as soon as I read this I glanced down at the little Nokia dumb phone I have next to my keyboard. $15/mo AT&T 4G prepaid plan exclusively for “when I’m suspicious of whoever I’m about to give a phone number to”.
Only ever gets “topped up” when I need to use it, and when it’s not in use it just sits in a drawer.
Parties maintain these datasets and then selectively share with candidates. There's always misuse and abuse.
My local (legislative district) party requires candidates sign a contract. We're one of the few (because we have geeks on the executive board). And even then, there's always some yahoo abusing the data.
I'm not aware of the relationship(s) state & national parties have with their large fund raisers. I assume the abuse is rampant. Just like with every other outsourced fund raising operation.
--
I've long been totally against voter profiling and ballot chasing. Harassing voters is another form of disenfranchisement (thru alienation). I've door belled, worked the phones, and done fund raising; voters HATE us.
But everyone else is utterly opposed to the alternative system. Universal voter registration, compulsory voting, and massively curtail campaigning.
In other words, be like every other mature democracy. But we couldn't possibly have that. Because Murica! or something.
TLDR: Burn it all down. Upgrade to genuine democracy.
This is particularly annoying. I was a fairly apathetic, dedicated non-voter for most of my adult life, avoiding anything political, didn't even register to vote, but once considered living with my grandmother for a brief while and uploaded a resume with her address to see what bites I could get from the local Las Vegas job market. 15 years later, I still get near daily texts during campaign seasons from some Trump-adjacent nonsense thinking I'm my grandmother because it associates my phone number with an address I never lived at, plus a bunch of calls from the 702 area code I never answer.
I've gotten nearly a dozen in the past week. It's pretty unnerving with the recent history of zero-click iMessage exploits. These are SMS, but maybe there's a privately known SMS zero-click exploit.
Spam SMS ought to be even easier for carriers to filter than voice. They need to do it and soon.
“It's pretty unnerving with the recent history of zero-click iMessage exploits.”
Someone can compromise your phone by simply sending an iMessage without the receiver interacting with the message (even to immediately block the sender)?
It's interesting to hear how many spam texts you're getting.
I've got a private phone and a work phone on T-Mobile. My private number gets maybe 1 spam text per month, but 2-3 robocalls per week, while my work phone gets ~3 spam text messages per week and about the same number of robocalls.
Overall, the number of robocalls I've been getting has gone down somewhat, but not noticeably. It's probably decreased by something like less than 10%.
I had no idea anything had been done to robocalls, I really hadn't noticed any sort of decline.
It seems to vary substantially for me. I'll get 2-3 spam calls a day for a week or two on my personal cell number, then nothing for several months, then they'll resume again.
One of the most annoying incidents was when I got a new work cell from AT&T. It must have been a recycled number from someone who signed up for a lot of.... crap, because that phone got 10+ spam texts and 5+ spam calls every day I had it, from the moment I put the SIM card in a phone. Eventually had to get a different number from AT&T.
Visible prepaid here & I live in a red state. I get 1-2 Trump campaign spam texts a week and blocking the numbers isn't helping. Generic spam text almost never. Robocalls are a steady 1-10 a week which makes me miss Google's automated answering service.
I ended up using VoIP for both my cellular and landline connections. I would recommend it for the latter, but not the former.
When WiFi and 3G signals are thrown into the mix, real-time communications go south fast...
To STIR/SHAKEN's credit, however, the only spam calls I've received go to the cellular number assigned to the SIM card I have that is purely for data (so I can make those VoIP calls outside of home wifi range)
Agreed. VoLTE is VoIP anyway, so there's not a lot of drawbacks relative to changing out a circuit switched landline. I believe at least in the US as well, STIR/SHAKEN is being implemented on circuit switched networks.
How do we protect SMS? I’m kind of confused but I understand I guess why it wasn’t also addressed in the initial rollout… does STIR/SHAKEN even allow for SMS authentication?
I guess you could keep your phone number by porting it and get the call spoof protection?
> 'The "STIR/SHAKEN initiative" was supposed to fix this.'
This was only for voice calls not SMS. From a FAQ on Neustar's (SS7 provider) site:
> "5. Does STIR/SHAKEN apply to SMS/text messaging?
> Currently STIR/SHAKEN applies to phone calls only. However, work is on-going in the communications industry to evaluate the best authentication method for SMS / text messaging."[1]
It's unclear to me why it does not currently cover SMS. Perhaps someone else could shed some light on why this is. SMS certainly uses the same SS7 infrastructure as voice calls.
And as far as blaming the carrier, if a call comes in with a B or higher rating it’s going to present the number as legit. That’s not the carrier’s fault!
What carriers are willing to show Caller Verified when receiving a B level attestation? From my testing Verizon and T-Mobile require A level attestations.
> There are "A", "B", and "C" levels of verification. "A" calls are probably legit. The others, maybe not.
TIL.
I know that makers of phone/texting apps are primarily targeting users who don't know or care about this kind of stuff, but man it would be awesome if that kind of info were available whenever an inbound call or text arrived on my phone. Just like email headers, I'd love to be able to see the raw authentication grade and other metadata.
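An added example (not from the thread or from any carrier's code): on the IP portion of the network the attestation grade travels in the SIP `Identity` header as a PASSporT token (RFC 8225, with the SHAKEN claims from RFC 8588), so the "raw authentication grade" is one field in a base64url-encoded JSON payload. This sketch decodes a constructed header and sanity-checks its claims; it does not verify the ES256 signature, and the phone numbers, certificate URL, `origid`, signature bytes and the 60-second freshness window are assumptions made up for the illustration.

```python
import base64
import json
import time

# Attestation levels defined for SHAKEN (RFC 8588).
ATTEST = {
    "A": "full: carrier knows the customer and their right to use the number",
    "B": "partial: carrier knows the customer, not their right to the number",
    "C": "gateway: carrier only knows where the call entered its network",
}
MAX_AGE = 60  # seconds; assumed freshness policy for this example


def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_sample_identity(attest, iat):
    """Constructed sample header; numbers, URL and signature are made up."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.org/sample.pem"}
    payload = {"attest": attest, "dest": {"tn": ["12025550199"]}, "iat": iat,
               "orig": {"tn": "12025550123"},
               "origid": "123e4567-e89b-12d3-a456-426614174000"}
    token = ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        b64url_encode(b"\x00" * 64),  # placeholder, not a real signature
    ])
    return f"{token};info=<{header['x5u']}>;alg=ES256;ppt=shaken"


def parse_identity_header(value, now=None):
    """Decode 'token;info=<url>;alg=...;ppt=...' and list any problems."""
    now = time.time() if now is None else now
    token, *raw_params = [p.strip() for p in value.split(";")]
    params = dict(p.split("=", 1) for p in raw_params if "=" in p)

    parts = token.split(".")
    if len(parts) != 3 or not parts[0] or not parts[1]:
        raise ValueError("expected full-form PASSporT: header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))

    problems = []
    if header.get("ppt") != "shaken" or header.get("typ") != "passport":
        problems.append("not a SHAKEN PASSporT")
    if header.get("alg") != "ES256":
        problems.append("unexpected signature algorithm")
    if params.get("info", "").strip("<>") != header.get("x5u"):
        problems.append("info parameter does not match x5u")
    attest = payload.get("attest")
    if attest not in ATTEST:
        problems.append("unknown attest value")
    iat = payload.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > MAX_AGE:
        problems.append("stale or missing iat")

    return {
        "attest": attest,
        "meaning": ATTEST.get(attest, "unknown"),
        "orig": payload.get("orig", {}).get("tn"),
        "dest": payload.get("dest", {}).get("tn", []),
        "origid": payload.get("origid"),
        "x5u": header.get("x5u"),
        "problems": problems,
        "signature_verified": False,  # this sketch never checks the signature
    }


if __name__ == "__main__":
    sample = build_sample_identity("B", iat=int(time.time()))
    for key, val in parse_identity_header(sample).items():
        print(f"{key}: {val}")
```

Without signature verification against the certificate at `x5u`, the decoded grade is only what the token claims, which is why the result carries `signature_verified: False`.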
Your phone company knows the originator info of your calls and texts (or at least enough hops until they reach some even more untrustworthy than normal phone provider). They simply don't give you that info and instead show you an unverified caller ID that anyone can basically set to anything by whoever is contacting you.
Blame your phone company and the FCC for not solving this (and for not providing you with the data to solve it yourself).
It’s interesting to me that the carriers are intentionally devaluing the one protected monopoly they have. Nobody wants to receive phone calls or even SMS any more, because the spam/spoofing is so bad. One has to assume that they plan to simply monetize it until it’s gone. Then, it will be just IP over 5G with a race to the bottom.
In the meantime anyone who can’t just whitelist phone numbers loses. Being a business must suck.
Who can just whitelist phone numbers? I get calls all the time from numbers I wouldn't have known to whitelist; colleagues, people in other companies who I'm collaborating with on some project, food delivery people, customer support calling me back, etc.
I usually ignore calls from abroad at least, but even those I can't block; I'm constantly spam called by different anonymous numbers from the UK, but I also have colleagues in the UK whom I want to be able to accept calls from. I once got an unsolicited call from a French number which I ignored, only to find out that it was the phone number of a food delivery person who was there with my food. Just last week I got a call from an unknown German number; in that case, it was a call from a colleague in Germany.
I don't think a whitelist of phone numbers is a workable solution for most people.
I get maybe 2 calls a month that are both legitimate, and from numbers I don't recognize.
Which is frustrating! Because it might seem like that's a low enough frequency to make whitelisting a viable solution. But it's not—for the reasons you outlined.
2 calls a month are important enough to me that I must receive every spam call that comes in. I'm still pretty good at sniffing out most of them. A lot are still matching my area-code and exchange numbers on the spoofed ID—a huge red flag. Many others show rural cities that I'm certain no legit caller would call me from. But then there are the in-betweens: calls I can't make heads or tails of unless I answer.
Whenever I do get one of these legit-but-unrecognized calls, I immediately add them to my contacts in some vain attempt to reach whitelist nirvana. But I don't think I'll ever get there.
Voicemail. Why doesn't it work in this case? Do you work in sales? If so, why not use a separate "business" phone? Get the cheapest pixel you can find and enjoy the benefits of call screening. Maybe just a voip app on your current phone would work?
I'm having trouble understanding how 2 phone calls pose such a big problem. Please help me understand.
It's not business related. These are calls from dog groomers, doctors, and other service providers. I have a separate phone number for my job (which also is starting to get spammed).
My voicemail box is about 2/3 spam voicemails.
It doesn't really fix anything, just shifts it to another place that I then have to check to weed out spam calls and find the legitimate ones.
> I'm having trouble understanding how 2 phone calls pose such a big problem. Please help me understand.
Okay, so it's not a "big problem". I'm being a little hyperbolic in my previous comment. It's an annoyance, and a galling one. Like email spam was back in the day. I could still find the legitimate emails among that crap, but it sucked and I would've rather not.
The 2 phone calls themselves aren't the problem. The spam is. But the 2 phone calls each month are enough that I don't want to just ignore all non-whitelisted calls. Doing that will cause its own annoyance, as I miss calls that I didn't want to, and have to check voicemail each time a spammer calls me.
I ignore nearly all unrecognized incoming calls (average ~1 per day but varies a lot, sometimes 5-10 in one day). IME only a very small percentage actually bother to leave a message. But perhaps this varies by region, or carrier, or any number of other things.
I'm on your side of the fence - but with very aggressive whitelisting. You're in my phone book or not. I block 100% of calls that aren't in my phonebook, if they don't originate with my voip provider.
All of my incoming calls go to my VOIP provider, which in turn routes to my cellphone if someone has my 'extension'. Anyone who doesn't, has their message go to voicemail, which is transcribed to email (and the audio file attached). Prior to transcription audio plays telling the caller to enter a specific code, to leave a voicemail. Turns out this eliminates 100% of fake foreigners, and locals. They can't be arsed.
I ignore SMS. I receive nothing of value other than registered numbers (as in, a registration with the state) so I actively block them and add on an as needed basis.
I remember reading one guy who said he implemented a pre-screen before a call rang through. He said his first design was simply a voice message that said "Press 1 to continue" which he planned to ratchet up in complexity until spam calls stopped. He never ended up improving it because the "Press 1" message got the job done.
My grandmother's phone company offers something similar (a simple "press 1 if you are not a telemarketer" prompt), and it also eliminated the majority of spam calls, which is not what I expected.
I'd like to do this in theory, but practically I find it not worth it. Consider a case where your partner or your kid lose their phone, are stranded, and borrow a phone from someone. They won't reach you.
I really like the feature on many Android phones where you can turn on Do Not Disturb and phone calls automatically go to voicemail UNLESS they are a "VIP" contact (which you set) OR if someone calls back twice in a row relatively quickly. I wish they had more granular controls like this - I use it currently at night when sleeping (so for example my boss or my family can still contact me at 4am if there's a real emergency) but it would be nice if I could do something similar during the daytime but a bit less restrictive.
SMS should be renamed to 2FA since that's the last remaining use for me, and only until the laggards upgrade to support Authenticator apps (I'm looking at you TD Canada Trust and PC Financial).
SMS is like email for me, these days: only used for transactional messages that I'm expecting, and spam. Both are almost exclusively ways for computers to send me messages.
I just realized that if this STIR/SHAKEN thing (or something similar) was implemented for SMS it could potentially make using SMS for 2FA much more secure - there could be a relatively secure way to verify automatically that the sender of the 2FA code is legit and that the code is only being sent to the proper device.
Agreed, it isn't a great solution at all. I've been dealing with winding up my dad's estate recently and in the last couple of months I've taken more calls than I have in the last 10 years, all legitimate too.
No, it literally doesn't. I've done exactly this - 3 times, in two different countries. It's no different than saying "here's the number at my desk in work".
Probably 90% of people under 40 years old. I've blocked unknown callers for over a decade, with no issues. Honestly, I'd be fine to lose the voice call and texting features entirely and just go entirely to email. Seems to be heading in that direction anyway.
I don't use food delivery services, but I think those mostly operate over text which could as well use email. Certainly takeout orders notify me of status over email or text, not call. If I need customer support, I send them an email and operate over email.
To add a data point—I’m in this demographic and for unrelated (but maybe not uncorrelated) reasons have never elected to receive a call back from customer support (being “on call” is almost as bad as being on a call) and have never had food delivered (the concept feels disgustingly lazy and wasteful).
> Who can just whitelist phone numbers? I get calls all the time from numbers I wouldn't have known to whitelist; colleagues, people in other companies who I'm collaborating with on some project, food delivery people, customer support calling me back, etc.
I assume most "whitelist" approaches don't actually send the messages nowhere, they just remove notifications so they don't interrupt you. For colleagues / etc, you can just use Signal (or whatever company-imposed collaboration tool exists) to hold the conversation completely, or barring that you can at least schedule a phone conversation in advance (so you can whitelist the requisite number).
I'm sure if you're client-facing / in sales you don't have this luxury, and you'd rather be interrupted at any time even if it's spam, but I doubt that describes most people.
Same is true for food delivery etc... if you're expecting something that might require your attention, you can disable the whitelist and let any call through during that window.
> I don't think a whitelist of phone numbers is a workable solution for most people.
My local hospital telephones with private numbers, which is the only reason I cannot completely block them and thus cannot use a whitelist. Outside of working hours I do not answer them. I told them it is a problem and they placed a note in my record to call me from a public phone which is nice of them (not their own desk but from a service desk which has a number displayed) but I imagine they sadly sometimes forget.
The UK number is a hassle too, all kinds of +44 numbers spoofing or reusing existing non-fixed location numbers to seem legitimate since some phones provide direct listing of the name of the company. They are actually foreign redirects which cost insane amounts of money if you call them back.
I would also like a native way of blacklisting number blocks (like +44), my phone currently can't unfortunately.
>My local hospital telephones with private numbers, which is the only reason I cannot completely block them and thus cannot use a whitelist.
Can anyone with more context explain to me why a rational person decided on this? It's Biblically frustrating for me because 9/10 withheld numbers are spammers or scammers and I don't want to pick up the phone to them but 1/10 it's my local doctor's surgery who I can't ignore. It's such an antisocial thing for doctors of all people to do, but it seems to be common enough people across the world have to deal with it.
Mostly because there is usually a bunch of phones in a practice (and a shitload in hospitals), and you don't want patients to call back to for example the MRT/CT lab.
The other problem is privacy... imagine a woman consulting her ob/gyn about an abortion. The ob/gyn calls the woman back, and suddenly the abusive husband sees the phone number of the ob/gyn practice on the incoming call log.
While I do understand this reasoning somewhat I don't know why it's only limited to hospitals and doctors. I can imagine thousands of situations where this abusive partner would have a problem with an incoming number hospital or not. I'm not sure it's a great idea to structure our communications around hypothetical abusive people, a call directly to the number that is provided from the organization you provided it to is private enough.
> I'm not sure it's a great idea to structure our communications around hypothetical abusive people
Domestic violence is far from hypothetical [1], it is the sad reality we live in. Medicine in particular has a responsibility by the Hippocratic Oath to avoid causing harm, and the laws (e.g. HIPAA) reflect that responsibility.
So, women are abused sometimes therefore doctors must mask their numbers due to the Hippocratic Oath and HIPAA? Do the doctors have to disguise their voices as well? Maybe they should talk in code. I won't pretend to be an expert on HIPAA but I very strongly doubt that calling from random numbers is part of it. Wouldn't the random calls look suspicious to the abuser in this circumstance? IMHO something like this would cause more abuse than just I dunno.. lying about why the doctor's office called.
Physicians want to be accessible only via specific channels, to protect their time and to ensure there is consistent process across patients. Most of the time as a patient you can’t call them directly, unless you work through the page operator or you plan ahead with them on predefined phone number and time.
Unless they're using their personal cell phone, this should be a basic feature of the hospital's phone system, it is a feature decades old. No reason the caller ID should be set to the DID of the doctor.
Not from the UK, I don't actually get why calling a local/in-country number could incur high cost. How could one identify a paid/free/local number without trial-and-error?
In my country, you only incur normal minutes when you call an ordinary non-overseas number. By ordinary, these numbers have a normal number of digits, and a known prefix. Paid call always have shorter or longer phone number.
I'm from the UK and I can confirm that I am billed for the number I dialed not any forwarding endpoint. If I am inside the UK and I dial a landline (starting 01, 02 or 03) it will usually be included in my monthly contract allowance.
It's regulated by the UK regulator OFCOM. They publish a list of number prefixes and the maximum costs that can be incurred:
Some of those costs are high, but they are published, and capped. There are no surprises here.
There are a couple of myths that circulate endlessly in this country that:
i) You can receive a call from a scammer who prompts you to 'press 1' to be connected to an agent, and if you press 1 you're dialing a premium number and can incur large costs. This is impossible, inbound calls in the UK are not billable, nor can inbound calls count against any inclusive minutes on a contract.
ii) You can dial a cheap-looking number but the call is forwarded to an international or premium-rate destination and you can incur large costs. This is impossible, you can only be billed for the number you dialed, any onward forwarding costs would be incurred by the owner of the number you initially dialed.
This is an interesting pattern that I have noticed, and much of my work is in a similar vein. I have to be able to accept unknown numbers for my work. As a result, I pick up on a lot of robocalls. When it comes to business numbers, there really isn't a good solution for this.
I'd be interested to see if an entirely new business model rises up out of this. Some kind of verified business network of phone numbers people pay a small fee per month (per call?) to get assurance that it's a legit business call. A sort of for-pay group whitelisting.
At the very least, when it comes to my private number, I decline any call I do not recognize and I figure that if they are legit, they will either:
1) Call back immediately
2) Leave a voice mail and I can call them back in a minute.
It's tedious, but a sort of call/re-call seems to be like a kind of workaround to this. It's just a very tedious thing when it comes to stuff like doctors offices calling from a new number, 2FA from some website, or anyone I might not have saved in my contacts list.
PagerDuty does something kind of interesting - they create a contact on your phone with all their possible outbound numbers so you can allow them to ring through.. would be cool if other apps could do this without needing access to read every contact in your address book (at least on iOS).
It still doesn’t solve the problem of someone unexpected calling you though, or someone for whom you don’t know the number..
I think GP's point was that this is a situation where ethics and business value align (better origin verification is a selling point for a network) and yet bafflingly carriers aren't making the right choice--by either estimation of "right".
That ship has long sailed, and I don't think young people for instance value much having a phone number, except for conforming to social norms (e.g. getting called back for a job offer) and SMS confirmation codes.
Carriers are milking it as much as they can now, as they don't have leverage to otherwise stop any progress that would make phone numbers finally irrelevant.
Those social norms are changing too, ten years ago I'd have phoned people out of the blue but these days I'd only do that for urgent matters because it's rude not to text first.
I don’t even text anymore, I just ping people on Facebook or discord or wherever. And then I’m likely to call them from my computer on one of those services too, which means the mobile carrier is 100% cut out of the loop.
I'm from the last offline generation and don't hate the telephone, but the volume of spam calls my landline receives has to be 99% of rings. I may have gone to bat for landlines if there wasn't the spam problem as I think they have upsides over cell phones. Way better sound quality, more consistent service, and answerable by anyone at home.
However, I have been getting 20+ spam calls a day for the last week and I am ready to get rid of the landline forever.
The generational decay would be much much slower if telecoms did their job.
I don’t know if phone calls decay is that much a generational thing.
Our elderly parents stopped calling us and moved to Line the moment they had an iPhone (then an iPad), and even with their friends they seem to just hit the call button from the messaging threads. They still say they had someone on the phone, though they’re on third party services, so it seems it kinda just switched in their mind.
Perhaps the same way we were switching between local calls, long distance calls, special operator calls in the offline days, but we’d still just think of it as phoning people whatever the actual service we were using behind.
My phone company apparently provides anonymous spamming service. New data protection rules forbid them to share your name and phone number, so they went ahead and created a service where marketers can call people without a phone number.
You want to reach females aged 30-35 in a city? Simply call or send an SMS from the API and you will be connected to a random one who matches your criteria.
At least, that's what my spammer told me when I insisted on them telling me who gave them my phone number. Apparently, I gave the consent to be included in the pool at the time of purchasing some data package or something like that.
I don't think OP indicated the carrier shared personal information - only that they provided a way to connect a 3rd party company to a customer. That transaction doesn't need to include any information beyond the defined demographic.
That's correct. Apparently they put me in a certain demographics bucket and the spammers can pay the carrier to call or SMS a random person from that bucket, sometimes that's me. So they know my gender, approximate age and location (maybe some other stuff?) but they don't know my name.
To clarify: I think you're saying they don't know your name, but at least as important they don't know your actual contact details (phone, address, email).
TBH, this is a system that if it's opt-in only, I don't have much of a problem with. If it's opt-out, I'm annoyed. If it's required, we should change policy.
The system is not advertised on the carrier portal, there’s no indication that you opted in and there’s no option to opt out.
To know about it, you need to be annoying like me and investigate. Once I learned about it through questioning the spammer, I called the carrier and requested opt out. First the call center people didn’t know what I’m talking about, then at some point they used some innocent-sounding name for it and promised that I’m out. I still receive spam every day.
> Blame your phone company and the FCC for not solving this
I do. They don't care. AT&T doesn't even care that their cell network barely gets above 1 or 2 bars in a major metropolitan area. They mislead consumers by displaying 5Ge as the network (it just means you're on 4G but in an area that might have 5G service). My phone is really not a phone anymore, at least 95% of the time. I do make outgoing calls myself and only answer when I have a definite expected call from a known number. I use video chat apps for both audio/video calls for family.
I would probably say this is overstated, except today I got a phone call from “Djibouti” with a fake foreign code which was obviously a call spoofing a local area code, matched a very prominent local business, and left a message about… auto warranties.
Does the FCC have the authority to do that or are they beholden to Congress as is so often the case?
Part of the conservative push to deregulate is to argue that government agencies are incompetent but the reality is that they've constructed a system where these agencies literally lack the agency to do anything more than write a nasty letter.
This is only valid if it’s a US company and many of these are originating outside of the US. Many shady companies outside of the US simply ignore the fines.
Except, when it comes to prosecuting people they usually make a deal where they pay a $50k fee or whatever, or they just don't have jurisdiction over the spammers and they'd rather sanction Russia than sanction India or other countries that are originating a lot of the SMS and robocall spam.
Well, this issue is actually trickier than it looks. The real problem is that the protocols our communication infrastructure is built on were designed with almost no authentication & authorization mechanisms. It wasn't a big issue when they were designed, as copper wires were required to make calls, but it means basically anyone who gets those endpoint details can send SMSes and make calls claiming to be whoever they want, given that now almost everything is on IP networks. Yes, you were right that those telcos do know what the problem is and how to fix it, but they simply have no incentive to fix it, as: 1. It needs an overhaul of the current infrastructure, which needs lots of money and effort to proceed. 2. It requires all parties in the network to coordinate. One single exception means the issue remains, or you will have to drop interconnection with those that are not ready yet. 3. Negative impact to their revenue. So here comes the status quo.
The good news is that Verizon has all these grand plans to intercept your browsing data and use it to target ads, but they can't even implement the most rudimentary spam protection on SMS, so I don't have high hopes that they're going to make any money by spying on everyone.
One could argue that since the more messages you receive, the more you pay, they have no incentive to reduce spam; whereas with ad tracking, as long as they find some advertiser willing to pay 100 million dollars for a 1% increase on click throughs on their overpriced toothpaste, they'll have a financial incentive to do a good job. So maybe we're actually really screwed.
Sad that a cell phone company can't be just a cell phone company. They were pretty good at that.
"One could argue that since the more messages you receive, they more you pay,..."
Laughs in €uropean.
Btw €5.99 unlimited calls, unlimited texts (that the receiver doesn't pay for [maybe my US friends do....must check]), 100Gb a month. Had the same tel.no for nearly 20 years, several different operators.
My US friends are very jealous (though at least one has unlimited EU calls and texts).
Pretty much everyone in the US has unlimited calls and texts. You have to go looking for obscure senior citizen plans meant to be emergency phones for anything that is charged by the text and minute. Our service costs way more than 6€ though
Over here in India there's a DND (Do Not Disturb) registry [1].
The link [1] links to Telecom Regulatory Authority of India (TRAI) website.
You sign up to DND by dialling a number that is dependent on your carrier (therefore you need to do this separately for all your phone numbers [3]), and go through the "Press 1 for English [2]... Press 2 for so and so... " etc. Takes a couple of minutes.
Once I signed up, the number of marketing and similar silly calls/messages have been nearly eliminated.
Maybe something similar — something that allows people to opt out of such calls/messages — can be implemented in USA.
[2] The language question because there are plenty of languages in India.
[3] Tangent: do people not use multiple phone numbers in USA? Like, I wanted to buy an iPhone but it does not support multiple SIM cards (unless you convert one of the SIMs to an e-sim [4], which I'm hesitant to do because if I later switch back to an Android phone that does not support e-sim, I'll have to go to my phone company to get a physical SIM. Too many hassles.) Also I'm told iPhones sold in China have dual SIM capability [5], but I can't go to China just to buy an iPhone.
We have that here too. Usually when you sign up your spam calls actually increase because spammers use the list of "banned numbers" as a list of "verified numbers of real humans".
With CallID spoofing it's so hard to track down that violators never get enforced.
In India you have the advantage that the caller pays, which means you have a phone system that somewhat securely verifies who the caller is so they can be billed. In the US the receiver pays so there is no system in place to verify who the caller is.
This is the root cause of North America's broken telephony system. $30/month buys you a landline with unlimited outbound calls to both landlines and mobile phones. The system has no facility to meter outbound calls from a landline.
Well, no one pays for a 'call'- generally in the US inbound/outbound calls are unlimited on a landline and lately on cell lines as well as minutes restrictions have dissipated. Growing up in the US you only had to worry about long distance or 'local long distance,' which, ironically, was often more expensive than regular long distance.
Plus, if the call comes from overseas they're not going to respect the DND from your country unless the fake caller is also from your country of origin.
I can't say definitively but the vast majority of my spam calls are from South Asia or South East Asia (I'd guess Philippines based on accent). They typically don't respect the Australian Do Not Call register so much.
My Indian friends complain that despite being on the DND list, the unsolicited commercial message situation in India is pretty bad, due to the lack of data protection laws.
> do people not use multiple phone numbers in USA?
The e-SIM is the easiest way to get two numbers on the same iPhone. Having multi-SIM phones isn’t popular for a number of reasons, including the fact that Americans and Europeans can get a 2nd number via services like Skype and Vonage anytime they want — something India still prohibits.
Incidentally I wrote about having multiple SIMs in India a week ago[1]… they’re an interesting historical accident, and the well-to-do in India will continue to use them, but they’ll become increasingly less common as telcos raise prices.
Same here in Norway. It is an offence to make an unsolicited commercial call to a number that has been on the register for more than a month. It can cost the caller 300 USD per call in fines.
I have had perhaps two unsolicited calls in the last five years and one of those was from a number apparently in London, UK.
Most of the scam calls and texts these days come from outside of the US, and unfortunately India is a huge source of those calls - wages are low and English language proficiency is high. And it's not just the US that has this problem. Here in Norway a common scam telemarketing call is "investment opportunities" that show up as coming from a UK number, and if you answer, it's very clear that the person is calling from a call center in India.
Oh, I have no doubt, and to be clear, I'm not blaming India as a whole. I don't think India has a higher percentage of the population willing to try and scam other people, but given the number of people in the country, the economic situation, and the level of English language proficiency makes it a very attractive location to set up shop. It's also much harder for law enforcement to do much about the problem when the calls are coming from overseas.
> do people not use multiple phone numbers in USA?
Not really, no. Dual SIMs are kind of a niche feature here, and most users I've heard of do it with a US SIM plus one for some other country they travel to frequently.
Curiosity: what are the use cases for two SIMs from the same country?
> Curiosity: what are the use cases for two SIMs from the same country?
I don't know the exact reason, but here are some thoughts on that:
Hypothesis 1:
In India, only the caller pays for the call. The callee pays nothing. I say this because I was surprised to learn that in USA, the callee pays.
Long long ago — before calling via the internet through WhatsApp, Signal etc became a thing — in India if you (or rather, your SIM card) travel to another state within India (say from Kerala to Karnataka), your phone goes into a "roaming" mode.
When you're in roaming (when your SIM is in a different state from where it was originally registered), both the caller AND the callee would have to pay.
So, if you're from one state and you intend to live in another for a considerable amount of time (perhaps because you got a job in another state), then it makes sense to sign up for a new phone number in that new state so that you wouldn't be charged when you get calls from family and friends from your home state.
However, this reason is no longer valid because in order to stay competitive phone companies stopped charging you for incoming calls if you go to another state within India.
Hypothesis 2:
Business people tend to have multiple phone numbers to handle the high volume of calls they receive, or to separate work and personal calls.
Hypothesis 3 (my reason):
I initially had a number that I used for personal calls.
Later, a new provider came on the scene with better rates, faster internet, better clarity etc, and I signed up for that as well because why not. This was before phone number portability was introduced.
My mobile data and work calls are through one provider, my WhatsApp is signed up via the other number, and most friends also call me via this other one.
And in some places only one of the providers has proper strong cell coverage.
It's technically possible to merge that all into one number, but I haven't bothered.
Also, calling directly via phone (as opposed to via the internet) is still very common here because it's super cheap. For example, calls from Jio to another Jio number is free I think.
> In India, only the caller pays for the call. The callee pays nothing. I say this because I was surprised to learn that in USA, the callee pays.
This was killing telcos like Airtel and Vi until they too adopted Jio’s model: every SIM has a nontrivial monthly charge whether you make calls with it or not. And that price has risen substantially in the last few years and will continue to rise.
It won’t stop affluent Indians but people on more near-median incomes will find keeping extra SIMs unaffordable.
Except in certain circumstances, I don't think this is true.
First, most calls are free now. You might have a number of minutes, but both the caller and callee have to pay for minutes at the same time. But most plans are unlimited calling within the USA now, I believe.
When calling other countries, the caller pays. Receiving a call from another country doesn't cost anything.
"Collect calls" are calls where the callee pays the long-distance charges. This is unrelated to the "minutes" above. There are no long-distance charges within the USA that I know of, but international charges will apply to the caller unless they "call collect" and then it would be the callee. The callee has to approve it, though.
Most 1-800 (and 1-888 IIRC) numbers automatically charge the callee instead of the caller. This is an agreement that the callee has with the phone provider.
1-900 numbers (and certain 1-800 numbers, for some reason) charge the caller. These are another agreement with the phone provider by the callee, and they're supposed to get consent from the caller before charging, but there are many scams here.
Because of the lack of long distance charges inside the USA, 1-800 numbers aren't as common as they used to be. For a while, almost any business that had wide-ranging customers had one. Now, it seems like only mega-corps still have them.
All that said, I vaguely remember someone saying that they had 2 sim cards because they had 2 plans. IIRC, they got better long distance rates on one or the other, and used them appropriately. That was a while back, though, and I could be remembering it completely wrong.
First of all, thank you for taking the time to explain the whole thing.
> >in USA, the callee pays.
> Except in certain circumstances, I don't think this is true.
Oh okay, so the caller pays and the callee does not pay under normal circumstances? Now I'm confused. When I said the callee pays in USA, I was working off of information from another comment[1] by jedberg in another branch on this thread. I'm pasting that comment below for convenience:
> In India you have the advantage that the caller pays, which means you have a phone system that somewhat securely verifies who the caller is so they can be billed. In the US the receiver pays so there is no system in place to verify who the caller is.
The big reason they were popular in India was that one had to pay for long-distance calls (yes, even on mobile) if you called interstate (or more accurately, inter-telecom “circle”), and many people had lives that spanned two or more circles.
The other crucial reason is that it was near-free to have as many prepaid SIMs as you wanted, you paid only if you used it to make calls (receive was, and remains, free, like in Europe). And VoIP numbers aren’t allowed in India.
These days, all the carriers have national licenses, there’s no long-distance charges, and you have to pay a nontrivial sum (nontrivial unless you’re a relatively rich Indian) every month to keep your SIM active. Whether you make calls with it or not.
This has been a slow, “boil the frog” change, and the relatively extremely well-off Indians on HN will probably be the last to notice, but the need to have multiple SIMs in India isn’t as strong as it was in the 2000s.
> Curiosity: what are the use cases for two SIMs from the same country?
Having SIMs from different carriers to take advantage of different rates. This is mostly in countries where call prices are unregulated and calling someone using a competitor carrier can be a surprise that costs sometimes 10x more.
I had it a while for a work and a personal phone number. Also when someone was sick and I took her phone calls. There are probably ways to reroute the phone calls, but this was quick, easy, and I can do it on my own without involving the phone company (any bigco tends to mess up anything you ask)
> Curiosity: what are the use cases for two SIMs from the same country?
One phone number, registered to your business, that you never give to anyone other than 2FA, contact number for bank accounts, credit card confirmation etc. And one phone number that you use for business and personal calls.
I still get spam calls on phone #1, of course, but it protects me against SIM swap attacks from people who get access to the second phone number
Separation of private mobile 24/7 and office mobile during office hours.
Office mobile is also abandoned when you switch jobs, so it can be freely shared because the responsibilities won't follow you.
Perhaps all of us in North America should sign up for the Indian DND list since that's where the majority of our spam calls originate! I signed up for the Canadian "do not call" lists when it came into effect and it only served to increase the spam calls/texts I receive.
Yeah, we do. It sucks because we pay for the spam calls.
Most cell plans now include unlimited incoming calls and texts, so it's not really a problem, but the sender does not pay anything either, which is a problem.
> Yeah, we do. It sucks because we pay for the spam calls.
If the robocaller/spammer doesn't pay for it, I think that explains why these things are so rampant in the US. In the Netherlands, it's only the caller who pays, and robocalls and SMS spam are extremely rare here (at least in my experience).
Although these days, many phone subscriptions come with unlimited calls and texts, so the caller/texter doesn't pay either. Somehow this doesn't seem to have led to an increase in spam and robocalls.
There's a negative side to it -- with a caller-pays system, you could potentially be hit with high call tolls, even if you do not own a mobile.
While in Japan, I remember calling a mobile from payphone I could see the balance of the call card going down every few seconds...
Though, these days, I think most of them seem to have shifted to texting and VoIP calling on apps, which are free.
Even with the "caller-pay" model, they still experience a good share of annoyances, as many of those callers opted for "one-ring" spam where they would call, but hang up before the receiver picks it up.
These days, calling mobile usually costs the same as calling landlines, but I do remember when calling mobile cost more. But even then, at least the caller gets to decide whether to call or not. And mobile phone numbers look different from landline numbers, so you know what you're calling.
The only thing is when the mobile phone is abroad and there are roaming charges; in that case, the callee still pays, because the caller has no way of knowing. But these days, roaming charges have been banned within the EU, so that problem has also disappeared.
Spam SMS are a thing here, even if your number is added to a govt DND database. As far as spam calls go, fintech companies have call centres frequently calling everyone asking if they need a loan.
The telecom authority here has been fighting against misuse of calls and SMS for years now. It all started when the Finance minister received such a call while he was speaking in the parliament :D https://economictimes.indiatimes.com/industry/telecom/raja-o...
Even with all this action the number of calls are quite a lot and this is the reason most folks have Truecaller installed to weed out unwanted calls.
What changes with region is the type of spam you get. I have never received a call for tech support, not to mention you need to provide two-factor authentication for each transaction and the fact that credit card is used by only a few.
Same in Europe (at least the parts I ever lived in). I think it's indeed the commercial incentive - once the caller/sender has to pay anything, however small the fee, it's no longer economical to spam.
I remember making sending emails cost a tiny fraction of a dollar was proposed some time back in the nineties to stop email spam. That was superseded by effective bayesian spam filters. The cost of that is that it's near impossible to self host email servers these days, as all those filters will label you as a spammer. Otoh requiring some payment solution would also be a strong barrier...
> I remember making sending emails cost a tiny fraction of a dollar was proposed some time back in the nineties to stop email spam. That was superseded by effective bayesian spam filters.
That is what made me interested in ML (it was an article by Paul Graham - "A plan for spam"), years later I am an ML engineer.
My elderly mother got a call from a Doctor for an appointment reminder saying "press 1 to confirm". It was one of those robo voice calls. What was disturbing is the doctor's name was nobody she knew or heard of. But the call mentioned a doctor's appointment she actually did have. The robocall had the day and time correct but the nurse there said they never called my mother they don't have any automated system to call patients. Mom almost answered the robo call if it wasn't for the ominous "press 1" which I tell her to never do.
I put mom and dad on the do not call registry here in Canada but it doesn't help. Constant calls from Amazon, Visa, Revenue Canada etc. It's either the robo voice or someone with an Indian accent.
> I put mom and dad on the do not call registry here in Canada but it doesn't help.
I worry about my Dad with this. I tell him constantly to hang up no matter who they say they are as a matter of habit. If he really wants he can initiate a call with that organization to ensure it's actually them.
Despite me saying this repeatedly, I've heard him give personal info over the phone to cold callers offering discount electricity rates.
Voice calls and texts are ironically the worst aspects of owning a phone these days. I recently decided to just use my phone permanently on airplane mode while at home, and the overall experience has been a lot better. I wish I had the ability to block all calls and texts while on cellular data as well. All my communication can happen a lot more effectively over iMessage, Facetime, WhatsApp, Messenger and more.
Think that's bad? Our kids have tablets with 5g data (they were basically free...)
I managed to lock them down, except they still get spam texts. There's no way to disable incoming texts, even though they're supposedly data only devices.
Can someone "eli5" why this possibility of spoofing even exists and is allowed? What are the legitimate use cases of this feature?
EDIT: thank you all for your answers!
I suppose it’s the same thing that allows you to receive messages from "SOME BRAND" and … why not. But this could be easily regulated. I don’t understand why anyone can spoof anything they want. Also, I don’t understand why my iPhone doesn’t allow me to block messages from "SOME BRAND" as if it was from any other sender.
The CLI (Caller Line ID) field of an "incoming call" message isn't adequately policed. This is sort-of baked into how telephony works. It's stupid, and it should have been thought about more. The CLI field isn't how the call routes, it's just how the caller announces who you are. Telephone call routing uses other data fields, it's part of SS7 and the other signalling systems the phone network uses. The field which comes up on a mobile call, inside "payload", isn't how it is routed.
Imagine some company has the indial range 667 2200 to 667 2299.
If you dialled from your assigned handset 667 2241 the CLI can say 667 2200 so it looks like you come from the switch (in this example we assume the company's PBX operator is on 2200, and you publish 2200 as the incoming call number) so people don't learn your office handset: that's why they permitted it.
I have no idea why they allow you to "lie" above your indial group range. But they do.
STIR is how in a VOIP world people are approaching the fix. But really? The FCC and other national regulators have to tell the telco to stomp on the fakeout, when people inject calls into their system.
This has parallels with "envelope sender vs RFC822 header" in email. Or spoofed source if your ISP doesn't do BCP38. Guess what: SPAM is a problem in email (duh) and spoofed source is how DDoS can happen. "telling lies" in end-to-end communications is not helpful.
It sounds like it shouldn't even be happening in USA. It's a trivial bit of code in the routing software to check if CLI matches SS7. If it doesn't: don't connect. You don't even need to correct it. There's no legitimate reason to connect a spoofed number.
It is trivial to implement. They don't do it because they make a ton of money every year selling origin spoofing to businesses and charging customers for incoming texts (they never asked for). Spoofing is a service that the telcoms offer. Not a weakness! At least, that's how they see it.
I used to live in Perth, and never had this problem this bad. I got the occasional spam text, but it was usually from some company I'd given my number to.
I get 2-3 spam texts and calls per month. About 1/2 fake my mobile # off by 1 digit near the end, a trick to make me "think it's a number I know".
I'm on ALDI which is an MVNO overlay on Telstra wholesale. Maybe ALDI do worse for source detect?
(There is no difference between SMS and calls in regard to CLI faking. I don't know about RCS, it's possible RCS gets rid of this problem. ALDI doesn't have RCS, it's not ubiquitous, has to be enabled in the phone profile by the provider.)
This goes back to when caller ID was introduced (80s?). There was a lot of opposition.
Anyway, a company could have what was called a PBX — a bunch of lines would come in and the operator would connect them (by plugging cables — I still remember this system). When they replaced that with electronic “exchange” — Private Business eXchange you could dial straight out from your desk. However there were fewer lines coming in than extensions. For direct dial the PBX could either set all outgoing calls to be the main number or could send the direct dial number for the desk phone that made the call.
We had a system like that into the late 80s though by that time we weren’t getting a bundle of incoming lines.
This system does have an advantage: it lets staff make calls using phone number controlled by the company. So when someone leaves they can be forwarded to the appropriate person, like email addresses.
For the last 15-20 years I’ve just used my mobile number which means when I leave a company I continue to get phone calls. I’ve always left on good terms so this isn’t terrible, but what if I had not?
Since nobody calls on the phone any more this may be less of a problem, but phone numbers are still used as authentications for services like WhatsApp. These numbers need to go away.
> This goes back to when caller ID was introduced (80s?). There was a lot of opposition.
The opposition was fascinating. Nobody predicted spoofing, of course, but I saw teary-eyed people crying on publicly televised hearings in NYC arguing both sides of Caller ID!
- One women's group was against it. "We don't want women who are in safe homes or moved in with relatives to have to reveal their location when having to call their abusive partners"
- One women's group was for it: "We want to know who calls us and says obscene things."
The idea of a phone line having a specific number is a consumer thing. In the business world your connection is some number of concurrent channels. The business’s PBX decides what number should be displayed as caller ID when setting up an outgoing call on one of those channels. Inbound and outbound routing may be different (just like a domain’s outbound SMTP server may not be the same as its MX record) so allowing only the numbers that are routed to that PBX doesn’t work. You need something like the SPF record. That thing is called STIR/SHAKEN and it’s only being rolled out now.
Thank you, I get a better understanding now. If I understood correctly, those are more or less the same issues the mail world is trying to solve with DMARC.
"But this could be easily regulated. I don't understand why anyone can spoof anything they want."
No, unfortunately it's not easy to regulate. It would involve not just all domestic operators, but also all telecom service aggregators (e.g. Twilio, Infobip, Sinch, and a thousand more), to find common ground and coordination of a working register of what company has the rights to what SMS sender name within one nation's network, whether it's numeric or alphanumeric.
STIR/SHAKEN (which regulates usage of numeric caller IDs for phone calls) has taken ages to come to fruition, and that's despite the huge technical benefit of phone numbers being inherently anonymous and already belonging to a specific network operator. With the sender of an SMS the logistics are very different, and that's before even touching on the enormous business of legitimate SMS services and how these should be able to compete on the open market.
Phone support is a good example. You may have 20 support reps that have unique numbers, but when they call out to you, the number that shows up is the support dispatch number.
Support dispatch may be subcontracted out to an entirely different company (that may change over the months/years), so you'd still need the ability to spoof numbers you technically don't own.
I agree there needs to be more controls and regulations in place though. The status quo is unsustainable.
I have the impression that this sort of problem is bigger in the US than in other countries. Is this really the case? And if so is it because the US is simply a larger target or do telecoms systems in other countries do a better job of combatting it?
In other countries the caller pays for calls/texts. The way I understand it that isn't the way it works in the US (something about callers not knowing if they are calling landlines or mobile phones?)
For example, over here in Austria you can tell exactly what type of "line" a callee uses and so you know in advance how much you have to pay (even though in practice most people have unlimited calls/texts).
This means that when running a spam bot you will soon run into big issues because it simply doesn't pay off financially to send that many texts and calls.
Having the caller pay nothing and having the callee pay for the call does sound like it invites abuse, and discourages callees from even picking up the phone.
In the Netherlands, it used to be that the caller pays. Technically they still do, but many subscriptions come with unlimited calls and texts these days.
Phone numbers that cost extra money tell you that before they connect you.
I think it is the ability to spoof caller ID, mixed with the fact the US is a rich country, mixed with the fact a large part of the world speaks the language.
For a long time, you could get into any voicemail account by spoof calling that phone number to itself - most of the time they weren't password protected.
Send a text (iMessage) to myself on the phone. Then look at it, and block my own number. The phone then reported it would block calls, FaceTime, messages from my own number.
Since I don't expect to ever need to call/message/FaceTime myself, that seems like a zero cost solution.
I'd be more worried about these spam texts coming from my number to my own contacts that I have previous conversations with than to myself. E.g. why wouldn't my grandmother click some link I sent to her? (My first thought was that these texts could just be from some malware on the phone itself, possibly with access to the contacts. But if it's actually an externally sourced spoof, that's obviously less dangerous...unless they somehow got my contacts I guess)
The main issue is OTHER people getting spam calls or texts from your personal number.
I got one of the Android stock text messages last week for when you auto-respond to a missed call. 'sorry can't speak right now' from a phone number I never called.
So a spam caller used my phone # to call, the person auto hung up with a response, and the real text message went back to my phone... It's absurd.
This will prevent your texts from syncing between your phone and other devices, like a MacBook. I learned this the hard way by debugging a relative’s text-syncing issue.
Call ID spoofing is annoying yet plenty of people don't understand it.
I get called at least once per month from (a different each time) someone in the same exchange as me saying they had a missed call from me. Presumably they got a spam call from my number, as I get about 5 spam calls per day with caller-id spoofed to a random number in my exchange.
Sorry, I just scanned the comments and didn't find anyone mentioning this:
It's really easy to spoof a phone number for SMS if you know which network the person's phone is on. Trivial if you know how. There's no black magic to this. At least, it was so a couple years ago. The last time I fooled with that for fun, I spoofed one of my friends admitting to another that he'd slept with the other guy's wife and decided afterwards he was gay. I managed to insert it from his phone number into our group chat as it appeared on android. (I think it might've ended up in a separate chat sequence on iphone). That was funny.
Hopefully this will help some others deal with spam SMS.
A few months ago I started getting huge group text spam to hundreds of emails that were almost identical to my own. (Changed, obviously.) If my number was 123-454-9938, then I would get in a group chat with numbers from 123-454-9900 all the way to 9999. They were using email -> sms specifically, which is a relatively new feature that allows you to text mobile devices on carriers that support email to SMS. [1]
Super annoying - but AT&T at a minimum allows you to call and request that they disable this feature for your account. If anyone else is getting constant sms spam from email addresses this is the way.
Disclaimer: I don't know and have not run into any issues where legitimate companies are using this feature yet. If so, then obviously you won't be able to receive those texts. At the moment there is no capability with carriers (that I've seen) that would allow you to create an "allowlist" of domains to accept texts from, but until that exists I won't be dealing with email to sms as it's just a huge cesspit of spam.
> They were using email -> sms specifically which is a relatively new feature that allows you to text mobile devices on carriers that support email to SMS.
I don't think this is true? In ye olden days of text messages, SMS and MMS were relayed via email, IIRC. I remember emailing pics to a friend's phone using the MMS email address. The format was unique to each carrier but included the phone number, obviously.
I used to annoy my friends by sending emails to their sms email address (1234567890@vtext.com or whatever) using open email relays. You could spoof the sender name as whatever you wanted and most sms clients would just show that.
The problem with data protection acts is that they try to protect data, and it won't work cause the data they try to protect is outside people's houses. Everything that is outside the house is public, and we just need to assume you need to provide data about it so we can verify your identity, like with a public key. Just to give an example: when you leave the house anyone can ask you anything, e.g. ask your neighbour about your name, anyone can read your house number, can see you or take a photo of you, legally or illegally, that's a different topic. But we should protect people's privacy inside their houses instead of trying to protect something we can't, cause everyone sees us as we are when we leave the house.
It's a basic public/private key problem.
Everything outside the house is the public key and everything inside is the private key.
So with phones we shouldn't protect people's identity, address and/or company name, but protect people from disruption by calls they don't want to answer and give them the ability to verify who was calling, even by seeing their photo, cause yes, if I'm your neighbour I can see you, and if I move next to you next year I can see you too. Wow.
There should be 2 call indexes: one for contacts, which should behave the same as it behaves now, and a second index for anything else, for which you shouldn't receive notifications, but you can check this spam missed-calls index and verify anyone who called you and add them to contacts - just how the good old paper phone book worked.
This empowers people to make the decision whether they want those people to call them or not, cause you can always call back, and it should be widely understood that when you call someone for the first time they might not answer your call, same as when you email someone they might not answer cause your mail is in spam.
Probably because discord will send a text to the number to verify it. Spoofing a number is easy as long as you don't care about receiving replies at that number.
You can, just register a prepaid phone line with top-up cards purchased in cash from a store. If you use a Google Voice or other VOIP service, this shows up as VOIP and they won't let you use it. Annoying but it's the cheapest/easiest workaround I know of.
The article says the operators are losing the war on scammers, but are they really fighting it? SHAKEN/STIR has been delayed time and again, and all signs point to operators seeing it as an additional revenue stream (“Pay $5.99 per month for Real CallerID”), not a tool to curb spam.
Huh, only read the headline and the first few sentences so far, but just got a text exactly like this a few hours ago!
Going back to reading the article, hopefully it’s not some zero-day.
I'd love to see a post-mortem of what went wrong here, but alas our lowly civilian eyes will probably never get to see it. We just get to sit here and hope we don't wake up one morning and blearily click on a zero-day message that gets past our mental defenses by coming from our own number. Don't click the link, citizen, if you do, it's your fault and therefore your responsibility to prove any fraud or identity theft. Fun times.
I run a SaaS, whose users can enable sending SMS from their number.
We have an agreement with a bulk SMS provider to allow us to do this (we had to show proof of our application, our mobile number verification process, and give our use case).
When users send an SMS from within our application, we send it as if it came from their number. Recipients can then reply directly to their phone. Our users love it.
So yes, there are real use cases where the ability to do this is beneficial.
The alternative is a shared number, which then requires logic to determine which user sent a message to X. When receiving a reply from X, you must determine which user to associate the reply to and then forward it to them. This can and does go wrong. Especially if multiple users are messaging the same recipient within a time period.
If we have validated our users' mobile numbers via a TOTP code, informed them that they are sending SMS as their number, then how is it different to an application like Signal or iMessage linking your messages to your mobile number? It's not.
And that's why it's allowed with certain SMS gateways. The SMS gateways are doing the due diligence to ensure you are sending spoofed messages appropriately and only as the user who actually owns the number.
Edit: The spammers are most likely using gateways who aren't doing these checks. The solution is to fine or shut these gateways down.
No, the alternative is to include proper contact information in the message. Security comes with all sorts of tradeoffs and one of them is often convenience. Is it inconvenient to have to reply to a different number? Sure. Is it worth it--if it means we all no longer have to deal with spoofed ID scam texts? Hell yes!
The solution is to completely rip out the ability to do anything remotely close to arbitrarily choosing which number is sent along with a text or phone call.
Until then, every legitimate use case pales in comparison to even a single spam call taking a second of my attention in a day.
_Calling_ a person from their own (faked) phone number was a tried-and-true technique for getting someone's voice messages back in the day. It used to be that voicemail PINs were optional, and if you called your own phone number, you'd get access to the voicemail playback menu.
It's trivially easy to fake a caller ID, whether for voicemail or SMS.
The problem isn't the SMS "protocol", but that operators still haven't been able to find an amicable solution to regulating sender names/numbers that doesn't interfere with legitimate usage, e.g. commercial businesses doing EBR texting to their customers. The problem isn't entirely comparable to that of caller ID spoofing for phone calls, and is legally and technically more complicated than you imagine.
About 6 months ago here in Australia I had a run of getting spam called by a number which was the same as my number but off by 1 digit. Seemed like a clever method to pique people's interest but made it pretty obvious to me it was spam.
Happened to me with email. Even with DMARC active and set to reject 100% on my domain, Outlook somehow found it a good idea to deliver those emails to my spam folder.
Years ago, bills were introduced in Congress that would've made falsifying Caller ID illegal, but certain people said it would be too onerous for small businesses. One bill passed in the House and was sent to the Senate, where it was promptly ignored (H.R.251 - Truth in Caller ID Act of 2007).
Lots of people, both those who know nothing about technology and those who know enough to know better, say this isn't enforceable because too many people are doing it.
Bullshit. Like spam, if you establish punishment for those who allow spam, you have a very simple mechanism for enforcement.
In the old days, when we got spam, we'd forward it to the administrators of the system that sent it or the administrators of the network where it originated. They'd warn, punish, and/or remove the person / system responsible for the spam.
These days, abuse@yahoo.com doesn't work, GoDaddy, Cloudflare and others won't do shit unless you find their web page for reporting abuse, then jump through hoops to shoehorn the spam in to their intentionally shitty web page, and even then they pretty much ignore it. Google just ignores everything sent to abuse@google.com.
Imagine if every spam that's ignored led to a fine. It'd be chaos and mayhem, but within a year we'd be back to how things were in the early '90s. Of course that wouldn't affect spam from the rest of the world, but imagine if large US networks stopped accepting email entirely from Chinanet until they started acting on abuse complaints.
The same can be done with Caller ID. You've got a T1 that lets you set your own Caller ID? Great. You might not get caught, but you can set what you want.
Your upstream provider might ignore it, but they connect somewhere larger, too. So let's say AT&T customers are getting complaints about phone calls with false Caller ID, and AT&T looks in their logs and sees that they're coming from your upstream. Now your upstream is in trouble unless they fix it. If they don't, they get a nice hefty fine.
How do they fix it? They force you to stop. If you don't, it's illegal, so they can contact the authorities. Or, they could just terminate you.
This is just like egress filtering in the networking world. If your network is passing along lots of spoofed traffic and someone contacts you to tell you, and you just pretend it's not your problem, you should be punished. You shouldn't allow traffic to leave your network that claims to be from sources that aren't on your network.
"But routing!" Bullshit. If it's coming on to your network from elsewhere, you should be required to say from where, so the originating network can be identified.
However, businesses don't want to be bothered putting any time or energy in to this. Businesses rarely do a thing because it's the right thing to do, unless they can make it a marketable advantage. They need to be forced to do this by law, by threat of loss of money.
Caller ID spoofing should've been illegal all along, and businesses which do nothing about it should be punishable. Because that's not the case, the old fashioned phone system might as well completely die.
Much like 3G is being shut down, maybe SMS should be shut down too. It’d be easier for carriers to make sure the last email address holdouts make accounts than trying to play whack-a-mole with such an insecure protocol. Then we don’t have to worry as much about SMS unfortunately being used so heavily for web auth.
There's no viable replacement, much like there's no viable replacement to email.
There are plenty of other ways to accomplish what SMS and email do, but you will always need SMS and email. And the world is not creating standards like SMS and email anymore, at least with any widespread adoption success.
I'm not sure about that. I almost never use SMS anymore. When I'm messaging with someone on an iPhone, I use iMessage with my email address as the identifier. When I'm talking to someone on Android I use Google Messages (again no SMS). The only time I actually use SMS is when I'm getting a text for a service like my car is ready for pickup or my table at the restaurant is ready, but those could easily be switched to IP based notifications, especially since they are already coming from a computer.
SMS is simply the lowest common denominator. If you want to send someone information given a phone number, SMS will work. That isn't true of iMessage, Google Messages or even RCS. Any method other than SMS or a phone call, requires more information than just the phone number.
That's not true. With just a phone number I can send an iMessage. Their number turns blue when I type it in letting me know that they have an iPhone. This type of support could easily be added for Android, which would cover most use cases.
My point is you're right no replacement exists today, but the technology does and could easily be expanded if the phone companies agreed to phase out SMS.
Just because Apple has a terrible system doesn't mean the rest of us should suffer.
Of course the technology exists, it's not like SMS is some marvel that humanity could never reproduce. It is just that no one has the right incentives to do it properly or with users' interest in mind.
I have had plenty of people ask me for Whatsapp contact info. It's frustrating to tell them I don't have it. At one point it was a real estate agent who insisted on it, and refused to use email, or any of the other popular apps I use. I found it difficult to believe that he'd rather lose my business than use another system for me, but, there you go.
[1] https://commlawgroup.com/2021/stir-shaken-robocall-mitigatio...