
I've suggested in the past that every instance of provable spoofing where they did not control the claimed number should result in a fixed fine. $100 sounds about right.

Every phone network will then quickly begin passing on that cost to anyone they "peer" with and it will be a non-issue soon enough.

Is there a compelling reason to allow such spoofs?




>Is there a compelling reason to allow such spoofs?

A few use cases to spoof the number:

* Appointment reminder systems - if I see the caller ID is from my doctor's office, I'm going to pick it up and hear the reminder. When the calls come from some other number, people think it's spam. People still expect reminder calls even if you/HN crowd would prefer an email/text.

* Outbound call centers on behalf of other companies (same reason as above)

* People who work from home but want to make business calls from a personal phone

If no one could spoof, it would probably result in a huge uptick of people claiming spam calls since they would be getting tons of calls from numbers they didn't know.

There really needs to be an SPF, DKIM, DMARC for VOIP. I don't think a no spoofing policy would go over well for businesses or consumers.


The question wasn't about why spoofing exists at all. It was about spoofing where they did not control the claimed number.

If you want to place a call with spoofed caller ID info, your provider should require you to prove that the spoofed information is legitimate, not fraudulent. Otherwise, the telco should be obligated to strip the suspect caller ID information from the call so that the recipient can properly identify the call as fishy.

There's no need for any complicated cryptographic solution. Telcos should just be required to know their customer, much like banks, before allowing them to do certain things.


Yeah. I'm perfectly fine with e.g. Twilio being able to tell Verizon "oh, we have authorization to send from $x", Verizon going "uh huh, go ahead" because they trust Twilio not to mess around. But then, if there does turn out to be an issue, Verizon is on the hook, and they'll turn around and charge that to Twilio. So, they'll be fine with letting large companies like Twilio spoof on their network, but they're not going to let RandomCo spoof.

So forcing the fine on the last step in the chain forces everyone to carefully consider who they trust, which is as it should be. Nothing wrong with trust between trusted parties, but clearly the current system has untrustworthy parties given too much power.


>where they did not control the claimed number.

That's the thing though, a lot of times they don't control the spoofed number, but there's a legitimate use case for spoofing it. Authorization to spoof is not the same as having control of a number.


Whoever does own the number should be granting permission to that specific organization then.


A cryptographic solution is absolutely necessary. Most reputable telcos already restrict spoofing or require tons of paperwork to prove you own the number before allowing you to use it as caller ID (like Twilio for example).

The issue is that the PSTN is essentially a huge, worldwide message queue to which pretty much any telco can connect around the world, including shady ones - even if US law actually does fight spoofing, how do you prevent telcos from other countries from continuing the abuse?

Cryptography is needed - when a carrier leases you a number, they give you a certificate with which you can sign other carrier’s certificates if you want to let them use that number as caller ID. Every carrier on the call chain should verify call’s signatures against that and discard any calls with missing or invalid signatures. That will stop malicious spoofing while allowing its legitimate use, just like email where you can use SPF and DKIM to nominate any email provider to be able to send on your domain’s behalf.


A certificate system could work, but really all that's needed is traceability.

If I complain about a call, that should be trackable to the origination carrier and account, and if either one gets too many complaints, it gets thrown off the network (and other penalties).


Actually there is some standardization activity trying to do this. It does not solve the main problem: if you let the originating carrier sign the caller id, you still have to trust that carrier to really check if the caller is authorized to use it. Number portability prevents you from using certificates older than 24h.


In all of those scenarios, one could prove they controlled or had authorization for the spoofed number, hence it would not be eligible for my proposed fine.

I'm not suggesting no spoofing, I'm suggesting a fine on the carrier for unauthorized spoofing, which will force them to actually verify that there is authorization.


>had authorization for the spoofed number

You didn't make this clarification in your first post. In the first two examples, they don't control the claimed number, which is what I was responding to.

>I'm suggesting a fine on the carrier for unauthorized spoofing, which will force them to actually verify that there is authorization.

This makes sense. Legitimate companies will get authorization agreements signed etc.


I get far more spam calls than I do calls from any of those exceptions you listed. I'd be okay with changes that would break all of those use cases.


All those are fine with the rule proposed as you can easily prove the consent of the holder of the original number.


> Is there a compelling reason to allow such spoofs?

It makes telcos money. That's reason enough, since there are no economic downsides to the network operators that enable these crimes. If companies like AT&T and Verizon were also being subject to this $120M fine, we might see them decide to make caller ID trustworthy so that it could be used to block robocalls.


>"It makes telcos money."

How?


Telcos charge for connecting phone calls and routing voice packets. Even robocallers have to pay those fees.


Not only that, but they also charge for Caller ID name lookups.


This is interesting. So if I get a strange number and search 800notes.com or whatever the carrier is getting paid?


No, this occurs at the telco level. When a call is placed, only the number is sent. The receiving exchange must look up that number to get the name, and that lookup costs some fraction of a cent. This is why Caller ID with name costs extra money.


So if I don't answer, who is paying for the call? I thought unanswered calls were free for some reason.


I'm afraid I didn't read TFA, so apologies if I'm getting the wrong end of the stick. Also it's been 20 years since I worked in PSTN stuff. But at least at that time, the security in the protocol was ridiculously lax. IIRC, with PRI there was literally a bit that you set to say that the originating number was checked and was legitimate. Every other switch on the way through would accept it blindly.

In most areas it was illegal to set that bit unless you were a telco. It was also illegal to sell equipment that set that bit unless you were selling it to a telco. But... it's not that hard to hack.

Someone who's more current can probably give you better information. As to why nobody does anything about it... well.. why should they? They literally don't care. The equipment manufacturers aren't going to change the specs (because it's pretty darn hard to change specs and they are all trying to screw each other over in the specs anyway). The telcos aren't going to demand that the specs are changed because people are making telephone calls -- exactly what they want. It's only if the governments demand the change -- and it will take laws to do that (even then, I imagine that it's cheaper to lobby against the law than to change the equipment -- you have absolutely no idea how crappy those systems are).


There are legitimate reasons for spoofing to work given how fucked up the PSTN is.

Mobile roaming is one for example - when you roam on another carrier and place a call, that carrier directly originates the call and “spoofs” your caller ID to make it look like the call originated from you.

Some companies may use different carriers for either load balancing or least-cost routing and so both of these carriers are required to “spoof” the company’s caller ID.

This can definitely be fixed with a CA system and “delegation” where the main carrier who owns the number can issue certificates for any other carrier you’d like to use to temporarily allow them to use a particular caller ID, and each call request should be signed with that certificate and the signature should be verified by call intermediate carriers down the chain, and the call dropped if the signature is missing or invalid.
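
The delegation scheme proposed in the comments above (the number holder signs a grant for another carrier, each call request is signed, and carriers down the chain drop calls whose signature is missing or invalid), as an added sketch that is not part of any comment and not a real telecom standard. The JSON message format, the number-to-holder-key registry, the expiry field and the fictional numbers are all assumptions.

```javascript
// Added sketch; the message format, registry and names are assumptions, not a telecom standard.
const crypto = require('crypto');
// Ed25519 sign/verify over a JSON-serialised object (algorithm argument is null for Ed25519).
const sign = (priv, obj) =>
  crypto.sign(null, Buffer.from(JSON.stringify(obj)), priv).toString('base64');
const verify = (pub, obj, sig) =>
  crypto.verify(null, Buffer.from(JSON.stringify(obj)), pub, Buffer.from(sig, 'base64'));
const pem = (pub) => pub.export({ type: 'spki', format: 'pem' });

// Number holder authorises another carrier's key to present `number` until `notAfter`.
function delegate(holderPriv, number, delegatePub, notAfter) {
  const body = { number, delegateKey: pem(delegatePub), notAfter };
  return { body, sig: sign(holderPriv, body) };
}

// Originating carrier signs the call request and attaches its delegation.
function placeCall(carrierPriv, delegation, from, to, ts) {
  const body = { from, to, ts };
  return { body, sig: sign(carrierPriv, body), delegation };
}

// Check each carrier on the chain runs. `registry` maps number -> holder public key (PEM).
function checkCall(registry, call, now) {
  const holderKey = registry[call.body.from];
  const d = call.delegation;
  if (!holderKey || !d || !call.sig) return 'drop: missing signature or delegation';
  if (!verify(holderKey, d.body, d.sig)) return 'drop: delegation not signed by number holder';
  if (d.body.number !== call.body.from) return 'drop: delegation is for a different number';
  if (now > d.body.notAfter) return 'drop: delegation expired';
  if (!verify(d.body.delegateKey, call.body, call.sig)) return 'drop: call not signed by delegate';
  return 'accept';
}

// Constructed sample data: fictional numbers, freshly generated keys, times in seconds.
function demo() {
  const [holder, callCentre, rogue] = [0, 1, 2].map(() => crypto.generateKeyPairSync('ed25519'));
  const num = '+15555550100', to = '+15555550199', now = 1000, day = 86400;
  const registry = { [num]: pem(holder.publicKey) };
  const grant = delegate(holder.privateKey, num, callCentre.publicKey, now + day);
  const selfGrant = delegate(rogue.privateKey, num, rogue.publicKey, now + day);
  const run = (key, g, t) => checkCall(registry, placeCall(key, g, num, to, t), t);
  return {
    authorised: run(callCentre.privateKey, grant, now),
    stolenGrant: run(rogue.privateKey, grant, now),
    selfIssued: run(rogue.privateKey, selfGrant, now),
    expired: run(callCentre.privateKey, grant, now + 2 * day),
    unsigned: checkCall(registry, { body: { from: num, to, ts: now } }, now),
  };
}
console.log(demo());
```

The check is only as strong as the registry: a verifier that cannot learn which key currently holds a number has nothing to anchor the delegation to.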


I think the correct approach is economic, not technical. Make a rule that, if you get a spoofed call, then your telco owes you $100, not subject to any arbitration clause or other contractual waiver. Give a way out to avoid actually killing the telcos: annual penalties are limited to a few percent of annual gross revenues.

The telcos will find a technical solution real fast.


Or just let telephone users set a price, for someone not in their contact list, to call them. Set it at 5 cents by default. Problem solved for the most part. People that don't know you can still call you (like the person who you left your curtains at for repair) but most robo call campaigns won't be worth it. If you really hate spam, set your price to $10.


How would you prove the call was spoofed? Record all calls? Prove it with statistics? No telco will pay. This is a technical problem.


If an incoming call is saying it's coming from 555-1234 and telco owns 555-1234 and it's not one of their authorized income points then the call should get dropped.

Or if they don't own it then it's on who's inserting the call into the system.

Telco systems are fun. And by fun I mean it's a complete mess. ISDN is hard and full of caveats (look at SIP for a taste of what it involves).


You have a call received on your monthly bill from a number and the owner of that number does not have the call on their bill.


How? Even in the same city, cellular and land lines aren't always serviced by the same company. In most places I'm pretty sure it's illegal for phone companies to be swapping call data. Or are you suggesting I call back all the numbers that call me to compare bills with the owner on the other end? This plan is not going to work out.


The courts can deal with things like this.


>> I think the correct approach is economic, not technical.

> This is a technical problem.

IMHO, it's both. Economic sanctions need to be put in place to motivate the telcos to create and adopt robust technical solutions.


The reason I would agree with a fine is not because a caller's identity cannot be unmasked, but because phone numbers are so closely connected with identity that robocallers are essentially engaging in identity theft and slander when they use people's legitimate numbers to spoof their calls.


I had someone call me once, claiming I had just called them. I hadn't of course, so the only thing I could think of was that someone had used my phone number for spoofing.



