Caller ID Authentication May Tame the Scourge of Spam Calls

There’s a Silent unknown callers setting on the iPhone.

1 Like

So I have 2 phones, one a 6s (that very rarely gets used, it’s only for emergencies when I am out and about) and a VOIP line on specdribble. The VOIP gets NOMOROBO service. I use the “silence other calls” on the cell, but there is a downside in that sometimes you need to open it up for calls you WANT to get that may come from unknown numbers (like a car service for example). I get a TON of spam calls on the cell… out of habit I have been blocking those numbers, but now I think why bother as I have the “silence all” active most of the time. OTOH, blocking may spare me a call or two when I DO have to turn that setting off. Of course, remembering to turn it off is also an issue.

On the VOPI, I only answer if I know or am expecting a call. Which a lot of time means I can’t include everyone I may want to speak to, so I simply don’t answer. BUT it gets really annoying as it goes through 4 “rings” (because at times I am far away from the phone and don’t move as fast as I use to). If it’s something actually important, they will leave a message and there have been times that the start of the message tells me I want this call so I just pick it up.

NOMOROBO is an effort but not that good of one. Their schtick is numbers I have reported to them get one ring then no more, indicating it was blocked.Thing is I RARELY have one of those… maybe once or twice in a month. I don’t know if the blocks they make are based ONLY on what I report, or from all reports (it should be from all reports). More and more I am feeling that the whole reporting a number is a huge waste of time. AND that just maybe I am very much alone in dutifully reporting numbers.

Recently a new wrinkle has started up. Phone rings 4 times BUT the called ID is “SPAM RISK.” Yes the phone on my VOIP announces he caller id. But STILL I have to listen to it, which many times can really screw with my concentration (trust me, at my age that is an issue!).

There is NO QUESTION in my mind the telcos (anyone that provides any kind of phone service) are responsible for all this. I believe we have more than enough technology to stop this scourge.I REALLY want to stop doing business with them, but that is kinda impractical!

One of the biggest issues of the Silence unknown callers switch is that there’s no way to create a shortcut to turn it on and off. Plus, the only way to see if it’s on or off is to look at the setting.

Silence Unknown Callers is a lot more sophisticated than most people realize. It allows through all calls based upon your contacts and whom you’ve previously called and whom you’ve texted and based upon Siri Suggestions from numbers found in your email and text messages. I’ll text someone or write an email to myself with a phone number I don’t want blocked just to prevent Silence all callers from blocking that call without having to create an entire address entry for that number.

Still, it’d be nice to easily turn this on and off.

Is this on your iPhone? T-Mobile has a Spam Likely Caller ID when it suspects it’s spam. The nice thing is that T-Mobile lets you silence any call that’s marked as Spam Likely. If you have AT&T Wireless, you can download their Call Protect app, and automatically send those SPAM RISK calls off to voicemail without your phone ringing.

I’ve worked with several of these wireless carriers. It is really out of their hands. If you want to blame a particular company, blame AT&T when it created Caller ID back in 1984. AT&T never provided a means to verify that the Caller ID was accurate. Anyone with a switchboard equipment could set it to say whatever they want. Of course, back in 1984, it was AT&T with all the switchboards. It’s not like there were thousands of scammy companies out there connecting phone calls.

Like email, it was originally setup with the idea that everyone who was on the backend could be trusted. And like with email, we’re now paying the price. There’s absolutely no security. Anyone with a few thousands of dollars can create a VoIP phone company. And that means anyone can set that Caller ID to whatever they want.

Your local phone carrier has no idea who is behind a particular call when its outside of their network, and all of these spam calls are. The dialer is usually located somewhere in the Caribbean out of reach of United States law enforcement. The voice recording is usually from another company based in the Caribbean. When you press 1 to talk to a representative, the call is routed not to a call center, but to individuals working from home reading off a script. These representatives can be working for multiple scammers.

STIR/SHAKEN is an attempt to add proven identity behind Caller ID. AT&T and T-Mobile have both implemented it. I think Verizon and Qwest will have it in place by June. That’s all of the Incumbent Carriers and the major cellphone companies. However, that doesn’t handle all the various VoIP phone companies that many people now use. That’s the issue.

According to the regulations all CIN (companies that actually have the power to dole out phone numbers) must have STIR/SHAKEN installed by June. However, many carriers get numbers from other companies (or via porting). They can’t set the Caller ID via STIR/SHAKEN because they can’t produce the security certificates needed.

There are literally tens of thousands of companies out there passing out phone numbers, providing phone service, and switchboard operations. It’s a big mess that no one controls. STIR/SHAKEN will take a while to work. You’ll probably start by seeing some sort of number verification next to the phone call. Later, you’ll be able to block out people whose number isn’t verified like you can do with the current Silence all callers.

Of course, once everything is working, spammers will probably find another way around the entire process. That’s what happened to services like Nomorobo. They used phone numbers as a means of blocking spammers, so spammers simply use random phone numbers that aren’t blocked.


This is a lot of great insight. I would add that I am rarely sympathetic to carriers, but here, the regulatory framework has made it dicey for them to block calls, because they are obliged to carry all calls except in limited circumstances. One of the only sensible things the former FCC Chair did was to provide more explicit permission for carriers to engage in call blocking across their network if they adhered to certain standards. The other thing is that all these spam-detection apps from carriers appeared—mostly free—because carriers are allowed to block when customers request it, and then they can use those signals on calls that members are blocking for better network filtering.

It’s true, but the point is always removing low-hanging fruit. On 1 July 2021, all the major carriers and VoIP providers will have to have STIR/SHAKEN in place, but there are a ton of exceptions, mostly relating to smaller carriers and infrastructure providers. Spammers will certainly move there—but because these companies are smaller, they will lack the technical and legal resources when the carriers target them as spam sources.

To some extent this happened in web hosting, where big hosts got smarter about not allowing spammers to sign up, forcing spammers into worse and worse places, until they’re more easily blacklisted and blocked. It’s didn’t stop phishing pages and the like, but the transition into ransomware is one outcome of it being harder to scam people via web pages. (That’s my theory at least! There are a lot of reasons ransomware thrives, but it all comes down to “the currently easiest way to get people’s money without their understanding or permission.”)


How does this apply to MVNOs? In my case, I pay Boost, which Wikipedia tells me is owned by Dish, and I understand my calls were routed on Sprint which is now T-Mobile. Does Boost need to have 100,000 lines to be required to have STIR/SHAKEN or would it piggyback on T-Mobile?

For what it’s worth, I silence unknown callers, I have not seen the checkmark indicating a valid caller ID (but I get very few valid calls), and I have seen “Scam Likely” in place of the phone number on many occasions.

4 posts were split to a new topic: Public key authentication of all Internet traffic

Does the prevalence of spam calls vary by where you live? Reading the comments here, people seem to get far more spam calls than anyone I know. I get maybe one or two a year. I don’t know if I’m just lucky or if there are dynamics that make some countries more susceptible to spam calls than others?

The STIR/SHAKEN protocol requires heavy processing and thus suffers scalability challenges. Especially if it ever extends beyond the network boundaries of the US telephony carriers. Considering the low value/revenue per call it may come to a point where the cost of processing a call through the STIR/SHAKEN protocol is too close to the value of the call itself.

I get more unwanted calls on my landline than on my iPhone. I tamed the landline by move it to Anveo and then setting up a workflow so only calls from people in my address book can reach me. I am now giving out my landline number more often.

My biggest problem on my iPhone is Marriott Hotel and auto warrantees but fewer than once a day. I get occasional notes from Verizon about blocking various calls as potential spam, the phone didn’t even ring.

But anything that improves the situation without requiring more work by the phone owner are welcome.

Maybe it won’t. I’ve lived and worked in several European countries. And in some of those spam calls are essentially non-existent. So I’d wager at the end of the day this is a regulation issue, not a technical problem. If I’m a country that has well regulated telcos and no spam problems, why would I go through the trouble of incorporating a tool that does nothing for me and comes from a place that’s spam hell compared to my paradise. I’d laugh them out of the room and tell them to go look up “regulation” in a dictionary.

What drives me up the wall is our office phone (which is from 8x8). Nearly every single call I get on it is spam, and because of working from home it either forwards to my cell or the 8x8 app handles it on my laptop (and the spam features on it re terrible). And as it’s a work phone you have to answer it. It’s got to the point I never say my name on the phone just in case they are trying to record it to get into my back account.

I also use 8x8 but it hasn’t been so painful. Normally, if callerID doesn’t show up I don’t answer. In my case most unwelcome calls are people trying to sell me something. If I was a salesperson or a job dealing with the public then I would feel obliged to answer every call.

Why don’t you have the 8x8 app installed on your cell phone? One advantage is that the button/slide associated with 8x8 incoming calls are blue so I know it is a work related call before I answer.

Yeah, so spam tools beyond making it easy to block phone numbers. Which is handy for me, some day I will block every phone number associated with Compare Business Solutions.

I have it on the cell too, but it’s not a particularly good product (try getting rid of the text spam). As I work for a physics magazine though we sort of have to answer all the calls, even if we think it’s dodgy. I still remember one Nobel Prize Winner who got irritated that I put him on voicemail…

Do be clear about 8x8 it’s supposed to have spam filtering it just doesn’t seem to do a very good job at it.

I will have to ask, 8x8 never mentioned spam filtering to me. Nor did any of the other competing office phone products. I will ask my communications agency about this issue since they are better at putting pressure on 8x8 than me.

A few months after getting 8x8 we started getting a few spam messages and I thought here we go. But it is rare for us and we have everyone’s contact info on our web site.

I don’t think STIR/SHAKEN will extend beyond the network boundaries of the USA.
In Europe spam is regulated, though it still exists. I’m currently involved in an interesting attempt to mitigate fraudulent calls between European carriers using blockchain and ZKP to meet GDPR requirements.

As part of my job I am also carrying a Hong-Kong cell phone (eSIM as a second number on my iPhone) and I was getting hit every night by spam calls on that number. No matter if I put my device on DND, they will call twice so it rings on the second call. I ended up using an app that simply adds all the HKG spam calls to the “blocked numbers” list on my phone. The database is updated almost every day and as a token of appreciation for my uninterrupted sleep I have paid for the app (well worth the few bucks) and even got rid of the ads. So this is a specific country solution by a third party.

T-Mobile just announced that it’s on board…

1 Like

We are peculiar here in the US in how we don’t protect people, but we allow scams to flourish. Email is the global exception, for sure. But with the phone industry, we have had both the common-carrier exception (carriers aren’t allowed to differentiate calls on their network) and the supremacy of the free market (companies will be responsive to their customers because they would lose the business…missing the idea of monopolies, combines, and so forth).

Interesting to me, T-Mobile broke the wireless market by refusing to play by the rules under their previous CEO, and his actions and aggressive pricing broke a bunch of different elements: costs fell, data limits rose, and features rose, as well as networks becoming faster.

Here in Norway we have been targeted by a lot of different spam calls. In periods it has been a nuisance. Just recently Telenor (Norways biggest telecom operator) made a statement that they had made it more difficult for the spammers. In my translation they write: “Simply explained, the new system uses network information to find out if the Norwegian mobile number that is calling belongs to a mobile that is actually located in Norway. If it does, and the calls still come in from abroad, the call is considered spoofed. It will then be turned into a hidden call, regardless of whether it is spoofing or wangiri.” No mention of STIR/SHAKEN. I can confirm that now I only get the local unwanted calls from real Norwegian business selling insurance, telecom, electrical power and so on. I use Silence unknown callers to handle them. After searching Google I found this: Telenor Norway Deploys Hiya to Stop New Wave of Fraud Calls Targeting Norwegians | Business Wire Do you know what this Hiya solution is @glennf?

The problem with Telenor’s simple approach is that there are perfectly legitimate reasons for this “spoofing” as well.

For instance, a previous employer of mine used VoIP software on a laptop PC to implement employee phone numbers. A call to my number would ring the software no matter where in the world I was at the time. And calls I place from that software would show my number on caller ID, no matter where in the world I was at the time. There were many many occasions where I was in a foreign country on a business trip making and receiving calls via that software - all of which originating/terminating with my (US) phone number.

More recently, I was on vacation in Italy. I enabled Verizon’s Wi-Fi calling feature on my iPhone to avoid roaming charges. All calls I placed had my phone number, even though I was physically located in another country.

None of the above calls were spam, none should have been blocked, but they were all “spoofed” by Telenor’s standards, since the country/area code of the caller ID did not in any way correspond to the location where the call is terminated.

Yes! Hiya has been working with carriers for several years, and powers multiple carriers’ engines for blocking and marking calls before they reach customers. Hiya also has an app that has a free and paid version for iPhones. I finally ponied up after years for the subscription version because it provides reverse number lookups on the incoming call screen. See