Caller ID Authentication May Tame the Scourge of Spam Calls

Maybe a cellular-connected iPad mini?

1 Like

Learned something new. On vzw. Checked my recent call list. Only two people, who happen to be on vzw have the checkmark. No other legitimate user from another mobile operator or any other business appears to have said checkmark. So, I certainly could not filter that way, if said filter existed.
We all get multiple spam calls per day, some blocked by youmail free, some labeled scam likely, some with a spoofed number where the first three or even six match our numbers.
It was a home number, that has been on do not call since that launched. What a joke that has been.

AT&T mobile, Frontier landline. On the iPhone, of the ~200 calls in my recent list, there are four checkmarks, and two of those were from unknown (not in Contacts) callers. The odd example is a (I presume) spammer whose caller id had the checkmark on the first attempt, and then one minute later from the same caller id, the checkmark is missing.

This leads me to ask: How granular is the chain of authentication? In other words, if I spoof a number with a valid area code, and a valid prefix within that area code, is that sufficient to pass? Or does the authentication go all the way down to the actual number?

The whole number gets signed, including area code, but it’s not so much the number as the chain of trust and validity. Each call within the system passes a signature that proves the number is valid.

1 Like
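The reply above says the whole number is signed, not just the area code and prefix. This added example (not part of the original thread) shows why a matching prefix is not enough, using a token shaped like the PASSporT from RFC 8225/8588. It assumes a constructed demo key, constructed phone numbers, and HMAC-SHA256 as a stand-in for the ES256 certificate signature real carriers use.

```python
import base64, hashlib, hmac, json

# Constructed demo key. Real STIR/SHAKEN signs with ES256 under a carrier
# certificate; HMAC-SHA256 is a stdlib stand-in so this runs offline.
DEMO_KEY = b"constructed-demo-key"

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_call(orig_tn: str, dest_tn: str, iat: int, key: bytes = DEMO_KEY) -> str:
    """Build a PASSporT-shaped token covering the full calling number."""
    header = {"alg": "HS256", "typ": "passport", "ppt": "shaken"}
    claims = {"attest": "A", "dest": {"tn": [dest_tn]}, "iat": iat,
              "orig": {"tn": orig_tn}, "origid": "constructed-origid"}
    body = ".".join(b64u(json.dumps(p, separators=(",", ":"), sort_keys=True).encode())
                    for p in (header, claims))
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + b64u(sig)

def verify_call(token: str, shown_caller_id: str, now: int,
                key: bytes = DEMO_KEY, max_age: int = 60) -> str:
    """Return 'verified' or the reason the call gets no checkmark."""
    try:
        head, claims_b64, sig = token.split(".")
        expected = hmac.new(key, f"{head}.{claims_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64u_decode(sig)):
            return "bad-signature"
        claims = json.loads(b64u_decode(claims_b64))
    except (ValueError, TypeError):
        return "malformed"
    if claims["orig"]["tn"] != shown_caller_id:   # whole number, not just a prefix
        return "number-mismatch"
    if abs(now - claims["iat"]) > max_age:        # freshness window (assumed 60 s)
        return "stale"
    return "verified"

def tamper_orig(token: str, new_tn: str) -> str:
    """Test helper: change the signed number while keeping the old signature."""
    head, claims_b64, sig = token.split(".")
    claims = json.loads(b64u_decode(claims_b64))
    claims["orig"]["tn"] = new_tn
    return ".".join([head, b64u(json.dumps(claims).encode()), sig])
```

A caller ID that shares the area code and prefix but differs in the last digits comes back as `number-mismatch`, and editing the number inside the token invalidates the signature.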

There’s a Silent unknown callers setting on the iPhone.

1 Like

So I have 2 phones, one a 6s (that very rarely gets used, it’s only for emergencies when I am out and about) and a VOIP line on specdribble. The VOIP gets NOMOROBO service. I use the “silence other calls” on the cell, but there is a downside in that sometimes you need to open it up for calls you WANT to get that may come from unknown numbers (like a car service for example). I get a TON of spam calls on the cell… out of habit I have been blocking those numbers, but now I think why bother as I have the “silence all” active most of the time. OTOH, blocking may spare me a call or two when I DO have to turn that setting off. Of course, remembering to turn it off is also an issue.

On the VOIP, I only answer if I know or am expecting a call. Which a lot of the time means I can’t include everyone I may want to speak to, so I simply don’t answer. BUT it gets really annoying as it goes through 4 “rings” (because at times I am far away from the phone and don’t move as fast as I used to). If it’s something actually important, they will leave a message and there have been times that the start of the message tells me I want this call so I just pick it up.

NOMOROBO is an effort but not that good of one. Their schtick is numbers I have reported to them get one ring then no more, indicating it was blocked. Thing is I RARELY have one of those… maybe once or twice in a month. I don’t know if the blocks they make are based ONLY on what I report, or from all reports (it should be from all reports). More and more I am feeling that the whole reporting a number is a huge waste of time. AND that just maybe I am very much alone in dutifully reporting numbers.

Recently a new wrinkle has started up. Phone rings 4 times BUT the caller ID is “SPAM RISK.” Yes, the phone on my VOIP announces the caller ID. But STILL I have to listen to it, which many times can really screw with my concentration (trust me, at my age that is an issue!).

There is NO QUESTION in my mind the telcos (anyone that provides any kind of phone service) are responsible for all this. I believe we have more than enough technology to stop this scourge. I REALLY want to stop doing business with them, but that is kinda impractical!

One of the biggest issues of the Silence unknown callers switch is that there’s no way to create a shortcut to turn it on and off. Plus, the only way to see if it’s on or off is to look at the setting.

Silence Unknown Callers is a lot more sophisticated than most people realize. It allows through all calls based upon your contacts and whom you’ve previously called and whom you’ve texted and based upon Siri Suggestions from numbers found in your email and text messages. I’ll text someone or write an email to myself with a phone number I don’t want blocked just to prevent Silence all callers from blocking that call without having to create an entire address entry for that number.

Still, it’d be nice to easily turn this on and off.

Is this on your iPhone? T-Mobile has a Spam Likely Caller ID when it suspects it’s spam. The nice thing is that T-Mobile lets you silence any call that’s marked as Spam Likely. If you have AT&T Wireless, you can download their Call Protect app, and automatically send those SPAM RISK calls off to voicemail without your phone ringing.

I’ve worked with several of these wireless carriers. It is really out of their hands. If you want to blame a particular company, blame AT&T when it created Caller ID back in 1984. AT&T never provided a means to verify that the Caller ID was accurate. Anyone with switchboard equipment could set it to say whatever they want. Of course, back in 1984, it was AT&T with all the switchboards. It’s not like there were thousands of scammy companies out there connecting phone calls.

Like email, it was originally set up with the idea that everyone who was on the backend could be trusted. And like with email, we’re now paying the price. There’s absolutely no security. Anyone with a few thousand dollars can create a VoIP phone company. And that means anyone can set that Caller ID to whatever they want.

Your local phone carrier has no idea who is behind a particular call when it’s outside of their network, and all of these spam calls are. The dialer is usually located somewhere in the Caribbean out of reach of United States law enforcement. The voice recording is usually from another company based in the Caribbean. When you press 1 to talk to a representative, the call is routed not to a call center, but to individuals working from home reading off a script. These representatives can be working for multiple scammers.

STIR/SHAKEN is an attempt to add proven identity behind Caller ID. AT&T and T-Mobile have both implemented it. I think Verizon and Qwest will have it in place by June. That’s all of the Incumbent Carriers and the major cellphone companies. However, that doesn’t handle all the various VoIP phone companies that many people now use. That’s the issue.

According to the regulations all CIN (companies that actually have the power to dole out phone numbers) must have STIR/SHAKEN installed by June. However, many carriers get numbers from other companies (or via porting). They can’t set the Caller ID via STIR/SHAKEN because they can’t produce the security certificates needed.

There are literally tens of thousands of companies out there passing out phone numbers, providing phone service, and switchboard operations. It’s a big mess that no one controls. STIR/SHAKEN will take a while to work. You’ll probably start by seeing some sort of number verification next to the phone call. Later, you’ll be able to block out people whose number isn’t verified like you can do with the current Silence all callers.

Of course, once everything is working, spammers will probably find another way around the entire process. That’s what happened to services like Nomorobo. They used phone numbers as a means of blocking spammers, so spammers simply use random phone numbers that aren’t blocked.

3 Likes

This is a lot of great insight. I would add that I am rarely sympathetic to carriers, but here, the regulatory framework has made it dicey for them to block calls, because they are obliged to carry all calls except in limited circumstances. One of the only sensible things the former FCC Chair did was to provide more explicit permission for carriers to engage in call blocking across their network if they adhered to certain standards. The other thing is that all these spam-detection apps from carriers appeared—mostly free—because carriers are allowed to block when customers request it, and then they can use those signals on calls that members are blocking for better network filtering.

It’s true, but the point is always removing low-hanging fruit. On 1 July 2021, all the major carriers and VoIP providers will have to have STIR/SHAKEN in place, but there are a ton of exceptions, mostly relating to smaller carriers and infrastructure providers. Spammers will certainly move there—but because these companies are smaller, they will lack the technical and legal resources when the carriers target them as spam sources.

To some extent this happened in web hosting, where big hosts got smarter about not allowing spammers to sign up, forcing spammers into worse and worse places, until they’re more easily blacklisted and blocked. It didn’t stop phishing pages and the like, but the transition into ransomware is one outcome of it being harder to scam people via web pages. (That’s my theory at least! There are a lot of reasons ransomware thrives, but it all comes down to “the currently easiest way to get people’s money without their understanding or permission.”)

3 Likes

How does this apply to MVNOs? In my case, I pay Boost, which Wikipedia tells me is owned by Dish, and I understand my calls were routed on Sprint which is now T-Mobile. Does Boost need to have 100,000 lines to be required to have STIR/SHAKEN or would it piggyback on T-Mobile?

For what it’s worth, I silence unknown callers, I have not seen the checkmark indicating a valid caller ID (but I get very few valid calls), and I have seen “Scam Likely” in place of the phone number on many occasions.

Does the prevalence of spam calls vary by where you live? Reading the comments here, people seem to get far more spam calls than anyone I know. I get maybe one or two a year. I don’t know if I’m just lucky or if there are dynamics that make some countries more susceptible to spam calls than others?

The STIR/SHAKEN protocol requires heavy processing and thus suffers scalability challenges. Especially if it ever extends beyond the network boundaries of the US telephony carriers. Considering the low value/revenue per call it may come to a point where the cost of processing a call through the STIR/SHAKEN protocol is too close to the value of the call itself.

I get more unwanted calls on my landline than on my iPhone. I tamed the landline by moving it to Anveo and then setting up a workflow so only calls from people in my address book can reach me. I am now giving out my landline number more often.

My biggest problem on my iPhone is Marriott Hotel and auto warranties but fewer than once a day. I get occasional notes from Verizon about blocking various calls as potential spam, the phone didn’t even ring.

But anything that improves the situation without requiring more work by the phone owner is welcome.

Maybe it won’t. I’ve lived and worked in several European countries. And in some of those spam calls are essentially non-existent. So I’d wager at the end of the day this is a regulation issue, not a technical problem. If I’m a country that has well regulated telcos and no spam problems, why would I go through the trouble of incorporating a tool that does nothing for me and comes from a place that’s spam hell compared to my paradise. I’d laugh them out of the room and tell them to go look up “regulation” in a dictionary.

What drives me up the wall is our office phone (which is from 8x8). Nearly every single call I get on it is spam, and because of working from home it either forwards to my cell or the 8x8 app handles it on my laptop (and the spam features on it are terrible). And as it’s a work phone you have to answer it. It’s got to the point I never say my name on the phone just in case they are trying to record it to get into my bank account.

I also use 8x8 but it hasn’t been so painful. Normally, if callerID doesn’t show up I don’t answer. In my case most unwelcome calls are people trying to sell me something. If I was a salesperson or a job dealing with the public then I would feel obliged to answer every call.

Why don’t you have the 8x8 app installed on your cell phone? One advantage is that the button/slide associated with 8x8 incoming calls are blue so I know it is a work related call before I answer.

Yeah, so spam tools beyond making it easy to block phone numbers. Which is handy for me, some day I will block every phone number associated with Compare Business Solutions.

I have it on the cell too, but it’s not a particularly good product (try getting rid of the text spam). As I work for a physics magazine though we sort of have to answer all the calls, even if we think it’s dodgy. I still remember one Nobel Prize Winner who got irritated that I put him on voicemail…

To be clear about 8x8, it’s supposed to have spam filtering; it just doesn’t seem to do a very good job at it.

I will have to ask, 8x8 never mentioned spam filtering to me. Nor did any of the other competing office phone products. I will ask my communications agency about this issue since they are better at putting pressure on 8x8 than me.

A few months after getting 8x8 we started getting a few spam messages and I thought here we go. But it is rare for us and we have everyone’s contact info on our web site.

I don’t think STIR/SHAKEN will extend beyond the network boundaries of the USA.
In Europe spam is regulated, though it still exists. I’m currently involved in an interesting attempt to mitigate fraudulent calls between European carriers using blockchain and ZKP to meet GDPR requirements.

As part of my job I am also carrying a Hong Kong cell phone (eSIM as a second number on my iPhone) and I was getting hit every night by spam calls on that number. No matter if I put my device on DND, they will call twice so it rings on the second call. I ended up using an app that simply adds all the HKG spam calls to the “blocked numbers” list on my phone. The database is updated almost every day and as a token of appreciation for my uninterrupted sleep I have paid for the app (well worth the few bucks) and even got rid of the ads. So this is a specific country solution by a third party.

T-Mobile just announced that it’s on board…

1 Like