Caller ID Authentication May Tame the Scourge of Spam Calls

We are peculiar here in the US in how we don’t protect people, but we allow scams to flourish. Email is the global exception, for sure. But with the phone industry, we have had both the common-carrier exception (carriers aren’t allowed to differentiate calls on their network) and the supremacy of the free market (companies will be responsive to their customers because they would lose the business…missing the idea of monopolies, combines, and so forth).

Interesting to me, T-Mobile broke the wireless market by refusing to play by the rules under their previous CEO, and his actions and aggressive pricing broke a bunch of different elements: costs fell, data limits rose, and features rose, as well as networks becoming faster.

Here in Norway we have been targeted by a lot of different spam calls. In periods it has been a nuisance. Just recently Telenor (Norway's biggest telecom operator) made a statement that they had made it more difficult for the spammers. In my translation they write: “Simply explained, the new system uses network information to find out if the Norwegian mobile number that is calling belongs to a mobile that is actually located in Norway. If it does, and the calls still come in from abroad, the call is considered spoofed. It will then be turned into a hidden call, regardless of whether it is spoofing or wangiri.” No mention of STIR/SHAKEN. I can confirm that now I only get the local unwanted calls from real Norwegian businesses selling insurance, telecom, electrical power and so on. I use Silence Unknown Callers to handle them. After searching Google I found this: “Telenor Norway Deploys Hiya to Stop New Wave of Fraud Calls Targeting Norwegians” (Business Wire). Do you know what this Hiya solution is, @glennf?

The problem with Telenor’s simple approach is that there are perfectly legitimate reasons for this “spoofing” as well.

For instance, a previous employer of mine used VoIP software on a laptop PC to implement employee phone numbers. A call to my number would ring the software no matter where in the world I was at the time. And calls I place from that software would show my number on caller ID, no matter where in the world I was at the time. There were many many occasions where I was in a foreign country on a business trip making and receiving calls via that software - all of which originating/terminating with my (US) phone number.

More recently, I was on vacation in Italy. I enabled Verizon’s Wi-Fi calling feature on my iPhone to avoid roaming charges. All calls I placed had my phone number, even though I was physically located in another country.

None of the above calls were spam, none should have been blocked, but they were all “spoofed” by Telenor’s standards, since the country/area code of the caller ID did not in any way correspond to the location where the call is terminated.

Yes! Hiya has been working with carriers for several years, and powers multiple carriers’ engines for blocking and marking calls before they reach customers. Hiya also has an app that has a free and paid version for iPhones. I finally ponied up after years for the subscription version because it provides reverse number lookups on the incoming call screen. See Hiya.com.

Telenor has an app called “Se Hvem”; it translates to “See Who”. Guess that is powered by the Hiya engine.

Nice coverage of STIR/SHAKEN!

I’m actually involved with implementing STIR/SHAKEN at the carrier where I’m employed. Let me just add a few notes that might be helpful.

(Haven’t read all the comments, so apologies if this was already mentioned).

I think of STIR/SHAKEN for spam calls as being a lot like Domain Keys for spam email. DK places a responsibility on the carrier originating the email to cryptographically sign the body and headers of emails going out, including the From header, so you can trust the email came from who it says. Then the receiving mail carrier can use a public key to check to make sure the email is authentic (including not tampered with) before dropping it into your mailbox. And they can stamp it with some type of indicator header to that effect.

STIR/SHAKEN basically does the same for phone calls.

This leads me to my second point.

Just knowing a caller is who they say they are doesn’t block the call or really help you much at all unless they really did spoof a CallerID that you know. I find those calls to be a tiny fraction of spam calls.

So to help add some real value, some carriers are implementing features that go above and beyond what is required by the STIR/SHAKEN mandate by offering Robocall Mitigation and Reputation Scoring. These extra features check the CalledID against a (typically shared) database of statistically bad offenders and so give the call a reputation score. They can then use this score to replace the Calling Name that displays on your receiving device with something like “Spam Risk”. Or they may block the call completely if the reputation is super low. This is, again, very similar to the Real-time Blackhole List (RBL) that many ISPs like us subscribed to 20 years ago to block spam email.

This is when you’re really reaping the benefit of STIR/SHAKEN. But you can see that Robocall mitigation and Reputation Scoring are useless to try to implement if someone can pretend they’re someone else, and therefore steal their reputation. That’s why getting a system that allows us to trust CallerID, as STIR/SHAKEN does, is foundational for all these other cool features.

Very excited to possibly be moving towards a more trustworthy phone network!

1 Like
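The sign-then-verify-then-score flow described in the post above, as an added example that is not part of the thread or any carrier's code. The token layout follows the PASSporT "shaken" format (RFC 8225 / RFC 8588); the key pair, the `x5u` URL, the phone numbers, the reputation table and all function names are constructed for illustration, and certificate-chain validation is left out.

```javascript
const crypto = require('node:crypto');

// Constructed demo key pair. A real originating carrier signs with the key behind
// its STI certificate, which the terminating carrier fetches from the x5u URL.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Originating side: attest to the calling number by signing a PASSporT-style token.
function signCall(orig, dest, attest, key) {
  const header = { alg: 'ES256', typ: 'passport', ppt: 'shaken', x5u: 'https://certs.example.invalid/sp.pem' };
  const payload = { attest, dest: { tn: [dest] }, iat: Math.floor(Date.now() / 1000),
                    orig: { tn: orig }, origid: crypto.randomUUID() };
  const signingInput = `${b64u(header)}.${b64u(payload)}`;
  const sig = crypto.sign('sha256', Buffer.from(signingInput), { key, dsaEncoding: 'ieee-p1363' });
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Terminating side: check signature, freshness, and that the signed number
// is the caller ID actually presented in signaling.
function verifyCall(token, presentedCallerId, key, maxAgeSec = 60) {
  const [h, p, s] = token.split('.');
  if (!h || !p || !s) return { verified: false, reason: 'malformed' };
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
                           { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!ok) return { verified: false, reason: 'bad-signature' };
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (Math.abs(Date.now() / 1000 - claims.iat) > maxAgeSec) return { verified: false, reason: 'stale' };
  if (claims.orig.tn !== presentedCallerId) return { verified: false, reason: 'caller-id-mismatch' };
  return { verified: true, attest: claims.attest, tn: claims.orig.tn };
}

// Constructed reputation scores (0 = worst). The lookup happens only for a
// verified number; otherwise a spoofer would inherit someone else's reputation.
const REPUTATION = new Map([['12025550100', 0.9], ['12025550199', 0.1]]);

function displayName(token, presentedCallerId, key) {
  const v = verifyCall(token, presentedCallerId, key);
  if (!v.verified) return 'Unverified';
  const score = REPUTATION.get(v.tn) ?? 0.5; // unknown numbers get a neutral score
  return score < 0.3 ? 'Spam Risk' : `Verified ${v.tn}`;
}
```

A token signed for the low-reputation number and then edited to carry the high-reputation number fails signature verification, so it is shown as unverified rather than borrowing the good score.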

Sure, this has been true for decades not only of CLECs but also ILECs (incumbents like Verizon) and IXCs (inter-exchange carriers like AT&T). This isn’t fraud. It’s how carriers compensate each other. Remember, traditionally you only got billed for outgoing calls. But it takes just as many resources (in some ways more, for determining Calling Name) to terminate the call. So the carrier that terminates the call for you is allowed to ask your phone company for tiny per-minute $.

You’re right that traffic pumping, as it’s called, has been used by some rogue carriers to generate tons of reciprocal-compensation income. We have seen it :-). But I don’t think the major carriers we’re all talking about here are likely to be driven by those goals.

1 Like

It is called an iPod Touch:

1 Like

So cell and VOIP phones are covered by this, correct? What about plain old landlines?

All US phone lines. The emphasis is on wireless, because that’s where the growth is and the majority of lines now; VoIP is called out, because some providers are the source of the problem; and landlines used to be somewhat left out of Caller ID (highly variable), but they’re a key component of it too. It’s just landlines are…fixed! So it’s easier to identify a landline as a verifiable component: it comes from a particular wirebase run by a particular carrier.

I haven’t seen ANY form of verification on my landlines whether AT&T in CA or CenturyLink in AZ. Also Robocallers start their spiel as soon as my answering message begins even though the first part is the “Disconnected Number” SITs.

Fortunately after several years of my anti-telemarketing message, spam callers are greatly reduced; mainly they are the robocallers and the RNCC.

Uh, no. I wanted to be sure with enough examples before I answered this. (T-Mobile, more ‘extended warranty’ spam calls.)

The biggest problem is that carriers have no idea where VoIP calls originate. There are laws against calling cellphone numbers for unsolicited commercial purposes or for calling someone on the Do Not Call registry. Unfortunately, with spammers hiding behind fake numbers, there is just no way to prosecute these callers.

However, once STIR/SHAKEN happens, phone companies will know the calling party or the company that gave out the number (since they’re the ones who must verify the call). These bad actors can be sued and blocked.

I imagine once we have 80% of all calls verified via STIR/SHAKEN, the phone companies can offer spam blocking services. For example, T-Mobile allows me to block all calls T-Mobile has determined to be Spam Likely. I don’t have to. It’s up to me.

I can imagine the phone companies giving you the option to block all unverified calls, and maybe let me block calls that rate a certain chance of being spam. Maybe rate calls on a scale of 1 to 5 of dependability, and I can choose to block all calls that rate less than a certain number.

This is probably exactly where regulation fails here in the US. The law can require carriers to complete every call, even those coming from some untrusted VOIP source. Such law can make sense since we don’t want carriers determining if they should complete a call depending on how much the source of that call is willing to pay them. But at the same time it makes no sense to say that a call from each and every VOIP source has to be completed because that will certainly be exploited by bad actors, especially if they are far outside the regulator’s reach. But I submit that there is room for a reasonable middle ground here. A regulator could essentially have a list of “trusted” VOIP sources for which carriers are required to complete calls. Regulators then have a stick to use against shady operators and their enablers, especially those abroad for which the FCC here has no direct legal recourse. If they can threaten taking somebody off the list for which calls have to be completed, that should get most actors to fall in line rather quickly. At the same time it requires domestic VOIP operators to get their house in order. If you allow bad customers to use your service for spam, you are putting your good customers at risk of getting cut off too.

1 Like

In the current environment, the carrier has no idea who the source is and whether they’re trusted or not. All they get is that a call is coming through and that they have a Caller ID.

STIR/SHAKEN will verify the Caller ID. The carrier could still put an unverified call through, but with enough carriers using STIR/SHAKEN, they could let users know the call isn’t verified. T-Mobile does this now. I get a tiny check mark by verified phone calls. Once all the major carriers are on board, T-Mobile told me they’ll switch from marking verified calls to unverified ones, and make it more obvious.

Right now, if T-Mobile determines a call is spam, it displays Spam Likely on my Caller ID. I can then reject the call if I do desire. And I can configure my service to automatically reject all such calls, so I never hear my phone ring. I imagine they could offer a similar configuration for unverified Caller IDs or calls from a service that is known as a spam source.

The carrier is still putting the calls through and giving me the option on how I’d like to handle the calls. My choice is to tell T-Mobile to ignore them.

Once enough carriers use STIR/SHAKEN, it’ll get smaller VoIP players to also use it. I had an email service that ended up on a spam list. When I found too many of my emails getting rejected, and my service didn’t want to do anything about it, I switched servers. I imagine a small VoIP carrier will face a similar dilemma. Either implement STIR/SHAKEN or lose customers.

1 Like

I agree with everything you said!

Yes, for prosecution, STIR/SHAKEN definitely helps. I guess my point is that for every spam call that heads towards prosecution, there will probably be 10,000 that will be nothing but annoying. The fact that the CallerID is trustworthy for those calls doesn’t mitigate you being annoyed :wink: But when carriers implement Robocall Mitigation and Reputation Scoring, then we really benefit as users. Kinda like the Junk Folder in Gmail, as you also said.

And this is the way it should be. Some people may want to receive these calls. Maybe they’re pedantic about answering every call or maybe they don’t trust the verification system, but they should always have the option to receive their spam if they want to.

Additionally, completely blocking calls (of any kind) without giving the customer a choice may cause a service provider to lose “common carrier” status. This could open them up to all kinds of legal nightmares, like being legally responsible for the content of every call carried on their network.

Off-topic. When I read this thread, I get a cookie from T-Mobile. Why is that? I don’t click or even hover on any links, but a cookie from T-Mobile shows up.

There is a reference to an article earlier in the thread that loads a T-Mobile image. They are likely tracking that. Gotcha!

Same way Facebook, Twitter, etc track you even if you don’t have an account. Your browser fingerprint combined with data from other similar more cooperative sources identifies and tracks you precisely.

1 Like

Thanks. I learn something new every day.