
FCC Chairman Warns of 'Regulatory Intervention' as He Criticizes Carriers' Anti-Robocall Plans (thehill.com) 147

The Federal Communications Commission will consider "regulatory intervention" if the major telecommunications carriers don't set up a system this year to stop spoofed robocalls, FCC chairman Ajit Pai said Wednesday. "It's time for carriers to implement robust caller ID authentication," Pai said in a statement, noting that some companies have already committed to carrying out protocols, known as the SHAKEN/STIR framework, in 2019. A report adds: Pai sent letters to major wireless carriers in November demanding that they adopt industry-wide frameworks to crack down on the practice of "spoofing," where robocallers mask a call's origin with a fraudulent number on their caller ID. On Wednesday, the FCC chair followed up with another demand that they implement caller authentication systems this year and a threat over the repercussions if they don't comply. You can read responses from carriers on the FCC's website.

  • ..."And what have you done with Chairman Pai?"

    • He's just learning how to better play the game. He can issue regulations. But did he? No. He said he might at some point in the distant future if telcos don't say that they're working on something that they'll implement sometime after that distant future.

      "Tell me you're going to do something, and all is well." is vastly different than, "You are hereby ordered to do this, on this timeline, with this punishment if you don't comply. No extensions."

  • by 93 Escort Wagon ( 326346 ) on Wednesday February 13, 2019 @04:38PM (#58117820)

    After all, they had to devote significant time into coming up with that acronym.

  • by HalWasRight ( 857007 ) on Wednesday February 13, 2019 @04:46PM (#58117872) Journal
    Finally the FCC does something for consumers. I get as many as five robocalls a day with spoofed caller ID on the T-Mobile network. The telcos need to secure their networks to stop devaluing the money I pay them. Since consumer complaints haven't gotten any action, at least the FCC is finally doing something. BTW: I got another robocall with spoofed caller ID while typing this ... I wonder if the vmail will be in Mandarin, which has been a new development.
    • by AmiMoJo ( 196126 )

      I only answer calls from numbers I know now, or if I'm expecting a call from that organization. Disabled voicemail completely. SMS doesn't generate a notification any more.

  • by Anonymous Coward

    It's gotten so bad that I no longer answer calls from unknown and random numbers anymore. If they want to talk, leave me a voicemail.

  • How are they even spoofing in the first place? Shouldn't we just remove that ability?
    • Same reason a lot of attacks on the Internet are possible: the network was designed and constructed at a time when only trusted parties were connecting to it. It wasn't designed to be secure because at the time it was relatively easy to identify bad actors and disconnect them from the network.
      • by green1 ( 322787 )

        Why do idealistic engineers always fail to account for human nature?

        The security aspects of this are not technically difficult in the slightest, and yet instead the system was designed to trust everyone. Imagine designing a large corporate network that way: "I get root, you get root, he gets root, everybody gets root!", and that's also a place where bad actors are easily detected and "disconnected", yet no company would ever allow their admin to do that. Any system that gives full authority to every user WI

    • by Shikaku ( 1129753 ) on Wednesday February 13, 2019 @06:03PM (#58118328)

      Mostly because businesses now run a VOIP system that translates a bunch of machines into a business account and they need to be able to set their public caller ID as their main business number that can direct your call to who you need and not some random VOIP address of X person trying to call you which might not even be a valid number at all, or just a number of that specific caller in Y department.

      The issue has been already solved but in a different format: domain registrars for web addresses with SSL certificates, so a system like that but for phone numbers would be a good start perhaps?

      • by Doke ( 23992 ) on Wednesday February 13, 2019 @08:48PM (#58119022) Homepage
        I tried this when we first got a PRI into our VoIP system. Our provider would only accept caller id numbers in the range they assigned/routed to us over that PRI. I could spoof any of our numbers, but not anyone else's. I don't understand why other providers allow spoofing of numbers that aren't routed to that trunk. Payouts? Graft?
        • Your provider is taking steps on their own to ensure that their customers are following the rules. Imagine if you are a carrier who often works with multi-state corporations who have a huge number of phone numbers allocated to a global system, this might get unruly pretty quickly, and it would be much easier if you just accepted anything they sent you.

          Now imagine that you are an enormous phone company (ILEC) that sells service to many, many smaller phone companies (CLECs), and with number porting, the phone

          • It's expensive for the ILECs to keep track of a master list.

            How much does it cost to have a database with a few million rows these days?

            • The database is the cheap part. The Expensive Part is maintaining the records in the database, dealing with conflicts, educating staff on this new system they must now use, ensuring they are not violating any laws with the implementation of the system, etc.

  • We need a number added to our phones which blocks 100% of all charities, appointment setters, and any sales related call. It must carry a serious prison sentence for the person that dials, the room manager and the owners of a business if even one call is made. In other words a total death for all types of phone sales and solicitations is what I seek. Why would I seek that? At 7:20 this morning I was awakened by a stupid call with the Microsoft services scam. This is despite the fact
    • At 7:20 this morning I was awakened by a stupid call with the Microsoft services scam. ... Following that I received four more calls trying to send me Medicaid braces before noon.

      And you think a law banning all sales calls would stop that? You think it was a sales call, and that it was made from someone in the US subject to US law?

      Wow. No wonder you get so many scam callers. You must be the most naive person on the planet. You're a prime target.

  • Trying to force accurate caller ID is a good START, if it ever happens. However, it will not STOP the calls from occurring. It might help us DEAL with the calls. It might help report calls (if there was a way to do so). But as long as there is no enforcement and no tools for consumers and no criminal penalties, the calls will just keep right on coming. I don't know about you, but having an accurate ID on my home phone does nothing to prevent such calls from: Irritating me. Interrupting me. Waking me

  • The calls which spoof your exchange were easy to spot. Now it will just go back to being numbers I don't recognize from other area codes. Seems criminal that Android doesn't have a standard option to use whitelisting for phone calls and disable alerts for voice mail left by numbers not on the list.

  • by mark-t ( 151149 ) <markt AT nerdflat DOT com> on Wednesday February 13, 2019 @05:46PM (#58118236) Journal

    First of all, it is important to realize that there can, in fact, be legitimate reasons to spoof a phone number... for example, calling from a direct dial out line for a business, but wanting the main business head office number to show up on the caller ID instead, which might even be located in a different country or state.

    So given that, much of the problem becomes how to enable spoofing where it is legitimate, but to not present a spoofed number as the caller when it is not.

    A carrier, when receiving a call that is on its own exchange always knows the exact number that is being called from (we will call that phone number A), the number that is being called (we will call that phone number B), and also knows what number the caller is wanting to spoof as (if any, which we will call phone number C). Whether the caller is trying to spoof or not, the carrier for A adds a temporary entry into a local cache that tracks outgoing calls, indicating that it is making a call from A to B. This entry is kept alive only for a minute or two at most before being deleted.

    If the caller does not want to spoof, then assume that C = A, and the remainder of this paragraph can be ignored. If the caller wants to spoof, then the following additional steps must be performed. The carrier for A tries to tell the carrier for C that it wants to use that carrier to spoof, making a call to #B. This request might pass through a number of other carriers, so let us assume that the carrier for C sees the number that is calling it as X, since it is possible that the carrier for A, or any intermediate carrier might be conspiring to spoof. If the carrier for C allows the number X to be spoofed with C, then the carrier for C will then ask the carrier for X if it is presently making a call from X to B. If it does, then it adds an entry in its own cache that it is making a call from C to B. If the carrier for C does not recognize X as a number it can spoof for, then the request is ignored entirely, and the carrier for C will not do anything. Please note, that if X has been illegitimately spoofed, but X is still legitimately recognized by C as being a number it can spoof for, then the carrier for X as reached by C will not issue any response, so C doesn't have any obligation to add an entry to its table in that case.

    Whether or not the caller from A is trying to spoof, the carrier for A concurrently rings the carrier for B. The carrier for B, seeing the number C as being the number claimed to be called from, asks the carrier for C (as seen from B) if it is currently making a call to B. If the answer is yes, then the number shown in call display can be assumed to be valid. If C does not respond, then no number should show up.

    This whole verification process should take a few seconds at most, and can happen concurrently with the ringing of the line. A person who answers quickly might not get a verified caller ID until after they have already picked up the phone.

    The cached entries, as I said, are temporary, and are individually deleted after being present for a short time (one or two minutes would likely be enough time to be sure that the call is really valid).

    This is just something I came up with when I had some spare time and thought about it while I was taking the bus to work one day... there might still be vulnerabilities, but I wasn't able to find them.
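
Added example, not part of mark-t's comment or any carrier's code: a small Python model of the callback check the comment above describes, with the carriers for A, B and C as in-memory objects. The `Carrier` class, the `directory` that maps each number to its owning carrier (assumed trustworthy here), and all phone numbers are constructed for illustration.

```python
TTL = 120  # seconds; the comment suggests entries live one or two minutes

class Carrier:
    """Constructed model of one carrier in the scheme described above."""
    def __init__(self, numbers, directory):
        self.numbers = set(numbers)
        self.may_present = {}  # owned number C -> numbers X allowed to display C
        self.cache = {}        # (from, to) -> expiry time of outgoing-call entry
        self.directory = directory  # number -> owning carrier (assumed trustworthy)
        for n in numbers:
            directory[n] = self

    def note_call(self, src, dst, now):
        self.cache[(src, dst)] = now + TTL

    def is_calling(self, src, dst, now):
        # Answer a peer's query; only the carrier that owns src is ever asked.
        return src in self.numbers and self.cache.get((src, dst), 0) > now

    def request_spoof(self, x, c, b, now):
        # Carrier for C: ignore unknown X; otherwise call back to X's own carrier.
        if x in self.may_present.get(c, ()) and self.directory[x].is_calling(x, b, now):
            self.note_call(c, b, now)

    def place_call(self, a, b, c, now):
        # Carrier for A: record A->B, ask C's carrier if C != A, then ring B.
        self.note_call(a, b, now)
        if c != a and c in self.directory:
            self.directory[c].request_spoof(a, c, b, now)
        return self.directory[b].receive(c, b, now)

    def receive(self, claimed, b, now):
        # Carrier for B: display the claimed number only if its carrier confirms.
        owner = self.directory.get(claimed)
        return claimed if owner and owner.is_calling(claimed, b, now) else None

def demo():
    d = {}  # all numbers below are constructed sample values
    office = Carrier(["555-0100"], d)   # C: head-office number
    branch = Carrier(["555-0142"], d)   # A: direct line allowed to show C
    other = Carrier(["555-0177"], d)    # unrelated caller, not registered with C
    Carrier(["555-0123"], d)            # B: the called party's carrier
    office.may_present["555-0100"] = {"555-0142"}
    refused = other.place_call("555-0177", "555-0123", "555-0100", 0)
    return (branch.place_call("555-0142", "555-0123", "555-0142", 0),  # C = A
            branch.place_call("555-0142", "555-0123", "555-0100", 0),  # registered
            refused)                                                   # no number shown
```

`demo()` returns the number B's carrier would display for each call; `None` stands for the "no number should show up" case.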

    • by mark-t ( 151149 )
      Oh, as a caveat... this could be worked around if the caller spoofed its number as a number on the same exchange as its own, and the caller's carrier was willing to always answer "yes" to any query, but because these calls can be isolated to always being from particular carriers, they should be fairly easy to filter out.
    • by mspohr ( 589790 )

      Much simpler (but it will require the telcos to do some WORK) is just require legitimate businesses that want to spoof their legitimate head office number to register the spoofed numbers with the telco. The telco can then certify that the spoofed numbers are legitimate. Telcos could even charge money for this service.

      • by mark-t ( 151149 )
        What stops somebody else from using some known head office number as their own spoofed number?

        You need some kind of reverse lookup to verify that the call is really coming from where it appears to be, otherwise it can be too easy to spoof.

        • by mspohr ( 589790 )

          The local exchange knows the real number originating the call. If that caller wants to spoof a different number, they need to register with the local exchange. If there is no registered spoof number, then no spoofing.

    • It gets a lot more complicated when your business works with SIP trunks. Adding/deleting/modifying DIDs can be done pretty much in real time. Traffic also might not be routed to the expected endpoint, although it is still valid.

    • by mjwx ( 966435 )

      First of all, it is important to realize that there can, in fact, be legitimate reasons to spoof a phone number... for example, calling from a direct dial out line for a business, but wanting the main business head office number to show up on the caller ID instead, which might even be located in a different country or state.

      Already sorted in two ways in the UK.

      1. We did away with regional number codes years ago, 0141 does not mean the originator is in Glasgow any more. Modern packet switched networks have made this redundant. By modern I mean the ones we've had installed for over 25 years.
      2. Businesses do not buy a direct line for every single employee. They install what are called PABX (Private Automatic Branch Exchanges) which means you only need to plug 1 line in (but often will have more). So the person dialling out

      • which means you only need to plug 1 line in (but often will have more). So the person dialling out from that company can easily ID as the company's main number without spoofing.

        As soon as you "plug" a second line into a PBX you have a reason and a need to "spoof". Having a PBX makes it more important to be able to spoof, not less.

        There is no legitimate case for caller ID spoofing that cannot be solved though another method.

        Most blanket absolute statements are false.

  • We implemented a Do Not Call register backed by legislative penalties ages ago and I've never had a robocall on my mobile (cell). .. and there are other benefits...
    Universal Healthcare
    Never seen a gun in public in 50 years unless it was on a policeman or security guard
    Metric!
    Proper coffee.
    Kangaroos!
    Drop Bears...
    Rugby... not that costume game you play..
    No Ajit Pai
    you do have cool rockets though... we don't have rockets...

  • Doesn't bother me (Score:4, Insightful)

    by p51d007 ( 656414 ) on Wednesday February 13, 2019 @07:21PM (#58118668)
    Number isn't in my contact list, I just don't answer it. If it IS someone trying to reach me, they will leave a voice mail, and they get added to my contact list. If they don't, they go into my spam blocker. Problem solved.
    • You've minimized the inconvenience in your case, which is great. With a better system, however, you'd never have had to put in any effort into setting your system up - or be distracted again by future spoofed calls. THAT'S how it should be.

    • Problem with this method is, putting them in your spam blocker is bad for you, not them. They use a random number every time. Since they don't use the same number again anyway, you've just blocked a potential legitimate caller in the future, and not them. Spammer's next call will be from a different number.

      Your Problem is not solved. You've created another one for yourself in the future when you meet a new friend, or try to do business with someone else, and they are blocked and you don't even know it

  • Unfortunately whatever they implement will be about as effective as the Do Not Call Registry was.... not at all. The scammers always find a way around rules and they count fines as the price of doing business.

  • If he can come up with an actual plan and not just a bunch of hot air.
