[HN Gopher] Ask HN: How can scam callers fake a mobile phone num...
___________________________________________________________________
Ask HN: How can scam callers fake a mobile phone number?
I'm with T-Mobile and I just received a phone call on my mobile
phone from another number where everything except for the last 3
digits was exactly matching my own number. I found that suspicious,
but I was curious enough to pick up the call. The other person
greeted me with "We are very important this is Interpol!" in
seriously broken English, so I suspected a spam call and hung up to
try to call them back. That didn't work because the phone number
they were calling me from does not actually exist. Like I
immediately get the T-Mobile announcement informing me that this is
an invalid number. Now I am wondering:
- How can a spam caller call me with a source phone number that
  does not exist?
- Shouldn't my mobile phone network verify that the caller - which
  was also inside their network - is a valid subscriber? Otherwise,
  how can they bill someone for this call?
- How does this kind of scam call work technically?
Author : fxtentacle
Score : 114 points
Date : 2022-03-14 14:43 UTC (8 hours ago)
| jollybean wrote:
| Because carriers are arcane companies that have a monopoly on a
| swath of infrastructure and have little care or perspective on
| what products and consumer experience amounts to.
|
| They buy and install equipment and sell out the voice/data.
|
| They actively oppose, thwart any kind of thoughtful innovation,
| competition etc. on anything relating to their networks, because
| they believe they 'own' the network and therefore 'own'
| everything going on on top of it.
|
| Remember the 10-cent 'WAP' pages? Tiny, crappy, useless little
| mobile web pages? And they wanted 10-cents each?
|
| Carriers would originally not sell BlackBerry service. They
| thought it was stupid to have 'email' on their networks.
| BlackBerry had to buy data and then sell to the C-suite.
|
| Then, BlackBerry literally became the reason that people wanted
| to buy data. The carriers then said - you can't buy network and
| resell it, you must sell your products through us.
|
| Imagine if some private companies controlled all of the roads.
| Any business wanting to put a car on the road had to pay a
| toll, and the owners could decide which kinds of cars, when, and
| for what reason and intervene. They tried to provide the
| ambulance and transport for everyone and keep messing it up.
|
| It's also an artefact of human organization, even a fairly
| enlightened community/government body would have difficulty
| setting clear and appropriate guidance.
|
| The issue becomes problematic when there is a control of a scarce
| resource.
|
| In truth, it's absurd that people should be able to easily fake
| 'from' numbers, we should have fixed that a decade ago.
| hungryforcodes wrote:
| Just never answer the phone. If they really want to talk to you
| -- they'll find another way.
| ravenstine wrote:
| Or they'll leave a message.
|
| The real answer to the problem is to deprecate the legacy
| telephone system. It will never be as secure or user-
| configurable as just about any modern implementation of
| voice/video over IP.
| 310260 wrote:
| >deprecate the legacy telephone system
|
| The legacy telephone system is being deprecated. All three US
| mobile operators now have VoLTE (ENUM) interconnection with
| each other. STIR/SHAKEN call verification is happening
| between the mobile operators and large consumer VoIP
| operators like Comcast and Charter. VoIP is far cheaper to
| operate than POTS and most all operators are using it now and
| shuttering their legacy networks.
|
| The issue has to do with regulations around the phone system.
| Rural call completion to small operators is a requirement -
| as it should be - but has loopholes that encourage abuse.
| This rural call completion regulation also comes with the
| ability for small operators to charge certain prices for call
| completion so they can afford to keep their high-cost rural
| customers serviced. The larger carriers pay these fees to
| connect their subscribers to those of the rural carrier.
|
| However, some smaller operators have also been using these
| higher rates as a means of profiteering by allowing massive
| amounts of spam traffic through their networks towards the
| larger carriers.
| notreallyserio wrote:
| I wish phone calls came with a verified (cryptographically)
| description of the route a call took to get to me. Then I could
| use a library/app to filter by source or by bad actor (providers
| that lie about the route). That would enable services like UBlock
| Origin, allowing for user-generated blocklists.
| fxtentacle wrote:
| Great idea!
|
| Local area number but traceroute to a call center in India?
| Automatically reject.
|
| That'll also solve the issue of unusable corporate phone
| support because they outsourced it to save a few bucks.
| deadcore wrote:
| The how - depending on the protocol.
|
| Signalling System No. 7 - ISDN User Part spec (found here:
| https://www.itu.int/rec/T-REC-Q.763-199912-I/en) allows you to
| specify both a calling party number (3.10) and generic number
| (3.26) (the UK spec adds an additional presentation number so you
| have 3). This will typically require the help of an operator
| which is 'connected' to the network on the PSTN. A real business
| case can be made, like a generic, non-geo support number
| appearing on the person's phone instead of the geographical number
| of the office which called. Either a bit of social engineering or
| finding a less scrupulous operator is all you really need to do.
|
| SIP has FROM and P-Asserted-Identity headers which follow the
| same process
| drcongo wrote:
| Does that addition in the UK spec add any extra protection?
| I've never had a spam call with a spoofed number in the UK as
| far as I'm aware, and definitely never seen that thing that
| happens in the states where a call comes in showing the name or
| company name of the caller, even if they're not in the
| receiver's address book.
| deadcore wrote:
| The UK spec adds a few fields which I can not remember all
| off the top of my head. One addition is the 'presentation'
| calling line identifier, which is screened like the 'calling
| party number'. The generic calling line identifier is not
| screened, hence the addition
|
| ref what the screening bits are:
| https://www.dialogic.com/webhelp/csp1010/8.4.1_ipn3/exsapi_q...
|
| As for if the UK & spoofing, it's a very real thing with very
| real business cases and abuses.
| drcongo wrote:
| Thank you.
| fxtentacle wrote:
| Thank you for this rabbit hole. Today I learned a lot about
| modulation, frequencies, and how DSL works :)
|
| In the end, the most surprising snippet of knowledge for me was
| that Erlang (that Amazon S3 is built in) was invented by
| Ericsson for live patching ISDN phone routing systems without
| dropping any ongoing call.
| FigmentEngine wrote:
| I do not believe S3 is written in Erlang... do you have a
| source for this?
| garciasn wrote:
| SimpleDB is; maybe they confused them.
| barrad0s wrote:
| I don't know the answer to your question(s), but if you're
| curious, you can download an app right through the play store to
| fake your number. I used to prank my friends all the time.
| jamal-kumar wrote:
| Back in the day you used to be able to spoof caller ID using in-
| band signalling. It was like a few fun sounding handshake tones
| and some static-sounding data that you would play after the
| official one, and that was called orange boxing. That was the
| Bell 202 FSK signal and I remember hearing it on landlines up
| until a decade ago if the phone was picked up as soon as it
| started ringing.
|
| In Canada caller ID also includes the name along with the number
| from Nortel equipment, while in the USA it's just number. Nobody
| I know has a landline anymore except for businesses because if
| it's just the odd crazy person who still makes a super annoying
| life-interrupting phone call, more than half of calls are just
| fraud shit with spoofed caller ID and everything. It's so easy
| you could get started doing it yourself with freepbx installed on
| some 5$ VPS within minutes. Honestly we need better telephony
| systems, but everything is being completely superseded by chat
| apps anyways. Again only crazy people give me actual phone calls
| anymore and I have two lines between two countries.
|
| Fun things to do to the fraudsters: Talk really quietly and when
| they are like 'sir i cannot hear you' put yourself on
| speakerphone and YELL into the phone as hard as you can, and you
| win the game when you can hear them rip their headset off in ear
| pain because they turned their volume up to hear you. Either that
| or ask them what they're wearing until they get mad at you and
| call you homophobic things.
| bbarnett wrote:
| _Again only crazy people give me actual phone calls anymore_
|
| I was going to say "Wait!", but then realised all my calls were
| from recruiters and HR departments.
|
| So I guess you're right.
| jamal-kumar wrote:
| For me they always want to set up a zoom call nowadays
| smeej wrote:
| Hoping this is something that doesn't need to be said here, but
| just in case:
|
| This is why you should NEVER provide personal information over
| the phone if you didn't initiate the call. It doesn't matter if
| your caller ID says it's your doctor's office or your bank or
| whatever.
|
| Hang up and call them back at the number you normally use to
| reach them, from their website or the back of your credit/debit
| card for example. Make sure you're talking to the people you
| think you are.
|
| Otherwise they can phish all kinds of info out of you.
| matt_heimer wrote:
| So many callers get offended when you try to tell them that you
| aren't going to give your personal information to some random
| caller unless they can validate themselves first. And many
| times their direct call back number (if they have one) isn't
| the one published to the company website. I get the feeling
| that most people don't question them.
| mark-r wrote:
| If someone can't prove who they are, I don't care if I offend
| them or not.
| jontas wrote:
| It can even be a problem if you do initiate the call. My mom
| got taken in by a scam where she googled "American Express
| phone number" and a scammer's website or paid ad (she isn't
| sure which it was) was showing at the top of the results with
| the wrong number.
| weaksauce wrote:
| that's why you only call the number on the back of your card
| if you can help it. and double check that you entered it
| correctly
| soco wrote:
| Yet another example of the often discussed "Google search
| results infestation"...
| edmundsauto wrote:
| Also possible if they have malware on the computer, and it
| modifies search results in the browser. That's always
| seemed like a serious vector although I haven't heard much
| in the way of in the wild exploits.
| b3morales wrote:
| Computer malware + phone scam sounds like a remarkably
| targeted, technically broad, and labor intensive attack.
| noneeeed wrote:
| Also, if you were rung on a landline, ring back on your mobile.
|
| I'm not sure if it's always the case, but I believe that a call
| to a landline only terminates when the caller hangs up. This
| certainly used to be the case.
|
| This allows scammers to ask you to hang up and call them back
| on the number on your card (for example), but they just mimic
| the dial-tone and ring, then they have another scammer answer
| the phone.
|
| This is not an issue on a mobile.
| throwawayboise wrote:
| Or if you can't use a different line or mobile phone,
| intentionally dial a different number, if it rings through to
| "the bank" then you know they have hijacked your line.
| alx__ wrote:
| Ah yeah I remember that trick. If you didn't hang up after
| talking to a friend, you could "haunt the line". Works best
| if someone is waiting to use the only phone in the house.
| Which is a phrase you don't hear that often :D
| xwdv wrote:
| Ah, a ghost in the wire.
| bluGill wrote:
| That depends on where you live. Some areas never had it. Some
| had it but got rid of it, some still have it. Check with your
| local phone company is the only way to know what currently
| applies - though they can change the rules anytime as this is
| just a setting in their switches (they may or may not also
| have legal oversight here, again depending on where you
| live).
|
| Or of course as you said, always call back from mobile.
| hungryforcodes wrote:
| I haven't seen a landline in ages...
| jonsen wrote:
| They are buried.
| zeruch wrote:
| Ah, puns. I dig it.
| localhost wrote:
| I remember many years ago getting a random phone call from
| someone who claimed they were a detective investigating a case.
| The detective sensed my skepticism right away over the phone
| and suggested that I look up the phone number for his police
| department, and to ask for badge number ZZZ when I call. I
| called back, everything was above board, they came and
| interviewed me (they wanted to see if I still had something in
| my possession which I thankfully did), they made a mark on the
| item to indicate that they had seen it already and I never
| heard from them again. Though I wonder if they ever caught
| whoever it was that was using that item ...
| glenneroo wrote:
| You can't drop a story like that on us and not tell us what
| "the item" was ;)
| xwdv wrote:
| All this could be faked, this could have been an elaborate
| scam.
| [deleted]
| gojomo wrote:
| Yes, if the stakes were large enough, & the adversary
| sufficiently skilled/resourced, it is possible an
| impersonator could also intercept & redirect your call to
| "the police" - for example by compromising phone network
| systems or the police-department's switchboard. (Or,
| somehow corrupt your usual means of looking up that police
| number.)
| grendelt wrote:
| This.
|
| A while ago, my wife got a call from a collections agency on my
| phone. They asked for her name, I asked "which one?"
|
| She said "I can only talk to ____."
|
| I said, "I understand but which one are you looking for,
| the older or younger?"
|
| "I can't share that information."
|
| "Then I can't put you in touch with who you're looking for if
| you can't tell me who you're looking for."
|
| "I can only speak with ____."
|
| I said "Ok, tell me the last 4 of her social and I'll know
| which one you're looking for."
|
| "That's private information, sir."
|
| "No, that's the public portion of a social security number.
| Tell you what, since you're learning how this works, I'll make
| it easy on you: I'll give you the first digit and you tell me
| the last. That way we both know we have the same 'protected
| information'. If I give you the wrong starting number or you
| give me the wrong ending number, we both know we have the wrong
| person."
|
| "I need to speak with _____."
|
| I gave her the starting number but she didn't budge.
|
| I finally said "okay, since you can't verify who you're looking
| for, I'm going to just tell you you have the wrong number. This
| is _my_ cell phone, not ____'s. You may send a letter, but
| this is not the correct phone number for who you're looking
| for. Please, do not call me again."
|
| While all this was going on she gave me the name of the
| collection company which I was able to Google and determine it
| was a legit operation and located not too far away. A medical
| provider never got our correct address, but it just showed me
| how overly trusting some companies expect people to be. Nah,
| this is a two-way verification. If you're gonna call me, you
| need to give a little to prove to me you're legit.
| srvmshr wrote:
| The last time I received such a call, I just told them in
| Hindi not to call me again, and that I knew it was an
| obvious fake. I could hear them muttering something in Hindi
| on the other end while hanging up.
|
| The tongue-rolled accent & peculiar pronunciations / choice
| of words is a giveaway. A large number of these IRS &
| collections calls originate from call centers in India.
| pwg wrote:
| > A while ago, my wife got a call from a collections agency
| on my phone.
|
| I occasionally get calls on my number from a caller asking
| for my brother.
|
| My standard response has always, from the first time one came
| in, been: "there is no one at this number by that name".
|
| > You may send a letter, ...
|
| If one /ever/ gets a call from anyone purporting to be a
| "collections agency" then this ("send a letter") is the
| /only/ correct response that should ever be given. You may
| want/need that legal record later.
| ceejayoz wrote:
| > No, that's the public portion of a social security number.
|
| It really isn't.
| abofh wrote:
| Indeed, the first three are dependent on the state that
| issued your SSN, and the next two often are sequence bits
| roughly correlating to when it was issued. If anything,
| those are the public bits
| 0des wrote:
| They are not numbered by state anymore
| jcranmer wrote:
| The change was done in 2011, so very likely the
| geographical-based system applies to anyone fielding
| collections agency phone calls in the present day.
| 0des wrote:
| True, I'll give you that
| xwdv wrote:
| It is, and you _must_ set aside your personal feelings and
| treat it as public info.
|
| If people think these digits are like some secret password,
| they will be treated as such and used to gatekeep access to
| even more restricted info and accounts. Which would be a
| disaster because many people have had these last four
| digits exposed over time. Knowing them does not prove
| identity.
|
| They are public.
| throwawayboise wrote:
| You might as well assume your entire SSN is public. Most
| of them have been leaked someplace or other, and for
| anyone who was an adult before about 2000 it was common
| to have them pre-printed on your personal checks. It's
| only in the past few decades that they have suddenly
| become "secret."
|
| That someone who called you on the phone happens to know
| your SSN last four or even the entire number should not
| confer any trust on your part.
| xwdv wrote:
| The second you believe your SSN represents privileged
| information, that's when you get taken advantage of.
| ceejayoz wrote:
| Like it or not, many banks and other industries use it as
| a verification question. A collections agent is going to
| be explicitly and strictly forbidden by policy from
| disclosing it to an unknown person on the phone, and
| that's a _good_ thing.
|
| Yes, I'm pretty sure everyone has my SSN and other
| details, but collections agents should absolutely follow
| the rules. The ones that don't tend to be abusive.
| adonovan wrote:
| Regardless of original intent, at this point, it really is.
| BeefWellington wrote:
| > Hang up and call them back at the number you normally use to
| reach them, from their website or the back of your credit/debit
| card for example. Make sure you're talking to the people you
| think you are.
|
| This is not foolproof either. In _some_ older landlines even
| hanging up doesn't necessarily disconnect you.
|
| This means an attack works like:
|
| 1. Attacker dials their victim, alleging to be "Interpol",
| "VISA Card Services" or some other similar thing.
|
| 2. Victim takes this advice, "hangs up" and picks up and dials
| back.
|
| 3. After victim hangs up, attacker plays dialtone noise down
| the line, which they have not disconnected.
|
| 4. Victim picks up and "dials" the actual thing they want to be
| sure of, but is really just listening to a fake call the
| attackers play to them.
|
| 5. Attacker answers "Thanks for calling X".
|
| This isn't to my knowledge true of mobile calls but it's
| important to know it's not foolproof either.
|
| There's some discussion of that here:
| https://security.stackexchange.com/questions/100268/does-han...
| downrightmike wrote:
| Caller id is just a user settable field. There are two numbers,
| ANI which is how telcos are supposed to keep track of who to
| charge. NO one uses it, because users don't like it. And caller
| id is sent out on the second ring, but again, user can set that
| to anything. Corps have to adhere to the TCPA, others don't and
| SIP calls are cheap and globally routable.
| https://www.fcc.gov/sites/default/files/tcpa-rules.pdf
| bufferoverflow wrote:
| That's a ridiculous system design.
| downrightmike wrote:
| Brought to you by Ma Bell
| xad6 wrote:
| Similar to the original SMTP implementation, it was designed
| in an era where folks often assumed that only "trusted
| parties" had access to the network backbone (whether that
| network is circuit-switched or packet-switched).
| colejohnson66 wrote:
| It's remnants from a time where security wasn't a concern.
| The original intent of the From: field in email was that it's
| definitive, but now it's just a legacy field that many
| systems ignore because it's fakeable.
| exabrial wrote:
| You're correct, but back in the day, all nodes were trusted
| nodes, so would have been a lot of overhead to authenticate
| all this stuff. Hasty regulatory oversight in a fledgling
| industry led to the current situation.
|
| STIR/SHAKEN actually has the potential to do things
| correctly, as a call Digital Attestation Certificate has to
| be supplied... but telcos make quite a bit of money off of
| scam callers so don't expect them to move quickly, and I'd
| expect them to implement it in the absolutely poorest way
| possible.
| litgab wrote:
| I just got a call from the Microsoft Security Team. They informed
| me my computer was highly infected. I spent 1 hour with them
| executing all cmd commands they wanted & told them the output.
|
| In the end I told them my wifi was broken and the technician
| should come by soon to fix it. She turned very aggressive and
| told me to call my brother Internet provider right now, as this
| is urgent because the hackers are already in my system. I told
| her to call me again the next day.
|
| I might have forgotten to mention I am using a mac (and had to
| google the result of all commands & screens). I wanted to set up a
| VM and trace them or maybe even let them execute a manipulated
| cmd.exe to create a reverse shell. But after my attempts to buy
| some time so I could set everything up, they gave up and never
| called again.
|
| So sad, I am still scared of all the "viruses of very dangerous
| hackers"...
| toast0 wrote:
| > I just got a call from the Microsoft Security Team.
|
| They used to call me, but they said they were from 'The
| Windows'. I tried to get them to play Zork, but they weren't
| very interested, and it took me a little too long to get it
| started anyway.
| wbobeirne wrote:
| You'd probably enjoy the content of Jim Browning, a guy who
| tries to flip the tables on these kinds of tech support scams:
| https://www.youtube.com/channel/UCBNG0osIBAprVcZZ3ic84vw
| jaywalk wrote:
| > Shouldn't my mobile phone network verify that the caller -
| which was also inside their network - is a valid subscriber?
|
| Since the advent of number portability, the area code and prefix
| no longer signify anything about what carrier a particular number
| belongs to. You could very easily take your T-Mobile number to
| Verizon, for example.
| xp84 wrote:
| The number itself is no longer permanently their network, sure
| - however, they have instant access to look up* any number and
| find who presently owns it - which they must use to be able to
| route calls successfully. It's completely true that say,
| T-Mobile could today refuse to connect a call when the caller
| pretends to be calling from a T-Mobile owned number and yet is
| calling from outside their network.
|
| Sure, it would only kill a subset of the spam if they could
| only do this when they currently control the spoofed number
| themselves, however it would still do something!
|
| * Source:
| https://teraquant.com/local-number-portability-and-how-to-tr...
| moron4hire wrote:
| I think a much better question is, _why_ can scammers spoof a
| phone number? We hear lots of excuses from the carriers about how
| this is out of their control, this is how the system works, etc.
| Why don't they feel like they have a fire lit under their asses
| to fix the issue?
|
| My immediate guess is that they must make money off of scam calls
| somehow. A scam call is still a call.
| doliveira wrote:
| Yeah, and the net effect is that they're shooting themselves in
| the foot: I don't even pick up phone calls anymore. And I don't
| think I'm alone in this: most families and friends claim only
| to answer calls of close contacts. Legitimate services nowadays
| just contact you in WhatsApp instead.
| heffer wrote:
| The same principle is applied when you use call forwarding on
| most SIP providers. They "spoof" the real caller's Caller ID
| when forwarding the call, so that the forwarded call reaches
| your phone with the number of the actual caller, not some
| random number assigned to your account or the provider. If they
| didn't do this you wouldn't be able to call the original caller
| back directly from your call log.
|
| This would be a legitimate use case for Caller ID spoofing.
| moron4hire wrote:
| Yeah, no, not buying it. I mean, not buying that's the only
| way it could be done.
| bombcar wrote:
| This is why I like having my number from where I lived in 2005
| (see https://xkcd.com/1129/ ) - any calls from "my area code" are
| automatically spam unless it is a particular number I know.
| nwsm wrote:
| I have this convenience as well. If I don't have a number from
| my home area code, I don't need it. Although I basically do not
| answer any unknown phone numbers at this point unless I'm
| expecting a call from a company for something.
| brk wrote:
| This is the same thing for me. Short version is that I'm from
| Detroit area, lived in NH for a while, and now reside in Tampa
| area. My cellphone has a 603 area code (NH). But since I'm not
| from there, the only 603 numbers I care about are already in my
| address book, any others are guaranteed to be spam calls. This
| lets me easily ignore 95% of them (I also occasionally see an
| 802 (VT) number or a 978 (MA) number).
|
| What is interesting is that I have started to receive more 727
| (local area code) spam calls, maybe 2-3 per month. I suspect
| this must be from local friends and contacts leaking my number
| through sharing address books with various apps.
|
| I am at the point now where incoming phone calls are near
| valueless, other than from a very small set of numbers. Most
| people text me, or contact me through other apps/methods. Even
| for business purposes, incoming calls are almost always
| scheduled and the very very few that are not, and from an
| unrecognized number, can leave a voicemail.
|
| It is somewhat amazing how the telco's have let their core
| product, voice calls, become nearly worthless by not handling
| these spam call problems. Now I'm using contact methods and
| apps that are not provided by telcos and not strictly reliant
| on their networks.
| philovivero wrote:
| I get scam phone calls with area codes from most of the major
| metro areas all over the USA although since it's a California
| area code, it seems most are from somewhere in California.
|
| Your final paragraph is pretty on-point.
|
| > It is somewhat amazing how the telco's have let their core
| product, voice calls, become nearly worthless by not handling
| these spam call problems
|
| I have more than once thought about just giving up on having
| a phone number at all. Unfortunate that isn't an option yet.
| abofh wrote:
| Ported my "2005" number to a voip carrier, and have an
| automated lookup - not in my known caller list? Straight to
| voicemail. Known caller? Forward to my direct number with a
| known caller ID, otherwise muted.
|
| I should not have to put this much effort into not being
| contacted, but otoh, it saves me quite a bit since dropping the
| US cell line.
| [deleted]
| jijji wrote:
| Being able to set outbound Caller ID is something that is common
| with SIP providers and T1/PRI providers. The most common case
| today is using SIP. The billing happens at the provider level,
| and is not based on the user defined Caller ID field. Anyone can
| set up an Asterisk instance and make the caller ID value on the
| outgoing calls whatever they want [1].
|
| [1] https://www.voip-info.org/setting-callerid/
| ghostpepper wrote:
| I live in Canada, and I and most people I know receive spam calls
| from spoofed numbers on a semi-regular basis.
|
| Sometimes the number is only a few digits off from my number, but
| other times it has a name like TOLL FREE SERV. A common lure is
| claiming they are Service Canada or Canada Revenue Agency (or the
| nonexistent Revenue Canada), and the call will open with
| nonsensical threats like "A warrant has been placed in your
| social insurance number". I have a hunch they often target
| wealthy international students, as sometimes the messages are
| entirely in Chinese.
|
| Recently I received three calls in one day. It's been happening
| for years, and the phone companies don't appear to be
| able/willing/motivated to stop it. Most people I know have just
| resorted to not picking up calls from unknown numbers.
| heffer wrote:
| If you are on Telus or any of their other brands you should be
| able to configure "Call Control". This feature prompts an
| unknown caller to type a given digit before the call is
| actually connected. Filters out 100% of all spam and other
| automatically dialed calls. Very very rarely I had people miss
| the prompt and as a result not being able to reach me. We're
| talking like 2 calls in 3 years. They reached me via email and
| all was good in the end.
| cjauvin wrote:
| I live in Canada too, and these particular calls are rapidly
| destroying the notion of answering a number that is not in your
| contact list.
| mef wrote:
| on iOS, the "Silence Unknown Callers" feature has completely
| eliminated this for me.
| fxtentacle wrote:
| I was actually waiting on a call back from a parcel company,
| so the scam caller in this case just had very lucky timing.
| marckemil wrote:
| Canadian physician here: yeah, this is hell for us trying to
| reach patients through the hospital system, which is
| "unknown" by default. Straight to voicemail and you can't
| really leave a message. Totally agree though, this problem is
| very time consuming, if only for the time it takes me to look
| at my phone and decide not to answer the call - a few seconds
| of my life each time. My worst day was a few days ago; 7
| calls.
| ryandrake wrote:
| You're going to hate me then: I go a step farther than OP:
| Do Not Disturb mode 24 hours a day, 7 days a week. No
| notifications, no messages, no phone ring at all. I make
| sure my voicemail is never full. Leave a message and if
| it's important I will get back to you.
|
| If I have a sick relative and explicitly expect an urgent
| call, I can easily and briefly turn off DND mode.
|
| If the concept of a telephone never existed, and "Phone
| App" was invented today, it would be considered extremely
| intrusive and likely not (at least on iOS) pass App Store
| review. Think about it: Here's an app that allows any
| random person to cause your device to 1. interrupt whatever
| foreground app you have running with system-level UI
| (notification or full-screen takeover), and 2. ring and
| vibrate your device without your consent. If we weren't
| already familiar with telephones, we would never accept
| such an obnoxious app!
| sgc wrote:
| That is just the android facebook app in lite mode! I
| tried it for about 24 hours once after much social
| pressure. Now I just look at my wife's feed if she
| mentions something interesting.
| 0des wrote:
| Developer here, the cost is more than a few seconds. That
| call can derail productivity for much longer, like pushing
| a heavy stone that must gain momentum
| lattalayta wrote:
| Out of curiosity - what do you mean by "Can't really leave
| a message" ?
| martyvis wrote:
| Not the OP, but if you are a doctor and need to ring a
| relative or a friend to inform them about a very sick
| patient, leaving a message without the opportunity for at
| least brief interaction isn't something particularly
| pleasant for either party. (You either leave information too
| nonspecific for them to be sure what to do, or so much that it
| potentially breaches patient confidentiality or is going to
| panic the recipient.)
| gvb wrote:
| STIR/SHAKEN is supposed to stop the spoofing. For an explanation,
| see https://en.wikipedia.org/wiki/STIR/SHAKEN
| herendin wrote:
| Isn't it already possible for a phone to display the
| STIR/SHAKEN Caller ID verification status of each incoming call
| now?
|
| This would be useful in the interim as this system rolls out,
| and would also encourage adoption by mobile carriers
| lkbm wrote:
| > The Federal Communications Commission requires use of the
| protocols by June 30, 2021
|
| Spoofing still exists, though. Is the issue now that our phones
| are backwards-compatible with the insecure system?
| eli wrote:
| That deadline has been repeatedly extended
| jaywalk wrote:
| The problem is that carriers (especially smaller ones) have
| been dragging their feet on implementing it, and nobody can use
| it to actually block calls until essentially everybody supports
| it and is interoperating. Until then, phones will just show
| calls between STIR/SHAKEN carriers as having verified caller
| ID.
| skyde wrote:
| Would it be possible to tell my carrier to simply block all
| calls that are not (STIR/SHAKEN)?
|
| If all my friends are on carriers that support it, I am not
| interested in receiving calls from people that are not on a
| carrier that supports it.
| pxx wrote:
| You can do this in software on your phone (assuming
| Android).
| jmholla wrote:
| How does one do that? Do I need another app? I don't see
| a setting for this in my Android settings.
| mullen wrote:
| In the Phone App, under Settings -> "Spam and Call
| Screen", there are a bunch of Spam and Call Screening
| options.
| andrewshadura wrote:
| There's also an app called YACB which offers advanced
| filtering.
| jaywalk wrote:
| I highly doubt any carrier would offer this, especially
| with the current adoption being where it's at. You'd be
| better off using your phone's capabilities to restrict
| calls to only your contacts.
| lowlevel wrote:
| This is what I do, and feel is the only solution now.
| Phone always on DND/only allow contacts to ring. A
| whitelist approach if you will.
| thesis wrote:
| This is great and all until there's an emergency and
| someone is trying to reach you.
| xp84 wrote:
| Yeah, it's less than ideal, but this is the future that
| the lazy carriers have brought us to. Hopefully, someone
| trying to reach me in an emergency would have the brains
| to send a text.
| encryptluks2 wrote:
| STIR/SHAKEN hasn't worked correctly or stopped robocalls like
| promised. Congress basically told everyone that this was the
| answer and would stop robocallers for good, but in reality did
| barely anything at all. The real solution is to label
| robocallers as terrorists and sanction countries with large
| amounts of robocalls for sponsoring terrorism. Before long,
| everyone will be too scared to even consider working in a
| robocall center and they will start turning on each other and
| reporting their bosses. They should even offer monetary rewards
| and protections for providing intelligence on the people
| operating these.
| egberts1 wrote:
| And if they do not comply, to follow through with a Hellfire
| missile, right? /s
| busterarm wrote:
| If someone and the coworkers on their floor are calling and
| scamming old people out of their retirement money, then
| there is no sarcasm needed here. That should be perfectly
| justifiable.
|
| I'll paint the targeting laser myself.
| encryptluks2 wrote:
| I mean, think about how many people scammers are killing
| prematurely as is. Once these countries that we previously
| let shit on Americans for a long time have some serious
| sanctions, I'm sure they'll find ways to deal with the
| problems themselves.
| tabtab wrote:
| This should be an easily solvable problem. All calls should come
| from a paid account and be trace-able to the payee (by the phone
| company). I don't get why there is so much phone spam. If we need
| new standards, let's get on it!
| PaulHoule wrote:
| https://en.wikipedia.org/wiki/Caller_ID_spoofing
| toast0 wrote:
| > - How can a spam caller call me with a source phone number that
| does not exist?
|
| The same way they make a call with any source number. The two
| source numbers in a call (ANI and CallerID which don't need to be
| the same) have historically been not required and not validated.
| See stir/shaken for a modern effort to change this. Coming soon
| to a carrier near you; maybe.
|
| Being able to set the source number enables many useful things as
| well as some spam/harassment/fraud uses. It requires a lot of
| coordination to allow the former and restrict the latter.
|
| TLDR: don't trust caller id. Don't call people back unless you
| know the number/it's an expected call.
|
| > - Shouldn't my mobile phone network verify that the caller -
| which was also inside their network - is a valid subscriber?
| Otherwise, how can they bill someone for this call?
|
| Call billing records don't use caller id in the way you're
| thinking. If you pay for incoming calls, they're charged
| regardless of the source number, but it's recorded for
| informational purposes.
|
| For outgoing calls, the call record is made closer to the source
| and is tied to the line that made the call, not the source
| number.
|
| For intercarrier calls (which is almost certainly the case here),
| the source carrier bills its customer and the interconnecting
| carriers count minutes on calls and settle up for net difference
| in flows (calling carrier pays, but interchange fees are going to
| zero among US carriers)
|
| > - How does this kind of scam call work technically?
|
| Get a phone account where you can set the caller id and calls are
| cheap; call a lot of people; successfully scam one or two; take
| the money and run.
|
| Some voip accounts let you set caller id. Traditional primary
| rate interfaces (T1) usually do too.
| bombcar wrote:
| To go further on this, the T1/DID allows you to set various
| numbers for the outgoing (for example, so that all calls from
| your company appear as "main company number", or all calls from
| support people come from the "support number"). The CallerID is
| very easy to replace with anything, but even the ANI can be
| replaced, and until recently, nobody verified anything at all.
|
| And lots of "back end" things depend on this silliness - for
| example, some MVNO actually have TWO phone numbers associated
| with the phone: a VOIP "real number" and a secret "actual cell
| number" - Republic Wireless had this for sure. The VOIP number
| is what you'd give everyone, and they'd do routing weirdness to
| use Wifi whenever possible. The "real" cell number would go
| direct to the phone but not normally appear anywhere.
| throwawayboise wrote:
| Yeah when I was on Republic Wireless I'd sometimes get calls
| from people who had called the "secret" number because it had
| been recycled. I used to get calls from the county clerk's
| office reminding me of my upcoming court dates and probation
| appointments. I called them back and said you must have a
| wrong number, they checked and of course had no record of my
| phone number on any of their records and could not understand
| why I was getting these calls, nor could they figure out who
| _should_ have been getting them. Later I realized that
| someone must have had that "secret" number recently and it
| had been recycled into Republic's pool.
| seba_dos1 wrote:
| Do you know how e-mail lets you set anything you want in 'From'
| field and only relies on optional stuff like DMARC to, maybe,
| verify it?
|
| It's almost exactly the same with phone calls, that 'From' field
| is just set at a provider level instead of user level - and there
| are _many_ providers over the world, including some that allow
| the user to set this field however they like.
| jdofaz wrote:
| Since you are on T-Mobile verify you have scam id and scam block
| enabled: https://www.t-mobile.com/support/plans-features/self-service...
|
| > which was also inside their network
|
| A phone number isn't like an IP address, the call isn't coming
| from that number and almost certainly didn't originate on the
| t-mobile network
|
| The FCC recently reduced the amount of time some companies have
| to implement STIR/SHAKEN to June 30, 2022.
|
| https://docs.fcc.gov/public/attachments/DA-21-1593A1.pdf
|
| >The Commission recently shortened the extension for a subset of
| small voice service providers likely to be the source of illegal
| robocalls.
| pwg wrote:
| Because the design of the original caller-id system allows the
| initiator of the call to attach any set of numbers they like as
| the caller-id value that is shown on your phone.
| phkahler wrote:
| Which is hilarious because the phone company used to charge
| extra to bring you this information as if they were telling you
| who was calling. That's a service I'd almost be willing to pay
| for today if it actually worked.
| pwg wrote:
| Which is also why it is simply an "initiator settable field".
| When "the phone company" brought out the service (for a
| monthly fee) there was only one "phone company" and so they
| could be assured that they themselves were setting the value
| to the correct source.
|
| Now that the phone network looks more like the internet (many
| different companies all exchanging "calls" with each other)
| that decision, way back then, has the unintended side effect
| of allowing the robocall spammers to set whatever set of ten
| digits they like on their outgoing calls.
| taubek wrote:
| If you hang up be sure that you have really disconnected the
| line. https://bc.ctvnews.ca/beware-of-the-delayed-disconnect-phone...
| smegsicle wrote:
| paris hilton knew how to do it back in 2006, checking lindsay
| lohan's voicemail by pretending to call her from her own phone
|
| https://www.infoworld.com/article/2658949/paris-hilton-accus...
| JoshGlazebrook wrote:
| It still seems crazy that even though carriers knew how easy it
| is to spoof numbers, even back then, they still decided to just
| skip any voicemail passcode authentication if you were calling
| your own number from your own number to get to your voicemail.
|
| It's like letting someone in your house because they're holding
| up a paper cutout of someone else's face that you know in front
| of their actual face and that's good enough.
| awinter-py wrote:
| seriously, never pick up the phone unless you know the caller.
| every stranger who calls you is trying to waste your time in some
| way
|
| even 'legit' businesses that call you from random numbers are
| basically a spam channel / are training you to get phished -- for
| example health insurance and credit card. every time I call back
| on their official # to ask what they want, it's 10-20 minutes to
| figure out what they wanted (if they even know!)
|
| we somehow aren't a society that can legislate to prevent
| spammers from using the phones. at this point let's pivot and
| punish _legit businesses_ who use the phones to waste my time
| TACIXAT wrote:
| It is actually incredibly easy! If you are using a voip line, it
| is just a configurable field in the UI. You can do it with any
| voip phone app (e.g. [1]) and a voip provider (e.g. [2]). I have
| an old archived video showing it here [3]. It is not so
| interesting though, just me poking around in a voip provider's
| UI.
|
| To address the other question about phone providers verifying
| stuff. SHAKEN/STIR [4] protocols are supposed to address this,
| but I think the telcos are still in ramp up time.
|
| 1. https://www.zoiper.com/
|
| 2. https://voip.ms
|
| 3. https://odysee.com/@cybering:1/spoofing-call-id-using-voip:2...
|
| 4. https://www.fcc.gov/call-authentication#:~:text=STIR%2FSHAKE....
| sschueller wrote:
| It's ridiculous that phone companies allow this. Anyone wanting
| to set caller ID via voip should be forced to provide some sort
| of verification that the number is theirs and the phone company
| should not route it if it fails verification.
|
| We only have 3 major cell carriers here in Switzerland, it
| should be trivial for the 3 to verify each other's numbers to
| see if those customers even exist. Unlike the US each cell
| provider has its own number prefix. Numbers are portable but
| only between certain providers.
| tonfreed wrote:
| Welcome to the wonderful house of cards that is the SIP
| protocol
| ale42 wrote:
| It's not as easy... For example, it is possible and legal to
| use your own number to call from a VoIP provider, so the
| recipient can call you back on your actual phone.
|
| On the other hand, it should be possible to detect at least a
| percentage of spoofed caller IDs and block them (e.g. non-
| existing numbers).
| MichaelBurge wrote:
| The VoIP provider could forward the call to your phone as a
| middleman, or there could be 3 numbers(1. Who to bill 2.
| Calling number 3. Reply-to number) and only #3 is user-
| configurable.
| zitterbewegung wrote:
| They are doing ANI spoofing. By using a service they can show you
| any number you want. The law only states that you can't do this
| if you are trying to commit a crime.
| cryptonector wrote:
| Signalling system 7 has no authentication.
|
| That's the bottom line.
|
| Adding authentication is pretty obviously not trivial, not just
| because of protocol upgrade issues, but also because end-to-end
| authen. won't be easy to add at all, and hop-by-hop authen. w/
| something like "egress filtering" won't work in the age of phone
| number portability.
|
| What might work is a TCP-like return routability test. I.e., have
| the network ask the ostensible device "did you mean to make this
| call?", though that might have other issues (think of how SYN
| spoofing can be used for DDoS attacks).
|
| I.e., preventing caller ID scams is really hard.
| contingencies wrote:
| Here in China they aggressively egress filter since ~15 years
| ago (source: had an E1 on fiber way back then). You can set
| caller ID to any number you are assigned and nothing else.
| bigmattystyles wrote:
| What about charging a penny or 5 cents per call? Nominally cheap
| for regular users, would put a dent in scammers. And don't let
| the phone company keep the money, put it towards the
| infrastructure.
| cryptonector wrote:
| Billing is one of the highest costs for telcos.
| Terry_Roll wrote:
| > Ask HN: How can scam callers fake a mobile phone number?
|
| International Telephone Standards. VoIP. VoIP companies like
| https://www.sipgatebasic.co.uk/tour
|
| And if you set up a VoIP number and a pbx like freeswitch or
| asterisk, they will send the ringing tones down to the caller so
| if you have the pbx set to record calls you can listen to what
| the caller is chatting about whilst they are ringing you, hearing
| the ringing tone at their end waiting for you to pick up. All a
| bit spooky but that's the technology for you!
|
| > - How can a spam caller call me with a source phone number that
| does not exist?
|
| Again they have the VoIP number but when you ring it they can
| play a dead line tone down to you instead of a ringing tone. With
| VoIP and Freeswitch/asterisk and probably other PBXs you control
| all of that.
|
| > - Shouldn't my mobile phone network verify that the caller -
| which was also inside their network - is a valid subscriber?
| Otherwise, how can they bill someone for this call?
|
| Depends on the telecoms standards in the country and/or the
| telecoms provider.
|
| > - How does this kind of scam call work technically?
|
| Any member of the public can set up a VoIP number and PBXs like
| freeswitch and asterisk and do this.
|
| If it's not a VoIP then telecoms companies and the security
| services in your country, or maybe your mobile phone is hacked and
| your mobile has logged onto a local fake cell instead which is
| slightly different to the VoIP setup above but I don't know how
| much this device can do.
| https://en.wikipedia.org/wiki/Stingray_phone_tracker#Active_...
|
| and you can do things like this
| https://www.wired.com/2010/07/intercepting-cell-phone-calls/
| icedchai wrote:
| Caller ID is for "presentation" only, not billing. Anyone with
| the appropriate access can set their caller ID to whatever they
| want. Some VOIP providers don't do any validation that you "own"
| the number you are providing. Years ago, when I had an Asterisk
| PBX set up using a super cheap SIP provider, you could put
| anything you wanted in for a caller ID.
|
| There are legitimate use cases for this. Imagine if you are a
| company with 1000's of physical locations. You want all their
| calls to appear that they are coming from the corporate
| headquarters.
| bloodcarter wrote:
| Try https://assistant.dasha.ai/ to block such calls.
| cookiengineer wrote:
| The easiest way is to have a SIP gateway that uses a too long
| number to display. Usually it's around 12-13 digits for the
| subscriber number depending on the country code, so all digits
| before that (after in SIP) will be cut out on most phones.
|
| I think the relevant spec for that is E.164 which enforces 15
| digits overall (1-3 for country code and 12 for subscriber
| number).
|
| There are also lots of SIP gateways that have an ISP license or a
| phone provider license. They're the same types that allow to fake
| the numbers for their customers, and usually you can transfer
| some still in use mobile numbers to them as well. Because
| apparently law enforcement doesn't do anything against them.
|
| And yes, never use 2FA via SMS. Never.
| Spivak wrote:
| Saying no to 2FA SMS is a little harsh. It's strictly better
| than 1FA password. What you probably mean is don't use SMS for
| _account recovery_.
| winternett wrote:
| I hate to sound like a conspiracy theorist, but it's pretty easy
| for a carrier to determine devices that are making spam calls
| because they log everything, and they could simply create and
| distribute apps to their customers to enable reporting of spam
| calls, but somehow for years they've left it up to dodgy 3rd
| party app providers and the calls keep rolling.
|
| I don't think carriers have any incentive to stop spam calls
| because they gain a lot of money every year in billing minutes
| for those spam calls (mostly prepaid accounts are affected by the
| billing unfortunately)...
|
| I wouldn't dare go as far to say that the calls are possibly even
| sponsored or conducted by profiteers in the game... (People who
| sell prepaid and metered phone services)
|
| Just a personal opinion though.
| arcticbull wrote:
| Used to take about 5 minutes to configure an Asterisk [1] PBX,
| obtain a provisioned DID from a VoIP provider and set your
| outbound caller ID with Set(CALLERID()) [2]. Doing so allows you
| to configure both your text label and call-back number.
|
| [1] https://www.asterisk.org/
|
| [2] https://www.voip-info.org/setting-callerid/
| mrozbarry wrote:
| One thing people don't know is that the phone network is actually
| a bunch of duct-taped technology that is pretty old. There have
| been advancements, and if you're in the US, you'll be happy to
| know that mobile carriers require stir/shaken handshaking, which
| is _mostly_ equivalent to https on the web (this is a gross
| simplification).
|
| The short/simple answer is carriers don't care, because they make
| money when a call is placed on their network. There is also a
| difference between what is a valid number (digits are correct) vs
| a real number (someone owns a number). It is cheap for a carrier
| to check validity, but not "realness" - to check a real number, a
| carrier may have to do some sort of data request to any number of
| carriers to determine if the number is owned.
| mark-r wrote:
| I always figured that the ability to set an arbitrary phone
| number was a feature for the benefit of large corporate PBX
| systems. Every person at the company gets their own phone number,
| but the number of physical connections to the phone company is
| limited. The PBX can set the identity on an outgoing call to
| match the phone number of the person who initiated the call, no
| matter which physical line it uses.
| closeparen wrote:
| Worked in business telephony, this is correct.
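
Added example, not part of the thread or any commenter's code: a phone-side screening policy combining the checks discussed above (the E.164 length limit, "valid" versus "real" numbers, contact allowlists, verified caller ID, and the original poster's near-match number). It assumes the user is in the +1 (NANP) region; the Call record, its `verified` flag, and all numbers are constructed for illustration.

```python
import re
from dataclasses import dataclass

E164_MAX_DIGITS = 15  # E.164 limit: country code plus subscriber number


@dataclass
class Call:
    caller_id: str  # number as presented by the network (unauthenticated)
    verified: bool  # hypothetical flag: carrier reported the caller ID as verified


def normalize(raw):
    """Digits in international form without '+', or None if not a phone number."""
    raw = raw.strip()
    if not re.fullmatch(r"\+?[\d\s().-]+", raw):
        return None
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10 and not raw.startswith("+"):
        digits = "1" + digits  # assumption: bare 10-digit numbers are NANP national
    return digits or None


def well_formed(n):
    """Cheap shape check only; it cannot tell whether anyone owns the number."""
    if len(n) > E164_MAX_DIGITS:
        return False
    if n.startswith("1"):  # NANP: 1 + NXX-NXX-XXXX, where N is 2-9
        return len(n) == 11 and n[1] in "23456789" and n[4] in "23456789"
    return True


def is_neighbor(n, own, max_tail=4):
    """True when n equals own except within the last max_tail digits."""
    return len(n) == len(own) and n != own and n[:-max_tail] == own[:-max_tail]


def screen(call, own, contacts):
    """Return (action, reason) for an incoming call."""
    n = normalize(call.caller_id)
    if n is None:
        return ("voicemail", "withheld-or-unparseable")
    if not well_formed(n):
        return ("block", "malformed")
    if n == own:
        return ("block", "own-number")
    if n in contacts:
        # A spoofed contact number still rings here; also require
        # call.verified where the platform reports it reliably.
        return ("ring", "contact")
    if is_neighbor(n, own):
        return ("voicemail", "neighbor-pattern")
    if not call.verified:
        return ("voicemail", "unverified")
    return ("ring", "verified")


# Constructed sample data (555-01xx style fictional numbers).
OWN = normalize("+1 202 555 0143")
CONTACTS = {normalize("+1 415 555 0100")}
SAMPLE_CALLS = [
    Call("+1 202 555 0198", False),        # matches own number except the tail
    Call("(202) 555-0143", True),          # claims to be the user's own number
    Call("+1 012 555 0100", False),        # impossible NANP area code
    Call("004915550100123456789", True),   # longer than E.164 allows
    Call("+1 415 555 0100", False),        # known contact
    Call("+44 20 7946 0018", True),        # stranger, verified
    Call("+1 303 555 0111", False),        # stranger, unverified
    Call("Unknown", False),                # withheld caller ID
]

if __name__ == "__main__":
    for c in SAMPLE_CALLS:
        print(f"{c.caller_id!r:28} -> {screen(c, OWN, CONTACTS)}")
```

Sending unverified and withheld callers to voicemail rather than blocking them keeps callers like the hospital line mentioned in the thread reachable.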
___________________________________________________________________
(page generated 2022-03-14 23:01 UTC)