FCC proposes $10 Million fine for spoofed robocalls

Dan Hollis goemon at sasami.anime.net
Thu Dec 19 19:53:47 UTC 2019


Fact is the telcos make lots of money off spoofed robocalls so they have 
zero incentive to stop the practice.

-Dan

On Thu, 19 Dec 2019, Keith Medcalf wrote:

>
> "CallerID" is a misnomer.  It is actually the "Advertized ID".  However, the telcos realized you would not pay to receive advertizing so they renamed it to something they thought you would pay for.
>
> Pretty canny business model eh?  And apparently y'all fell for it, thinking it was related to the Identification of the Caller, rather than being what the caller wished to advertize.
>
> -- 
> The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
>
>> -----Original Message-----
>> From: NANOG <nanog-bounces at nanog.org> On Behalf Of Brandon Martin
>> Sent: Thursday, 19 December, 2019 10:25
>> To: nanog at nanog.org
>> Subject: Re: FCC proposes $10 Million fine for spoofed robocalls
>>
>> On 12/19/19 12:09 PM, Andreas Ott wrote:
>>> I have also been told that there is no equivalent of uRPF in the phone
>> world.
>>
>> This is the biggest issue, and unfortunately (and my knowledge of the
>> PSTN is admittedly a bit lacking, here), there's likely no good way to
>> add it.
>>
>> Calls on the PSTN are routed essentially based on "who do I feel like
>> handing this off to, today", and then that entity may do the same, and
>> so on.  It's pretty routine for an outfit to have multiple contracts for
>> termination that may not even be aware of the "legitimate" numbers from
>> which their customers might "source" a call.
>>
>> Further, it's entirely normal and perfectly legitimate (to varying
>> degrees) for an outfit to purport in CID a number that is not directly
>> assigned to them nor which will actually result in a callback being
>> routed to them.
>>
>> Think of caller ID more like reverse DNS.  It's largely advisory and,
>> outside some situations where you deliberately want a higher degree of
>> reputation/identity verification and are willing to accept a
>> potentially large number of false flags, there's no real reason to rely
>> on it outside of human nicety.
>>
>> The rough analogy to the source IP address is the ANI information that's
>> not even passed to most end users.  That's "who should I bill this to?".
>> But even that can get overwritten sometimes during call routing, from
>> what I gather.  It's also rarely a valid callback number for any
>> non-trivial call source.  Or, at least, if you did call it, the person
>> who (might) answer the phone will have no idea what prompted you to do
>> so.
>>
>> SHAKEN/STIR, the leading proposal to "fix" this, is more like RPKI in a
>> way albeit very much re-envisioned based on circuit switching rather
>> than packet switching.  Each intervening network can attest to what
>> degree they are able to verify the CID (and maybe ANI?) information in
>> the call.  Unfortunately, a perfectly valid attestation is "I cannot
>> verify it", and indeed that's likely to be most of the attestations
>> you'll see at least at first.  The best it really lets you do is figure
>> out some networks at which to point fingers.
>>
>> When "full attestation" is present, i.e. the network operator has been
>> able to verify that the CID field represents a number authorized for use
>> by the entity originating the call, it's maybe more like DKIM in that
>> you can, with cryptographic certainty, know THE network at which to
>> point fingers as they're the ones who admitted the call into the PSTN
>> with authority that the CID field (among others) is "valid".
>>
>> [And all the old PSTN folks will please forgive me if I'm inaccurate,
>> here, though corrections are welcome]
>> --
>> Brandon Martin
>
>
>
>

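The attestation mechanics Brandon sketches above (a per-call signed assertion that carries the CID, the called number and how strongly the originating network vouches for the caller), as an added Python example that is not code from any poster and not a SHAKEN implementation. It builds and checks a PASSporT-shaped token (the header.payload.signature layout of RFC 8225, with the "attest", "orig", "dest", "iat" and "origid" claims SHAKEN uses in RFC 8588, where "A" is the "full attestation" Brandon describes and "C" is the honest "I cannot verify it"). Assumptions: real PASSporTs are signed with ES256 against a certificate the verifier fetches; this example substitutes an HMAC-SHA256 shared key so it runs with the standard library alone, and the key, telephone numbers, origid and timestamps are constructed. The point it makes is the one in the post: a valid signature on a "C" token only tells you which network to point fingers at, and only an "A" token lets you treat the CID as a verified number.

```python
import base64
import hashlib
import hmac
import json

# SHAKEN attestation levels (RFC 8588).  "A" is the "full attestation" of the
# post; "C" is the perfectly valid "I cannot verify it".
ATTEST_MEANING = {
    "A": "full: originating provider vouches that the caller may use this number",
    "B": "partial: provider knows the customer, not whether it owns the number",
    "C": "gateway: provider only admitted the call and cannot verify the caller",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_passport(payload: dict, key: bytes) -> str:
    """Build a PASSporT-shaped token: base64url(header).base64url(payload).sig.

    ASSUMPTION: real PASSporTs use ES256 (ECDSA P-256) with an "x5u" header
    pointing at the signer's certificate; HMAC is a stand-in for this demo.
    """
    header = {"alg": "HS256-demo", "typ": "passport", "ppt": "shaken"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_passport(token: str, key: bytes, calling_number: str,
                    called_number: str, now: int, max_age: int = 60) -> dict:
    """Verify a token and report what the CID can and cannot be trusted for."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return {"verified": False, "reason": "malformed token"}
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return {"verified": False, "reason": "signature invalid: tampered or wrong signer"}
    payload = json.loads(_b64url_decode(payload_b64))
    # Freshness: a token captured from an earlier call must not vouch for this one.
    if not (now - max_age <= payload.get("iat", 0) <= now + max_age):
        return {"verified": False, "reason": "iat outside acceptance window (replay?)"}
    # The token is only meaningful if it binds to the numbers signalled on this call.
    if payload.get("orig", {}).get("tn") != calling_number:
        return {"verified": False, "reason": "orig tn does not match signalled CID"}
    if called_number not in payload.get("dest", {}).get("tn", []):
        return {"verified": False, "reason": "dest tn does not match called number"}
    attest = payload.get("attest")
    if attest not in ATTEST_MEANING:
        return {"verified": False, "reason": f"unknown attestation level {attest!r}"}
    return {
        "verified": True,
        "attest": attest,
        "cid_trusted": attest == "A",          # only full attestation verifies the CID
        "accountable_party": payload.get("origid"),  # the network to point fingers at
        "meaning": ATTEST_MEANING[attest],
    }


def demo() -> dict:
    """Three constructed calls: full attestation, gateway attestation, tampered token."""
    key = b"constructed-shared-key-for-demo"       # constructed, not a real credential
    now = 1_576_800_000                            # constructed epoch timestamp
    caller, callee = "12025550100", "13125550199"  # constructed 555 test numbers
    base = {"orig": {"tn": caller}, "dest": {"tn": [callee]}, "iat": now,
            "origid": "origid-constructed-0001"}
    full = sign_passport({**base, "attest": "A"}, key)
    gateway = sign_passport({**base, "attest": "C"}, key)
    # Tamper: swap the signed payload for one claiming a different CID, keep the signature.
    h, _, s = full.split(".")
    forged_payload = _b64url(json.dumps({**base, "attest": "A",
                                         "orig": {"tn": "18005550123"}}).encode())
    tampered = f"{h}.{forged_payload}.{s}"
    return {
        "full": verify_passport(full, key, caller, callee, now),
        "gateway": verify_passport(gateway, key, caller, callee, now),
        "tampered": verify_passport(tampered, key, "18005550123", callee, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The verifier deliberately separates "verified" (signature, freshness and number binding all check out) from "cid_trusted" (attestation level "A"): a terminating network that conflates the two would treat a correctly signed gateway attestation as proof of the caller's number, which is exactly the gap Brandon warns about.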

