Ask HN: What can we do about spam calls with spoofed numbers?
I received 14 spam calls in the past two days. I just called back one of the numbers and the person on the other end was not the person that called me. She told me that this has been happening to her too.
It looks like spammers are using other people's numbers to make these calls. What can we do to stop this?
82 comments
[ 4.2 ms ] story [ 168 ms ] threadThen any "local" call is likely to be spam. Filter as needed with a rule matching this areacode.
Anytime I get a call that is local to my actual location, it's almost always someone who has a legitimate need to get a hold of me (or my ISP trying to upsell me to landline phone)
If I don't recognize your number, I immediately send it to voicemail. If it's something I need to worry about, I call back.
My hope is that eventually spam callers will catch on to the fact that they've had no hits on my number and drop me from the list. I assume that no amount of interaction I have with them will get me off the list, so I simply choose not to interact with them.
Broadly speaking, you could also probably set up Do Not Disturb settings on your device, and I'd love it if we could filter calls unless they're from specific people during a specific time (e.g. family calls during work).
Long term, the best way we fight this is with our vote. The current FCC administration seems uninterested in this problem, and I think voting in a new administration may provide different results. Engage with your federal representatives as well!
You can do this on android. I usually have Do Not Disturb enabled while I work and I put my buzzer number on the whitelist for deliveries.
The phone system is designed to accept anyone calling on it, and there's no authentication mechanisms in place for securing it since it all has to interoperate and is built on dated standards.
There are basically two solutions to stopping the problem (instead of treating the symptom). The first is to increase costs to make phone calls (voip made this basically free and it gets abused). This was the old deterrant.
The other is to have providers work on an authentication method for their network, they are starting to do this with STIR/SHAKEN: https://transnexus.com/whitepapers/stir-and-shaken-overview/
Legislation won't help unless it is on the providers to require authentication.
[0] https://catalogchoice.org
[0] https://mysudo.com/plans
Industry solutions are supposedly forthcoming - see STIR/SHAKEN standards for caller verification. T-Mobile says they're doing something with this: https://www.t-mobile.com/news/caller-verified-note9
Is there an app for this?
They either hang up or start shotgunning large company names. I try to stall them a bit.
Then aggressively use Google fi to block and report as spam.
It's ridiculous that cell networks actively allow this. This should not be possible. And for US based spammers, they should arrest and prosecute every single person at the company. No exceptions. You are involved in a criminal conspiracy to commit fraud. Fuck throw Rico their way.
Many of the operations are overseas but there are plenty in the US.
TLDR; this is a technical approach to preventing number spoofing except where authorized. Presumably to be implemented by the international telecom industry.
[1] https://transnexus.com/whitepapers/understanding-stir-shaken... [2] https://datatracker.ietf.org/wg/stir/about/
Just this morning I had 4 calls between 5 and 8:00, and I can't turn my phone off. (On-call for work.)
Our government is busy shutting itself down over nonsense, yet pathological problems that are meaningfully impacting citizens are going entirely unmanaged for years. (To the FCC's credit, STIR/SHAKEN is a good step but I think it's very much a too-little-too-late situation; I haven't been able to empty my voicemail box in years lest it get filled up again within a day by spam.)
To make this not just be a rant (and since I see others who are concretely affected in similar ways) Shouldn't we be pursuing our govts/reps to be more aggressive in everything from investigating and prosecuting violations (spammers) to ensuring proper incentives for carriers to help defend against this? Is there anyone who has been a champion for this in the past?
I got my current phone number when I first moved to the US. Now I live on the other side of the country. The spam callers always use the same area code as my phone number in an attempt to appear like local numbers. Anytime I get a call from a California number that isn't in my phone I can safely ignore it.
But the more people do it, the less useful it will become.
Any unfamiliar senders get an autoreply asking for them to pay a fee to send the email. You as the receiver get paid this fee (-30%) for each email received (not read)
https://www.youtube.com/watch?v=9JxhTnWrKYs
https://en.wikipedia.org/wiki/Premium-rate_telephone_number
Honest to god, the new call screening feature on my Pixel is the most useful new feature from my phone in the last 5 years.
For the caller, they'll hear a Google Assistant voice that says, "Hi, the person you're calling is using a screening service from Google and will get a copy of this conversation. Go ahead and say your name and why you're calling."
As the caller speaks, the conversation is transcribed in real-time to your phone. If you know the person, you can pick up. If it's a spam call, you can press "Block Number and Report Spam."
"when call screening is enabled:
If the caller's name and phone number are in your Google Contacts, or the caller is a business known to Google (e.g. it shows up in Google Maps with an information box), then that name will be played to you. If the caller's number is not in either of those places, then their calls will be screened every time, until/unless you add them to Contacts."
Extremely effective, runs headless on a $5 VPS box by proxying calls through VoIP, but the added latency is a bit of a no-go.
PHONE on
PHONE off
...when the calls reach a certain volume, I just forward all calls immediately to voicemail, which also says, "I don't answer this phone anymore -- leave me an email."
After a few days or a week, I turn phone back on and see how it goes.
It ebbs and flows.
For business calls, I direct everything to Google Voice.
For personal, my friends/family know they can still FaceTime me or text me and I'll call back.
I don't actually get a lot of calls to my cellphone, and would gladly pay for data without calling.
From a previous thread, here or on Reddit:
"You actually can turn off cellular network calling altogether, if you are willing to do that.
Dial (star)#67# (or call 611 if it doesn't show up there) to see what number your voicemail center is. Then dial (star)21(star)1(that number)#. That will automatically forward all calls, at the network level, to your voicemail.
To cancel this, dial #21#."
Snark aside, sometimes I‘m happy about that the bureaucracy monster EU I happen to live in simply forbids crap like this.
https://www.youtube.com/channel/UC3OxCWLEmoIhNMm-hnvBm9Q
Same thing happens in all sorts of real-life situations; whitelisting to numbers in your contacts list can be a serious problem.
Cryptographically Authenticated caller ID, including a human or organization name, seems to be the only real solution.
Sure, it's a risk. One day someone could try to phone me with life-or-death information, completely out of the blue (if I was waiting for a life-or-death call, I'd be expecting the phone to ring so might answer it). This is a risk I choose to take, in exchange for not answering the phone. I'm usually not near it anyway, so miss most calls as it is. It's the future, everyone; stop answering the phone!
Interestingly, a while back, I got a call from a number that looked so familiar but I didn't recognize. I didn't answer but I couldn't get that number out of my mind. So I started looking through my contacts to see if it was someone I knew. Turns out, it was my own number. I couldn't believe it. These spammers were somehow spoofing my own number to call me.
CallerID name is more complex [3], as some providers will pass it along and some won't, and the termination provider (the one that receives the call) may or may not accept it. However, many VoIP providers have a way to register CNAM entries, this just also isn't totally reliable due to the way CNAM database sharing works [4].
Take away is: CallerID name and number are ENTIRELY unreliable as a means of identification or authentication. In fact, the only thing it's really useful for these days is that you get a call from a number in your contact list, it probably really is that person because it's unlikely that (a) by random chance the spammer choose a number that is in your contacts, and (b) has compromised your contact list and is using it to choose caller ID numbers.
[1] https://en.wikipedia.org/wiki/Caller_ID_spoofing#Technology_...
[2] https://www.voip-info.org/setting-callerid/
[3] https://en.wikipedia.org/wiki/Caller_ID_spoofing#Caller_name...
[4] https://www.onsip.com/blog/how-caller-id-works-why-it-might-...
So was annonymous e-mail resenders and open proxies in a more genteel and dignified age.
Today, clearly the feature is being misused too much, so we need to shot it down. Make the CEO of any telecom company who forwards a spoofed call personally liabled for 100k in damages and that problem is solved. Some businesses may want a callback to go to their main-number, but frankly if somebody calls me I want a way to call them back.
The ability to set your outgoing number is very useful for a number of reasons, but only being able to do it from a list of numbers you've verified you have ownership of would go a long way. They could even do something similar to how SSL providers do domain verification.
[1] https://en.wikipedia.org/wiki/Direct_inward_dial
[2] https://wiki.freepbx.org/display/FPG/IVR+Module+User+Guide#I...
Consumers as a group can contact regulators or legislators to urge this be fixed. The technological fix is not that difficult: telcos should whitelist numbers for specific customers so a customer can only use a number as outbound caller id if they are assigned or have otherwise validated the number. Reputable providers like Twilio already do this. This solves the oft-repeated claim that there are legitimate reasons to "spoof" caller id. You can't say it's spoofing if it's your number and you're the one calling...
But telcos don't do this. They don't care if caller ID is accurate, because their customers don't care if caller ID is accurate; most pay for it anyway.
[1]: http://tasker.joaoapps.com/
I'm seriously wondering. If anybody can enlighten me, I'd appreciate it.
https://www.gimletmedia.com/reply-all/102-long-distance-part...
it gives a lot of information about the subject
Maybe the challenge is doing all this in such a way that's compatible with legacy systems, though I'd think all of the complexity would live on the business exchange servers and the network itself, so "dumb" phones shouldn't have to know the difference.
Either way, I've learned to never underestimate the laziness and capacity for anti-consumerism of telecom companies.
As I suggested elsewhere you make the CEO personally liable and a technical solution will be found. It will probably just mean that the telephone company sent the relevant information and ignored what came from the subscriber.