63 comments

[ 3.0 ms ] story [ 132 ms ] thread
I am so sick of those calls! Go get 'em, Mariott!
Nice! Good to see a company being proactive about this nonsense.
It's a pure PR stunt unless they have a concrete plan for what they're subpoenaing the telecom companies for.
(comment deleted)
Can one trace where a call originates from?
The phone companies know, but they won't tell you without a court order.
This is a good thing. Companies should not release user data without a court order.
...or consent. Seems like Marriott should get a say in the tracing of calls from people claiming to represent Marriott.
They (or whoever is transiting their lines) know the account number of the entity that pays for the line that the robocalls are originating from. If the phone company made it possible for end users to block numbers based on who is funding the calls I think they would go away fairly completely.
Even with this, it’s probably not going to be of much use when they all turn up from countries with a low standard of living (in terms of USD payment per month). I doubt Marriott would spend the resources suing some company across the world.
If the government cares enough there's still a way to deal with that. Telcos could be forced not forward spam calls and allowed to not accept connections from known spam sources. Then the foreign telcos would have to choose between cleaning up their act or not being able to route calls to the US anymore. Technically that's easy to implement on peering level.

But international routing is still relatively expensive. In most cases your "international" incoming call is just a local one with spoofed source.

or someone whose story is "idk someone on craigslist paid me $300 to set up a business phone account". They'd want these anyways to ensure that they retain access in case of the network actually shutting them out.
Sure, but that doesn't necessarily do all that much to stem the tide. The spam callers care a hell of a lot more about maintaining access and call volume than the telcos care about ensuring spammers stay off the system; if they don't have multiple redundant systems run by facially independent cut-outs, they're organizationally incompetent.

Like, employing someone to hire people off craigslist to help "set up their new business" by opening an outbound phone account under the craigslister's name is cheap compared to the gains from running the spam network.

"We traced the call. It's coming from inside the house!"

Telcos make a bank facilitating the spammers.

Yes and no. The problem is that if you make a call from AT&T then AT&T knows you made the call. But AT&T also has to treat calls from other carriers - including carriers from other countries - as valid phone calls, without knowing if the information provided by the other carrier is accurate. Most of these spam factories are based offshore in countries with lax regulations. Others use legitimate services like Twilio to launder their calls so you have to subpoena their carrier, then subpoena Twilio only to find out that the call is coming from a country or jurisdiction where what they're doing isn't illegal. It's a slow and painful process to track these scammers down.
According to the stats mentioned, robocalls are almost doubling every quarter. What is the technology that empowers this?
It's not really technology so much as investment; i.e. the initial wave of robocalls generate enough income that scam operators can afford to invest in more call centers, phone numbers, infrastructure, etc. Just like a real sales division in a real sales company would.
Everything is a numbers game. Taking revenue from phone companies allowing this to happen is the only way to squash it.
Phone companies at least in the US are taking initiatives to screen spam callers, but there is only so much you can do when there are untrusted actors on the network. Truly ending robocalls would require a global treaty encompassing both hemispheres, and probably the creation of some new UN agency responsible for registering network endpoints (like ICANN). As it stands you can just move to another country that lets you hook up to their infrastructure if you are ever kicked out of your current base of operations. Given that there are still countries where you can e.g. host content that is illegal in the US or other countries, it seems unlikely such a treaty would ever make it into international law.
Spam calls are simply not a problem in many countries outside the USA, so it must be possible to tackle the problem without a global treaty.
Untrusted / unauthenticated does not mean not traceable. You don't need an international agreement to tell companies in your country "you're responsible for not forwarding spam calls, but you also don't have to accept calls from peers with bad spam ratio". Telcos know where the spam comes from either directly or indirectly. They just don't have a good enough incentive to drop partners.
Originally it wasn't a thing to be able to transfer phone numbers between companies if you wanted to switch providers.

The industry pushed back hard saying it was too complicated, would cost them too much in development time, etc. Govt. still pushed and got it through, and now we have more control over our numbers.

If they're fined significantly for forwarding spam, then you bet they'll try to find a way to stop it.

My understanding is that all calls on the voice networks are unauthenticated, the network can’t validate if a number calling is legitimate or spoofed.

In Australia, this problem exists too.

Surely these large telcos can band together and add an auth layer, I’d happily reject unauthenticated calls to me.

They can but they are loosing profits as internet services swallow their market share. They won't do anything that expensive until they legally have to. The best way to fix this is to complain to your government.

The tools exist https://en.m.wikipedia.org/wiki/STIR/SHAKEN

I actually think the majority of robocalls are from call centers with access to blocks of phone numbers they shuffle around.

I wouldn't even be surprised if phone companies got kick backs in some way too. Very few people are willing to change their cell number to protest.

I get ones with my number but the last 4 digits different - this worked the first few times I got them in 2019 but they’re definitely spoofed and I imagine they have a higher success rate than using real numbers.
The protocol exists, and is in use in a number of places. [0]

Whilst it isn't widely deployed yet, it is being rolled out across several nations currently - albeit very slowly.

Telstra is rolling it out as well [1], but they've coupled it to their 5G efforts.

[0] https://en.m.wikipedia.org/wiki/STIR/SHAKEN

[1] https://www.linkedin.com/pulse/tackling-changing-face-our-cu...

T-Mobile in the US has implemented it pretty extensively AFAIK and I rarely get spam calls these days.
Hopefully phone UIs can start showing the check mark with more prominence (and information - it should say ‘not spoofed’ instead of ‘verified number’) since it seems the big 3 US carriers have implemented it.
It's convenient for them to use spoofed numbers now, but it's not strictly necessary. They'll revert back to using large pools of real numbers soon after auth is enforced.
But then you'd at least know which calls you can most likely ignore based upon whether they're in your contact or not. As of now, I've received more than a few calls from random contacts that turned out to be spoofed car warranty expiration warnings.

Newsflash scammers -- I drive a '98 Tacoma. That warranty has been gone for years now.

Why isn't this a problem at all in Europe? I've lived in Switzerland, where I would get 1-2 calls per month trying to sell me some insurance. Now I live in Romania and I don't get any calls like this. And I haven't heard friends complaining about it either.
Most of the EU countries have an opt-in policy: no unsolicited calls are permitted unless the company calling you has your permission.

But that's not the case in e.g. Belgium, where I live. Belgium has a do-not-call register.

Last week, I made a tool to automatically add phone numbers to that list (the do-not-call website API was unprotected,and all I did was automate what anyone could do manually via the website) so that we'd arrive at a de facto opt-in situation, but at 700K numbers the do-not-call website went into maintenance :)

Might have something to do with disposable income disparity. Language barriers also play a role.
As of some years ago, Asterix, but I wouldn't be surprised if there's more specialized software nowadays.
Singling out Asterisk here is not a great example. Autocallers are pretty simple to implement over VoIP anyway. But even with POTS before call centres existed - they just required more expense up front.
It's less technology and more operations research. Dumping large volumes of unwanted calls into the US market can be monetized and scaled, and the response from US industry/regulators/law-enforcement is anemic enough that being fraudulent and illegal doesn't put a damper on things.
Google Fi has a setting where you can have all unknown incoming calls screened by default. I wonder if that can be mandated across all telecoms.
I just block all calls that aren't pre-scheduled on my Google calendar and use Twilio to filter them. Whitelist for SO/parents only.

It's not even about screening, I want anyone calling to make an appointment and not just interrupt whatever I'm doing.

Take my money. No seriously, make it a product I can pay for.
I just leave my phone on mute and never answer it.
Any phone have this option. At least my iPhone have it. I’m pretty sure Android have it too.

If it’s not from a known contact, it’s probably not urgent and they can leave a message.

> If it’s not from a known contact, it’s probably not urgent and they can leave a message.

Debt collectors, doctors' receptionists, local police departments...all of these can be relatively urgent calls and will likely not be known contacts.

Well, I don’t see how is this a different situation than just putting your phone in silent mode or leaving it somewhere in your house (while it’s charging).

This feature is not blocking calls, it just disable ringing / vibrating. You get the notification of a missed call.

Nobody can expect you to be available at any time, even police officers. If they really need to speak to you now, they’ll come at you.

I typically let them leave a voicemail and then call them back immediately if I need to.

A big difference between spam callers and normal callers is that normal callers are extremely easy for you to contact back. Spammers want to call you, but don't want you to know who they are.

It's actually a good security practice to not give out any personal information to people who call you. It's easy to spoof your doctor's office's phone number and start the conversation with "please validate the last 4 of your social so we know it's you". The only way for me to validate that it's actually my doctor's office is for them to give me some info about me that isn't public knowledge, which they won't do until I've already given them private info.

Even if I did pick up when they answer, all I'd say is "Hey, I'm not comfortable giving out information to people who call me. I'm going to go look up your number and call you back, so I know you are who you say you are."

The only time I ever have an issue with calling back is when my doctor needs to talk to me directly, but I recognize my doctor's voice. Someone could spoof my doctor's voice, but I heavily doubt that anyone would go through that much trouble to get my SSN or anything. I'm just not that interesting of a target.

>Google Fi has a setting where you can have all unknown incoming calls screened by default.

It does? I've only ever seen the option to block calls identified as spam.

I've found the Google phone app's call screen to be nearly 100% effective at screening out spam calls. The ones that make it through and ring are those that don't engage with the assistant's questions at all, which is dumb. If I could reject callers that don't say anything to the screening questions I'd be golden.

Great!

Is this going to work any better then me asking the robocallers to put me on their do-no-call list?

I have a very important comment on this that I need everyone to read: your car insurance is expiring and needs to be renewed.
Wait, but the voicemail you left said it was my warranty, not my insurance... Which is it?!
I get 3-6 spam calls a day these days. It has increased from 0-2 a day last year, and 1-2 a week before that. It’s getting to the point where I dread my phone ringing. I can’t ignore unknown numbers because I’m getting ongoing medical treatment from half a dozen different specialists who all call from unknown numbers, and also have kids so can regularly get calls relating to their schooling etc from unknown numbers.

The more recent calls (last 6 months) have also started spoofing local area codes with valid numbers, whereas before this they always came through either as unknown or an international number which were at least a clearer sign that it’s “possibly” a spam call.

It’s infuriating. Something needs to change.

I strongly suspect that once you answer a few spam calls, or a few calls where they hang up immediately (this has to be some sort of probe)-- you end up with many more spam calls.

My personal cell, I do not answer voice calls unless I know your number-- I get one or two calls a week.

My house phone however-- much like you a family member had a medical issue-- and we had to start answering the phone. Over the course of a week the number of spam calls went from 3-4 a day to 12ish a day. After the medical issue was settled, we stopped answering random calls, and within a few weeks the number of calls settled back down to a few a day.

> I strongly suspect that once you answer a few spam calls, or a few calls where they hang up immediately (this has to be some sort of probe)-- you end up with many more spam calls.

I think it's more luck of the draw on which lists the phone# is.

I have an old cell phone (had since ~2006) which gets no spam at all!

I have a new cell phone number which is relentless, easy double digits spam per day every day. And I've never answered any call on that phone except from known family member numbers.

The house landline gets maybe 1 per week or so. Probably less.

My cell phone number is in a neighboring area code I have never lived in and don't know anyone in, so I automatically know those are spam (or rare wrong numbers). Spoofed local area codes have definitely been coming in for a lot longer than 6 months for me.
Marriott is looking ahead. The STIR/SHAKEN system for tracing robocalls is going live by June 30, 2021.[1] It's like TLS certs for phone companies. Voice call source spoofing is about to get much harder. A few robocall companies have already been caught. Marriot is filing a case which will allow them to subpoena the data which tells them who to sue.

[1] https://www.fcc.gov/TRACEDAct

Great observation. It's frankly sad that it took this many years to implement such a common sense system, even though it comes with it's own flaws.

I highly doubt it's gonna do anything for call systems in general though. They've burned enough faith to last a long time.

Does this apply to out of country calls from call centers and online services that provide number blocks that are commonly for cell phones?
(comment deleted)
I'm curious how well this will work from a legal perspective.

I assume the lawsuit will allow them to do discovery with various 3rd parties to try and identify the perpetrators.