
Years ago I heard that SHAKEN/STIR were being implemented and would allow robocall blocking. I still get tons of robocalls. I've had this explained as "SHAKEN/STIR were the crypto that will eventually allow blocking, but the blocking will happen later." Is it later? Is this the start of the actual blocking?


It has started. SHAKEN/STIR are what gives the FCC the ability to trace the source of these calls backwards and hold responsible the gateways acting in bad faith.


I stopped getting spam phone calls months ago. Something definitely changed in the last year, or maybe 2 years.

It was ridiculously often in 2020/2021/sometime in 2022 maybe?


Hasn’t changed for me. I am constantly pestered by spoofed-local-number spam calls at both my personal number and my work number, in two different area codes. My job requires me to be available on the phone so it’s particularly frustrating because of how often I have to pick them up just to hear about a warranty on yet another car I’ve never owned.


That’s a bummer. I am using ATT’s mobile service, on an iPhone. Maybe different carriers/phones have different implementations?


Also ATT/iPhone. I think Google Voice (my work line) routes through a different network and I do think I get more spam calls there.


Similar experience here. I got absolutely ridiculous numbers of spam calls up until maybe early 2022? Now I get almost none in comparison. Like 2-3 a month as opposed to tons every week before.


I've gotten 6 spam calls so far today.


The traceback rules are really what did that but I think those were in the same bill that mandated STIR/SHAKEN. STIR/SHAKEN just makes spoofing caller ID more difficult.


Are the provisions of STIR not necessary for the traceback rules to be applicable?

My understanding is that without STIR a gateway acting in good faith can't definitively identify malicious traffic, and a gateway acting in bad faith can claim any malicious traffic they forward appeared legitimate.


We're still very early in the process.

1) Deploy caller ID signing. <--We are here.

2) Deploy policies to make inter-telco tracebacks easier and increase liability for carrying too much spam.

3) Drop unsigned traffic and shut down spam-friendly portions of the PSTN (analogous to open email relays).

4) Use the tracebacks and KYC to deter robocalling operations from getting onboarded and ban current customers who are robocalling. And keep them banned when they open new sockpuppet accounts. It'll never be completely eliminated.

5) See 4.

Two-thirds of PSTN traffic is unsigned. https://transnexus.com/blog/2023/shaken-statistics-july/


You can get local phone numbers for a trivial amount of money - no caller ID spoofing required! Robocall operators have realized this which is why a substantial amount of robocalls are attested: https://commsrisk.com/calls-with-stir-shaken-c-attestation-n...

Even if there is thorough, mandatory KYC for VOIP services, we will just have robocalls being routed through simboxes filled with prepaid SIM cards. The whack-a-mole game will move there and the carriers will lose just like they do in Africa and the Middle East where people use them on a giant scale to arbitrage termination rates.


>we will just have robocalls being routed through simboxes filled with prepaid SIM cards.

It would cost a lot of money, especially if carriers limit the number of numbers you can call each month before an additional charge (100-200 numbers / month then extra fee?)

> You can get local phone numbers for a trivial amount of money

And companies that provide phone numbers can also monitor suspicious traffic.

I remember that when I first opened an account at Callcentric, they froze it until their support could reach me to ask a few questions.

Now, I've had it for a few years, did just a few calls, and I no longer have to go through that to subscribe to more services.

On a slightly different topic, cloud providers have learned to keep their IPs clean, even if you can get some for cheap. They just check what you're doing.

So it can be done!


> it would cost a lot of money, especially if carriers limit the number of numbers you can call each month before an additional charge (100-200 numbers / month then extra fee ?)

Anything like this would still have to be affordable enough for call centers and businesses. A pharmacy can easily have 10-20 lines: A few for the cash registers, a couple for the office, and a bunch for the pharmacy (they might still have a fax line too). It is easy to see how a call center or a large department store (wal-mart) might reach 100 lines.

And on top of that, you'd somehow have to make this international and get other folks to enforce this - and this is assuming the scam call centers are following the law in ways that the country in question can actually enforce.

I always like the sound of the simple solutions, but every time I look into these details, I can understand why they don't just work.


SHAKEN/STIR are implemented but the providers have given no tools to the end users to actually do anything actionable with it. Heck, they haven't even exposed it unless you are a megacorp.

The telcos might be a common carrier, but as the end user I sure as shit should be able to block calls originating from providers I see abuse from constantly. I'm looking RIGHT AT YOU, TxtNow.


> Heck, they haven't even exposed it unless you are a megacorp.

Cell phones surface the SHAKEN/STIR attestation status to the user via a checkmark in the telephone UI.

If you want to programmatically act on that data to filter calls... Android provides access to the attestation level via the android.telecom.CallScreeningService API. (I can't speak to what iOS provides.) For VoIP, many providers will also either pass along the attestation level in the SIP headers or by appending some text to the Caller ID string.
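As an added example (not part of the original comment or of any provider's code): one way to read the attestation level from SIP headers, assuming the provider forwards the standard SIP `Identity` header carrying the SHAKEN PASSporT. The function names, labels and sample values are constructed for illustration, and the code decodes the token without verifying its signature.

```python
import base64
import json

def b64url_json(segment):
    """Decode one base64url JWS segment (padding restored) into JSON."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def parse_identity_header(value):
    """Extract SHAKEN claims from a SIP Identity header value.
    Decoding only: the ES256 signature is NOT checked here, so the result is
    trustworthy only if an upstream verification service already validated it.
    """
    token, _, param_str = value.strip().partition(";")
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("Identity header does not carry a compact JWS")
    header, claims = b64url_json(parts[0]), b64url_json(parts[1])
    if header.get("ppt") != "shaken":
        raise ValueError("not a SHAKEN PASSporT")
    params = {}
    for item in param_str.split(";"):
        key, sep, val = item.strip().partition("=")
        if sep:
            params[key] = val.strip('<>"')
    return {"attest": claims.get("attest"), "origid": claims.get("origid"),
            "orig_tn": claims.get("orig", {}).get("tn"), "params": params}

def label_call(headers):
    """Return a label, not a block verdict: unsigned calls can be legitimate
    and attested calls can still be unwanted."""
    value = headers.get("Identity")
    if value is None:
        return "unsigned"
    try:
        attest = parse_identity_header(value)["attest"]
        return {"A": "full", "B": "partial", "C": "gateway"}.get(attest, "malformed")
    except (ValueError, AttributeError, TypeError):
        return "malformed"

def sample_identity(attest="C"):
    """Constructed sample header: placeholder signature, example.org URL."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
           "x5u": "https://cert.example.org/sp.pem"}
    claims = {"attest": attest, "dest": {"tn": ["12025550101"]}, "iat": 1690000000,
              "orig": {"tn": "12025550100"},
              "origid": "00000000-0000-4000-8000-000000000000"}
    return (f"{enc(hdr)}.{enc(claims)}.c2lnbmF0dXJl"
            ";info=<https://cert.example.org/sp.pem>;alg=ES256;ppt=shaken")
```

The `origid` claim identifies the signing provider's point of origination, so it is the field a per-originator rule would key on once the signature has been verified.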


IMO the attestation level isn't really actionable data though. A legitimate call may come through missing attestation for reasons that are not malicious. Similarly for things like B2B, the calls themselves may be attested and legal, but I'd still want to block them. We really need to be able to get the entire payload.

If end users could directly and simply block carriers that waste their time by delivering shit calls, this entire issue would have worked itself out years ago. I just don't think that the current strategy of having the FCC yell big numbers at foreigners is really doing all that much...


Neat. Sounds like I gotta explore what's available there now. The parent comment's issue sounds like a pretty good feature to add to an app... thx.


Personally I've seen very few robocalls these days.

I think all the IP-based providers in the US have implemented SHAKEN/STIR. There is still a small number of non-IP-based systems for which the FCC is looking for solutions. And international calls will take some time as other countries look into implementing similar methods.


I get calls nowadays with caller id telemarketer or suspected spam or similar, is this what it does?


A little yes, a little no. Your phone knows when it's receiving a call from an unauthenticated number, but it would be very unreliable to use this metric alone to decide when a call is untrustworthy. My understanding is that carrier telemetry is what drives the final yes/no verdict.


This method basically has not yet been used much, but it is in place.

The dangerous issue is that if a spam operator has 33% legit traffic, do you kill the spam operator and the good traffic with it, or what? Kill the traffic... innocent people harmed, or leave the traffic, spam continues.


> if a spam operator has 33% legit traffic, do you kill the spam operator and the good traffic with it, or what?

Yes, we should with these long-time, serial offenders. Having legit traffic is just a fig leaf cover for them anyway. Any legit reseller clueless or negligent enough to accidentally stumble into business with these guys will switch providers as soon as their customers' calls stop connecting.

Also, no real telecom providers are routing meaningful amounts of traffic through these shady operations. Any legit traffic on their networks is mostly coming from fly-by-night, bottom-feeding telecom resellers in the same countries the spam calls originate from. Any retail customers of those resellers are probably paying ripoff prices for unreliable per-day or per-call service anyway. It's not people with normal pre-paid monthly service from any legit telco you've ever heard of.


Kill the spam operator.

Also end-users should get information from every hop, so we can block whatever we want with full information, client-side, uBlock-origin style.


You tell the operator to cut off the spammers, and if they don't do it in a reasonable time you cut off the operator.


Kill the traffic. The operator has to do a better job to stay in business.


The operator's business is not the concern here.


If a bank is comprised of 66% of their customers being narcos, the bank gets shut down.

You don’t get to facilitate in illegal shit and hide behind your legitimate customers. Likewise, if you are a customer of theirs and know they heavily transact with illegal services, it’s on you for getting blocked.


Naw they just get a slap on the wrists from the Feds and move on. No jail time even. Now if you and I laundered money to the Mexican drug cartels...

"too big to jail because they are too big to fail"

https://www.investopedia.com/stock-analysis/2013/investing-n...


Their legitimate customers are. If that means getting the operator to clean up their act, so much the better. If they won't, then at some point their legitimate customers will suffer.

And will probably have to jump to a more expensive provider who isn't subsidizing them with spammer revenue.


> The dangerous issue is that if a spam operator has 33% legit traffic, do you kill the spam operator and the good traffic with it, or what?

You are implying that "you" means the telco or FCC decides on behalf of "everyone." That is not the correct viewpoint. If the telcos are the common carrier, they don't get to decide. I am the customer; I get to decide. Problem solved. No additional regulation or debate is needed. This isn't hard.


If the spam calls have spoofed source numbers, the provider should be within their rights to refuse the traffic regardless of common carrier status.

I am the customer and I would love to see the data of which providers _originated_ each call that I'm about to answer. That would make it trivial to set rules about which ones don't even ring. But until I can have that data, I wish they'd just drop the obvious junk.


>I am the customer and I would love to see the data of which providers _originated_ each call that I'm about to answer.

The telcos have this information, but they only usually relay the CallerID (which is user-specified, ie "spoofable") to the end user. ANI, RPID, and now SHAKEN/STIR information which does identify the origin and origin carrier are simply not passed to end users to do anything with, or at least I have not been able to get them to do it despite having capable interfaces.


> I am the customer; I get to decide. Problem solved.

If only we actually had that ability. The best mechanism available to me is what I do: if I get a call from a number that isn't in my phone book, I don't answer it.


> If only we actually had that ability.

"We" do, if people would ask properly for it instead of trying to break the customer/common carrier contract.

The carriers withhold information from customers that is useful to determine the nature of traffic and whether it should be accepted or rejected. The amount of metadata that accompanies a modern phone call is substantial, and the carrier typically relays only ONE FIELD to the customer.

Customers should demand access to all call/circuit/packet metadata that is necessary or useful to implement their own traffic policy. To the average person, I can see why it might seem that the carriers appear to be ideally suited to police this problem, but the correct way for them to do it without violating their obligations as a common carrier is to empower their customers with the information and the tools to do it on their own.


Thus describes the incentive, and the onus, for the provider to prevent spam on their network.


If a vpn has 33% legit traffic do you ban every IP range of their service?


Yes


The Spamhaus approach (and one that is increasingly popular in telecom) is to say "f*** it, kill the provider." A lot of people disagree with this obviously.


Spamhaus doesn't block anything.

Spamhaus publishes information on network space which originates large volumes of spam.

Mail system operators use that information as they see fit.

<https://www.spamhaus.org/sbl/>


This is technically true but practically irrelevant. A Spamhaus listing is the Internet equivalent of a sanctions designation and the process to get removed is equally as Kafkaesque as OFAC's. Not to mention the fact that addresses in the [DROP list](https://www.spamhaus.org/drop/drop.txt) effectively can't even connect to the broader Internet because every important tier1/tier2 uses these lists and drops all their packets.


[flagged]


You can't do this here, and we ban accounts that post like this, so please don't do it again.

https://news.ycombinator.com/newsguidelines.html



