RE: FCC proposes $10 Million fine for spoofed robocalls

[Dan Hollis <goemon () sasami anime net>]

Fact is the telcos make lots of money off spoofed robocalls so they have 
zero incentive to stop the practice.

-Dan

On Thu, 19 Dec 2019, Keith Medcalf wrote:

> "CallerID" is a misnomer.  It is actually the "Advertized ID".  However, the telco's realized you would not pay to 
> receive advertizing so they renamed it to something they thought you would pay for.
>
> Pretty canny business model eh?  And apparently y'all fell for it, thinking it was related to the Identification of the 
> Caller, rather than being what the caller wished to advertize.
>
> --
> The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
>
> > -----Original Message-----
> > From: NANOG <nanog-bounces () nanog org> On Behalf Of Brandon Martin
> > Sent: Thursday, 19 December, 2019 10:25
> > To: nanog () nanog org
> > Subject: Re: FCC proposes $10 Million fine for spoofed robocalls
> >
> > On 12/19/19 12:09 PM, Andreas Ott wrote:
> > > I have also been told that there is no equivalent of uRPF in the phone
> > world.
> >
> > This is the biggest issue, and unfortunately (and my knowledge of the
> > PSTN is admittedly a bit lacking, here), there's likely no good way to
> > add it.
> >
> > Calls on the PSTN are routed essentially based on "who do I feel like
> > handing this off to, today", and then that entity may do the same, and
> > so on.  It's pretty routine for an outfit to have multiple contracts for
> > termination that may not even be aware of the "legitimate" numbers from
> > which their customers might "source" a call.
> >
> > Further, it's entirely normal and perfectly legitimate (to varying
> > degrees) for an outfit to purport in CID a number that is not directly
> > assigned to them nor which will actually result in a callback being
> > routed to them.
> >
> > Think of caller ID more like reverse DNS.  It's largely advisory and,
> > outside some situations where you deliberately want a higher degree of
> > repuatation/identity verification and are willing to accept a
> > potentially large number of false flags, there's no real reason to rely
> > on it outside of human nicety.
> >
> > The rough analogy to the source IP address is the ANI information that's
> > not even passed to most end users.  That's "who should I bill this to?".
> >  But even that can get overwritten sometimes during call routing, from
> > what I gather.  It's also rarely a valid callback number for any
> > non-trivial call source.  Or, at least, if you did call it, the person
> > who (might) answer the phone will have no idea what prompted you to do
> > so.
> >
> > SHAKEN/STIR, the leading proposal to "fix" this, is more like RPKI in a
> > way albeit very much re-envisioned based on circuit switching rather
> > than packet switching.  Each intervening network can attest to what
> > degree they are able to verify the CID (and maybe ANI?) information in
> > the call.  Unfortunately, a perfectly valid attestation is "I cannot
> > verify it", and indeed that's likely to be most of the attestations
> > you'll see at least at first.  The best it really lets you do is figure
> > out some networks at which to point fingers.
> >
> > When "full attestation" is present, i.e. the network operator has been
> > able to verify that the CID field represents a number authorized for use
> > by the entity originating the call, it's maybe more like DKIM in that
> > you can, with cryptographic certainty, know THE network at which to
> > point fingers as they're the ones who admitted the call into the PSTN
> > with authority that the CID field (among others) is "valid".
> >
> > [And all the old PSTN folks will please forgive me if I'm inaccurate,
> > here, though corrections are welcome]
> > --
> > Brandon Martin