
The Feds already started on this with the STIR/SHAKEN protocol, which has been mandated by the FCC for most carriers in recent years.

However, just like email spam, stopping spoofed calls is harder in practice than in theory.




It can be very easy, depending on your comfort with breaking existing systems. Disable all inbound international calling and you no longer have a problem. That would remove 99% of spam and would have zero negative impact to 99% of individuals who receive calls.

Of course, businesses with a lot of money care about use cases in that last 1%.


Can't you disable international calls only for individuals who don't need them?


A carrier could probably do that, individuals could not. The challenge is that caller ID is generally kinda like your email display name: It doesn't mean anything. The important part, which STIR/SHAKEN is adding verification requirements to, is what telcos are actually involved in the exchange.

I'd love a setting I could flip to disable inbound voice calls from any carrier that isn't like... Verizon, AT&T, T-Mobile, and Comcast.


Can't they implement a DKIM-, SPF-, etc.-like system? I'm not aware of the technical reality of telcos, but international number spoofing should be easily solvable, as billing is done through the origin location.


It's still in the early days of even deploying signing. Telcos are dragging their feet, asking for exemptions and delays. Once virtually all calls are signed, then there has to be agreement on when to block unsigned traffic, and finally whack-a-mole with banning spammers and KYC to keep them banned.


> However, just like email spam, stopping spoofed calls is harder in practice than in theory.

Is it really? Couldn't the carriers simply require a certificate to allow you to spoof a phone number?


Yes, that's exactly what STIR/SHAKEN does - in theory. In practice, like most complex systems, mandating a change like this requires software and hardware upgrades and compatibility testing, all of which takes time. The FCC tracks >10k telcos and providers. Last time I checked, only a quarter of the companies had fully implemented STIR/SHAKEN since the deadline and the FCC has recently started enforcement action on telcos that have ignored it. There is some evidence it has reduced spoofed calls, but just like email, the scammers have also moved to adapt their techniques.

https://www.fcc.gov/document/fcc-remove-companies-robocall-d...
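
Added example, not part of the thread or any commenter's code: a sketch of the receiving-side claim checks that STIR/SHAKEN signing makes possible, decoding the PASSporT carried in a SIP Identity header and comparing it with the call being set up. The sample header, phone numbers, certificate URL, function names and the 60-second freshness window are constructed assumptions, and signature and certificate-chain verification, which must succeed before any claim is trusted, is left out.

```python
import base64
import json

FRESHNESS_SECONDS = 60  # assumed acceptance window for the iat claim

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def make_sample_identity(orig, dest, attest, iat):
    """Constructed sample Identity header value; the signature is a placeholder."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.invalid/sti.pem"}
    claims = {"attest": attest, "dest": {"tn": [dest]}, "iat": iat,
              "orig": {"tn": orig},
              "origid": "00000000-0000-4000-8000-000000000000"}
    token = ".".join([_b64url(json.dumps(header).encode()),
                      _b64url(json.dumps(claims).encode()),
                      _b64url(b"placeholder-signature")])
    return token + ";info=<https://cert.example.invalid/sti.pem>;alg=ES256;ppt=shaken"

def check_claims(identity, caller_id, called, now):
    """Return (verdict, detail). Signature and cert-chain checks are NOT done here."""
    if not identity:
        return ("unsigned", "no Identity header")
    try:
        # Header value is "<header>.<claims>.<signature>;info=...;alg=...;ppt=..."
        head_b64, claims_b64, _sig = identity.split(";", 1)[0].strip().split(".")
        header = json.loads(_unb64url(head_b64))
        claims = json.loads(_unb64url(claims_b64))
        orig_tn = claims["orig"]["tn"]
        dest_tns = list(claims["dest"]["tn"])
        iat = int(claims["iat"])
        attest = claims["attest"]
        kind = (header["typ"], header["ppt"], header["alg"])
    except (ValueError, KeyError, TypeError):
        return ("reject", "malformed PASSporT")
    if kind != ("passport", "shaken", "ES256"):
        return ("reject", "not a SHAKEN PASSporT")
    if abs(now - iat) > FRESHNESS_SECONDS:
        return ("reject", "stale iat")  # limits replay of a captured token
    if orig_tn != caller_id.lstrip("+") or called.lstrip("+") not in dest_tns:
        return ("reject", "numbers do not match the call")
    if attest not in ("A", "B", "C"):  # full, partial, gateway attestation
        return ("reject", "unknown attestation level")
    return ("claims-ok", attest)
```

The "unsigned" verdict is the case the thread describes as still needing agreement: whether a terminating carrier blocks, labels or passes such calls is a policy choice outside this check.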


The most legacy of systems. They didn't even get rid of human operators until 1970 on Catalina Island. https://youtu.be/jitW_yLwihI

SS7 doesn't have a clean way to do this hence needing to make SHAKEN/STIR, but I don't think anyone did the signalling work for POTS.



