That's still not a technical reason why the barn door needs to be wide open. Google being able to set the originating phone number should be the exception rather than the norm.
Just like money transfers, there could be an obligation for telephony services to provide valid identifying information, enforced through a chain of contracts where a link doesn't get to set originating info unless it also agrees to the contract.
There will always be holes, but at least this would provide a mechanism for eliminating them. Also, a "green zone" could start in the US and expand outwards, eventually kicking scammers off of VOIP links situated in the US, forcing their costs up.
PS
Google has been experimenting with verifying email senders.
Law enforcement can already request whatever identifying information there is for any phone call (which amounts to much more than a 10-digit number). Caller ID is a customer service that is intended to serve customers, not to catch criminals. Criminals are only able to use it as an attack vector because there are people who believe it's some kind of authenticity certificate.
If any laws were to be changed I'd mandate a mandatory "This is the number the caller chose to identify oneself with" sticker around caller ID display on any phone with such a feature.
I don't know if you've ever tried to report a nuisance call, but, as the article hints at, there's a wall of apathy at the phone company and law enforcement end to overcome. If they go the extra step to look up ANI, well, that is spoofable as well. Do they regularly go further than that? Making it not so trivial to spoof caller ID would reduce abuse just like some ISPs have elected to implement egress filtering.
Just because the service is currently wildly untrustworthy doesn't mean that it should be or is required to be. There IS a market for better authentication and filtration of nuisances that companies like Google seem to be aware of.
>Google being able to set the originating phone number should be the exception rather than the norm.
Most non-residential buildings have a PBX which is interfaced with the PSTN (actually, a telco like AT&T) via some "trunking" system. Trunking systems, like SIP (which runs over IP on the regular old internet) and PRI (which runs over a T1), unlike simple analog circuits, carry multiple calls for multiple numbers at the same time.
The telco decides internally which PBX a call will be routed to, then presents the audio stream and signaling data (caller ID, destination phone #) to the PBX, which can do pretty much whatever it wants in response.
In a typical business installation, some numbers might be routed directly as calls to specific people's extensions (we call these DIDs), while others might ring several phones at once (and go to the first person to answer), a call queue, an IVR menu, a prompt to "dial your party's extension number," etc.
Or you could do something exotic, like Twilio.
The PBX is also responsible for connecting outbound calls to the outside world. It sends signaling data (CID, destination phone #) to the telco along with whatever audio it pleases, and the telco responds accordingly.
Hundreds of different phone numbers might route to a PBX. No one except the PBX is in a position to know which one makes sense to send as caller ID.
You might say we should only let PBXes send CID of numbers which are routed to them. But this breaks a use case where a business with many branch offices wants the same caller ID (in at least some cases) on outgoing calls from all its locations. To present the "main" number, you would now be forced to route the call over the internal network (typically a VPN, or else a leased line) to the main location's PBX, then out its trunk. This can get really hairy as you have a lot of load on this device as well as a single point of failure for potentially hundreds of locations.
So to support lots of different branch offices presenting the same CID, we now have to be in the business of maintaining a list of authorized CIDs we can send on a specific trunk line. Could it be done? Absolutely, but it isn't simple and telcos don't seem to think it's worth the effort/overhead. And all it takes is one telco who doesn't implement this requirement to make it worthless. (Just run your call spoofing website off an Asterisk instance trunked to that telco.)
It might be nice to have a WHOIS equivalent for telephony - some way to find out the legal name of the entity which pays the bill for receiving calls at a specific number - but no one has gone to the trouble of creating an exhaustive database and forcing telcos to participate in it.
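An added illustration, not part of the thread and not any telco's actual code, of the per-trunk authorized-CID list described in the comment above, including the branch-office case where the main number is routed to a different trunk. The `Trunk` and `screen_outbound` names, the override-with-billing-number policy, and the 555-01xx sample numbers are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

def normalize(number: str, default_cc: str = "1") -> str:
    """Reduce a presented number to +CC... digits (10-digit input assumed NANP)."""
    digits = re.sub(r"\D", "", number)
    if number.strip().startswith("+"):
        return "+" + digits
    if len(digits) == 10:
        return "+" + default_cc + digits
    return "+" + digits

@dataclass
class Trunk:
    name: str
    routed: set = field(default_factory=set)      # DIDs the telco delivers to this PBX
    authorized: set = field(default_factory=set)  # extra CIDs the customer has shown it controls
    default_cid: str = ""                         # billing number of this trunk

    def allowed(self) -> set:
        return {normalize(n) for n in self.routed | self.authorized}

def screen_outbound(trunk: Trunk, presented_cid: str) -> tuple:
    """Telco-side check on the CID a PBX sends. Returns (action, cid_to_send)."""
    cid = normalize(presented_cid) if re.search(r"\d", presented_cid) else ""
    if cid and cid in trunk.allowed():
        return ("pass", cid)
    # Unlisted or empty CID: send the trunk's own number instead of trusting the PBX.
    return ("override", normalize(trunk.default_cid))

# Constructed sample data (555-01xx numbers are reserved for fictional use).
MAIN = "+12025550100"   # main office number, routed to a different trunk
branch = Trunk(
    name="branch-office-7",
    routed={"202-555-0142", "202-555-0143"},
    authorized={MAIN},
    default_cid="202-555-0142",
)

if __name__ == "__main__":
    for cid in ["(202) 555-0143", MAIN, "+1 202 555 0199", ""]:
        print(repr(cid), "->", screen_outbound(branch, cid))
```

As the comment notes, a check like this only helps on calls entering through carriers that enforce it; a call handed over by a carrier that does not screen arrives with whatever CID it was given.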
"we now have to be in the business of maintaining a list of authorized CIDs we can send on a specific trunk line"
Yeah, that's what I was thinking. Similarly, some ISPs have implemented egress filtering to reduce abuse. At least a few speedbumps in the way of total anonymity over the phone would make scamming less trivial.
There will always be holes, but at least this would provide a mechanism for eliminating them. Also, a "green zone" could start in the US and expand outwards, eventually kicking scammers off of VOIP links situated in the US, forcing their costs up.
PS Google has been experimenting with verifying email senders.