
FCC proposes $10 Million fine for spoofed robocalls

On Thu, Dec 19, 2019 at 9:25 AM Brandon Martin <lists.nanog at monmotha.net> wrote:
> Further, it's entirely normal and perfectly legitimate (to varying
> degrees) for an outfit to purport in CID a number that is not directly
> assigned to them nor which will actually result in a callback being
> routed to them.

Hi Brandon,

Correct. Consider this scenario:

You have a Vonage phone.
You use the "simultaneous ring" feature to have calls to your Vonage
phone also ring your Verizon cell phone.
I call your Vonage phone from my Verizon cell phone. Vonage initiates
a call to your Verizon phone purporting to be from my phone number.

Because, of course, it is. But Verizon receiving the call from Vonage
has no view of the original call I made in to Vonage. To present
you with the caller ID information you want, they have to take
Vonage's word for it that the call really is from a number Verizon
itself owns.

Think of a phone call like a long chain of proxy servers and you're
being asked to accept the source claim made by the first proxy server
in the chain.

Anyway, the FCC's track record collecting fines for spam calls is even
worse than its record for imposing the fines in the first place. This
isn't a legislative problem, it's a technical one. If I had the "in"
with a call center company, I'd build a solution this way:

I call your phone number.
Your phone company compares my number against your whitelist. Ring
through on match.
If no match, "You have reached Name. Press 2 to leave a message. Press
3 to enter your code. Press 0 or stay on the line for an operator."
Ring through on a valid code.
If 0, the call connects to a call center where a live operator
evaluates the call. Who am I? Why am I calling? Do I meet the
plain-English criteria you've established for calls to allow through?
If no, the operator offers to connect me to your voicemail. If yes,
the operator dials you, explains who's calling and asks your
permission to connect the call.

You can spoof the automation but your hit rate spoofing the live
operator is not going to be good enough to keep trying. And if you do
keep trying, the operator company has lawyers and a financial
incentive to go after you.

Bill Herrin

William Herrin
bill at herrin.us
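
The screening flow proposed in the message above, as an added example that is not part of the original post. All names (`Callee`, `screen_call`, `Route`) and the sample numbers are hypothetical; sending an invalid code to voicemail and folding the operator's check with the callee into one `operator_approves` flag are assumptions.

```python
import hmac
from dataclasses import dataclass, field
from enum import Enum


class Route(Enum):
    RING = "ring through"
    VOICEMAIL = "voicemail"
    OPERATOR = "live operator"


@dataclass
class Callee:
    # Hypothetical per-subscriber screening settings.
    name: str
    whitelist: set = field(default_factory=set)
    codes: set = field(default_factory=set)


def screen_call(callee, asserted_cid, keypress=None, code=None, operator_approves=None):
    """Return (Route, reason) for one inbound call.

    asserted_cid is whatever number the upstream carrier claims. Nothing here
    verifies it, so the whitelist step trusts the first hop in the chain.
    """
    if asserted_cid in callee.whitelist:
        return Route.RING, "whitelist match on asserted caller ID"
    if keypress == "2":
        return Route.VOICEMAIL, "caller chose to leave a message"
    if keypress == "3":
        # Constant-time comparison so the menu does not leak code prefixes by timing.
        ok = any(hmac.compare_digest(code or "", c) for c in callee.codes)
        # Assumption: an invalid code falls back to voicemail.
        return (Route.RING, "valid code") if ok else (Route.VOICEMAIL, "invalid code")
    # "0" or no keypress: a human applies the callee's plain-English criteria.
    if operator_approves is None:
        return Route.OPERATOR, "awaiting operator evaluation"
    if operator_approves:
        return Route.RING, "operator approved and callee accepted"
    return Route.VOICEMAIL, "operator declined, voicemail offered"


if __name__ == "__main__":
    # Constructed sample data, not real numbers.
    callee = Callee("Name", whitelist={"+15550100"}, codes={"4821"})
    print(screen_call(callee, "+15550100"))                # spoofable step
    print(screen_call(callee, "+15550199", keypress="0"))  # goes to a human
```
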