Ask HN: What can we do about spam calls with spoofed numbers?
40 points| charleshan | 7 years ago | reply
It looks like spammers are using other people's numbers to make these calls. What can we do to stop this?
[+] [-] porpoisely|7 years ago|reply
Interestingly, a while back, I got a call from a number that looked so familiar but I didn't recognize. I didn't answer but I couldn't get that number out of my mind. So I started looking through my contacts to see if it was someone I knew. Turns out, it was my own number. I couldn't believe it. These spammers were somehow spoofing my own number to call me.
[+] [-] gregmac|7 years ago|reply
CallerID name is more complex [3], as some providers will pass it along and some won't, and the termination provider (the one that receives the call) may or may not accept it. However, many VoIP providers have a way to register CNAM entries; this just also isn't totally reliable due to the way CNAM database sharing works [4].
Takeaway is: CallerID name and number are ENTIRELY unreliable as a means of identification or authentication. In fact, the only thing it's really useful for these days is that if you get a call from a number in your contact list, it probably really is that person because it's unlikely that (a) by random chance the spammer chose a number that is in your contacts, and (b) has compromised your contact list and is using it to choose caller ID numbers.
[1] https://en.wikipedia.org/wiki/Caller_ID_spoofing#Technology_...
[2] https://www.voip-info.org/setting-callerid/
[3] https://en.wikipedia.org/wiki/Caller_ID_spoofing#Caller_name...
[4] https://www.onsip.com/blog/how-caller-id-works-why-it-might-...
[+] [-] nulbyte|7 years ago|reply
Consumers as a group can contact regulators or legislators to urge this be fixed. The technological fix is not that difficult: telcos should whitelist numbers for specific customers so a customer can only use a number as outbound caller id if they are assigned or have otherwise validated the number. Reputable providers like Twilio already do this. This solves the oft-repeated claim that there are legitimate reasons to "spoof" caller id. You can't say it's spoofing if it's your number and you're the one calling...
But telcos don't do this. They don't care if caller ID is accurate, because their customers don't care if caller ID is accurate; most pay for it anyway.
[1]: http://tasker.joaoapps.com/
[+] [-] fredophile|7 years ago|reply
I got my current phone number when I first moved to the US. Now I live on the other side of the country. The spam callers always use the same area code as my phone number in an attempt to appear like local numbers. Anytime I get a call from a California number that isn't in my phone I can safely ignore it.
[+] [-] skolos|7 years ago|reply
[+] [-] mfoy_|7 years ago|reply
But the more people do it, the less useful it will become.
[+] [-] hindsightbias|7 years ago|reply
[+] [-] joecool1029|7 years ago|reply
The phone system is designed to accept anyone calling on it, and there's no authentication mechanisms in place for securing it since it all has to interoperate and is built on dated standards.
There are basically two solutions to stopping the problem (instead of treating the symptom). The first is to increase costs to make phone calls (VoIP made this basically free and it gets abused). This was the old deterrent.
The other is to have providers work on an authentication method for their network, they are starting to do this with STIR/SHAKEN: https://transnexus.com/whitepapers/stir-and-shaken-overview/
Legislation won't help unless it is on the providers to require authentication.
[+] [-] jessriedel|7 years ago|reply
[+] [-] 51lver|7 years ago|reply
[+] [-] wl|7 years ago|reply
[0] https://catalogchoice.org
[+] [-] nathan_long|7 years ago|reply
Industry solutions are supposedly forthcoming - see STIR/SHAKEN standards for caller verification. T-Mobile says they're doing something with this: https://www.t-mobile.com/news/caller-verified-note9
[+] [-] jvagner|7 years ago|reply
PHONE on
PHONE off
...when the calls reach a certain volume, I just forward all calls immediately to voicemail, which also says, "I don't answer this phone anymore -- leave me an email."
After a few days or a week, I turn phone back on and see how it goes.
It ebbs and flows.
For business calls, I direct everything to Google Voice.
For personal, my friends/family know they can still FaceTime me or text me and I'll call back.
I don't actually get a lot of calls to my cellphone, and would gladly pay for data without calling.
From a previous thread, here or on Reddit:
"You actually can turn off cellular network calling altogether, if you are willing to do that.
Dial (star)#67# (or call 611 if it doesn't show up there) to see what number your voicemail center is. Then dial (star)21(star)1(that number)#. That will automatically forward all calls, at the network level, to your voicemail.
To cancel this, dial #21#."
[+] [-] justusthane|7 years ago|reply
[+] [-] AnimalMuppet|7 years ago|reply
If that were in place, then the answer would be "put your number on the do not call list". But for whatever reason, that fix doesn't currently work.
On, then, to the problem you're trying to address. It needs to become illegal and/or technologically impossible to spoof caller ID to a number that you don't own. That is, if you're Apple, and you want all your outgoing calls to present as your main number, that's fine, because you own that number. But masquerading as a number you don't own? No way. It needs to be either impossible or illegal, preferably both.
But what about someone who's, for example, a whistleblower, and can't give out their number without blowing their identity? They could still block the number, but not change it. The caller ID shows up as "Unavailable" or "Blocked" (I just had one of those while making this comment, in fact.) The recipient can then decide to reject that call simply because of the lack of caller ID (as I in fact did).
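The per-customer whitelist nulbyte describes, combined with AnimalMuppet's rule that a caller may withhold a number but not substitute one they don't own, as an added example (not code from the thread or from any provider). The customer names, the `VALIDATED` table and both function names are hypothetical, and the phone numbers are constructed.

```python
import re

# Constructed sample data: numbers each (hypothetical) customer has been
# assigned or has validated with the provider.
VALIDATED = {
    "acme": {"+14155550100", "+14155550101"},
    "solo": {"+12125550123"},
}

def normalize(raw):
    """Return a +E.164 string for a NANP or international number, else None."""
    s = raw.strip()
    if not re.fullmatch(r"\+?[\d\s().-]+", s):
        return None                      # letters or other junk in the field
    digits = re.sub(r"\D", "", s)
    if s.startswith("+"):
        pass                             # already carries a country code
    elif len(digits) == 10:
        digits = "1" + digits            # assumption: bare 10 digits are NANP
    elif not (len(digits) == 11 and digits[0] == "1"):
        return None
    return "+" + digits if 8 <= len(digits) <= 15 else None

def check_outbound(customer, caller_id):
    """Decide what caller ID, if any, a customer's outbound call may present.

    Returns (action, presented): withheld caller ID is allowed and shows as
    "anonymous"; a number is allowed only if validated for this customer.
    """
    if caller_id is None or caller_id.strip().lower() == "anonymous":
        return ("allow", "anonymous")
    number = normalize(caller_id)
    if number is not None and number in VALIDATED.get(customer, set()):
        return ("allow", number)
    return ("reject", None)              # unowned, malformed, or unknown customer
```

Normalizing before the lookup matters: without it, the same owned number written as `(415) 555-0100` and `+14155550100` would be treated as two different identities.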
[+] [-] rthomas6|7 years ago|reply
[+] [-] jlmorton|7 years ago|reply
For the caller, they'll hear a Google Assistant voice that says, "Hi, the person you're calling is using a screening service from Google and will get a copy of this conversation. Go ahead and say your name and why you're calling."
As the caller speaks, the conversation is transcribed in real-time to your phone. If you know the person, you can pick up. If it's a spam call, you can press "Block Number and Report Spam."
[+] [-] zw123456|7 years ago|reply
[+] [-] benmowa|7 years ago|reply
https://en.wikipedia.org/wiki/Premium-rate_telephone_number
[+] [-] maccio92|7 years ago|reply
Any unfamiliar senders get an autoreply asking for them to pay a fee to send the email. You as the receiver get paid this fee (-30%) for each email received (not read)
[+] [-] existencebox|7 years ago|reply
Just this morning I had 4 calls between 5 and 8:00, and I can't turn my phone off. (On-call for work.)
Our government is busy shutting itself down over nonsense, yet pathological problems that are meaningfully impacting citizens are going entirely unmanaged for years. (To the FCC's credit, STIR/SHAKEN is a good step but I think it's very much a too-little-too-late situation; I haven't been able to empty my voicemail box in years lest it get filled up again within a day by spam.)
To make this not just be a rant (and since I see others who are concretely affected in similar ways) Shouldn't we be pursuing our govts/reps to be more aggressive in everything from investigating and prosecuting violations (spammers) to ensuring proper incentives for carriers to help defend against this? Is there anyone who has been a champion for this in the past?
[+] [-] paulie_a|7 years ago|reply
They either hang up or start shotgunning large company names. I try to stall them a bit.
Then aggressively use Google fi to block and report as spam.
It's ridiculous that cell networks actively allow this. This should not be possible. And for US-based spammers, they should arrest and prosecute every single person at the company. No exceptions. You are involved in a criminal conspiracy to commit fraud. Fuck, throw RICO their way.
Many of the operations are overseas but there are plenty in the US.
[+] [-] madamelic|7 years ago|reply
Also helps with bots because it gives off a number-disconnected signal, not just forwarding them to a voicemail or something, which I think helps kill it pretty quick.
You can do whitelists (no one but these people can get through) or blacklists (everyone but these people can get through).
Let me know your thoughts. Additionally there are others that do similar things, but I built mine out of this pain. :)
[+] [-] theWheez|7 years ago|reply
Honest to god, the new call screening feature on my Pixel is the most useful new feature from my phone in the last 5 years.
[+] [-] murph-almighty|7 years ago|reply
If I don't recognize your number, I immediately send it to voicemail. If it's something I need to worry about, I call back.
My hope is that eventually spam callers will catch on to the fact that they've had no hits on my number and drop me from the list. I assume that no amount of interaction I have with them will get me off the list, so I simply choose not to interact with them.
Broadly speaking, you could also probably set up Do Not Disturb settings on your device, and I'd love it if we could filter calls unless they're from specific people during a specific time (e.g. family calls during work).
Long term, the best way we fight this is with our vote. The current FCC administration seems uninterested in this problem, and I think voting in a new administration may provide different results. Engage with your federal representatives as well!
[+] [-] charleshan|7 years ago|reply
You can do this on Android. I usually have Do Not Disturb enabled while I work and I put my buzzer number on the whitelist for deliveries.
[+] [-] clairity|7 years ago|reply
[+] [-] blackboxlogic|7 years ago|reply
TLDR; this is a technical approach to preventing number spoofing except where authorized. Presumably to be implemented by the international telecom industry.
[1] https://transnexus.com/whitepapers/understanding-stir-shaken...
[2] https://datatracker.ietf.org/wg/stir/about/
[+] [-] endymi0n|7 years ago|reply
Snark aside, sometimes I'm happy that the bureaucracy monster EU I happen to live in simply forbids crap like this.
[+] [-] bootsz|7 years ago|reply
https://hiya.com/
[+] [-] jwineinger|7 years ago|reply
[+] [-] devereaux|7 years ago|reply
Then any "local" call is likely to be spam. Filter as needed with a rule matching this area code.
[+] [-] bisby|7 years ago|reply
Anytime I get a call that is local to my actual location, it's almost always someone who has a legitimate need to get a hold of me (or my ISP trying to upsell me to landline phone)
[+] [-] _bxg1|7 years ago|reply
I'm seriously wondering. If anybody can enlighten me, I'd appreciate it.
[+] [-] herodotus|7 years ago|reply
[+] [-] blang|7 years ago|reply
https://www.gimletmedia.com/reply-all/102-long-distance-part...
It gives a lot of information about the subject.
[+] [-] shanecleveland|7 years ago|reply