FCC proposes $10 Million fine for spoofed robocalls

On Monday, U.S. FCC Chairman Pai and Canadian CRTC Chairperson Scott made the first official cross-border SHAKEN/STIR call.
https://www.fcc.gov/document/pai-scott-make-first-official-cross-border-shakenstir-call

Today, the U.S. FCC announced a proposed nearly $10 million fine for spoofed robocalls.
https://www.fcc.gov/document/fcc-proposes-nearly-10-million-fine-spoofed-robocalls

A U.S. telemarketing firm spoofed the caller-id of a competitor to make approximately 47,610 political robocalls shortly before a California State Assembly primary election.

I think this case is somewhat unusual for robocall spoofing, because the alleged perpetrator, victims, and 'crime scene' occurred within the same jurisdiction.

While the FCC likes to announce large enforcement actions in splashy press releases, it's actually bad about collecting fines. The FCC must rely on the Justice Department to initiate separate prosecution to enforce payment from non-license holders because the FCC can't do that itself. So don't expect anyone to actually pay soon (or ever).

It is so bad that I am not above us bribing politicians in foreign countries to crack down on this.

Would be nice to have these stopped. I received 10 of them yesterday, pretending to be Apple iCloud support.

~ $204 per spoofed call.

How is it envisioned that this will work?
I mean, I'm all for less spam calling... and ideally there would be
some form of 'source address verification' on the PSTN/phone
network... but in today's world that really just doesn't exist and the
motivations to suppress fake sources are 'just as good' as they are on
the intertubes. (with crappier options in the gear - SHAKEN/STIR are
really not even available in the majority of the switch 'gear' right?)

How is it envisioned that this will work?

My prediction for 2020: it still won't work, like in 2019 and the years
before that. A call originated, transported and delivered equals revenue
for all involved parties, so it is in their best interest not to block
them, unless the fines are really magnitude(s) higher than the revenue.

When I tried to pay my AT&T uverse VOIP "landline" bill this morning they
offered me a free "CallProtect App" but when I click on more info it's
in fact only a link to open their "control call forwarding and blocking"
part of the home phone features web site. All their suggested controls
are enabled, still I am receiving only unwanted calls on this line.

In the call and voicemail history list for my number I have at least these
examples for you to laugh at. Hint: look at the numbers. and I have also
been told that there is no equivalent of uRPF in the phone world.

Name Number When Length Actions
Suspected Spam 888-194-1242 11-30-19, 10:56 AM 0:00 Add to Address Book

From Number When Size
NAME NOT FOUND 408-145-1341 08-12-19, 09:14 AM 29 Kb
NAME NOT FOUND 213-141-5163 05-17-19, 10:22 AM 353 Kb

-andreas

This is the biggest issue, and unfortunately (and my knowledge of the PSTN is admittedly a bit lacking, here), there's likely no good way to add it.

Calls on the PSTN are routed essentially based on "who do I feel like handing this off to, today", and then that entity may do the same, and so on. It's pretty routine for an outfit to have multiple contracts for termination that may not even be aware of the "legitimate" numbers from which their customers might "source" a call.

Further, it's entirely normal and perfectly legitimate (to varying degrees) for an outfit to purport in CID a number that is not directly assigned to them nor which will actually result in a callback being routed to them.

Think of caller ID more like reverse DNS. It's largely advisory and, outside some situations where you deliberately want a higher degree of reputation/identity verification and are willing to accept a potentially large number of false flags, there's no real reason to rely on it outside of human nicety.

The rough analogy to the source IP address is the ANI information that's not even passed to most end users. That's "who should I bill this to?". But even that can get overwritten sometimes during call routing, from what I gather. It's also rarely a valid callback number for any non-trivial call source. Or, at least, if you did call it, the person who (might) answer the phone will have no idea what prompted you to do so.

SHAKEN/STIR, the leading proposal to "fix" this, is more like RPKI in a way albeit very much re-envisioned based on circuit switching rather than packet switching. Each intervening network can attest to what degree they are able to verify the CID (and maybe ANI?) information in the call. Unfortunately, a perfectly valid attestation is "I cannot verify it", and indeed that's likely to be most of the attestations you'll see at least at first. The best it really lets you do is figure out some networks at which to point fingers.

When "full attestation" is present, i.e. the network operator has been able to verify that the CID field represents a number authorized for use by the entity originating the call, it's maybe more like DKIM in that you can, with cryptographic certainty, know THE network at which to point fingers as they're the ones who admitted the call into the PSTN with authority that the CID field (among others) is "valid".

[And all the old PSTN folks will please forgive me if I'm inaccurate, here, though corrections are welcome]

"CallerID" is a misnomer. It is actually the "Advertised ID". However, the telcos realized you would not pay to receive advertising so they renamed it to something they thought you would pay for.

Pretty canny business model eh? And apparently y'all fell for it, thinking it was related to the Identification of the Caller, rather than being what the caller wished to advertise.

On top of that, there's also the issue of many telcos deciding that, no, you
can't just shove whatever you want on the wire, it needs to be a DID and name
registered on your trunk... unless you pay us an extra fee per month and say
you'll be good, then you can spoof to your heart's content.

As far as actual enforcement of all this goes, this morning spam and robocall
blocking legislation came into force in Canada. Coincidentally, this morning
so far I've received six robocalls from the same "your social insurance number
has been hacked and you are breaking the law by not paying us to fix it" scam,
two of which were before the sun came up. Prior to today I usually got one a
day on average.

At least one of the big three carriers has said they're going to be rolling
out network-side call blocking "in the coming weeks" but I'm expecting my cell
to continue to be a source of annoyance for the foreseeable future.

Hi Brandon,

Correct. Consider this scenario:

You have a Vonage phone.
You use the "simultaneous ring" feature to have calls to your Vonage
phone also ring your Verizon cell phone.
I call your Vonage phone from my Verizon cell phone. Vonage initiates
a call to your Verizon phone purporting to be from my phone number.

Because, of course, it is. But Verizon receiving the call from Vonage
has no view of the original call I made in to Vonage. To present
you with the caller ID information you want, they have to take
Vonage's word for it that the call really is from a number Verizon
itself owns.

Think of a phone call like a long chain of proxy servers and you're
being asked to accept the source claim made by the first proxy server
in the chain.

Anyway, the FCC's track record collecting fines for spam calls is even
worse than its record for imposing the fines in the first place. This
isn't a legislative problem, it's a technical one. If I had the "in"
with a call center company, I'd build a solution this way:

I call your phone number.
Your phone company compares my number against your whitelist. Ring
through on match.
If no match, "You have reached Name. Press 2 to leave a message. Press
3 to enter your code. Press 0 or stay on the line for an operator."
Ring through on a valid code.
If 0, the call connects to a call center where a live operator
evaluates the call. Who am I? Why am I calling? Do I meet the
plain-English criteria you've established for calls to allow through?
If no, the operator offers to connect me to your voicemail. If yes,
the operator dials you, explains who's calling and asks your
permission to connect the call.

You can spoof the automation but your hit rate spoofing the live
operator is not going to be good enough to keep trying. And if you do
keep trying, the operator company has lawyers and a financial
incentive to go after you.

Regards,
Bill Herrin

Would you please unsubscribe your address from the nanog mailing list?

Ah crap. Sorry for the noise folks. I didn’t catch the return address before I hit send.

It really doesn't (currently at least -- until robocallers start using
voice recognition to defeat my system) need to be this complicated or
over-engineered. A simple audio captcha works wonders.

   Hello. If you are a telemarketer, press 1. If you want to speak to
   somebody at this number, press 5.

Anyone pressing 1 gets their caller-id added to my blacklist and is
asked to add our number to their do not call list. In reality all
telemarketers use robocallers so they don't even get that far.

Anyone pressing 5 rings through (with additional processing described
below).

But that's it. That has blocked 100% of robocalling from actually
ringing the phones in our house for the last few years.

I couple the captcha greeting system with a whitelist (i.e. only
callers not on the whitelist get the above prompt -- callers on the
whitelist ring through directly with no greeting). One gets on the
whitelist because (a) I add them explicitly, (b) their number was
called from our house phones (i.e. the PBX automatically adds all
outgoing numbers to the whitelist) (c) they pressed 5 at the prompt.

The result of that last one (c) is that people only ever hear that
prompt once and if they press 5, they never hear it again. Unless of
course I remove them from the whitelist. That has never had to be done
to the best of my recollection.

Of course I cannot know how many legitimate (robo)calls have not made
it through the gauntlet, but I also have not had anyone complain about
not being able to reach me. I figure if it's really important, some
human from wherever the failed legitimate robocall is coming from will
eventually get in touch with me.

I do also get notified when a caller (i.e. a robocaller) doesn't choose either
1 or 5 and have noticed the very odd robocall that I would have liked
to have received (very few and far between -- maybe 1 or 2 a year), and
add them to the whitelist which works well since failed robocalls
typically get retried so I get it the next time around.

One might argue that having to deal with the notification on each
failed robocall washes out the value of the system, but I would argue
that reading a text message about a failed robocall, when I feel like
reading it, is a more than fair trade-off for not having to interrupt
what I am doing to answer the phone and get frustrated at another
phishing/scam/etc. attempt, and it gives me peace of mind that I will
catch (the very very few) failed robocalls that I did want.

b.

Hi Brian,

I don't want to start an arms race with the spam callers, I want to
end it. That means: jump directly to something they can't easily
defeat.

Regards,
Bill Herrin

Fact is the telcos make lots of money off spoofed robocalls so they have zero incentive to stop the practice.

-Dan

Fact is the telcos make lots of money off spoofed robocalls so they have zero incentive to stop the practice.

That is an easy one to solve. The telco simply needs to provide a free
"Call Screening" service that you can activate on your line such that
the telco terminates all calls with a message "Please enter <random
three digit number> to ring the subscriber line". No valid code,
disconnect the call. They still get to charge a termination fee to
whomever handed the call to them.

Additional features (whitelisting/blacklisting) available for extra
charge.
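The screening gates sketched in this thread (Bill's whitelist, code entry and operator fallback; Brian's audio captcha with auto-whitelisting and failed-call notifications; and the random three-digit challenge just described) modelled together as one added Python example. This is not code from any poster; the decision strings, the 555-01xx numbers and the two-leg greet/respond API are constructed for illustration.

```python
# Added example: a call-screening gate combining the schemes in this thread.
# Numbers, codes and the decision strings are constructed for illustration.
import secrets
from dataclasses import dataclass, field


@dataclass
class CallScreener:
    whitelist: set = field(default_factory=set)        # ring through, no prompt
    blacklist: set = field(default_factory=set)        # pressed 1: telemarketer
    pending: dict = field(default_factory=dict)        # caller -> spoken random code
    notifications: list = field(default_factory=list)  # callers who chose nothing

    def outbound(self, number):
        """Any number dialled from the house is trusted afterwards (rule b)."""
        self.whitelist.add(number)

    def greet(self, caller):
        """First leg: ring known callers, drop blocked ones, challenge the rest."""
        if caller in self.whitelist:
            return "ring"
        if caller in self.blacklist:
            return "disconnect"
        # A fresh code per call is spoken in the greeting, so a replayed code is useless.
        code = f"{secrets.randbelow(1000):03d}"
        self.pending[caller] = code
        return ("prompt", code)

    def respond(self, caller, digit=None, entered=None):
        """Second leg: act on the digit the caller pressed at the prompt."""
        code = self.pending.pop(caller, None)   # consumed whether or not it matches
        if digit is None:
            # Robocallers rarely press anything; log it so a wanted one can be rescued.
            self.notifications.append(caller)
            return "voicemail"
        if digit == "1":
            self.blacklist.add(caller)
            return "do-not-call"        # ask them to add us to their do-not-call list
        if digit == "5":
            self.whitelist.add(caller)  # rule (c): they never hear the prompt again
            return "ring"
        if digit == "3":
            # Must match this call's spoken code; compare_digest avoids timing leaks.
            if code is not None and secrets.compare_digest(code, entered or ""):
                return "ring"
            return "disconnect"
        if digit == "2":
            return "voicemail"
        return "operator"               # 0: hand off to a live screener
```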

"CallerID" is a misnomer. It is actually the "Advertised ID". However, the telcos realized you would not pay to receive advertising so they renamed it to something they thought you would pay for.

Pretty canny business model eh? And apparently y'all fell for it, thinking it was related to the Identification of the Caller, rather than

It's my opinion that STIR/SHAKEN is trying to solve the wrong problem. Telephone numbers are oh-so last millennium. I don't care about telephone numbers any more than I care about IP addresses. What I care about is the From: address, be it email, SIP or anything else that uses an email-like address. Unlike the E.164 quagmire, domains can vouch that they actually sent a message à la DKIM (in fact, when I was developing DKIM, I, for shits and giggles, DKIM-signed SIP messages too). If a message comes from Gmail (and verifies), I have a pretty good belief that it really is that user since I know they don't allow their users to spoof other email accounts. Same can be done with SIP. That is the road forward here, not an ugly complex bandaid on an outdated form of identity.

Mike

Plus if it didn't work well/too cumbersome/etc with email, it probably won't be any better with voice. We have lots of experience with what doesn't work for email.

Mike

There are robocalls that you want to get. Here in California, our wonderful electric company sends out robocalls when they are going to cut our electricity so they don't get blamed for burning down cities (and then still manage to anyway). I'm not sure if our earthquake alerts can robocall or not, but that would certainly be another one that you'd want to get. There are plenty more examples.

Mike

There are laws against many of these SPAM calls today. I suppose the agencies that are responsible for prosecuting these could answer some of their SPAM calls to see who was calling. Same thing with SPAM faxes: we didn't get a technical fix, we just used the law against anyone who tried. Fax SPAM isn't fixed but it's not being abused.

Technical fixes will no doubt be part of the problem. But enforcement will also address this.

But yes I see everyone's lack of apathy for this problem as only accelerating the death of the PSTN.

Kevin Burke
802-540-0979
Burlington Telecom
200 Church St, Burlington, VT