by walrus01 2177 days ago
Re: #1, nothing is ever going to fully fix that. SS7 and the PSTN are built on 30+ year old tech where the phone carriers all trust each other. SHAKEN/STIR isn't going to fix it either. The only thing that's going to fix caller ID spoofing and calls coming in via grey market VoIP SIP trunking providers is to burn the PSTN to the ground and start over.

Breaking interoperability with the world's installed base of circuit switched, 25+ year old PSTN equipment is not on the table for the big phone carriers.

4 comments

I think the phone companies are complicit in #1. They sell a lot of phone minutes to companies using foreign call centres that want to seamlessly spoof local calls so they choose not to change. There's no reason, for example, for a call coming from a foreign country to - when received in my country's routing centres - get a local phone number in caller ID.

That should be illegal. Foreign calls, if they're really running against PSTN tech limitations (which I doubt as I thought offshore calls were all routed via internet) then they could easily create hardware to blank out offshore calls caller ID info (and preferably replace with just the international dialling code).

But then your bank would have to admit where their call centres are, and they pay more to phone companies than individual customers do.

Which comes to why there's no legislation (in UK) demanding action from local phone companies; presumably because they pay the politicians more than we do too.

Huh? Banks would be happy for caller ID to verifiably say Bank Foo or 1-800-certified-callback-number.

I don't think the previous commenter is saying that banks don't want verification; they're saying that banks (among other large companies that outsource their customer service) benefit from caller ID spoofing to conceal the true geographic origin of the call. I think the underlying issue is that current telecom carriers permit spoofing to entire swaths of number blocks without much verification.

Yes, that's what I was trying to express, thank you.

It's not possible to solve on a technical level (lots of edge cases), but this is my recurring "make the provider hurt" comment.

Every call should be possible to report and the last organisation which can't justify the caller ID sent gets fined for each such call. Ideally this will end up with a scammer. If not possible, it will end up with a telco which will assign blame on their international partner until they get cut off. No properly run telco wants to get cut off from sending calls to a large country.

But the fines have to start due to correct regulation which applies to everyone.

The carriers somehow have zero trouble figuring out who to bill for the calls. There's no reason the same system can't be used to identify the real originator behind malicious calls and cut them off.

Why wouldn't STIR/SHAKEN fix it well enough? And isn't SHAKEN designed specifically to pass authentication over SS7?

It's fine if providers trust each other as long as they only do that after verifying that the other party is trustworthy, and quickly fix it if that turns out to be a wrong assumption.