Forcing telecos to authenticate phone calls would probably be the single most important change.

But instead of forcing them, we have been letting them drag their feet while regular people are losing billions to scams.

The whole phone system is ancient and long deprecated. When I get a call from my bank I should see their name and a badge of authentication. Not a random phone number.

Imagine you could register irs.gov and start sending e-mails from that domain. That is pretty much the current state of the phone system.

Un-fucking-believable no one is forcing change here.

Telcos have systems in place that are specifically to allow international phone calls to appear as if they're local calls. This is to "facilitate business".

They have these services and continue to offer them because they get paid for having them, despite the double-decker-bus-sized hole this provides for scammers.

I agree 100% that there should be much tighter regulation on telcos.

What I'm not sure of is actually whether it's possible without having to rebuild a lot of their networks almost from scratch.

Phone numbers should just be deprecated and move towards a DNS like system.

Phone numbers have nothing to do with the spoofing problem. Hierarchical identifiers would have the exact same problem. The problem is that VOIP callers can set whatever phone number they want. Email is also vulnerable to spoofing.

The solution is to roll out signing for phone numbers. The owner of each phone number is known. It could even be published in DNS with ENUM. Most phone calls are from big companies like telcos and mobile providers. The VOIP callers would be harder to update, but could be restricted so they can't spoof known numbers.

If we're going to roll out a new identity system, it's easier to use existing phone numbers than to make a whole new identifier system.
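The signing scheme described in the comment above, as an added example that is not part of the original thread and not any carrier's or standard's code: the number's owner publishes a public key under its ENUM name (an in-memory map stands in for DNS), the originating side signs the caller ID, and the terminating side refuses anything unsigned, signed with the wrong key, or older than a 60-second window. The attestation format, the key lookup and the freshness window are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Attestation is what the originating carrier vouches for (hypothetical format).
type Attestation struct {
	Orig     string `json:"orig"` // calling number, E.164
	Dest     string `json:"dest"` // called number, so a signature can't be reused for another callee
	IssuedAt int64  `json:"iat"`  // unix seconds, so an old signature can't be replayed
}

// EnumName maps an E.164 number to its ENUM name (RFC 6116): "+1415" -> "5.1.4.1.e164.arpa."
func EnumName(number string) string {
	digits := strings.TrimPrefix(number, "+")
	parts := make([]string, 0, len(digits))
	for i := len(digits) - 1; i >= 0; i-- {
		parts = append(parts, string(digits[i]))
	}
	return strings.Join(parts, ".") + ".e164.arpa."
}

// SignCall is the originating carrier's signature over the attestation.
func SignCall(priv ed25519.PrivateKey, a Attestation) []byte {
	msg, _ := json.Marshal(a) // struct field order is fixed, so the bytes are canonical
	return ed25519.Sign(priv, msg)
}

// VerifyCall is the terminating side's check: fetch the key the number's owner published
// under its ENUM name (a map stands in for DNS), reject stale claims, verify the signature.
func VerifyCall(dns map[string]ed25519.PublicKey, a Attestation, sig []byte, now time.Time) bool {
	pub, ok := dns[EnumName(a.Orig)]
	if !ok || now.Unix()-a.IssuedAt > 60 || a.IssuedAt > now.Unix()+5 {
		return false // unknown owner or stale attestation: treat as unauthenticated
	}
	msg, _ := json.Marshal(a)
	return ed25519.Verify(pub, msg, sig)
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key for the number's owner
	dns := map[string]ed25519.PublicKey{EnumName("+14155550100"): pub}
	call := Attestation{Orig: "+14155550100", Dest: "+14155550199", IssuedAt: time.Now().Unix()}
	fmt.Println("authenticated:", VerifyCall(dns, call, SignCall(priv, call), time.Now()))
}
```

A caller whose number has no published key simply fails verification, which is how the "restrict VOIP callers from spoofing known numbers" part would fall out of the same check.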

Afaik, VoIP is just the easiest onramp to spoofing numbers.

Anyone with BGP-equivalent access to the phone network can spoof numbers, even if they're coming from a landline. Might even be able to when you have a business landline terminated in a PBX.

i.e. the phone network backend is built on trust.

The older I get the more I realise how much of an anchor legacy systems are, so the more I appreciate forward planning in many contexts.

I like to do things in a modular fashion; sectioning off related parts.

I admin the phone system for my phone company; for any user I can change the outgoing CLI to be literally any number in the world. I can even call out as "1" if I want to.

Are there good reasons for having that kind of configurability?

Do you use it?

Our provider doesn't support toll free numbers - so we can dial out using ours even though it's not in the system. Also helpful when you're doing a migration from one platform to another.

It's worse than that.

I got a call with the caller id of my (credit union) credit card company. They had my name and address, knew I had a card, and were claiming they were investigating fraudulent charges. It sounded more official than my actual credit card company. The only real things to tip me off were that the list of fraudulent charges kept changing, and they were super keen on me reading the entire credit card number back to them.

There were never any fraudulent charges, and the actual fraud department didn't seem to care.

I'm guessing it was due to the Experian leak.