What ever happened to SHAKEN/STIR? I thought this was supposed to happen 5 years ago. Did they just chicken out on the prospect of actually shutting down telcos sending spam volume? I still get loads of spam phone calls, so clearly something went wrong (or slow enough to be indistinguishable from wrong).

I love a good tortured acronym:

> SHAKEN system, short for Signature-based Handling of Asserted information using toKENs [...]

> The name was inspired by Ian Fleming's character James Bond, who famously prefers his martinis "shaken, not stirred". STIR having existed already, the creators of SHAKEN "tortured the English language until [they] came up with an acronym."

https://en.wikipedia.org/wiki/STIR/SHAKEN

(Unrelatedly, seeing a slash used casually within the URL slug feels so wrong)

I like backronyms because it tells me someone with a soul was involved

LLMs are really good at making backronyms, in fact it might be one of the things they're best at. Try prompting any soulless overlord with "give me a backronym for <WORD> that relates to <SUBJECT>".

So maybe it's bad backronyms that demonstrate the soul. I don't know whose idea it was to allow a computer to generate whimsy; that should be interdicted by a fourth law of robotics.

I'm not certain, but I think on my phone incoming calls that fail SHAKEN/STIR show the caller id in red rather than black text. I'm on T-Mobile. It also shows "Number Verified" or something like that.

Now that you mention it, I believe I have seen a couple of red flagged calls, but I still get ~3 calls a day from a very aggressive business loan spammer, it's always a new number and never flagged.

That's because they are bulk purchasing numbers from voip providers, cycling through probably hundreds per day.

Do they actually need to purchase numbers to do that, though?

I always imagined that there are certain shady providers ("grey-market Twilio" sort of idea) that just let you run single outbound call/text requests through a giant pool of numbers shared with other customers of the service. Perhaps specifically a bank of residential numbers plugged into banks of regular cell phones, like a residential IP proxy service provider.

Somebody at some point is purchasing them, probably not the spammers/scammers themselves.

It's very unlikely anybody is placing spam/scam calls with regular cell phones when VoIP numbers are easy and cheap to get, and when VoIP systems are far easier to manage.


Anybody desperate enough to consider telemarketed merchant cash advances (MCAs) should look into them very carefully first. The contracts often have stipulations that allow them to draw money from your bank account at will, penalty interest rates that jump up to 400% APR, have been known to use mafia enforcers to violently extract payments, and the list goes on. There was a More Perfect Union video (titled something about texting back a loan shark) with a bracing, if sensationalized, look at some of the worst ones.

According to a defcon talk, spammers just make sure all their spam gets routed through legacy TDM systems which discard the shaken/stir header because they're too old to support it. The other side then re-adds a "we got this from somewhere that didn't support this header" header.

> legacy TDM systems

Easy fix. It should be opt-in to accept a call that is routed through one of these. I know they allow it so some grandma in rural France that still uses a dial phone on a copper line that hasn't been touched since 1962 can call her son in New York, but for the rest of us who are not in that situation, we can just blacklist all those calls and lose nothing. This would even fix spam for the people who opt-in, because so few people have grandmas in rural France that it's not worth it for the spammers to bother anymore.

It is opt-in. There are three categories (according to that defcon talk): call originates from the number it says it does, call originates from our network but we're not sure about the number, and call came to us unverified (only allowed by regulation on legacy links).

Now, operators of those legacy links make A LOT of money for operating them since they carry 100% of the country's spam traffic, and they're not going to shut them down just because you think they should. The government would have to make them do it and they'll pretend upgrading is super expensive.
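An added example, not code from this thread or from any carrier: the policy layer a terminating provider's verification service applies to a SHAKEN PASSporT (the JWT carried in the SIP Identity header) after its ES256 signature has already been checked against the certificate named by the "x5u" header. It maps the three attestation levels described above ("A" for a vouched-for number, "B" for a known customer but unknown number, "C" for a call that entered unverified from a legacy link and was re-tagged by the gateway) to a display decision, and rejects stale or mismatched claims. The certificate URL, telephone numbers and freshness window are constructed values.

```python
import base64
import json

MAX_AGE_SECONDS = 60  # freshness window for "iat" (assumed local policy value)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_passport(claims: dict) -> str:
    """Build a compact PASSporT for testing. The third part is a constructed
    placeholder: a real token carries an ES256 signature over header.claims."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://certs.example.invalid/sp.pem"}  # constructed URL
    parts = [_b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
             _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
             _b64url_encode(b"placeholder-signature")]
    return ".".join(parts)


def parse_passport(token: str) -> tuple:
    """Split a compact PASSporT into (header, claims); signature assumed verified."""
    header_b64, claims_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(claims_b64))


def classify_call(token: str, from_tn: str, to_tn: str, now: int) -> tuple:
    """Return (display_state, reason) for an incoming call carrying this PASSporT."""
    header, claims = parse_passport(token)
    if header.get("ppt") != "shaken" or header.get("alg") != "ES256":
        return "unverified", "not a SHAKEN PASSporT"
    iat = claims.get("iat", 0)
    if not (now - MAX_AGE_SECONDS <= iat <= now + 5):  # small clock-skew allowance
        return "unverified", "stale or future iat (possible replay)"
    if claims.get("orig", {}).get("tn") != from_tn:
        return "unverified", "orig.tn does not match the presented caller ID"
    if to_tn not in claims.get("dest", {}).get("tn", []):
        return "unverified", "dest.tn does not include the called number"
    attest = claims.get("attest")
    if attest == "A":
        return "verified", "full attestation: originating provider vouches for the number"
    if attest == "B":
        return "partial", "partial attestation: customer known, number not vouched for"
    if attest == "C":
        return "gateway", "gateway attestation: call entered unverified from a legacy link"
    return "unverified", "unknown attestation level"


# Constructed sample claims for a call from 12025550143 to 12125550199.
SAMPLE_CLAIMS = {"attest": "A", "dest": {"tn": ["12125550199"]}, "iat": 1700000000,
                 "orig": {"tn": "12025550143"}, "origid": "constructed-origid-0001"}
```

A handset that colours the caller ID by this state would show the loan spammer's daily fresh number as "gateway" or "unverified" rather than "verified".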

Sure, but why do I care? Let them run the legacy links. Just don't make my phone ring.

> Easy fix. It should be opt-in to accept a call that is routed through one of these.

Easier (and correct) fix: Telecoms operators should not be permitted to provide transit to a call that's routed through one of these.

> I know they allow it so some grandma in rural France that still uses a dial phone on a copper line that hasn't been touched since 1962...

This doesn't make sense. Even my inexpensive Mikrotik switches can augment packets with the ID of the port that they originated from. I do not believe for even a second that telecoms-grade switching equipment is unable to do the same. The fact that that grandma can send and receive calls tells you both that that equipment exists and that it knows what port her phone is connected to.

> I do not believe for even a second that Telecoms Grade switching equipment is unable to do the same

Mikrotik is a young spring chick compared to the dinosaurs in telecom.

> I do not believe for even a second that Telecoms Grade switching equipment is unable to do the same.

The example should rather have been some telecom carrier in Africa or India. Telco equipment is expensive, the technology is ridiculously complex, and getting companies, especially in less well-off regions, to replace aging stuff and update it to modern standards is next to impossible. Think about it: the globally connected phone system includes countries where you get 10 Gbit/s symmetric fiber in your home, and it includes countries where people don't even have running water because they're so poor.

The fact that we in Western countries can have a realtime conversation with someone in the Saharan desert or in an Indian village that requires days worth of travel [1] is nothing short of a miracle.

[1] https://www.aljazeera.com/gallery/2024/5/8/an-election-booth...

I am more in tune with "just get it over with" than ever. IPv6? 25 years of this crap? They should have just said: Jan 1 2001, all routers must support 64-bit IPv4 addresses. Like the Chrome HTTPS switchover, JUST DO IT.

You mean 128-bit? That's called IPv6. It's IPv4 with 128-bit addresses.

Just because a call is a spam call doesn't mean it is spoofed. STIR/SHAKEN ends spoofing but anyone can ultimately buy a phone and make calls that are spammy.

Spoofing isn’t ended at all

Almost every spam call that I get is spoofed.

Someone here explained it, once.

I think the spoofed calls use a legacy transport tech that can’t be forced to validate.

Can't that legacy transport be blocked / not-be-peered with then? That's what usually happens with old insecure tech that is being phased out.

How do you verify it is spoofed? Have you asked your carrier to drop unverified calls from your service?

> How do you verify it is spoofed?

Not my job to "verify," in the technical sense.

When a call for an Indian crypto pump comes in as "SMITH, ROBERT", and a local exchange, I call that "spoofed."

Mine literally come from the verified Coinbase phone number and say Coinbase and everything. If I didn't know for sure they are not calling me, I'd think it was real 100%.

Sure, but with phone numbers that can't be spoofed, telcos can terminate service, and filtering technologies can block calls. Spam gets expensive if you have to buy new service every five calls.

It does. But the spammers still do it. Because eventually they hit one person who gives them a thousand dollars or whatever and it pays off.

Preventing spoofing doesn't have to make spam cost-prohibitive for every spammer to greatly reduce the volume, and it does not interfere with ordinary people obtaining phone service anonymously.

Nobody is making spam calls with cell phones. Spammers use VOIP services and old TDM systems.

There are SIM card banks for SMS spam… I'd be surprised if there wasn't anything similar for calling. Not that I support this bill, but it is a thing.

From what I’ve investigated as a recipient of spam calls, I’ve been called from legitimate mobile numbers from my own mobile telco. The only thing that explains that are SIM card banks.

Unfortunately there isn’t an easy way to report abuse to the telcos (and regulators).

STIR/SHAKEN up to this point has only been a self-certification that a telecom company has the right to use a number. What the FCC is trying to do is set up a legal obligation for the STIR/SHAKEN header to match a KYC verified identity.

If the FCC implements this, I expect a lot of litigation because of the burden and legal liability this would place on telecom and VoIP companies. There are other less burdensome approaches to preventing spam that the FCC has not tried.

I am constantly amazed how few people understand that preventing spam is below the last thing the FCC is actually interested in.

First of all, the decision makers at the FCC profit directly from spam, Christ.

Secondly, the indirect value of spam to the FCC is that it helps to justify initiatives to ruin the privacy of ordinary people via the constant push for KYC.

Just like "age verification", Flock cameras, license plate scanners, ubiquitous IoT with microphones and cameras, etc. Governments and corporations both profit from shredding every molecule of your privacy.

The FCC issued a report on this very subject[1]. TL;DR, there have been four exceptions to the SHAKEN/STIR requirements:

- Providers that can't afford to implement it
- Non-IP networks
- Small voice service providers that originate calls via satellite using U.S. NANP
- Providers that lack control over the network infrastructure necessary to implement it

Nothing is going to change as long as those holes exist.

1: https://docs.fcc.gov/public/attachments/DOC-416732A1.pdf

The "can't afford it" exception is disappearing soon, as it isn't true for any business. Total setup costs for STIR/SHAKEN are under $2000 these days. Providers that lack control over the network infrastructure (i.e. they don't have the ability to control the STIR/SHAKEN headers, so by definition they can't spoof numbers) will likely continue to be a thing, as changing it would force pretty much every small business in the VoIP industry out of business and allow only large companies to be VoIP service providers.

> I thought this was supposed to happen 5 years ago. Did they just chicken out on the prospect of actually shutting down telcos sending spam volume?

It would certainly hurt a consumption-based economy, for starters.

Why would that hurt a consumption-based economy?

Telcos make money off of scammer activity.

Maybe in the same way that Office Depot makes money on the envelopes used in mail fraud

It's a vector for advertising.

But that's not a consumer initiative. Advertising can come from all sorts of places that the consumer doesn't like, and in economies where advanced levels of consumer choice are limited to the state bureaucrats.