
>Is there a compelling reason to allow such spoofs?

A few use cases to spoof the number:

* Appointment reminder systems - if I see the caller ID is from my doctor's office, I'm going to pick it up and hear the reminder. When the calls come from some other number, people think it's spam. People still expect reminder calls even if you/HN crowd would prefer an email/text.

* Outbound call centers on behalf of other companies (same reason as above)

* People who work from home but want to make business calls from a personal phone

If no one could spoof, it would probably result in a huge uptick of people claiming spam calls since they would be getting tons of calls from numbers they didn't know.

There really needs to be an SPF, DKIM, DMARC for VOIP. I don't think a no spoofing policy would go over well for businesses or consumers.



The question wasn't about why spoofing exists at all. It was about spoofing where they did not control the claimed number.

If you want to place a call with spoofed caller ID info, your provider should require you to prove that the spoofed information is legitimate, not fraudulent. Otherwise, the telco should be obligated to strip the suspect caller ID information from the call so that the recipient can properly identify the call as fishy.

There's no need for any complicated cryptographic solution. Telcos should just be required to know their customer, much like banks, before allowing them to do certain things.


Yeah. I'm perfectly fine with e.g. Twilio being able to tell Verizon "oh, we have authorization to send from $x", Verizon going "uh huh, go ahead" because they trust Twilio not to mess around. But then, if there does turn out to be an issue, Verizon is on the hook, and they'll turn around and charge that to Twilio. So, they'll be fine with letting large companies like Twilio spoof on their network, but they're not going to let RandomCo spoof.

So forcing the fine on the last step in the chain forces everyone to carefully consider who they trust, which is as it should be. Nothing wrong with trust between trusted parties, but clearly the current system has untrustworthy parties given too much power.


>where they did not control the claimed number.

That's the thing though, a lot of times they don't control the spoofed number, but there's a legitimate use case for spoofing it. Authorization to spoof is not the same as having control of a number.


Whoever does own the number should be granting permission to that specific organization then.


A cryptographic solution is absolutely necessary. Most reputable telcos already restrict spoofing or require tons of paperwork to prove you own the number before allowing you to use it as caller ID (like Twilio for example).

The issue is that the PSTN is essentially a huge, worldwide message queue to which pretty much any telco can connect around the world, including shady ones - even if US law actually does fight spoofing, how do you prevent telcos from other countries from continuing the abuse?

Cryptography is needed - when a carrier leases you a number, they give you a certificate with which you can sign other carriers' certificates if you want to let them use that number as caller ID. Every carrier on the call chain should verify the call's signatures against that and discard any calls with missing or invalid signatures. That will stop malicious spoofing while allowing its legitimate use, just like email where you can use SPF and DKIM to nominate any email provider to be able to send on your domain's behalf.
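
Added example (not part of the thread, and not any carrier's or standard's actual protocol): a sketch of the delegation check the comment above describes, using Ed25519 from Node's built-in crypto module. The registry of holder keys, the message layout, the expiry field and all function names are assumptions made for illustration.

```javascript
// Added illustration; all names are hypothetical, not a real telephony API.
const nodeCrypto = require('node:crypto');

const newKey = () => nodeCrypto.generateKeyPairSync('ed25519');
const pubB64 = (k) => k.publicKey.export({ type: 'spki', format: 'der' }).toString('base64');
const toKey = (b64) => nodeCrypto.createPublicKey({ key: Buffer.from(b64, 'base64'), type: 'spki', format: 'der' });
// Fixed field order so signer and verifier hash identical bytes.
const enc = (fields) => Buffer.from(JSON.stringify(fields));
const sign = (fields, key) => nodeCrypto.sign(null, enc(fields), key.privateKey).toString('base64');
const check = (fields, sig, pub) => nodeCrypto.verify(null, enc(fields), toKey(pub), Buffer.from(sig, 'base64'));

// Number holder nominates a carrier key for one number, until notAfter (ms epoch).
function delegate(holderKey, number, carrierPub, notAfter) {
  return { number, carrierPub, notAfter, sig: sign([number, carrierPub, notAfter], holderKey) };
}

// Originating carrier signs the call and attaches the holder's delegation.
function signCall(carrierKey, delegation, from, to, ts) {
  return { from, to, ts, delegation, sig: sign([from, to, ts], carrierKey) };
}

// Any carrier on the path: registry maps number -> holder public key (trust anchor).
function verifyCall(call, registry) {
  const d = call.delegation;
  const holderPub = registry[call.from];
  if (!d || !call.sig || !holderPub) return 'reject: unsigned or unknown number';
  if (d.number !== call.from) return 'reject: delegation is for another number';
  if (call.ts > d.notAfter) return 'reject: delegation expired';
  if (!check([d.number, d.carrierPub, d.notAfter], d.sig, holderPub)) return 'reject: bad delegation';
  if (!check([call.from, call.to, call.ts], call.sig, d.carrierPub)) return 'reject: bad call signature';
  return 'accept';
}

// Constructed sample data (555-01xx numbers are fictional).
const clinic = newKey(), reminderCo = newKey(), rogue = newKey();
const registry = { '+12025550100': pubB64(clinic) };
const now = 1700000000000, day = 24 * 3600 * 1000; // fixed constructed clock
const grant = delegate(clinic, '+12025550100', pubB64(reminderCo), now + day);

const results = {
  authorized: verifyCall(signCall(reminderCo, grant, '+12025550100', '+12025550123', now), registry),
  stolenGrant: verifyCall(signCall(rogue, grant, '+12025550100', '+12025550123', now), registry),
  selfIssued: verifyCall(signCall(rogue, delegate(rogue, '+12025550100', pubB64(rogue), now + day),
    '+12025550100', '+12025550123', now), registry),
  expired: verifyCall(signCall(reminderCo, grant, '+12025550100', '+12025550123', now + 2 * day), registry),
  unsigned: verifyCall({ from: '+12025550100', to: '+12025550123', ts: now }, registry),
};
console.log(results);
```
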


A certificate system could work, but really all that's needed is traceability.

If I complain about a call, that should be trackable to the origination carrier and account, and if either one gets too many complaints, it gets thrown off the network (and other penalties).


Actually there is some standardization activity trying to do this. It does not solve the main problem: if you let the originating carrier sign the caller id, you still have to trust that carrier to really check if the caller is authorized to use it. Number portability prevents you from using certificates older than 24h.


In all of those scenarios, one could prove they controlled or had authorization for the spoofed number, hence it would not be eligible for my proposed fine.

I'm not suggesting no spoofing, I'm suggesting a fine on the carrier for unauthorized spoofing, which will force them to actually verify that there is authorization.


>had authorization for the spoofed number

You didn't make this clarification in your first post. In the first two examples, they don't control the claimed number, which is what I was responding to.

>I'm suggesting a fine on the carrier for unauthorized spoofing, which will force them to actually verify that there is authorization.

This makes sense. Legitimate companies will get authorization agreements signed etc.


I get far more spam calls than I do calls from any of those exceptions you listed. I'd be okay with changes that would break all of those use cases.


All those are fine with the rule proposed as you can easily prove the consent of the holder of the original number.



