SoylentNews is people
SoylentNews
from the thought-they-were-really-cleaning-up dept.
Feds crack down on brothers behind 45 million illegal robocalls:
Three New Jersey brothers will pay $1.6 million to settle charges of instigating more than 45 million illegal robocalls nationwide, including to tens of millions of Americans on the Federal Trade Commission's Do Not Call Registry, the agency announced on Friday.
The siblings also agreed to a permanent ban on telemarketing and will hand over a residential property to resolve the agency's allegations, made in a complaint filed by Department of Justice on behalf of the FTC.
According to the FTC's suit, Joseph, Sean and Raymond Carney initiated more than 45 million illegal telemarketing calls to people across the U.S. between January 2018 and March 2019 to pitch a line of septic tank cleaning products. Most of the calls, or 31 million, were placed to numbers on the FTC's registry of people who don't want to receive marketing calls.
[...] Telemarketers working on behalf of the brothers falsely told consumers they were calling from an environmental company to offer free information on their septic tank cleaning products, the complaint charges.
(Score: 3, Insightful) by Anonymous Coward on Tuesday July 20 2021, @06:28PM
Correct, there is no technical reason why caller ID spoofing is so easy. The real reason is that caller ID was developed way back in the days when the phone network was an isolated network, run by one company (AT&T in the US). Caller ID was developed in that environment (isolated network, only really one player) and so there was no envisioned need for any authentication of the value, because what was sent came from the same company that transmitted it.
However, as time went along, more players came onto the field (all the various newer 'phone companies' that appeared). And rather than redesign caller ID to include some form of authentication, everyone just used the existing system (it already worked [caller ID protocol], and each company was, at the time, trustworthy).
Yet more time went along, and the internet arrived, and then, VOIP arrived on the internet, and suddenly, the phone network was no longer an isolated network, and there were no longer a small handful of companies providing phone service such that one could 'trust' that the other company was not lying about their caller ID value. With VOIP, and cross connection between the phone network and the internet, suddenly, anyone willing to buy the proper network link could be "a phone company".
And the problem now was, the existing base of telephone companies, and telephone switching equipment, had all grown up in this world where "the guy requesting we terminate his call can be trusted to not be lying" and it now had a problem. It relied on a protocol with no authentication of the sender, but now it had so many senders that some of them were going to be shady operators and would deliberately lie about their caller ID values. But fixing that problem would require a different protocol, and we (the various existing, mostly trustworthy companies) had billions invested in capital expenditures on equipment that was all designed and built to use the "unauthenticated caller ID" protocol. Suddenly changing to "authenticated caller ID" would entail a lot of expense to retrofit everything. So there was little incentive to make a fix, and of course, now a huge herd of cats had to be herded to use a single new system, which in and of itself was unlikely to go anywhere.
And that is why caller ID, today, in 2021, is trivial to fake/spoof. It was never designed to be fake/spoof proof in the first place, and it now finds itself firmly entrenched in every expensive piece of telephone hardware out there, but now playing in a world where many of the players are not trustworthy.
No, they don't, because if they fixed it, it would add millions to billions of additional capitol outlay to their expense line item on their quarterly reports, make them incompatible with everyone who has not fixed it, and potentially cut off part of their revenue stream at the same time (they are getting paid for carrying these calls afterall). This is much like the long slow slog to "no indoor smoking in bars/restaurants". Few individual bars/restaurants wanted to be the lone wolf changing things. But all were fully in support of the govt. mandating the change, because then they were "off the hook" as to why the made the change. Same reasoning here. Authenticated caller ID needs to be a regulatory mandate so that everyone bears the expense all at the same time, and so that no one looks to be a lone wolf/loose cannon on their quarterly stock market reports. Sadly govt. regulation moves too slowly for most of us.