I've yet to read a good explanation of why the telcos permit CLID faking and reinjection of apparently local CLID by overseas inputs.
I'm assuming there's a technical and/or willpower reason or some counterfactual like VOIP depends on it.
Even just flagging it would help. Or, rejecting numbers they can know lie inside their own routing architecture, or asserts within their own number plan where the CLID does not match.
Morally it's like BCP38 in the customer facing internet systems: reject customer input they don't pay you to assert.
I used to work at two (UK) telcos. There's a historic reason and a modern reason.
The historic reason was, just like the Internet, the international phone network was built on gentlemen agreements by engineers who largely trusted each other.
A big national telco is unlikely to attack its peers, so there was little need for safety measures. As smaller telcos came in to the mix via deregulation, that understanding changed - but it was hard to retroactively fit controls.
The more modern reason is outsourced call centres. You want outbound calls from your Philippines based staff to show as if they were calling from a local number. When large and reputable entities were doing this it was fine. Just like showing a different reply-to address on an email.
If you were designing a modern network, it wouldn't be like this. But international telephony is over a hundred years old and has a huge amount of legacy technology and legal agreements.
> You want outbound calls from your Philippines based staff to show as if they were calling from a local number.
The company that has offshored it's support to the Philippines might want that, but I doubt any consumers want that. That shouldn't have happened, but regulation comes (20+ years?) after harmful business profit decisions have been made and implemented.
But, thank you for the explanation. I have heard similar explanations before, and it has always sounded to me like a situation where the telcos are able to offer a service for a profit for the customers to hide the origin of their offshore call centres (that mostly nobody wants to speak to anyway).
The consumers 'want' it because if they get disconnected and try to recall, by spoofing a local number it costs them nothing/little since it's a local number (maybe toll-free?) instead of a lot for an international call. Of course, they might want a local call centre even more, but spoofing a local number for overseas call centres does have a purpose.
My electric company gave me a number (UID, not phone number) to resume a call if the issue wasn't fixed within 24 hours, and I'm pretty sure internet operators have the same protocol (at least used to).
Just looking at my incoming call list on my phone for yesterday: "Suspected Spam", "Suspected Spam", "Suspected Spam", "Potential Fraud", "Suspected Spam", "Suspected Spam", a real call, "Suspected Spam", "Suspected Spam"...
Phone is set to only notify me for numbers for known contacts - does mean that I occasionally miss calls from other people, but I can live with that.
Yes, was just relating my experience - it's just go the the point where I personally opt to play safe. Like everyone I do get calls from people who aren't in my contact list but it was getting silly so I've defaulted to ignoring them and it works for me. Anyone serious is going to be happy leaving a message - which suits me anyway as I spend a large part of my work day in Teams calls.
> You want outbound calls from your Philippines based staff to show as if they were calling from a local number.
This is a valid use case, but I’m a bit surprised that the mechanism isn’t better controlled. Surely a better design would be for an actual local entity to forward the call, possibly with an optimization to allow the voice data to bypass the local entity once the call is connected.
Just whitelist the caller ID and have the originating network guarantor
The second part is the hard part and requires coordination
It wouldn’t be expensive or especially hard to do but there is no payoff for the network. Remember they make money off scam calls too
Since as long as I can remember these organisations have been optimised for profit, not for GAF and that’s why they’re being savaged by regulation and OTT competitors now
There has been no market forces compelling them to do this and until recently when it got really bad, no political or regulatory forces
It's a solved problem. VoIP plus leased trunk lines by the a telco in the market you want to work at. You are limited to fixed set of numbers and you are "local" in the market you want to work at.
That's why in 2020 the FCC belatedly mandated SHAKEN/STIR to authenticate Caller ID in the US using public-key cryptography. Deployment is still work in progress, and it does not cover SMS/MMS, however.
A bigger problem is Russia or Saudi Arabia using the SS7 signalling network to track their dissidents in the US because those legacy telco protocols have basically no authentication whatsoever, and won't blink if a Saudi Telco sends Verizon a MAP message saying "what is the cell location of Jamal Khashoggi's phone?"
That's what's mandated by ARCEP (the French regulator) since the beginning of this year, and now all faked numbers are marked as “hidden caller”, and indeed it helps a lot.
Cost. Cost to spam and scam tends to 0 at industrial scale. Meanwhile amount of time and resources telco want to spend on fighting it is Bounded by how much regulators are going to allow them to pass on to customers.
As an Australian, I'm happy to hear this, but also annoyed that a lot of legitimate SMS from companies don't use branded sender ID. I'm not sure why, but my guess is that SMS gateways charge more for it and businesses don't want to pay the extra cent or two.
No it costs the same, the reason they do it is that it’s slightly more difficult to spoof a real number sender ID because most gateways will verify ownership by sending you a text on that number before letting you send outbound from it, where as they have no way of doing the same for an alphanumeric sender ID
As counter measure to text scams the Australian government (actually ACMA which I think is the Au version of the FCC) has introduced a national register of Sender Ids, which comes in to effect on the 1st of July. It requires providers to mark any unregistered Sender Id as 'Unverified'
I haven't yet been able to find the full register (if it's even public) but I thought this is an interesting approach.
There are good reasons to allow unregistered telecommunications. If you don't like it, you can always block it your end; given that we can all expect many other people to do the same (and it'll likely be a feature built into many phone operating systems), the social pressure you're after still exists.
Interesting change. If it helps cut down on spam and phishing texts while keeping branded messages trustworthy, it sounds like a step in the right direction.
It's not. Together with ongoing global tightening of regulations for permissible caller IDs on phone calls, it's all about fighting fraud. (I work in the telecom industry and am in the middle of all the waves this is causing for legitimate business cases.)
I welcome this move, enforcing that SMS messages come from who they say they'll come from is important.
Personally I think the whole system of replacing the point of origin with a name needs to be overhauled. Allowing a name as well is fine, but the practice of delivering messages that can't be replied to is pretty poor.
Rather than have to futz around with a different number or website to go to, I should be able to just reply "STOP" if (for example) Dominos keep spamming me with Pizza offers I don't want.
Governments always want to know everything. They are like the biggest data sniffers now, even more so than e. g. CIA-book (formerly known as Facebook).
I'm assuming there's a technical and/or willpower reason or some counterfactual like VOIP depends on it.
Even just flagging it would help. Or, rejecting numbers they can know lie inside their own routing architecture, or asserts within their own number plan where the CLID does not match.
Morally it's like BCP38 in the customer facing internet systems: reject customer input they don't pay you to assert.
The historic reason was, just like the Internet, the international phone network was built on gentlemen agreements by engineers who largely trusted each other.
A big national telco is unlikely to attack its peers, so there was little need for safety measures. As smaller telcos came in to the mix via deregulation, that understanding changed - but it was hard to retroactively fit controls.
The more modern reason is outsourced call centres. You want outbound calls from your Philippines based staff to show as if they were calling from a local number. When large and reputable entities were doing this it was fine. Just like showing a different reply-to address on an email.
If you were designing a modern network, it wouldn't be like this. But international telephony is over a hundred years old and has a huge amount of legacy technology and legal agreements.
The company that has offshored it's support to the Philippines might want that, but I doubt any consumers want that. That shouldn't have happened, but regulation comes (20+ years?) after harmful business profit decisions have been made and implemented.
But, thank you for the explanation. I have heard similar explanations before, and it has always sounded to me like a situation where the telcos are able to offer a service for a profit for the customers to hide the origin of their offshore call centres (that mostly nobody wants to speak to anyway).
I think I just ranted twice, sorry. Thank you!
Phone is set to only notify me for numbers for known contacts - does mean that I occasionally miss calls from other people, but I can live with that.
Spam calls happen but I'm not interested in social credit ratings for callers.
This is a valid use case, but I’m a bit surprised that the mechanism isn’t better controlled. Surely a better design would be for an actual local entity to forward the call, possibly with an optimization to allow the voice data to bypass the local entity once the call is connected.
But it is slow to roll out.
The second part is the hard part and requires coordination
It wouldn’t be expensive or especially hard to do but there is no payoff for the network. Remember they make money off scam calls too
Since as long as I can remember these organisations have been optimised for profit, not for GAF and that’s why they’re being savaged by regulation and OTT competitors now
There has been no market forces compelling them to do this and until recently when it got really bad, no political or regulatory forces
tl;dr na bro
I personally don't? Why would I want that.
The companies might want to hide that info but I don't think that's a legitimate use case.
Call centres were getting outsourced before e.g. Skype was a twinkle in the eyes of Priit Kasesalu and Jaan Tallinn.
A bigger problem is Russia or Saudi Arabia using the SS7 signalling network to track their dissidents in the US because those legacy telco protocols have basically no authentication whatsoever, and won't blink if a Saudi Telco sends Verizon a MAP message saying "what is the cell location of Jamal Khashoggi's phone?"
Traditionally they have a bias towards "working"/delivering traffic. It's easier to issue a refund than answer a urgent support request.
I can also imagine the biggest customers have all sorts of multi-vendor failover plans that may be affected.
That's what's mandated by ARCEP (the French regulator) since the beginning of this year, and now all faked numbers are marked as “hidden caller”, and indeed it helps a lot.
I haven't yet been able to find the full register (if it's even public) but I thought this is an interesting approach.
Personally, I'd prefer them to be blocked. If it's important and legitimate, they'll register.
https://www.trai.gov.in/advice-to-senders
https://www.donotcall.gov.au
Personally I think the whole system of replacing the point of origin with a name needs to be overhauled. Allowing a name as well is fine, but the practice of delivering messages that can't be replied to is pretty poor.
Rather than have to futz around with a different number or website to go to, I should be able to just reply "STOP" if (for example) Dominos keep spamming me with Pizza offers I don't want.