The article mentions VoIP being the issue, but comments here show issues with calling cards as well. It's not VoIP, it's trusting your service provider, the destination service provider and everything in-between.
If you dial via a calling card, everything goes through their proxy before being handed off.
I've run into problems with services like Telegram not accepting my Google Voice number (my own real US number) and the recent NIST recommendations also state not to use SMS as 2-factor verification (citing VoIP concerns).
We have TLS/LetsEncrypt/etc to verify we're talking to who we think we're talking to on the Internet, but phone networks come from a previous era.
I worked for a telcom once in one country where if they no longer held a phone number (it got ported to another network), we just send it to all the other providers. The network that currently held the number would relay it and the others dropped it. I actually wrote the job to actually compare the ported number list and only forward to the right destination. Telecom is janky as shit.
I'm not convinced that this is the case - I'd imagine there are a number of calling cards that terminate a POTS line to a voip device in the US and then VOIP out for vastly cheaper international calling.
I used to work for a company which wrote & sold telco switch management software. Mostly is was for automatically calculating the Least Cost Route, given a list of carrier price sheets and rates for prefix bands.
We had a few local clients with slightly complicated setups, so we got to implement some matching logic for Call Data Records. Their local end had three switches attached to external trunks (to other carriers) and trunked to each other, and a few digi-boxes which voiped to (say) Afghanistan (telcos always use Afghanistan for examples, since it's the first country in the price sheet).
They would list a cheap per-minute price to +93, accept incoming calls & terminate them at the digi-box (closing the CDR & generating a revenue event). The remote digi-box would then start a new outbound call (and CDR) from their partner's facility and (hopefully) get to a subscriber line without going through too many carriers.
The trick is (and we never asked or found out) is that most of the time the remote digi-box is actually a carousel of SIM cards with unlimited local calls. The carousel is used to automatically distribute the calls over the SIMs to impede fraud detection by the mobile carrier.
These setups are pretty common & are called grey routes.
"The trick is (and we never asked or found out) is that most of the time the remote digi-box is actually a carousel of SIM cards with unlimited local calls. The carousel is used to automatically distribute the calls over the SIMs to impede fraud detection by the mobile carrier."
I have seen this in action ... I was working late at night in our (rsync.net) Zurich datacenter and there was a man who had a very tall stack of SIM cards that he was punching out and inserting into these long PCI cards ... I couldn't not ask him what he was doing.
He was a little cagey about it, but I got the general idea (thanks, Swiss folks, for all speaking english!).
The thing I don't understand is, to whatever degree running all those cards through a single SIM is a fraud alert, then I would think running all of those calls through a single tower would be an even bigger fraud alert. And yet, that doesn't seem to be a problem.
Yeah, the thing is telecom and especially cellular fraud detection is often a manual process when you get to that cell or tower level. Carrier backends are not friendly toward it for the fraud detection employees, thus it rarely is done.
Specifically in Switzerland and Germany, call termination costs are a great deal higher, where I'm paying .0014min avg in North America, I am paying a few multiples of that minimum in either country.
If you dial via a calling card, everything goes through their proxy before being handed off.
I've run into problems with services like Telegram not accepting my Google Voice number (my own real US number) and the recent NIST recommendations also state not to use SMS as 2-factor verification (citing VoIP concerns).
We have TLS/LetsEncrypt/etc to verify we're talking to who we think we're talking to on the Internet, but phone networks come from a previous era.
I worked for a telcom once in one country where if they no longer held a phone number (it got ported to another network), we just send it to all the other providers. The network that currently held the number would relay it and the others dropped it. I actually wrote the job to actually compare the ported number list and only forward to the right destination. Telecom is janky as shit.