Not sure if it works the same way, but a lot of the robocalls that I get are from spoofed mobile numbers, if you call the number back its usually some random dude who is confused to why he's getting so many angry calls.

There's language in the directive about "shaken/stir" implemented "over TCP/IP."

"STIR is an acronym for Secure Telephone Identity Revisited, while SHAKEN stands for Signature (based) Handling of Asserted Information using tokENs."

They're possibly the most tortured backronyms I've ever seen.

All to sound like James Bond's "shaken, not stirred" quote. It's a bit lame, really.

Ah yes, the legendary 007 wit, or at least half of it.

At the carrier level, number spoofing doesn't mask where the call originated from. It's simply a mechanism for a caller to convey to the receiver who is calling.

It's allowed to be spoofed to enable legitimate things like all call center lines to report as the same 1800 number of a business. The problem is that it's been on the honor system.

With stir/shaken it's a matter of proving identity.

Carriers are required by law to connect calls, it's a monopoly thing to prevent an AT&T from refusing to connect competitor's calls to damage their business.

The FCC hasn't just given them permission to not connect calls, it has ordered them to cease connecting those calls.

Wait, it's possible to spoof phone numbers?! Does anyone know how this works?

It's absolutely trivial. https://en.wikipedia.org/wiki/Caller_ID_spoofing

> Providers which market "wholesale VoIP" are typically intended to allow any displayed number to be sent, as resellers will want their end user's numbers to appear.

I've gotten calls from banks' 1-800 numbers that were 100% definite scams this way.

..and there are plenty of non-nefarious reasons to want to spoof numbers. I used to have a VOIP setup at home that, when I dialed out, the call would appear to come from my cellphone[0]. Google Voice used to be able to do that too (no idea if it still does). Businesses often use this to have all their calls appear to come from the main office line or a 1-800 number. Or, when forwarding a call, you could make the 2nd leg outbound call appear to come from the original caller instead of the forwarder, things like that. Unfortunately as with so many things, bad actors are going to ruin it for everyone.

[0] I also found out that if I dialed my cell phone voicemail number from this VOIP phone, it bypassed my security code and went straight to my mailbox - since the outgoing number matched my cellphone number, it assumed it was me calling. A quick experiment showed I could then access anyone's voicemail (on that carrier at least) by simply setting my outbound number to appear as their cell number...

Such cases could be handled if there were a way to verify that a spoofed number is an authorized use. Your cellphone number belongs to you. Some bank's 800 number does not. What we need is a mechanism that prevents the scammers from lying while still permitting setups like yours.

I mean, that's what STIR/SHAKEN do.

> plenty of non-nefarious reasons?

aren't they all variations of "both numbers are provably yours"?

Define provably and yours.

When forwarding a call, the origin is not yours. When calling "in the name" of the company's switchboard, the number is not yours. When I use a number which is actually mine but comes from another country, it's not really provable.

Every provider should be responsible for verifying that their downstream customers are legitimate. If they deliver junk on behalf of their customers, they should get banned. That's how this problem gets solved. Your provider doesn't want to get black-holed, and now has an incentive to make sure your VOIP system is legitimate.

I fully support this behavior, however from what I read about Australias wiretap laws, they can't check the source number without a warrant :|

It is insanely easy to spoof "caller ID", it is slightly harder to spoof whatever the "real source" thing is that's just below it.

But both are not hard, and if you have the right VOIP provider you're off to the races.

Fairly long video [1] to show how to operate a VOIP app, but yea, pretty simple. Should be harder whenever STIR/SHAKEN [2] goes into effect.

1. https://odysee.com/@cybering:1/spoofing-call-id-using-voip:2

2. https://en.wikipedia.org/wiki/STIR/SHAKEN

STIR/SHAKEN is already in effect for 99% of people. That's what this order is about. These seven small VoIP companies are the only ones who haven't implemented it. (Presumably, their whole raison d'être is for spammers.) Those seven companies are currently providing service for all remaining spoofers, so they have two weeks to fix it or they're done.

Presumably if they are illegitimate, they will lose most of their customers if they do comply, or they lose network access by not acting. Sounds like this will put the illegitimate ones out of business.

When you make a phone call, your phone sends metadata containing your phone number to whomever you are calling. That's what the recipient sees as your caller ID.

Of course, since you control your own device, you can make that metadata contain anything you want.

Here is an excellent video of McAfee doing it to a fox news anchor: https://mobile.twitter.com/officialmcafee/status/13053832859...

one way is with ANI abuse.

the 2nd is abusing callID transmitters and protocol. i think the 2nd way may have been mitigated. it was kinda like butting into line before anyone notices.

if you've ever had a call when your at the phone, and you see a brief flash of a number, that instantly changes to another number, this 2nd method is likely in play

Yes there are ways to spoof caller id numbers but the network isn’t confused about where the call is coming from

All you need to do is follow the money. Someone is paying for that call, cheap as it may be. And there is no way the telcos would allow anyone to spoof that.