Fake Call

Darc19

FuzzyThinking wrote: »

They need to target them at EU or even ITU level.

The calls aren’t likely to be coming in through any of the traditional telcos. They’re likely coming in on small VoIP carriers.

You can buy numbers almost anywhere in the world on those services. It’ll have to be regulated a lot better at international level.

You are thinking of the way it was done years ago.

These days they simply insert software that tricks the system into displaying a totally random local phone number.

That number could be your number.

There is no VoIP company to look for. These are fraudsters that have huge funds to stay ahead of authorities.

KildareP

PintOfView wrote: »

From end of June 2021, just gone, both the US FCC and Canadian equivalent (CRTC) require telecom providers to implement STIR/SHAKEN on the IP portions of their networks.

This requires additional information to be added to the VOIP call, which can be used by upstream systems to decide whether or not to trust the Caller ID.
see the following
URL="https://en.wikipedia.org/wiki/STIR/SHAKEN"]https://en.wikipedia.org/wiki/STIR/SHAKEN[/URL and
URL="https://www.fcc.gov/call-authentication"]https://www.fcc.gov/call-authentication[/URL
URL="http://apps.cept.org/eccnews/may-2020/stir_shaken.html"]http://apps.cept.org/eccnews/may-2020/stir_shaken.html[/URL

"The STIR/SHAKEN framework, an industry-standard caller ID authentication technology, is a set of technical standards and protocols that allow for the authentication and verification of caller ID information for calls carried over Internet Protocol (IP) networks"

"FCC rules require providers to implement STIR/SHAKEN in the Internet Protocol (IP) portions of their networks by June 30, 2021, so that Americans can benefit from this important technology and start to have faith in their phone calls again"

From the third link above it doesn't look like this, or an equivalent, is being implemented in the EU or Ireland just yet, but is being looked at!

I've seen a definite rise is these nuisance calls in the past couple of months (international number that ring once / Dept of Social Protection / calls from 087 & 086 numbers / etc.). It's possible some of this may be due to the US 'market' becoming more difficult to reach!

It's one thing that these calls are annoying, and a nuisance to people who don't fall for their spiel.
However if it's worth setting up call centres to do this on an industrial scale then it must mean that
a percentage of people (some probably elderly) are being scammed out of cash,
with the potential to affect not just their purse, but also their sense of security, and even their mental health.
(as someone mentioned already, check out 'Jim Browning' on youtube)

It doesn't seem like Comreg can do anything by themselves, as any solution needs to be implemented by the telecom operators.
However emailing Comreg might encourage them to put some pressure on those who can do something to help.
Emailing our local politicians to highlight the problem might also help to put some pressure where it's needed at an EU level!

The US were one of the culprits in allowing fake caller ID scams and calls to take hold.

I used to work for a company with offices here and in the US. I had the same phone systems put into both locations and we used SIP trunks at both ends to carry external calls to the local phone provider rather than traditional analogue or ISDN/T1.

A PBX lets you set whatever phone number you liked as the outbound caller ID for every extension - a +1, +353, or 999, 911, etc. and this was then sent to the local provider when you made a call. Of course, the intention was you would set caller IDs that were valid and that the provider would have traditionally verified the caller ID for your physical ISDN/T1 line.

With SIP, there is no physical line as such since it's entirely internet based, so caller ID matching is vital.

With SIP, in the Dublin office, unless the number I set was assigned to our SIP trunk, the call was instantly rejected by our provider. All good. Same as ISDN before it.

In the US office, an invalid caller ID set still let the call go straight through unhindered. It was ridiculous. And while I'll admit we had some great laughs within the office ringing colleagues with funny caller ID's set, we could have very easily used that for nefarious purposes.

Flinty997

Darc19 wrote: »

They are spam calls made by companies, the call people are getting are scam calls made by fraudsters.

There is currently no way to stop fraudsters as places like Russia where many originate will not cooperate

Yes but they can target the gateways that these come through. They can target legitimate business that use those gateways. They can pattern match these calls, and they aren't all in Russia. They are in India and such places and they aren't untouchable there.

Ultimately there will be some form of register set up for numbers or ips and people and companies will be able to opt in or out and you'll be able to block people from it.

Even on mobile you download a dialer app that has database of numbers and tell you what a number is that's not in your contacts. But these are opt in systems.

Because the traditional telecos are not trying to do anything about this, people will shift to other systems that do.

There can be no genuine company that's making calls in the volume that scammers do. Where they join the network where ever this is in the world, this pattern has to be identifiable.

ClosedAccountFuzzy

PintOfView wrote: »

From end of June 2021, just gone, both the US FCC and Canadian equivalent (CRTC) require telecom providers to implement STIR/SHAKEN on the IP portions of their networks.

This requires additional information to be added to the VOIP call, which can be used by upstream systems to decide whether or not to trust the Caller ID.
see the following
URL="https://en.wikipedia.org/wiki/STIR/SHAKEN"]https://en.wikipedia.org/wiki/STIR/SHAKEN[/URL and
URL="https://www.fcc.gov/call-authentication"]https://www.fcc.gov/call-authentication[/URL
URL="http://apps.cept.org/eccnews/may-2020/stir_shaken.html"]http://apps.cept.org/eccnews/may-2020/stir_shaken.html[/URL

"The STIR/SHAKEN framework, an industry-standard caller ID authentication technology, is a set of technical standards and protocols that allow for the authentication and verification of caller ID information for calls carried over Internet Protocol (IP) networks"

"FCC rules require providers to implement STIR/SHAKEN in the Internet Protocol (IP) portions of their networks by June 30, 2021, so that Americans can benefit from this important technology and start to have faith in their phone calls again"

From the third link above it doesn't look like this, or an equivalent, is being implemented in the EU or Ireland just yet, but is being looked at!

I've seen a definite rise is these nuisance calls in the past couple of months (international number that ring once / Dept of Social Protection / calls from 087 & 086 numbers / etc.). It's possible some of this may be due to the US 'market' becoming more difficult to reach!

It's one thing that these calls are annoying, and a nuisance to people who don't fall for their spiel.
However if it's worth setting up call centres to do this on an industrial scale then it must mean that
a percentage of people (some probably elderly) are being scammed out of cash,
with the potential to affect not just their purse, but also their sense of security, and even their mental health.
(as someone mentioned already, check out 'Jim Browning' on youtube)

It doesn't seem like Comreg can do anything by themselves, as any solution needs to be implemented by the telecom operators.
However emailing Comreg might encourage them to put some pressure on those who can do something to help.
Emailing our local politicians to highlight the problem might also help to put some pressure where it's needed at an EU level!

One issue with this is that they are targeting mostly English speaking countries. Many EU countries do not have the problem as fraud calls aren’t being made in Danish, Swedish, Finnish, Dutch, Polish, Czech Etc in anything like the same volumes.

We’ve exactly the same problem as the US, Canada, U.K., Australia, NZ etc

France may be getting some, but I’m not aware of it being a big issue. I wouldn’t be surprised if Spain gets some due to the scale of the Spanish speaking market globally, and maybe Portugal due to Brazil being very large, but beyond that it’d not nearly as easy to commit this kind of fraud without very good language skills.

So if it’s only hitting Ireland, I’m not sure this is going to get taken seriously by the EU.

The US move to require authentication of IP traffic into the phone networks may prove the factor that drives change.

The copper landline network here will also be 100% IP based by the end of 2023. Much of the core of it already is. OpenEir are in the middle of a project to remove the local exchanges and replace them with Nokia MSANs and softswitch technology. They seem to be prioritising areas served by Alcatel E10 switches and then moving to decommissioning the hardware in areas served by Ericsson AXE.

If you’re using VoIP based landlines - plugged into a router on Virgin, Eir, Vodafone or Digiweb etc you already are on modern technology and the mobile networks all use modern IMS based voice.

So really there are no excuses for not being able to do this. The old tech won’t exist fairly soon.

Details:

https://www.g4s.com/en-ie/-/media/g4s/unitedkingdom/files/roi_pstn_switchover_presentation__final.ashx?la=en&hash=A93A712AFD337B849D761659636BD261

ClosedAccountFuzzy

Flinty997 wrote: »

Yes but they can target the gateways that these come through. They can target legitimate business that use those gateways. They can pattern match these calls, and they aren't all in Russia. They are in India and such places and they aren't untouchable there.
.

What they’re doing is using thousands and thousands of what look like legitimate VoIP accounts across large numbers of networks. These are often purchased using stolen credit/debit card details and fraudulent information that they’ve obtained in scams.

They then route their traffic randomly through many services, none of them get sufficient volumes or patterns of calls to raise alarms, or if they do the accounts are closed and new ones are created.

Ensuring all VoIP providers have more secure registration and payment would help enormously. So is the banks moving to secure cards will help, but this is an area where the EU is way ahead of the US with the PSD2 rules that have tightened up a card practices, with two factor authentication etc being compulsory for online transactions. US banks have always dragged their feet on this stuff.

There are a lot of pieces to this puzzle but if the industry just passively allows it to keep happening, the reality is they’ll lose huge amounts of business as people will start moving away from using traditional phone services on landlines or mobiles and onto WhatsApp, FaceTime etc.

The telcos have already managed to lose the entire SMS business. IPTV and cable TV seems to be going rapidly to big players like Netflix, Amazon, Apple & Disney.

It seems the telcos are going to follow that by a total loss of voice traffic and become just “dumb pipe” ISPs that don’t really provide any applications / services themselves.

Once you’ve ubiquitous 4G and 5G, voice calls don’t need the telco.

Flinty997

FuzzyThinking wrote: »

What they’re doing is using thousands and thousands of what look like legitimate VoIP accounts across large numbers of networks. These are often purchased using stolen credit/debit card details and fraudulent information that they’ve obtained in scams.

They then route their traffic randomly through many services, none of them get sufficient volumes or patterns of calls to raise alarms, or if they do the accounts are closed and new ones are created.

Ensuring all VoIP providers have more secure registration and payment would help enormously. So is the banks moving to secure cards will help, but this is an area where the EU is way ahead of the US with the PSD2 rules that have tightened up a card practices, with two factor authentication etc being compulsory for online transactions. US banks have always dragged their feet on this stuff.

There are a lot of pieces to this puzzle but if the industry just passively allows it to keep happening, the reality is they’ll lose huge amounts of business as people will start moving away from using traditional phone services on landlines or mobiles and onto WhatsApp, FaceTime etc.

The telcos have already managed to lose the entire SMS business. IPTV and cable TV seems to be going rapidly to big players like Netflix, Amazon, Apple & Disney.

It seems the telcos are going to follow that by a total loss of voice traffic and become just “dumb pipe” ISPs that don’t really provide any applications / services themselves.

Once you’ve ubiquitous 4G and 5G, voice calls don’t need the telco.

While I agree with most of that. I don't agree that you can't find them.

ClosedAccountFuzzy

Flinty997 wrote: »

While I agree with most of that. I don't agree that you can't find them.

Finding them isn’t the aim. Making their ability to operate much less feasible is the only way forward.

1. Secure the telecoms infrastructure.
2. Compel the banks to make credit card fraud much more difficult. It reduces the scale of the honeypot.

The US has gone further on 1. The EU has gone much further on 2.

Governments also need to move beyond relying on simple ID numbers like PPSN. This data will inevitably get stolen. It’s got to be made useless.

At the very least PPSN should be disposable in the event of ID theft. The idea that a single ID number is linked to you for life is ludicrous in 2021.

Use of DOB or other items like that should be entirely avoided too.

The tech is there to secure many things much better.

Flinty997

FuzzyThinking wrote: »

Finding them isn’t the aim. Making their ability to operate much less feasible is the only way forward.

1. Secure the telecoms infrastructure.
2. Compel the banks to make credit card fraud much more difficult. It reduces the scale of the honeypot.

The US has gone further on 1. The EU has gone much further on 2.

Governments also need to move beyond relying on simple ID numbers like PPSN. This data will inevitably get stolen. It’s got to be made useless.

At the very least PPSN should be disposable in the event of ID theft. The idea that a single ID number is linked to you for life is ludicrous in 2021.

Use of DOB or other items like that should be entirely avoided too.

The tech is there to secure many things much better.

Finding them is only about finding how they work so you can counter it.

Ppsn is simply an ID that coordinates related govt services. Not having it makes it much harder to coordinate services. Ppsn fraud is really only a problem for the state. I'm not sure how it could it be used against the individual.

It should be able to be changed. But how would you propagate that change across govt services if they all used a different number.

Johnboy1951

FuzzyThinking wrote: »

You should not be able to set your caller ID to a number you do not own (have rights to use).

Glad you agree.

VoIP companies rent blocs of numbers which are licensed though regulators like ComReg, or they lease number ranges from larger telcos who hold those licences.

If they are allowing users to just set their caller ID to anything at all, that should be a flat breech of terms of use and they should lose the ability to present any numbers at all. Just delete the caller ID field in the signalling.

Glad you agree with me on that also.

A telco who has no Irish number ranges or licence here has no business presenting +353 numbers and nobody other than an Irish mobile operator should be presenting Irish mobile numbers. They cannot possibly own them or have rights to use them.

I guess it depends on what you mean by telco.
I have referred to service providers in what I wrote ...... those providing the VOIP service to me, the customer.

Of course they can be located in any part of the world and any attempt to limit that is nonsensical.

You do not own any of your numbers. They assigned by a regulator to a telco that has a licence to use them.

Mmnnnn ..... see the first sentence I quoted above!

There’s no legitimate use case scenario where you should be able to display your outgoing caller ID as absolutely anything you like

No one posted that this should be allowed.

and inbound calls from telcos that have no licence here but are displaying +353 should not be allowed to send that caller ID.

As it stands you could display your phone number as absolutely anything from a random number, to a private landline or mobile belonging to someone else, to an emergency service or state service in a country you’ve nothing to do with.

I mean why do you think you should have the right to display my mobile number or the French Revenue Commissioners?

I do not think so and never implied or stated I do, so I have no idea what you are on about.

Presenting someone else’s phone number is identify theft. There’s no other way of explaining it.

It is a ludicrous mess that is facilitating widespread fraud and rendering caller ID totally untrustworthy.

I would also add that most VoIP services, at least responsibly operated ones, do not allow you to set your caller ID to numbers that you do not have rights to use. You typically can only pick from your list of numbers, not just enter any string of digits as your outbound ID.

There is massive fraud going on, worth millions of $/€ and it is being in large part facilitated by the ability to present entirely spoofed numbers. The system has to be made much more secure.

If the telcos and regulators don’t tackle it, more people will simply give up on PSTN and mobile services and migrate to “over the top” VoIP services linked to IM - WhatsApp, FaceTime, Telegram, Signal etc all already have a large % of the market. They offer far more security, verify that an inbound call is who it claims to brand can easily block spam.

Failure to tackle this will simply mean the voice telephone network will be as useless as spammy email services & that will just mean a whole load more abandoned services & lack of revenue for telcos.

As I already posted, and you seem to ignore ...... it is possible, and in my mind desireable, to block providers who allow such bad practices as setting any number as caller ID.
Providers should be forced to confirm ownership of any number they allow for caller ID.
My main provider does, and I have a list of numbers (landline & mobiles) from which I can set the caller ID. Each number has been verified by the VOIP provider. That provider is not within the state.

If you had your way apparently I would be confined to using providers within the state ....... and most of us know what a rip off can happen when companies have near monopolies ..... yes eir I am thinking of you and your call charges!

So simply ensuring that providers confirm the numbers for caller ID are in the control of their customers should be sufficient. This should be done regularly to ensure lapsed numbers are deleted and old caller ID number approval does not interfere with future users.

Those providers who do not comply should be blacklisted and prevented from accessing any Irish telecom system.

ClosedAccountFuzzy

You’d be confined to using operators who have rights to use numbers. If you don’t have rights to use the numbers, you shouldn’t be presenting them.

My point was that at present, Irish mobile operators are the only networks, or service providers, that are authorised to use +353 8X mobile numbers.

It should be extremely simple to just block caller ID being passed by anyone presenting those numbers, who isn’t one of the Irish MNOs or MVNOs

Landline numbers and non-geographic are a different issue.

Also the situation in the USA is different where there’s no distinction at all between landline and mobile numbers, which makes things very complex as you could have any given geographic number assigned to mobile, VoIP or traditional landline providers.

The Irish networks also already use an instantaneous database look up approach to number portability.

When you dial an Irish phone number, the switch or IN element of the network (mobile or fixed) consults a shared database to see on which network that number is located and who to send the call to.

There’s no reason why the networks couldn’t use something like an extension of that as an authentication filter.

1. Call comes in it has to enter at some point though an interconnection node, which is going to be a sophisticated soft switch in any of the modern networks.

2. Caller ID presented is looked up.

3. If the caller ID doesn’t match the expected origin network / service provider , flag it / remove it.

It doesn’t have to block the call, just delete the caller display.

ClosedAccountFuzzy

Flinty997 wrote: »

While I agree with most of that. I don't agree that you can't find them.

You can only find them if you’ve cooperation from the countries that are sheltering them and it seems nobody’s willing to do that.

A threat of trade sanctions from the US and EU would likely solve it.

It could be solved by tightening regulation and there’s no reason that would reduce competition.

The reality of this is more than just a minor annoyance. It often hits the most vulnerable people: older & less savvy.

It is likely at least tens of millions of fraud €$£ flowing into criminal organisations. It may even be financing terrorism and all sorts of stuff.

It’s also a direct cost to some people who don’t get refunds, and a significant indirect cost to consumers though premiums on insurance and bank charges etc that’s being used to do credit / debit card fraud costs.

There’s no free lunch or victimless crime. The money comes from somewhere.

Lewis_Benson

Jim Browning is very good at finding out who these scummers are.
Check out his channel on YouTube.