Ask HN: How can scam callers fake a mobile phone number?
source link: https://news.ycombinator.com/item?id=30673009
99 points by fxtentacle 5 hours ago | 118 comments

I'm with T-Mobile and I just received a phone call on my mobile phone from another number where everything except for the last 3 digits was exactly matching my own number. I found that suspicious, but I was curious enough to pick up the call. The other person greeted me with "We are very important this is Interpol!" in seriously broken English, so I suspected a spam call and hung up to try to call them back. That didn't work because the phone number they were calling me from does not actually exist. Like I immediately get the T-Mobile announcement informing me that this is an invalid number.
Now I am wondering:
- How can a spam caller call me with a source phone number that does not exist?
- Shouldn't my mobile phone network verify that the caller - which was also inside their network - is a valid subscriber? Otherwise, how can they bill someone for this call?
- How does this kind of scam call work technically?
Signalling System No. 7 - ISDN User Part spec (found here: https://www.itu.int/rec/T-REC-Q.763-199912-I/en) allows you to specify both a calling party number (3.10) and generic number (3.26) (the UK spec adds an additional presentation number so you have 3). This will typically require the help of an operator which is 'connected' to the network on the PSTN. A real business case can be made; like a generic, non-geo support number appearing on the person's phone instead of the geographical number of the office which called. Either a bit of social engineering or finding a less scrupulous operator is all you really need to do.
SIP has FROM and P-Asserted-Identity headers which follow the same process
ref what the screening bits are: https://www.dialogic.com/webhelp/csp1010/8.4.1_ipn3/exsapi_q...
As for if the UK & spoofing, it's a very real thing with very real business cases and abuses.
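The comment above describes the two identities a call carries in SIP (the user-settable From header and the network-asserted P-Asserted-Identity) and the screening that decides which one a downstream network may trust. The following is an added illustration, not code from the thread or from any carrier's equipment: a small terminating-side screen that parses the headers of an INVITE, discards P-Asserted-Identity when it arrives over a peer outside the trust domain (the RFC 3325 behaviour), and checks the remaining identity against the number ranges that trunk is authorised to originate. The trunk profiles, domains, numbers and messages are constructed for the example.

```javascript
// Added example (not from the thread): terminating-side screening of the
// SIP From and P-Asserted-Identity headers. All trunk data and messages
// below are constructed for illustration.

// Parse the header block of a SIP request into { lowercased-name: [values] }.
function parseSipHeaders(raw) {
  const lines = raw.split(/\r?\n/);
  const headers = {};
  for (const line of lines.slice(1)) {       // line 0 is the request line
    if (line.trim() === '') break;            // blank line ends the headers
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  }
  return headers;
}

// Pull the telephone number out of an identity header value such as
// '"Support" <sip:+442079460100@carrier.example>;tag=1928' or '<tel:+44...>'.
function numberFromIdentity(value) {
  const m = /(?:sips?:|tel:)\+?([0-9]+)/.exec(value || '');
  return m ? '+' + m[1] : null;
}

// Hypothetical trunk profiles: whether the peer is inside our trust domain
// (may assert identity) and which number prefixes it is authorised to
// originate calls for. A real SBC would load this from its configuration.
const TRUNKS = {
  'trusted-carrier': { trusted: true, allowedPrefixes: ['+4420'] },
  'unknown-reseller': { trusted: false, allowedPrefixes: [] },
};

function screenInvite(raw, trunkName) {
  const trunk = TRUNKS[trunkName];
  const h = parseSipHeaders(raw);
  const from = numberFromIdentity((h['from'] || [])[0]);
  let pai = numberFromIdentity((h['p-asserted-identity'] || [])[0]);

  // Peers outside the trust domain cannot assert identity: drop their PAI
  // and fall back to the unverified From, as RFC 3325 requires at the edge.
  if (!trunk || !trunk.trusted) pai = null;

  const authorised = (n) =>
    !!trunk && !!n && trunk.allowedPrefixes.some((p) => n.startsWith(p));

  let verdict;
  if (authorised(pai)) verdict = 'asserted';          // network-vouched number
  else if (authorised(from)) verdict = 'plausible';    // From only, in trunk's range
  else verdict = 'unverified';                         // nothing we can vouch for

  // The business case from the thread: a generic support number presented in
  // From while PAI carries the real originating line. Flag, don't reject.
  const displayDiffers = !!pai && !!from && pai !== from;
  return { from, pai, verdict, displayDiffers };
}

// Constructed sample: a legitimate call over the trusted peer, presenting a
// support number while PAI names the office line.
const LEGIT_INVITE = [
  'INVITE sip:+442079460000@ourcarrier.example SIP/2.0',
  'Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bK776',
  'From: "Support" <sip:+442079460100@trusted-carrier.example>;tag=1928',
  'P-Asserted-Identity: <sip:+442079460123@trusted-carrier.example>',
  'To: <sip:+442079460000@ourcarrier.example>',
  'Call-ID: a84b4c76e66710',
  '',
].join('\r\n');

// Constructed sample: a neighbour-spoofed number arriving over an untrusted
// reseller that also stuffed a PAI header in, hoping it is honoured.
const SPOOFED_INVITE = [
  'INVITE sip:+442079460000@ourcarrier.example SIP/2.0',
  'From: "Interpol" <sip:+442079460001@unknown-reseller.example>;tag=77',
  'P-Asserted-Identity: <sip:+442079460001@unknown-reseller.example>',
  'To: <sip:+442079460000@ourcarrier.example>',
  '',
].join('\r\n');

console.log(screenInvite(LEGIT_INVITE, 'trusted-carrier'));
console.log(screenInvite(SPOOFED_INVITE, 'unknown-reseller'));
```

The point of the two samples is that the spoofed INVITE carries exactly the same header shapes as the legitimate one; what separates them is only the trust relationship with the peer it arrived over and whether that peer is entitled to the number it presents, which is why a carrier that does not keep such profiles has nothing to check.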
In the end, the most surprising snippet of knowledge for me was that Erlang (that Amazon S3 is built in) was invented by Ericsson for live patching ISDN phone routing systems without dropping any ongoing call.
International Telephone Standards. VoIP companies like https://www.sipgatebasic.co.uk/tour
And if you set up a VoIP number and a PBX like FreeSWITCH or Asterisk, they will send the ringing tones down to the caller, so if you have the PBX set to record calls you can listen to what the caller is chatting about whilst they are ringing you, hearing the ringing tone at their end waiting for you to pick up. All a bit spooky but that's the technology for you!
> - How can a spam caller call me with a source phone number that does not exist?
Again they have the VoIP number but when you ring it they can play a dead line tone down to you instead of a ringing tone. With VoIP and FreeSWITCH/Asterisk and probably other PBXs you control all of that.
> - Shouldn't my mobile phone network verify that the caller - which was also inside their network - is a valid subscriber? Otherwise, how can they bill someone for this call?
Depends on the telecoms standards in the country and/or the telecoms provider.
> - How does this kind of scam call work technically?

Any member of the public can set up a VoIP number and PBXs like FreeSWITCH and Asterisk and do this.
If it's not VoIP then telecoms companies and the security services in your country, or maybe your mobile phone is hacked and your mobile has logged onto a local fake cell instead, which is slightly different to the VoIP setup above, but I don't know how much this device can do. https://en.wikipedia.org/wiki/Stingray_phone_tracker#Active_...
and you can do things like this https://www.wired.com/2010/07/intercepting-cell-phone-calls/
STIR/SHAKEN actually has the potential to do things correctly, as a call Digital Attestation Certificate has to be supplied... but telcos make quite a bit of money off of scam callers so don't expect them to move quickly, and I'd expect them to implement it in the absolutely poorest way possible.
To address the other question about phone providers verifying stuff. SHAKEN/STIR [4] protocols are supposed to address this, but I think the telcos are still in ramp up time.
3. https://odysee.com/@cybering:1/spoofing-call-id-using-voip:2...
4. https://www.fcc.gov/call-authentication#:~:text=STIR%2FSHAKE....
We only have 3 major cell carriers here in Switzerland; it should be trivial for the 3 to verify each other's numbers to see if those customers even exist. Unlike the US, each cell provider has its own number prefix. Numbers are portable but only between certain providers.
On the other hand, it should be possible to detect at least a percentage of spoofed caller IDs and block them (e.g. non-existing numbers).
Since the advent of number portability, the area code and prefix no longer signify anything about what carrier a particular number belongs to. You could very easily take your T-Mobile number to Verizon, for example.
If all my friends are on carriers that support it, I am not interested in receiving calls from people who are not on a carrier that supports it.
This would be useful in the interim as this system rolls out, and would also encourage adoption by mobile carriers
Spoofing still exists, though. Is the issue now that our phones are backwards-compatible with the insecure system?
I'll paint the targeting laser myself.
Sometimes the number is only a few digits off from my number, but other times it has a name like TOLL FREE SERV. A common lure is claiming they are Service Canada or Canada Revenue Agency (or the nonexistent Revenue Canada), and the call will open with nonsensical threats like “A warrant has been placed in your social insurance number”. I have a hunch they often target wealthy international students, as sometimes the messages are entirely in Chinese.
Recently I received three calls in one day. It’s been happening for years, and the phone companies don’t appear to be able/willing/motivated to stop it. Most people I know have just resorted to not picking up calls from unknown numbers.
If I have a sick relative and explicitly expect an urgent call, I can easily and briefly turn off DND mode.
If the concept of a telephone never existed, and "Phone App" was invented today, it would be considered extremely intrusive and likely not (at least on iOS) pass App Store review. Think about it: Here's an app that allows any random person to cause your device to 1. interrupt whatever foreground app you have running with system-level UI (notification or full-screen takeover), and 2. ring and vibrate your device without your consent. If we weren't already familiar with telephones, we would never accept such an obnoxious app!
Now that the phone network looks more like the internet (many different companies all exchanging "calls" with each other) that decision, way back then, has the unintended side effect of allowing the robocall spammers to set whatever set of ten digits they like on their outgoing calls.
The short/simple answer is carriers don't care, because they make money when a call is placed on their network. There is also a difference between what is a valid number (digits are correct) vs a real number (someone owns a number). It is cheap for a carrier to check validity, but not "realness" - to check a real number, a carrier may have to do some sort of data request to any number of carriers to determine if the number is owned.
In Canada caller ID also includes the name along with the number from Nortel equipment, while in the USA it's just the number. Nobody I know has a landline anymore except for businesses, because if it's just the odd crazy person who still makes a super annoying life-interrupting phone call, more than half of calls are just fraud shit with spoofed caller ID and everything. It's so easy you could get started doing it yourself with FreePBX installed on some $5 VPS within minutes. Honestly we need better telephony systems, but everything is being completely superseded by chat apps anyways. Again, only crazy people give me actual phone calls anymore and I have two lines between two countries.
Fun things to do to the fraudsters: Talk really quietly and when they are like 'sir i cannot hear you' put yourself on speakerphone and YELL into the phone as hard as you can, and you win the game when you can hear them rip their headset off in ear pain because they turned their volume up to hear you. Either that or ask them what they're wearing until they get mad at you and call you homophobic things.
I was going to say "Wait!", but then realised all my calls were from recruiters and HR departments.
So I guess you're right.
> which was also inside their network
A phone number isn't like an IP address, the call isn't coming from that number and almost certainly didn't originate on the t-mobile network
The FCC recently reduced the amount of time some companies have to implement STIR/SHAKEN to June 30, 2022.
https://docs.fcc.gov/public/attachments/DA-21-1593A1.pdf
>The Commission recently shortened the extension for a subset of small voice service providers likely to be the source of illegal robocalls.
There are legitimate use cases for this. Imagine if you are a company with 1000's of physical locations. You want all their calls to appear as if they are coming from the corporate headquarters.
That's the bottom line.
Adding authentication is pretty obviously not trivial, not just because of protocol upgrade issues, but also because end-to-end authen. won't be easy to add at all, and hop-by-hop authen. w/ something like "egress filtering" won't work in the age of phone number portability.
What might work is a TCP-like return routability test. I.e., have the network ask the ostensible device "did you mean to make this call?", though that might have other issues (think of how SYN spoofing can be used for DDoS attacks).
I.e., preventing caller ID scams is really hard.
It's almost exactly the same with phone calls, that 'From' field is just set at a provider level instead of user level - and there are many providers over the world, including some that allow the user to set this field however they like.
In the end I told them my wifi was broken and the technician should come by soon to fix it. She turned very aggressive and told me to call my brother's Internet provider right now, as this is urgent because the hackers are already in my system. I told her to call me again the next day.
I might have forgotten to mention I am using a Mac (and had to google the result of all commands & screens). I wanted to set up a VM and trace them or maybe even let them execute a manipulated cmd.exe to create a reverse shell. But after my attempts to buy some time so I could set everything up, they gave up and never called again.
So sad, I am still scared of all the „viruses of very dangerous hackers“…
They used to call me, but they said they were from 'The Windows'. I tried to get them to play Zork, but they weren't very interested, and it took me a little too long to get it started anyway.
Local area number but traceroute to a call center in India? Automatically reject.
That'll also solve the issue of unusable corporate phone support because they outsourced it to save a few bucks.
What is interesting is that I have started to receive more 727 (local area code) spam calls, maybe 2-3 per month. I suspect this must be from local friends and contacts leaking my number through sharing address books with various apps.
I am at the point now where incoming phone calls are near valueless, other than from a very small set of numbers. Most people text me, or contact me through other apps/methods. Even for business purposes, incoming calls are almost always scheduled and the very very few that are not, and from an unrecognized number, can leave a voicemail.
It is somewhat amazing how the telco's have let their core product, voice calls, become nearly worthless by not handling these spam call problems. Now I'm using contact methods and apps that are not provided by telcos and not strictly reliant on their networks.
I should not have to put this much effort into not being contacted, but otoh, it saves me quite a bit since dropping the US cell line.
The same way they make a call with any source number. The two source numbers in a call (ANI and CallerID which don't need to be the same) have historically been not required and not validated. See stir/shaken for a modern effort to change this. Coming soon to a carrier near you; maybe.
Being able to set the source number enables many useful things as well as some spam/harassment/fraud uses. It requires a lot of coordination to allow the former and restrict the latter.
TLDR: don't trust caller id. Don't call people back unless you know the number/it's an expected call.
> - Shouldn't my mobile phone network verify that the caller - which was also inside their network - is a valid subscriber? Otherwise, how can they bill someone for this call?
Call billing records don't use caller id in the way you're thinking. If you pay for incoming calls, they're charged regardless of the source number, but it's recorded for informational purposes.
For outgoing calls, the call record is made closer to the source and is tied to the line that made the call, not the source number.
For intercarrier calls (which is almost certainly the case here), the source carrier bills its customer and the interconnecting carriers count minutes on calls and settle up for the net difference in flows (calling carrier pays, but interchange fees are going to zero among US carriers).
> - How does this kind of scam call work technically?
Get a phone account where you can set the caller id and calls are cheap; call a lot of people; successfully scam one or two; take the money and run.
Some voip accounts let you set caller id. Traditional primary rate interfaces (T1) usually do too.
And lots of "back end" things depend on this silliness - for example, some MVNOs actually have TWO phone numbers associated with the phone: a VoIP "real number" and a secret "actual cell number" - Republic Wireless had this for sure. The VoIP number is what you'd give everyone, and they'd do routing weirdness to use Wifi whenever possible. The "real" cell number would go direct to the phone but not normally appear anywhere.
https://www.infoworld.com/article/2658949/paris-hilton-accus...
It's like letting someone in your house because they're holding up a paper cutout of someone else's face that you know in front of their actual face and that's good enough.
Even 'legit' businesses that call you from random numbers are basically a spam channel / are training you to get phished -- for example health insurance and credit card. Every time I call back on their official # to ask what they want, it's 10-20 minutes to figure out what they wanted (if they even know!)
We somehow aren't a society that can legislate to prevent spammers from using the phones. At this point let's pivot and punish legit businesses who use the phones to waste my time.
The real answer to the problem is to deprecate the legacy telephone system. It will never be as secure or user-configurable as just about any modern implementation of voice/video over IP.
The legacy telephone system is being deprecated. All three US mobile operators now have VoLTE (ENUM) interconnection with each other. STIR/SHAKEN call verification is happening between the mobile operators and large consumer VoIP operators like Comcast and Charter. VoIP is far cheaper to operate than POTS and most all operators are using it now and shuttering their legacy networks.
The issue has to do with regulations around the phone system. Rural call completion to small operators is a requirement - as it should be - but has loopholes that encourage abuse. This rural call completion regulation also comes with the ability for small operators to charge certain prices for call completion so they can afford to keep their high-cost rural customers serviced. The larger carriers pay these fees to connect their subscribers to those of the rural carrier.
However, some smaller operators have also been using these higher rates as a means of profiteering by allowing massive amounts of spam traffic through their networks towards the larger carriers.
They buy and install equipment and sell out the voice/data.
They actively oppose, thwart any kind of thoughtful innovation, competition etc. on anything relating to their networks, because they believe they 'own' the network and therefore 'own' everything going on on top of it.
Remember the 10-cent 'WAP' pages? Tiny, crappy, useless little mobile web pages? And they wanted 10-cents each?
Carriers would originally not sell BlackBerry service. They thought it was stupid to have 'email' on their networks. BlackBerry had to buy data and then sell to the C-suite.
Then, BlackBerry literally became the reason that people wanted to buy data. The carriers then said - you can't buy network and resell it, you must sell your products through us.
Imagine if some private companies controlled all of the roads. Any business wanting to put a car on the road had to pay a toll, and the owners could decide which kinds of cars, when, and for what reason, and intervene. They tried to provide the ambulance and transport for everyone and keep messing it up.
It's also an artefact of human organization, even a fairly enlightened community/government body would have difficulty setting clear and appropriate guidance.
The issue becomes problematic when there is a control of a scarce resource.
In truth, it's absurd that people should be able to easily fake 'from' numbers, we should have fixed that a decade ago.
My immediate guess is that they must make money off of scam calls somehow. A scam call is still a call.
This would be a legitimate use case for Caller ID spoofing.
This is why you should NEVER provide personal information over the phone if you didn't initiate the call. It doesn't matter if your caller ID says it's your doctor's office or your bank or whatever.
Hang up and call them back at the number you normally use to reach them, from their website or the back of your credit/debit card for example. Make sure you're talking to the people you think you are.
Otherwise they can phish all kinds of info out of you.
I'm not sure if it's always the case, but I believe that a call to a landline only terminates when the caller hangs up. This certainly used to be the case.
This allows scammers to ask you to hang up and call them back on the number on your card (for example), but they just mimic the dial-tone and ring, then they have another scammer answer the phone.
This is not an issue on a mobile.
Or of course as you said, always call back from mobile.
A while ago, my wife got a call from a collections agency on my phone. They asked for her name, I asked "which one?"
She said "I can only talk to ____."
I said, "I understand, but which one are you looking for, the older or younger?"
"I can't share that information."
"Then I can't put you in touch with who you're looking for if you can't tell me who you're looking for."
"I can only speak with ____."
I said "Ok, tell me the last 4 of her social and I'll know which one you're looking for."
"That's private information, sir."
"No, that's the public portion of a social security number. Tell you what, since you're learning how this works, I'll make it easy on you: I'll give you the first digit and you tell me the last. That way we both know we have the same 'protected information'. If I give you the wrong starting number or you give me the wrong ending number, we both know we have the wrong person."
"I need to speak with _____."
I gave her the starting number but she didn't budge.
I finally said "okay, since you can't verify who you're looking for, I'm going to just tell you you have the wrong number. This is my cell phone, not ____'s. You may send a letter, but this is not the correct phone number for who you're looking for. Please, do not call me again."
While all this was going on she gave me the name of the collection company which I was able to Google and determine it was a legit operation and located not too far away. A medical provider never got our correct address, but it just showed me how overly trusting some companies expect people to be. Nah, this is a two-way verification. If you're gonna call me, you need to give a little to prove to me you're legit.
I occasionally get calls on my number from a caller asking for my brother.
My standard response has always, from the first time one came in, been: "there is no one at this number by that name".
> You may send a letter, ...
If one /ever/ gets a call from anyone purporting to be a "collections agency" then this ("send a letter") is the /only/ correct response that should ever be given. You may want/need that legal record later.
It really isn't.
If people think these digits are like some secret password, they will be treated as such and used to gatekeep access to even more restricted info and accounts. Which would be a disaster because many people have had these last four digits exposed over time. Knowing them does not prove identity.
They are public.
Yes, I'm pretty sure everyone has my SSN and other details, but collections agents should absolutely follow the rules. The ones that don't tend to be abusive.
That someone who called you on the phone happens to know your SSN last four or even the entire number should not confer any trust on your part.
The tongue-rolled accent & peculiar pronunciations / choice of words is a giveaway. A large number of these IRS & collections calls originate from call centers in India.
This is not foolproof either. In some older landlines even hanging up doesn't necessarily disconnect you.
This means an attack works like:
1. Attacker dials their victim, alleging to be "Interpol", "VISA Card Services" or some other similar thing.
2. Victim takes this advice, "hangs up" and picks up and dials back.
3. After victim hangs up, attacker plays dial tone noise down the line, which they have not disconnected.
4. Victim picks up and "dials" the actual thing they want to be sure of, but is really just listening to a fake call the attackers play to them.
5. Attacker answers "Thanks for calling X".
This isn't to my knowledge true of mobile calls but it's important to know it's not foolproof either.
There's some discussion of that here: https://security.stackexchange.com/questions/100268/does-han...