HACKER Q&A
📣 nephanth

Why is phone number spoofing still a thing?


Today, I got a call from an unknown number and —since I'm maybe too curious— I picked it up. "Hello, you tried to call me?". I had not called them. I had not called anyone for around a month. It's also happened to me while I was in the US… you get a call from an unknown number, you call them back, only to find someone telling you that no they never tried to call you.

Searching for why that happened yielded something I had more or less guessed. Basically phone calls work a bit like e-mail: In the transmission protocol, you send your phone number in a "caller id" field, which is like the "From:" header in SMTP.

With old, unsecured e-mail servers, you could actually fill whatever you wanted in the "From:" address and your e-mail, including someone else's address. Your e-mail server would just transmit that to your recipient's e-mail server. And to your recipient, it would look just like the email was sent from that address you are spoofing.

From what I understand, in the same way, you can basically set the "caller id" field to anything you want, and your recipient sees that value and only that — and thus a scammer, or maybe a robocaller, simply called that person setting my number in the "caller id".

Except for e-mail, it doesn't work that way anymore. When you are connecting to your e-mail provider over SMTP, the provider actually checks that you own the address you are sending as. And when your recipient's provider gets your e-mail, they check that it was transmitted by your provider, who owns the tld to that e-mail address. It's probably not perfect, but you can't spoof an email address that easily anymore.

So, searching a bit more, I found out that by law in my current jurisdiction (France), phones should work the same as e-mails currently do: if you are using a French number in France, your carrier legally has to check that you are using the number they attributed to you or that you have authorization from the owner of that number. The call should then be authenticated by the emitter's carrier to the receiver's carrier. Any unauthenticated call should not go through (article L44 code de la poste, alinea IV).

In the same way, in the US where I had gotten all those spoofed robocalls, there is supposedly a protocol called STIR/SHAKEN (STIR on VoIP, SHAKEN on SIP) that does pretty much what I described above.

With all that, I would expect caller id spoofing to be "fixed" most of the time, so how come we still get spoofed calls?


  👤 DamonHD Accepted Answer ✓
Laundering calls through non-compliant and/or overseas carriers, SS7 and friends not actually having any way to verify/enforce, etc, etc?
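
The signing/verification flow the question describes, plus the "no signature at all" case DamonHD points at, as an added example (not code from the original post or from any carrier's implementation). Real STIR/SHAKEN PASSporT tokens (RFC 8225) are signed with ES256 and the verifier fetches the signing carrier's certificate from the `x5u` URL; here HMAC-SHA256 with a constructed per-carrier shared key stands in for that PKI so the example runs on the standard library alone. Carrier names, keys, phone numbers and timestamps are all constructed; the `verstat` value names follow the SHAKEN specification.

```python
"""Simplified STIR/SHAKEN-style caller-ID attestation and verification (added example)."""
import base64
import hashlib
import hmac
import json

# Constructed per-carrier signing keys. In a real deployment this is an
# ECDSA key pair and an STI certificate published at the x5u URL, not a shared secret.
CARRIER_KEYS = {
    "https://carrier-a.example/cert.pem": b"carrier-a-secret",
    "https://gateway-z.example/cert.pem": b"gateway-z-secret",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _canon(obj) -> bytes:
    # PASSporT signs compact JSON encodings of the header and the payload.
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_passport(orig_tn, dest_tn, attest, origid, iat, x5u):
    """Originating carrier side: attest to the caller ID it put on the call.
    attest 'A' = carrier knows the customer and the number is theirs,
    'B' = knows the customer but not the number, 'C' = gateway, call merely entered the network."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    payload = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
               "orig": {"tn": orig_tn}, "origid": origid}
    signing_input = _b64url(_canon(header)) + "." + _b64url(_canon(payload))
    sig = hmac.new(CARRIER_KEYS[x5u], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_passport(token, presented_caller_id, called_number, now, max_age=60):
    """Terminating carrier side: returns (verstat, reason, attestation level).
    verstat names are those SHAKEN puts in the P-Asserted-Identity header;
    call treatment (block, label, pass through) is a separate policy decision."""
    if token is None:
        # No Identity header at all: not proven spoofed, just unsigned,
        # e.g. a call laundered through a carrier that does not sign.
        return "No-TN-Validation", "no Identity header", None
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
    except ValueError:
        return "TN-Validation-Failed", "malformed token", None
    key = CARRIER_KEYS.get(header.get("x5u"))
    if key is None or header.get("ppt") != "shaken":
        return "TN-Validation-Failed", "unknown signer", None
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return "TN-Validation-Failed", "bad signature", None
    if payload.get("orig", {}).get("tn") != presented_caller_id:
        return "TN-Validation-Failed", "caller ID does not match signed orig", None
    if called_number not in payload.get("dest", {}).get("tn", []):
        return "TN-Validation-Failed", "dest mismatch", None
    if not (now - max_age <= payload.get("iat", 0) <= now + max_age):
        return "TN-Validation-Failed", "stale token (replay?)", None
    return "TN-Validation-Passed", "ok", payload.get("attest")


def demo():
    """Run the scenarios from the thread on constructed numbers and return the verdicts."""
    now = 1_700_000_000
    victim, scammer, callee = "+33612345678", "+33600000000", "+33698765432"
    carrier_a, gateway_z = "https://carrier-a.example/cert.pem", "https://gateway-z.example/cert.pem"
    results = {}
    # 1. Legitimate call: the number's own carrier fully attests (A).
    tok = sign_passport(victim, callee, "A", "id-1", now, carrier_a)
    results["legit"] = verify_passport(tok, victim, callee, now)
    # 2. Same token captured and replayed an hour later.
    results["replay"] = verify_passport(tok, victim, callee, now + 3600)
    # 3. Scammer holds a valid token for their own number and edits orig to the victim's.
    own = sign_passport(scammer, callee, "A", "id-2", now, carrier_a)
    h64, p64, s64 = own.split(".")
    edited = json.loads(_b64url_decode(p64))
    edited["orig"]["tn"] = victim
    results["tampered"] = verify_passport(h64 + "." + _b64url(_canon(edited)) + "." + s64, victim, callee, now)
    # 4. Valid token left intact, but the SIP From shows the victim's number.
    results["mismatch"] = verify_passport(own, victim, callee, now)
    # 5. Laundered through a non-participating carrier: no Identity header.
    results["unsigned"] = verify_passport(None, victim, callee, now)
    # 6. Entered via an international gateway that can only give attestation C.
    results["gateway"] = verify_passport(sign_passport(victim, callee, "C", "id-3", now, gateway_z), victim, callee, now)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} -> {verdict}")
```

The point of scenarios 5 and 6 is the one DamonHD makes: verification only tells the terminating carrier whether a signature is valid and how much the signer vouched for. A call with no token, or a gateway-signed token at attestation C, is not proven spoofed, so whether it is blocked, labelled "Spam Likely" or simply delivered with the forged caller ID depends on carrier policy, not on the protocol.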

👤 sleepybrett
Also probably useful if you want some kind of 'reply to' number.