July 14, 2021 49 mins

How do scam artists disguise their phone numbers when setting up robocalls? We look at Caller ID and spoofing and learn how companies and government agencies are trying to fight back.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:04):
Welcome to TechStuff, a production from iHeartRadio.
Hey there, and welcome to TechStuff. I'm your host,
Jonathan Strickland. I'm an executive producer with iHeartRadio
and I love all things tech. I say that
a lot, but then I always have to qualify it,
and this is gonna be another one of those episodes.

(00:25):
So today I thought I would talk a bit about
caller ID, spoofing and robocalls. Mostly caller
ID and spoofing. Robocalls, I think I'm gonna have
to save for another episode. But here in the United States,
the major telecommunications companies, those being Verizon, T-Mobile, and
AT&T, now have to work together to

(00:45):
fight spam calls due to a mandate from the Federal
Communications Commission or FCC. Now, the "too long,
didn't listen" message behind this, as opposed to "too long,
didn't read," is the goal is to eliminate spam robocalls
going to your phone, so that you don't act like
your phone is a bomb about to go off every

(01:07):
time it rings. But to understand why this is necessary
and how it all works, we have to go much deeper.
So if you, dear listener, are of a certain age,
you might remember a time when we didn't all carry
smartphones around with us all the time. You might even
remember a time before we even carried simple cell phones

(01:27):
with us. In fact, some of you might remember being
on a telephone handset that was tethered to a phone
that was mounted to the wall, or sitting on top
of an end table or something. And back in those days,
dear friends, if someone called you, you really had no
way of knowing who that someone was. I know, it's terrifying,

(01:49):
right? The phone rings, and there's no way to know
who or what is on the other side. Could it
be Grandpa Joe and he's found a golden ticket? Could
it be the local food bank calling to see if
you'll volunteer this year? Could it be a wrong number?
The only way to find out was to answer the phone,

(02:11):
or if you were a fancy person, you might let
the call go to an answering machine. Side note. The
answering machine traces its history all the way back to
the nineteen thirties, but when I was growing up in
the seventies and eighties, they were still relatively uncommon for
most of the people I knew. But by the mid
eighties that had totally changed, and we started seeing

(02:31):
commercials for like novelty answering machine outgoing messages. That used
to be a thing. There was this incredible pressure to
create the perfect outgoing message to convey to those calling
that you had a personality. But I digress, let's get
back on track. Many answering machines would play incoming messages

(02:53):
out loud on a loudspeaker as someone was making the message,
which meant that you could use an answering machine to
screen your calls, and a lot of people did so.
If you had anxiety about answering the phone, you could
just wait for the answering machine to activate and then
see if the other person on the other end of
the call was going to wait around long enough to
actually leave a message after hearing your hilarious and yet

(03:16):
incredibly effective outgoing message. Then, upon recognizing the voice, you
could choose to either interrupt the machine by picking up
the phone and having the call initiate, or just letting
it go. Simpler times, really. Not that caller ID
wasn't a thing back then. The foundation of caller
ID technology has a history that dates back to the

(03:37):
late nineteen sixties and to really understand all this, we
should take yet another step back and just talk about
phone calls in general, and we'll build from there. So
when Alexander Graham Bell made his first call, arguably not
the first call, but that's a story for another time,
it was a direct line from his station to that

(03:58):
of his assistant, Thomas Watts, and there was no need
to route that call anywhere. It was a straight road,
if you will, from one point to another. Now, let's
say we've got a group of four people and we
want to connect these four people with phone lines so
they can talk to each other on the phone. We
could do this directly as well. Right, A simple way

(04:20):
to draw this out would be just draw four points
as corners of a square. Uh. Those corners represent our
four phone friends, and we draw straight lines from each
point to each other point. So what you end up
with is a square with a couple of diagonal lines
crossing through the center, and boom, you've got your four

(04:42):
person network. Each person has a direct line to each
other person in the network. But as we try to
add more people to a system like this, we quickly
see the limitations that we face. Each new connection means
we have to establish cables between that person and every
other person on the network. This gets expensive and complicated

(05:03):
and messy and unsustainable. A phone network in which every
single person with a phone has a direct line with
every single other person with the phone is just impossible.
You wouldn't even be able to move around because of
all the cables everywhere, and so an important development in
the history of the telephone system was the creation of
the local exchange. The local exchange is a centralized point

(05:27):
that you dial into, and then the exchange could switch
on a connection between your line and the line of
whomever it was you wanted to call. So in the
early days of telephones, this was done with actual human
beings sitting at a switchboard and manually plugging cables in to
complete calls from one person to another. So now rather

(05:47):
than having direct connections with every other phone in existence,
you really just needed a direct connection from your phone
to an exchange. This cuts way back on the amount
of cables that you needed in order to create a network. Now,
this works fine for local calls, like you know, within
a city, everyone can connect to that one local exchange,

(06:09):
But the word local gives us a hint that there
isn't one single exchange for every phone line out there. Now,
local exchanges will cover a specific region, but beyond that
you have other local exchanges. And to connect these exchanges together,
phone companies laid out what were called trunk lines. These

(06:30):
are cables capable of carrying multiple phone signals simultaneously, which
is a good thing too. Otherwise a single long distance
call would prevent anyone else from making a similar sort
of call between you know, those two specific exchanges. The
networks grew organically, connecting to one another and forming what
we call the Public Switched Telephone Network or PSTN.

(06:52):
You could look at it as a sort of hierarchy
as more of the world built out phone systems. At
the very bottom of this hierarchy, you had your
individual landline phones, the stuff in homes and offices and
phone booths and stuff like that. We used to have
these things called phone booths. Superman would change in them.
Doesn't matter. One level up from this level, and you

(07:16):
have your local exchanges, right, These are the ones that
connect local calls to each other. And as I said,
in the old days, this was done with human operators
moving physical plugs into physical outlets to complete circuits and
switch on a phone call, but it didn't take long before
the complexity of phone systems necessitated innovation to create automated
ways of handling this. One level up from local exchanges

(07:39):
are your trunk exchanges. The trunk exchange is to local exchanges,
as local exchanges are to individual landlines. The trunk
exchanges allow the various local exchanges within a country to
connect to one another. A level above the trunk exchanges,
you have international gateways, which interconnect the phone system of
one country with other countries. Often you end up

(08:02):
having super long cables connecting these, including cables that run
under the ocean. You know, there's cables under the Atlantic
that connect Europe to North America, for example. All right,
so now let's get a bit more complicated by throwing
cellular phones into the mix. Cell phones communicate to cell towers,

(08:23):
which you can think of as being kind of similar
to the local exchange I was talking about earlier. So
cell towers are essentially antenna, and the cell phones communicate
with cell towers through electromagnetic radiation, specifically radiation that falls
into the microwave frequency range. But they're not the same
microwaves that we use to zap our popcorn in microwave ovens.

(08:45):
It's not that level of frequency. It's also a very
low wattage that we use for cell phones. Now, the
microwave acts as a carrier wave, and I've talked a
bit about carrier waves in the past with stuff like
radio signals. Each phone is using a slightly different frequency,
otherwise you would run into issues with phones interfering with

(09:05):
one another. All right, So cell phone towers are at
the heart of the cells that make up a service area.
One really clever thing about this approach is the handshake
that happens as you move across a region. So you
can be on a phone call and you can be
let's say, in a car, and you pass out of
the range of one cell phone or cell tower rather

(09:28):
and you enter into the range of another, and your
call continues on as if you had a solid connection
on a single cell tower the entire time. I'm gonna
leave it at that, because getting into the tech of
all that would really get us off course. This episode
would end up being like three hours long. But maybe
I'll do a full episode about how cell towers work.
It is really fascinating because they have to be very

(09:49):
careful with the frequencies they use in order to both
service everyone who's within range of a specific cell tower
and not interfere with anyone who's at a neighboring cell tower. Anyway,
Connecting the towers is the Mobile Telephone Switching Office or
MTSO. Each service provider has its own

(10:09):
MTSO in regions. So if the person you're talking
with is in the same region, such as like in
the same city as you, and they happen to be
on the same carrier, one MTSO pretty much
handles everything. The call signals go through the cell towers
to one another through the MTSO, but
the calls are not made directly phone to phone. It's

(10:30):
not like your phone is acting like a radio directly
with the other phone. Now, if you're calling someone who's
on the other side of the country, it's a little
bit different. Typically, your call would go from your phone
to a cell tower, and from the cell tower to
the local MTSO of your carrier, then from
there to the PSTN, that big public

(10:52):
switching telephone network, and that would then route your call
to the MTSO relevant to whomever it was
you're calling on the other end. So even cell calls
can rely upon the old phone system. Getting back to
caller ID. Back in the nineteen sixties, there was
an engineer named Theodore Paraskevakos. He still is, I mean,

(11:13):
he's still alive today. He developed a way to send
electronic data over telephone lines. In v he filed and
received a patent for a quote decoding and display apparatus
for groups of pulse trains end quote. This would become
the basis of caller ID, in which the telephone
of the person making the call will send data relating

(11:36):
to the phone number of that originating call along with
the call itself, and a device on the other end
on the receiving end could get this information, decode it
and display the incoming phone number and thus identify the
incoming call. Other engineers around the same time period began

(11:57):
to develop similar technologies and approaches, and so the early
days of caller ID are a bit muddled, as
there are numerous patents assigned to different inventors, some of
which acknowledged the existence of other inventions as prior art.
One of those inventors was Kazuo Hashimoto for a quote
Telephone Information displaying device end quote. The abstract of that

(12:20):
patent essentially lays out what we think of as caller
ID. So I'm going to read to you the
abstract of this patent. Here it goes: A calling party's
telephone number displaying device, in which, while the telephone set
of a subscriber is ringing in response to calling signals
from a telephone exchange office, the telephone number of a

(12:41):
calling party and information are displayed on digital display units
at high speed before lifting the handset. Accordingly, the subscriber
can determine whether or not he should answer the call
before picking up the handset. Thus his privacy can be
protected from a variety of telephone troubles such as wrong
number and nuisance calls. The display is maintained as it

(13:03):
is even if the handset is put back after the talk,
but it will be cleared automatically upon reception of the
next call to display the telephone number of the next
calling party. When the subscriber picks up the handset to
make a call, the internal circuit is automatically changed to
display a telephone number dialed by him. That's it. So
that patent pretty much explains that the invention would allow

(13:26):
telephones to send and receive signals between successive ringing signals.
So in other words, when the phone company isn't sending
the signal to make the receiving phone ring, it could
send the signal containing information about the origin of that call.
And that's why if you're using a landline and you
get a phone call with a system that had caller

(13:48):
ID, you would only see the ID stuff
pop up after the first ring happened. The method for
sending the information was a type of frequency modulation that's
changing the frequency of a signal in order to encode
information on it, called frequency shift keying or FSK.
Applying FSK to a carrier signal alters that

(14:10):
carrier signal in a way that can be interpreted on
the other side in some manner. So in the case
of caller ID, that some manner is that the
transmitting side can encode the phone number in that carrier wave,
and the receiving side can decode that carrier wave and
get back at that number. FSK is used in lots
of applications, not just caller ID. But for our purposes,

(14:33):
it's just important that we know that this is the
methodology that the phone companies used to transmit the
info of Hey, this is the phone number that just
dialed you. But this wasn't going to be a service
that phone companies were going to throw in for free. No,
this would be something that companies would charge for on
top of the normal phone bill. Now, the story goes

(14:53):
that the phone companies at first planned to offer this
service as an audio one. So, in other words, you
could opt into this service and you would get a
verbal alert when you picked up the phone telling you
the phone number that the call originated from. Uh, and
the phone companies were hoping to charge on a per
use basis, so every time you did this you get

(15:15):
charged a little amount. That's not how things eventually turned out.
We'll get into caller ID a little bit more
after the break, and then we'll talk about the systems
that enable spoofing. But first let's take that quick break. So,

(15:35):
phone companies were licensing technologies to enable caller ID
in the nineteen seventies, but it wasn't until the mid
nineteen eighties that we saw the first pilot program of
caller ID here in the United States. That took
place in Orlando, Florida, where you know, the characters from
Book of Mormon really wanted to go, and that happened.

(15:56):
Back in four BellSouth offered a service called TouchStar,
and caller ID was one of the features that
you could opt into with TouchStar. It was called
Custom Local Area Signaling Service, but it would become known
as caller ID. Now, if you weren't around in
the nineteen eighties, you might be surprised to hear that

(16:16):
the emergence of caller ID was viewed with suspicion
from multiple fronts. In the US, politicians were asking if
perhaps caller ID would violate wiretapping laws, and
others were likening it to tracing a phone call, kind
of like what you see in movies, where you know,
the police are trying to track a specific criminal as

(16:36):
they talk on the phone. But in fact, it was
such a controversial subject that it took more than a
decade for all fifty states in the US to actually
adopt the technology. California held out the longest. California only
incorporated caller ID in nineteen ninety six, twelve years
after Orlando, Florida got in on it. And by the

(16:57):
mid nineties, there was another big concern to think about,
and that was privacy. We weren't quite at the same
level that we are now, not by a long shot,
where the average netizen has generated tons of information about
themselves that can link back to them. But we were
entering into an era in which certain companies were building

(17:18):
out comprehensive databases about consumers, and so you started to
see companies building out profiles or even dossiers on people. Now,
if you want to be charitable, you could argue this
helped those companies serve their customers more effectively. But if
you want to be cynical, you could say that this
gave companies more information to leverage while trying to sell

(17:41):
goods or services to a potential customer. The truth is
probably somewhere in the middle. But what concerned privacy advocates
is that a business could theoretically rely on caller ID.
So if someone were to call in, let's say that
someone needs to talk to a customer service rep, then
that rep could do a reverse phone number lookup

(18:03):
on that call, and pull up a full profile of
the person calling. And there were a lot of privacy
implications that were concerning. Actually kind of seems quaint in
comparison to what we deal with today, at least if
you look into how private information gets handled these days.
For that reason, telephone companies introduced an option to

(18:23):
allow customers to opt into caller ID blocking. Now,
if you did this, it meant that your number would
not be displayed when you called someone else. You were
effectively blacklisted for caller ID. And so you know,
if I opted into this and I called you, you
would probably see some sort of message like caller unknown
or something similar to that, which probably means you wouldn't

(18:48):
likely pick up my call. To be fair, you probably
wouldn't anyway, I'm kind of a drag to speak to
on the phone. It took time for attitudes around caller
ID to change, but we did obviously see
that happen. Today, for many people, including myself, we don't
pick up the phone if we don't recognize the number

(19:08):
that's displayed on our phone screen, and that means that
if the call comes up as unknown or something along
those lines, we're not likely to answer it. We'll probably
let it go to voicemail. In fact, these days, I
feel a sense of anxiety even if I do recognize
the number, which is weird because I was one of
those folks who back in the eighties and nineties, I

(19:29):
loved to talk on the phone. Now it seems kind
of odd. I have a small group of friends and
family with whom I'll chat with on the phone, but
they are truly the exception and not the rule. Anyway,
Caller ID made the transition from being viewed as
being invasive or creepy to being necessary in order

(19:49):
to function as a human being in the modern technical age.
And there's a related thing I should talk about quickly
for folks in the United States, and that's the Calling
Name Presentation, that's CNAP, or Caller Name Delivery,
that's CNAM, systems. These are systems that can provide
a name to go with a phone number. So with

(20:11):
these systems, you don't just get a telephone number. You
get a person or business name that is associated with
that phone number. So here's how it works. In the
United States. Let's say we've got two people. We've got
Max and Chris. And Max is in New York and
Chris is in California. What's more, Max is a T-Mobile

(20:32):
customer and Chris's carrier is AT&T.
And both Max and Chris are using smartphones, so they're
on cellular networks. So Max calls Chris. Max's smartphone is
connected to a nearby cell tower, nearby T-Mobile cell tower,
and that routes the call through T-Mobile's MTSO

(20:53):
in that particular region, and the MTSO
then routes the call through the PSTN, the Public
Switching Telephone Network, and that then routes the call
to the AT&T MTSO
all the way out in California. That connects to a
cell tower that's in Chris's area, and it sends the

(21:14):
call to Chris's smartphone. Now it's at this stage, the
AT&T stage, where we see the system
call up the name. So, in other words, the name
lookup is on the receiver's end. It doesn't originate
from the phone that's making the call. It's all down
to whichever carrier is in operation on the receiving end,

(21:37):
and AT&T sees that Max's phone number
is coming in, so it recognizes the number. But to
associate that number with Max as a person, that requires
a database lookup. And because Max is a T-Mobile
customer, not an AT&T customer,
AT&T technically has to pay a very small
fee called a dip fee to look up the information

(22:00):
and then to send that on to Chris. Then Chris
sees that Max is calling and picks up, or Chris
ghosts Max. I don't know what their friendship looks like,
to be honest, my point being that the name associated
with a phone number isn't magically connected to that number. Rather,
there are these massive databases of phone customers out there,

(22:21):
typically at the local level, and these databases match numbers
to names. There's no universal database out there that has
every name and every number, So phone companies have these
ongoing agreements to charge these small dip fees to dip
into the databases and retrieve relevant information. All right, So
that's caller ID, and I think it's pretty easy

(22:43):
to understand from a high level how it works. But
then what about spoofing. Well, spoofing is a practice in
which the number that pops up on a color I
D system is not the same as the actual number
making the call, And there are legitimate reasons to do
this that have nothing to do with scams or crimes.
So spoofing as it stands is not illegal on its own.

(23:07):
It's only illegal if you're using spoofing to purposefully mislead
or scam people, then you can face a pretty big
fine in the United States. But spoofing is just a thing,
not illegal. So let me give you a scenario where
it's it's allowed. Let's say that you work at an
accounting firm and you're in charge of making some follow

(23:28):
up calls relating to a specific account. Now, you have
your own phone at your desk. But and your own
phone actually has its own extension, You can make calls
within your department, you know two, directly to your coworkers,
no problem. But chances are you would rather have your
outgoing calls, the ones you make outside of your company,

(23:50):
map not to your desk's phone number, but to the
number for the accounting firm as a whole. That way,
anyone on the receiving end would see that it's a
call coming from this big accounting company, not some unknown
desk phone. You would need a way to replace your
desk phone's number with the overall company's phone number. This

(24:11):
happens all the time with big companies and doctor's offices
and stuff like that, So you can probably think of
lots of legitimate uses where the call going out seems
to be coming from a very large known entity rather
than an individual phone located within that entity. But to
make this happen, you have to have some sort of

(24:33):
technology that does the old switcheroo with the phone numbers. Now,
as I mentioned earlier, caller ID in the old
phone system involves using FSK, or frequency shift keying,
to alter a carrier signal in a specific way to
transmit information about a phone number in between the signals
that cause the receiving phone to ring. And it turned

(24:55):
out that if you could figure out the FSK
process and build the right technology, you could build
out a system that would use FSK to transmit false information,
allowing you to mask the true originating number of a
call and substitute in something else. It'll let you spoof
a phone number, in other words. And this again was

(25:15):
was made on purpose eventually, like when once we got
to the point where we had big companies with these
kind of phone systems, it was sort of a necessity.
So it's not like this was an oversight or or
rather it wasn't a vulnerability. It ended up being an opportunity.
But if you wanted to take advantage of it, it

(25:36):
wasn't really easy to do. Back in the early two thousands,
for example, it was actually pretty challenging. With the right
hardware and software, and with a digital phone line, you
could manage it, but it was beyond most people. Some
big businesses used it for the purposes I mentioned earlier,
but that was kind of the extent of it. Now,
part of what makes this possible is a system called

(25:58):
a private branch exchange or PBX. So this
doesn't fit neatly into that hierarchy I mentioned earlier. A
PBX is a telephone system that's typically within
a really big organization, like a big business, And essentially
what it does is it allows for an internal telephone system,
that is, one that connects all the internal phones with

(26:21):
each other, but it keeps a limited number of external
phone lines that connect outward to the general you know,
public switching telephone network or PSTN. So let's say we're
looking at a corporation with like five thousand employees. Rather
than making sure every single employee has a direct phone
line to the outside world, the business chooses to set

(26:44):
up a PBX. While there's a phone at
every employee's desk, and these phones can make direct calls
to one another within the business's local network, to make
a call to the outside world, first, you might have
to do something like dial a nine, and that actually
opens up one of the business's limited external phone lines.
So let's say that this particular business has one hundred

(27:06):
dedicated external phone lines, which sounds like a lot, but
it's way fewer than the five thousand you would need
for every single employee to have their own personal external line.
As long as fewer than one hundred employees are making
calls to the outside world at any given time, there's
not really a problem here. There are different flavors of

(27:27):
PBX, and they date back even to when
the phone system was purely running on analog signals and
there were no digital signal phone lines. Today, PBXs
include technologies like Voice over Internet Protocol or
VoIP. An IP PBX, or Internet Protocol
private branch exchange, can sometimes include the ability to spoof

(27:49):
a phone number. It can be built into the system.
Sometimes it's got a very easy way to access and
make these changes. You'll just have like a little online
form and you can go in and you can select
what you want the outgoing call number to look like.
But you know, it's really handy if you want everything

(28:11):
to look like it's coming from a major office phone number.
But it's also opened up the opportunity to start a
new kind of fraudulent business. One early company that tried
to create a business out of spoofing was founded by
a dude named Jason Jepson, who launched a service called
Star thirty eight dot com. With Star thirty eight, customers,

(28:34):
who from the beginning were supposed to be limited to
people like licensed private investigators, law enforcement and debt collectors,
would be allowed to pay a fee, and that would
let them make phone calls while disguising the phone number
that they were using as you know, something else. Now

(28:55):
that the thinking was that the average person isn't keen
to pick up the phone if they happen to
know that there's a private investigator on the line or
a debt collection agency, you know, they would rather ghost
that call. So the thinking was, it sure would be
useful to be able to hide that information and convince

(29:15):
the person on the other end of that line
to actually pick up the phone. So the best way
to do that is to hide who you are. Star
thirty eight dot com didn't have a long and illustrious
history in its original form. Three days after he launched
the service, Jepson announced he was looking to sell the business.

(29:36):
He had received numerous threats and harassing calls and felt
it was just, you know, not the right line of
work for him. Other services like one called Camo Phone.
You know, like camouflage, but Camo Phone, those kind of surfaced,
and Star thirty eight actually did come back as a
service marketed as being exclusive to law enforcement agencies, and

(29:59):
that was really the beginning of spoofing. But when we
come back, we'll talk about how spoofing really proliferated as
VoIP systems grew in popularity, and how the FCC is
responding to the issue today. But first let's take another
quick break. The emergence of voice over Internet protocol was

(30:25):
one of those truly disruptive technologies. In this case, it
was disrupting the telecommunications business that got, you know, totally
turned on its head because of this. VoIP would allow
people to make phone calls using the Internet as the
transmission system, essentially bypassing the phone companies in the process

(30:45):
at least on one end of the call, possibly
both. VoIP phones can connect to one another over the
Internet and not even touch the phone system, at least
not the way that normal telephone calls do. But what
if someone were to use a VoIP phone to
call someone with a phone that's connected to
the old public switching telephone network or PSTN? Well,

(31:07):
any VoIP call connecting to the PSTN has
to go through what's called a VoIP gateway, which serves
as a bridge between the two systems. See, VoIP traffic
over the Internet protocol, uh, that's using packet switching protocols.
That's what the Internet at large uses in order to

(31:27):
send data. It divides up files into packets of information
and then sends them across the network to be essentially
reassembled on the other side. But this is incompatible with
how phone calls are transmitted across the PSTN.
It's two totally different systems. So the gateway has to
decompress the digital packets from the VoIP call and turn

(31:50):
it into a digital signal that then can be converted
into an analog signal to cross the PSTN,
which is pretty wild, right? Gateways also come in
different flavors. There are standalone gateways, uh, then there are
gateway functions that can be built into specific types of routers. Uh.
There's also the IP PBX that I

(32:11):
mentioned earlier. Those can act as gateways. The important part
for our discussion is that many of these VoIP services
allow users to take advantage of PBX features
that traditionally only big companies could use, including spoofing the
phone number. So as VoIP technology proliferated and as more

(32:33):
providers began to offer up spoofing services, including ones that
just they allow you to start up an account and
you pay a certain amount and then from that point
forward you get just have your account deducted whenever you're
making calls using spoofing. This kind of technology really
allowed bad actors to see potential for spoofing numbers for

(32:56):
malicious purposes. The goal is always to convince someone to
pick up the ding dang phone, and one of the
popular approaches centered around spoofing is to create a number
that is similar to the target number you're calling, so
in other words, trying to get something within the same
area code, maybe even the same phone prefix. I get

(33:17):
this all the time with spoofed numbers. So the
idea is that if you see a number pop up
on caller ID and it appears to be a
local number, you're more likely to pick up the phone
because you're more likely to feel that the person on
the other end of that call is someone you know,
or at least it's something relevant to you. That's how

(33:39):
they get you. Well, it's one way. Another way is
to use databases of personal information to create spear phishing attempts,
though not every scammer goes to that kind of trouble,
but they could attempt to spoof specific numbers that you
might know, so you might think, oh, it's my auntie calling.
I wonder what's up, and you answer and you find

(34:00):
out it's not your auntie, it's a scammer. Uh. A
lot of these hackers and scammers just sort of cast
a very wide net to see if they catch anything.
If you pick up a phone that is a catch.
At that point, you might be prompted to, say, press
a number in response to a specific direction, you know,
like press two to speak with a representative. Don't do it,

(34:23):
it's a bad idea. A lot of these are actually
worked into systems where if you do a button press,
it gets interpreted as an authorization for a charge, and
the scammers are making money off of this, and you're
getting charged through your phone company and you get these,
you know, fraudulent charges on your account, So don't fall

(34:44):
for that. Um, uh, this is essentially illegal. I mean,
it is illegal, but it doesn't stop people from doing
it because it's kind of hard to catch them. Uh.
You might also get someone who's on the other end
of the call and they're looking to get valuable information
from you, like a bank account number or something. Obviously,
it's a bad idea to engage in this sort of stuff.

(35:06):
In fact, it's bad enough that some phone companies and
the FCC have argued that if you don't
recognize a number, don't answer it. Think about that for
a moment. This you have companies like phone companies, their
business is charging customers for this interconnectivity, this ability
to have communication channels open. And then they're saying, by

(35:29):
the way, if you don't recognize the number, don't use
our services, which we are charging you for. It's kind
of wild, right, because you would think, if this is
that big of a problem, surely there has to be
some measure you can take to kind of curtail this problem.
Because what you're telling me right now is that your
service isn't good enough for me to rely upon all

(35:51):
the time because there are people who are leveraging it
to try and take advantage of me. That's not a
great marketing message, right? Now, the use of numbers that
are similar to your own typically gets called neighbor spoofing
or neighborhood spoofing, and it's a pretty irritating tactic. Uh.
It's also possible that someone could spoof your phone number

(36:14):
while they are calling someone else. So for them, it's
going to come up on caller ID that you're
the person making the call. Right, it's gonna be your
phone number, even though you're not the one doing it.
It's because it's been spoofed. So the question is what
do you do if that happens to you. You are
not going to like the answer, because there's not much

(36:35):
you can do other than try to explain to anyone
who's calling you up angry that you're making these calls
that you're not the one making the calls that are
upsetting them. That's kind of difficult to get across because
people are looking at their caller ID and saying, no,
I see on my ID that you are the
one calling me. I'm telling you to stop and your

(36:56):
might Meanwhile you're trying to say no, no, I promise
it's not me. Someone is spoofing my phone number. Depending
upon the person on the other end of the line,
they might not have any idea of what that means
or even know that that's possible. Now, I've had this
happen to me in the past, however, not on my
personal phone. So many years ago, I was working at

(37:18):
a consulting firm and I was getting calls from a
woman who was angry that I was calling her and
I was making these crazy machine noises into her phone.
Now I figured out that what was happening was that
some fax machine was calling her landline as if it
were another fax machine, and since her phone is not

(37:41):
a fax machine, she was just getting that garbled electronic
mass of sounds whenever she picked up the receiver. And
she said that the number that was associated on caller
ID belonged to the company I worked for. So
I had her read me the number, and sure enough,
it was our office's main phone number, but it wasn't

(38:02):
our fax number. It wasn't the number for the fax
machine we had. And I even went over to our
fax machine, and I used a report to generate a
report that told me about all the outgoing calls that
had been made, every single fax that had been sent.
And this was in a day where we still faxed
occasionally, anyway. And I checked it against this woman's number,

(38:25):
and I saw there was no call from our fax
machine going out to her number. There was nothing coming
out from our office that was going to her. But
it appeared as though someone had been spoofing our office's
phone number for fax, no less, and was sending out
stuff to people like this woman. And there wasn't anything

(38:47):
I could do about it, because we had nothing to
do with the situation in the first place. We were
victims just as she was. Someone else had picked our
number to use as a mask for some reason, and because
the VoIP system they were using allowed for this kind
of thing, there was really no way for us to
even know who was doing it, much less stop them.

(39:07):
It was frustrating for the woman, and it was not
super great for me either, because I genuinely wanted to
help her. I don't want anyone to be, you know,
aggravated and harassed in this way, and that really stinks, right?
I mean, if someone makes use of your number and
then harasses another person, you could be left holding the
bag and your defense is: it wasn't me. Someone spoofed my

(39:29):
phone number. That is pretty hard to prove to someone
unless you can actually show them that your phone did
not make those outgoing calls by just showing them a
record of every call you've made over you know, whatever
length of time. But more frequently we find ourselves on
the receiving end of these calls, which I guess we
should be thankful for because it's irritating, but not as

(39:51):
irritating as being blamed for them. And the frequency of
these calls has picked up the pace over the years.
Now, 2020 was actually a bit of an outlier.
We saw a dip in spoofed robo calls in but
in June there were more than four billion robo calls.
So it's not like that's a problem that's gonna go away.
I mean, that's nearly a hundred fifty million robo calls

(40:14):
per day. That being said, the FCC and major phone
carriers are trying to fight back a bit. The FCC
passed a mandate, actually Congress passed the law
that requires all the major carriers in the US, those
being AT&T, Verizon, and T-Mobile, to comply
with the rule that requires them to incorporate a technology

(40:35):
called STIR/SHAKEN, which is very James Bondish, you know. Now,
the idea behind this is that STIR/SHAKEN is
supposed to verify that a number that pops up on
caller ID is in fact the number that belongs
to the line that's making that phone call in the
first place. In other words, it's supposed to help detect spoofing.

(40:58):
It would mean that phone companies could filter calls
and potentially block some of them, or at least label
them as spam before they get to your phone. Now,
those three carriers have said that they have all enabled
this technology on their own networks, which is good because
the deadline for doing so was this past June. To

(41:19):
be precise, Smaller regional carriers in the United States currently
have a deadline of June three to implement this technology,
though that could change. The FCC might step up that deadline.
So what's going on with this technology? Well, first let's
talk about what these names stand for. Though I suspect

(41:39):
there's some backronym shenanigans going on here. That is that
you know, they came up with the names and then
tried to figure out what they stood for, as opposed
to the other way around. Anyway, STIR stands for Secure
Telephony Identity Revisited and SHAKEN stands for secure handling of
asserted information using tokens. So the KEN part of

(42:04):
SHAKEN comes from tokens. And you cannot convince me that
this wasn't some crazy backronym thing. Anyway, these two technologies
work in tandem. SHAKEN is honestly just sort of a
broader thing. We'll get to it. So STIR comes out
of a working group of the organization IETF,

(42:24):
that stands for Internet Engineering Task Force. The group
figured out a way to append digital signatures on a
call as a means of authenticating that a call comes
from a specific phone number for realsies. SHAKEN refers
to the standards that service providers are supposed to follow
while they're deploying STIR in their networks. So SHAKEN really is,

(42:47):
here's how you use this technology that is STIR. The
protocols give three levels of attestation that carriers can assign
to a call, or service providers, I think is how
they were. The service providers can assign to a call,
so full attestation means that the service provider has a

(43:08):
call originating out of their service and they say that
that call is in fact coming from a number that
this particular customer is authorized to use, so in other words,
it's legit. Then you have partial attestation, and that means
that the carrier has authenticated the customer making the call.
They're saying, we know who is making the call. However,

(43:30):
we cannot verify that this customer is actually authorized to
use the number in question. Then there's gateway attestation,
which means that the service provider can authenticate where it
received a call, but can't authenticate the source, can't say
who for certain sent it. The information is meant to
be shared between carriers, so that one carrier can essentially

(43:52):
say to another, hey, here's this call that needs to
go over your network to get to your customer, But
I totes can't verify that the call is legit, so
it may be sus, just a heads up, and then your
carrier might block the call or append a label, alerting you,
the customer, that the call could be spam. The
way this works in practice is you've got someone making

(44:14):
a call. Let's say it's Scuzzy Scumbag who's posing as
a member of the Internal Revenue Service, but Scuzzy really
just wants to phish personal information out of you. Scuzzy
picks up the phone or more likely uses an automated
robo dialer and calls your number and spoofs their own
number in the process to make it seem as if
it's the IRS calling you. The call goes

(44:37):
out over Scuzzy's service provider, whomever that may be. The
service provider takes a look at the originating number and
the source of the call to determine what level of
attestation to assign to that call. Then it makes use
of an authentication service to create a digital certificate that
holds onto this information, then passes both the call and

(45:00):
the certificate on so that it ultimately ends at the
terminating service provider. This would be whatever service provider you use.
So let's say it's like AT&T. So
now it gets sent to AT&T. So
AT&T, your service provider, upon receiving this
signal and digital certificate, sends the certificate to a verification

(45:21):
service which attempts to verify if the originating source of
the call is authorized to make calls from that number
it claims to be calling from. Then it returns this
information to AT&T, and then AT&T
can either block the call or label it
or pass it on to you. So this approach is

(45:41):
not like a catch all for all robo calls and
spam or even for spoofing. It's not going to put
an end to it, but it is meant to help
cut back on those practices. There are other companies trying
to address this issue in other ways. There are companies
that have blocking services that you can use, there's the
Do Not Call registry that you can be part of,

(46:04):
and then companies like Verizon are trying something different. Like
Verizon has introduced an updated call filter app that will
send suspected spam calls that appear to have phone numbers
from your area straight to voicemail. So, in other words,
those neighborhood spoofing calls would never even make your phone ring,
it would go straight to your voicemail. Of course, this

(46:25):
means that if there is someone from your region who
is actually trying to call you, for realsies,
they might end up going straight to voicemail too. Now
you can go into the app's filter settings and turn
those off for specific numbers, so it's not like, you know,
it's an all or nothing, but it does mean that
at least in some cases, there might be more hands

(46:47):
on work for the consumer to get everything to work
out properly. Now, I think we will continue to see
companies and governments really try to crack down on this
practice because it's so irritating. Like the people in charge
don't like it either, right, Politicians do not like robo

(47:08):
calls and spam because it affects them too, and so
we're likely to see more strides taken to try and
combat it. At the same time, we'll see the people
who are making use of it try and find ways
around the system. So it's going to be a seesaw
saw kind of approach, and it's certainly an irritating one.
So if like me, you treat your phone like it's

(47:32):
a way to send email and text and that's it,
or maybe occasionally, you know, look at pictures of cats,
then you're in good company. Because this approach of robo
calls and spoofing has really created an environment of
distrust with our communication devices, so much so that the
companies in charge of providing those services are saying, yeah,

(47:56):
kind of stinks, dotting it and saying like, yeah, you
should probably not pick up the phone. And again, they're
the ones providing the service to allow you to get
calls in the first place. It's not great, but that's
kind of, you know, how technology can be, right? It's
we can create these amazing tools that open up incredible

(48:17):
potential possibilities. But it also means that people who are
looking at the system from a different perspective may find
ways to twist it to benefit themselves at the expense
of the rest of us, which again kind of stinks.
So yeah, this is one of those topics where while
I say I love all things tech, I don't love spoofing.

(48:38):
I think it's, uh, at best, it's misleading, and at
worst it is predating upon vulnerable populations,
which I don't think is cool at all. But that
wraps up this episode. If you have suggestions for topics
I should cover in future episodes of TechStuff, reach

(48:59):
out to me. The best way to do that is
over on Twitter. The handle for the show is TechStuffHSW,
and I'll talk to you again really soon.
TechStuff is an iHeartRadio production. For
more podcasts from iHeartRadio, visit the

(49:19):
iHeartRadio app, Apple Podcasts, or wherever you listen to your
favorite shows.
