back to article UK crimebusters shut down global call-spoofing outfit that claimed 170K-plus victims

The UK's National Crime Agency (NCA) has shut down an outfit called Russian Coms – a call-spoofing service believed to have swindled hundreds of thousands of victims. The agency also arrested at least four suspects thought to be involved in the fraudulent operation, which spanned more than 100 countries. Despite the moniker, …

  1. Lee D Silver badge

    1) Why is spoofing still possible?

    2) How dumb are criminals: "according to ads for the fraud service on Snapchat, Instagram, and Telegram"

    It's really not hard. Override any requested originating number information and reveal the originating phone number unless and until they prove ownership of an alternative they wish to use (e.g. a shortcode name like NHS, or a main switchboard number).

    We can do that for landlines and mobiles overnight.

    Hell, make it a subscription service. Want to use another number than the one you're calling from? £5 a month on your bill, and subject to checks that you own that number.

    1. Missing Semicolon Silver badge
      Mushroom

      1) Why is spoofing still possible?

      Because non of the telephone operators (mostly BT here) want to spend any money, or forego any revenue. Establishing the bona-fides of call sources, and maintaining allow-lists for each CLID source, cost money. And then they would have to not get paid for carrying the call.

      If BT were liable for scams enabled by spoofed CLID, you betcha it would be fixed in days.

      1. G40

        Re: 1) Why is spoofing still possible?

        Calling OFCOM? WTF are you when not asleep at the wheel?

        1. john.jones.name
          Mushroom

          Re: 1) Why is spoofing still possible? - who do you trust

          so yes you can have a system that verifies (SHAKEN/STIR attestation)

          BUT you have to trust some root authority

          BT etc dont want to trust and pay the american certificate providers

          they could use DNS and self signed certs...

    2. Like a badger

      "How dumb are criminals"

      Being brazen works and the game is definitely worth the candle. Most fraudsters are not caught, the few that are get meagre sentences in the UK and are rarely subject to "proceeds of crime" seizures. Best thing for these scumbags would be to deport them for trial in the US.

    3. Anonymous Coward
      Anonymous Coward

      1) Why is spoofing still possible?

      @Lee D: “1) Why is spoofing still possible?

      Presumably because the SS7 protocol allows such. Else how can the spooks be able to monitor us.

    4. DS999 Silver badge

      How dumb are criminals

      Apparently dumb enough that they named it "Russian Coms" which is practically putting up a sign in neon lights that says "criminal enterprise"

  2. Flak
    Flame

    Regulation please

    I am normally a 'less is more' person when it comes to regulations, but in this case it is needed.

    This is what is needed:

    Originating caller carriers must only accept display caller IDs where the originating caller 'owns' the number. This may be a main office number or even a non-geographic one.

    At least that way there would be traceability and accountability.

    1. Richard 12 Silver badge
      Mushroom

      Re: Regulation please

      It's very simple:

      Make all carriers in the chain jointly and severally liable for consumer losses involving a spoofed telephone number, with the only defence being proof of due diligence that the number was in fact owned by the caller.

      1. Alan Brown Silver badge

        Re: Regulation please

        This may be easier than people think

        The terminating telco is paid to handle the call. Make them liable because of that payment and things would quickly be fixed

  3. Anonymous Coward
    Anonymous Coward

    New approach to telephony

    Wouldn't it be just cheaper for governments to regularly run ads on TV and online with warnings that phone calls in general are only secure when a person calls a known bank number, not vice versa. So every time a "bank" calls, you must call the bank's official contact number.

    There should be a law requiring all organizations to be reachable by their official phone numbers, then routing to a specific person if necessary: for example by passing a *code word* to route the call. In such scenario a bank may call you to only tell there is a pending issue, a code word, then recommending visiting the official web site for the contact phone number. So the person will call the official number and tell the code word.

    This would be the easiest way to fix otherwise un-fixable flaw of the telephony. Let people get used to the method. After some time it will become a habit and common practice.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like