Ofcom issues stern warning over fake caller number ID scam

Telecoms regulator Ofcom is warning customers of the dangers of CLI spoofing – the process which allows incoming calls to display fake originating numbers on recipients' phones. The organisation has pointed out that there are valid reasons for spoofing – “for example, a caller who wishes to leave an 0800 number for you to call …

  1. Anonymous Blowhard

    "Never give out your personal information in response to an incoming call, or rely upon the Caller ID as the sole means of identification, particularly if the caller asks you to carry out an action which might have financial consequences."

    Sound advice; are you sure this came from Ofcom?

    1. Vic

      Sound advice; are you sure this came from Ofcom?

      Sure. It was their phone number, anyway...

      Vic.

  2. AndrueC Silver badge
    Meh

    "Never give out your personal information in response to an incoming call"

    And what's the first thing Barclays says to you when they call? "Can you confirm your date of birth, please?"

    To be fair when you object they will then suggest you call them with a reference number or using the free built in messaging facility of their phone app but it still seems unfortunate that their default position is to ask for personal information on what is essentially a cold call.

    1. Doctor Syntax Silver badge

      I never was a Barclays customer but when I was an HSBC business customer I used to get calls purporting to be from them wanting identification information. I always asked them to prove who they were. They never offered any proof. If a cold caller can't prove who they are before asking for any information always assume they're faking it.

      1. Anonymous Coward

        "Hello can I speak to Mr A Coward, please?"

        "Who's calling please?"

        "XYZ Bank. It's a personal call."

        "Ah, OK. Mr Coward speaking."

        "Can we go through some security?"

        "Sure, what's the pence balance of my account?"

        "I'm sorry Sir, we have to go through your security. What's your date of birth?"

        "Now, hold on a cotton-picking minute ... you called me! How are you going to prove you are XYZ Bank?"

        "Err ... we don't have a way of doing that."

        "OK fine. So never call me again *click*"

        1. Badvok

          Re: "Hello can I speak to Mr A Coward, please?"

          I had that exact conversation with a certain three-letter bank several years ago, needless to say that I don't bank with them anymore.

        2. SImon Hobson Bronze badge

          Re: "Hello can I speak to Mr A Coward, please?"

          HSBC used to do that with me. I made "something of a nuisance" over it and they agreed it was "rather a silly thing to be doing".

          It didn't stop them doing it though - all they did was flag my account for "no sales calls". AFAIK they still use the same "forget all about good security practice" technique with others.

          The one exception to that is when there was some suspicious activity with my card. The lady that called had no problem with me not answering any security questions, nor calling back at the number she started to rattle off. The only problem was that she wasn't allowed to give me any information whatsoever, so when I did call back on the bank's published number, it took a while to get through to the right department.

          And of course, you get that certain "looks like a bank but isn't so you don't get those protections" PayPal that keeps sending out their spam about checking your account and stuff. Doing exactly what all good advice says not to do - providing a link in the email for you to click to access your account.

          No PayPal, just including my real name does NOT prove that you sent the message, nor does it prove that the link you included is to your official site.

          I've come to the conclusion that the marketing cretins have more clout than the security people at pretty well all the financial institutions I've dealt with over the years.

          1. tfewster

            Re: HSBC

            A couple of times when HSBC called me, they had an authentication method for both sides, e.g. they would tell me my month of birth and ask me to confirm the date; Or tell me a standing order payee and ask me to confirm the amount.

            I seem to recall I'd made a nuisance of myself before that by refusing to give info to a caller (allegedly) from my bank, so it was a big improvement (if still not perfect).

          2. Anonymous Coward

            Re: "Hello can I speak to Mr A Coward, please?"

            Don't get me started. I've had the whole "can we just ask you for some security" bollocks. Of course I said no. They suggested I phone them back. Let me just check, said I, this isn't a sales call is it? Oh no, certainly not, says the bank. So I phoned them back. It was a sales call (can we just review your accounts). OK, I said, review away, but first, please transfer me to your complaints department.

            Banks need a secure way to communicate with customers. This isn't it. Why popular messaging apps don't take the opportunity to solve this with a user-friendly approach to PKI is a mystery to me.

          3. Terry 6 Silver badge

            Re: "Hello can I speak to Mr A Coward, please?"

            I've come to the conclusion that the marketing cretins have more clout than the security people at pretty well all the financial institutions I've dealt with over the years.

            Sigh!

            Pretty much all organisations if my experience is anything to go by

    2. Lee D Silver badge

      You think that's bad? I ordered two beds from Bensons for Beds (now on my permanent blacklist). One was missing over 50 individual parts.

      I called to complain, they wanted all the details known to man. In the end, they refused to send me a kit of the replacement parts (for free) because my girlfriend paid with a card and works in a hospital job where she can't use a phone during the day. They refused to send our replacement parts - to the DELIVERY address that the beds had already been sent to - because of "Data Protection".

      Needless to say, I spoke to MANY people at their customer services department that day. When one then eventually phoned me back, they asked if I was Mr D. My response? Sorry, I can't tell you that - Data Protection, you know. (Fortunately THAT guy had a sense of humour and just said "Ah, yes, I'm definitely talking to the right person then!").

      Banks do it all the time. I phone them back on the bank number (if it's 0800 of course) and let them chase who it was that needed to speak to me. But even companies are doing this same kind of junk for the simplest of things.

      Unfortunately, they ALL have absolutely zero concept of Data Protection anyway, not to mention they really don't care about your security. Why? Well, that side of it is your liability anyway. If someone nicks the bank's database, they care about that. If someone finds out your date of birth or they talk to the wrong person, they couldn't care less.

      1. Doctor Syntax Silver badge

        "Needless to say, I spoke to MANY people at their customer services department that day"

        Why didn't you mention the words "small claims court"?

    3. georgied
      Happy

      Give them their own password

      I hated the quandary of disclosing information to them as well. So I wrote to them and gave them their very own password, which I'd challenge them for. They stopped calling. Probably because they had no provision to store a password. It's probably buried deep in my notes somewhere..

      1. Anonymous Coward

        Re: Give them their own password

        The HBOS online validation of credit card transactions had a phrase you created when you initially registered. That phrase was displayed with the request for your private code. It gave some confidence it wasn't being spoofed.

        1. Lee D Silver badge

          Re: Give them their own password

          "The HBOS online validation of credit card transactions had a phrase you created when you initially registered."

          That's a VISA / Mastercard thing - SecureCode or whatever. The banks have no access to those details, as far as I know.

          This is precisely the kind of thing they SHOULD have, and don't. But that's not the bank that you're seeing there. It might even have the bank logo, etc. And if the bank doesn't want it (e.g. Halifax), those screens just zip through and say "authorised" immediately anyway. But it's not the bank that is storing or showing that phrase to you.

          "arcot" in the URL?

    4. Julian 8 Silver badge

      Ask them a question back

      I then ask them a question which they should know from my records

      If they don't know I cut them off.

    5. Anonymous Coward

      It was quite useful when I had debt collectors chasing me (on a false accusation) - they'd cold call me and ask for personal details to confirm I was who I said I was. I would ask them to prove who they are first and that they have the right to know my info. They didn't have a mechanism to do that, so I then said "OK, I can't talk to you then. Don't call me again unless you can prove who you are."

      That put them off for a couple of weeks.

      Rinse, repeat with the added threat of legal action for harassment.

      They eventually gave up when I said "OK, let me know which court you want to use and I'll see you there" (I was feeling generous at the time!)

  3. A Non e-mouse Silver badge

    Block sources from abroad.

    One way to reduce the abuse of this is to prevent UK CLIs being sent from phone systems outside the UK. Sure, it'll affect all those overseas call centers that we all love using, but isn't it a small price to pay?

    I know this won't be 100% effective, but surely it'll cut down a lot of fake CLI calls?

    1. Your alien overlord - fear me

      Re: Block sources from abroad.

      Trouble is, all those junk callers use UK SIP service providers so they are 'technically' calling from the UK.

      The solution is to only allow CLI from numbers you own, so if someone wants to use an 0800 CLI number, they must 'own' that number else the actual physical one gets shown.

      1. Anonymous Coward

        Re: Block sources from abroad.

        "so if someone wants to use an 0800 CLI number, they must 'own' that number else the actually physical one gets shown."

        Unfortunately this is not how it works in the real world.

        Say you are an outsourcer for a company (could just as easily be a UK call centre instead of an offshore one) and a customer requests you send their number, be it a Non-Geo or not, you send this.

        In the UK you normally sign a consent form for your carrier to allow it.

        So the answer would be to say unless you are using a carrier using an approved code of conduct, we won't present the ID.

    2. Anonymous Coward

      Re: Do it!

      You'd stop mobile roaming from working if you did that.

      I don't know how you'd police it either. Ofcom can't make laws for other countries.

  4. Pen-y-gors

    Tracing?

    "Ofcom...was stopping nuisance calls at source through an agreed call-tracing process"

    Curious...for years BT have been saying they can't trace incoming overseas 'nuisance' calls. What's changed now?

    1. Graham Marsden
      Meh

      Re: Tracing?

      I think when they said "can't", what they meant was "can't be bothered to".

    2. Anonymous Coward

      Re: Tracing?

      Most incoming international calls don't hit BT's network, so I'd imagine that's why BT couldn't do it.

    3. PatientOne

      Re: Tracing?

      It's to do with call routing: BT charge the previous sender for handling the call (pass it on to another network or connecting it to your phone line). The previous sender charge whoever was before them and so on until you get to the source carrier/provider who bill their customer.

      Even though modern switches can pass on the CLI, not all sources have modern switches, and not all providers from outside the UK will pass on CLI data, so you'll see more 'international call' notices than actual foreign CLI data.

      Now, what BT and other carriers *could* do is give you the option to block ALL 'international' and/or withheld numbers. They *can* do this - their equipment has that capability, but they *don't* because doing so costs them money (they don't connect the call so they can't charge for handling the call), unless you can provide evidence you are a 'vulnerable' person (court order or get the police to hassle BT for this) or... you know someone working for BT and so know who to talk to about it. If you do push them then they generally reply by saying that blocking all such calls may block a call you *may* want.

      Oh, and it's coincidental that BT also produce phones with 'Call guardian' that can 'block' withheld and international calls. Well, not block, but hide - the line is still in use, you just don't hear the phone ring.

      1. Graham Marsden

        @PatientOne - Re: Tracing?

        > what BT and other carriers *could* do is give you the option to block ALL 'international' and/or withheld numbers. They *can* do this - their equipment has that capability, but they *don't* because doing so costs them money

        Interesting, I didn't know that, which is why I've always resisted implementing Anonymous Call Blocking on my phone because I would have to pay for it.

        I may rethink this now.

  5. Warm Braw

    "Telecoms regulator Ofcom is warning customers of the dangers of CLI spoofing"

    Well, perhaps "Telecoms regulator Ofcom" should instruct network operators to suppress the reported CLI in the case that the originating network can't/won't verify it - at least as a default option for consumers. We're basically talking international and VoIP calls, the majority of which outside the rarified corporate world seem to be scams anyway.

  6. Anonymous Coward

    RBS simply use Unknown number

    Somebody should tell Royal Bank of Scotland.

    Somebody phoned me on Saturday claiming to be from them with an 'Unknown' number. I wouldn't talk to them and then looked up their help pages.

    Surprise, surprise. "If we phone you the number may register as Unknown".

    Very secure.

    Considering they have my mobile number and send me regular texts surely it is not beyond their wit to do some form of 'we are texting you to let you know we will be calling you today and person will know x about your account and identify themselves as probably legit with y'.

    1. Steve Davies 3 Silver badge

      Re: RBS simply use Unknown number

      Coming soon, the SMS invitation scam

      None of the methods are safe.

      The only way is for you to call them. Let them SMS/phone you. Then you call them. Let them prove that they have the right information on YOU Not the other way round. Oh wait that won't work.

      Then the only solution is to go into a branch. Yeah right. Now where's the nearest branch of my Bank?

      What if there isn't one. eg First Direct.

      1. Doctor Syntax Silver badge

        Re: RBS simply use Unknown number

        "Let them prove that they have the right information on YOU Not the other way round. Oh wait that won't work."

        Of course it will work but only if they're obliged to do it which at the moment they're not.

        One test, of course, is to offer them incorrect information. If the call is genuine they'll know it's wrong.

        1. dajames

          Re: RBS simply use Unknown number

          "Let them prove that they have the right information on YOU Not the other way round. Oh wait that won't work."

          Of course it will work but only if they're obliged to do it which at the moment they're not.

          It won't work because the bank have a duty of care to ensure that they keep your personal data confidential, so they aren't allowed to answer any questions that might reveal that information.

      2. Anonymous Coward

        Re: What if there isn't one. eg First Direct.

        Anytime I've needed a branch service from First Direct, HSBC (the parent of First Direct) have obliged.

        Anytime I've had an unexpected important/urgent call from First Direct to me (a handful of occasions over a number of years, usually relating to unexpected but actually genuine card activity, including one occasion in the last few months) they've been entirely understanding if I've said "no I won't take your call, I want to call you on a number you publish".

        Occasionally I get a routine call from them and I'm unable to take it, in which case they leave an automated message "routine call no need to call back" and they use a presentation CLI which is a published First Direct number.

        Happy customer for several decades (no other connection).

        [Exception: Their phone app setup could do with some improvement]

        YMMV.

      3. Anonymous Coward

        Re: RBS simply use Unknown number

        "Let them SMS/phone you. Then you call them."

        A proven security hole. They even suggest you call the bank. They then hold the line open and simulate a dialtone and ringing sound for your "call". You are then talking to the conmen who "confirm" the caller was from the bank - and they proceed to tell you you have to transfer all your funds immediately - or alternatively a courier will collect your "compromised" card shortly.

        1. Ken Moorhouse Silver badge

          They then hold the line open and simulate a dialtone

          So what you do is make a call to your Aunt Mabel before ringing the bank. If the conman can mimic her then I would be very surprised.

          1. Vic

            Re: They then hold the line open and simulate a dialtone

            So what you do is make a call to your Aunt Mabel before ringing the bank

            That's a definite improvement, but isn't absolutely secure.

            It would be a comparatively simple task to intercept any DTMF tones on the (still-open) line, and pass through the dialling info to another line - i.e. act as a proxy. In the event that the target bank number is dialled, you don't pass through...

            Vic.

        2. dcluley

          Re: RBS simply use Unknown number

          I get round that one. Most calls of that sort I receive are on my land line so I phone them back on my mobile.

        3. Alan Brown Silver badge

          Re: RBS simply use Unknown number

          > A proven security hole. They even suggest you call the bank. They then hold the line open and simulate a dialtone and ringing sound for your "call".

          1: That doesn't work on mobiles. Or if you make the call on your mobile when the original was on your landline or vice versa.

          2: Dialling a number other than the bank's should expose this one PDQ.

          The "hold the line open" thing only works for about 30 seconds anyway. Just be sure to hang up and leave it longer than a couple of minutes.

          1. Anonymous Coward

            Re: RBS simply use Unknown number

            "The "hold the line open" thing only works for about 30 seconds anyway. "

            That may be the case now for most (all?) UK telcos, but back when this thread was started (1955 or something) the "hold the line open" thing allowed people plenty of time to move between phones without dropping the call. More than 30 seconds, by a long way.

    2. Ken Moorhouse Silver badge

      'we are texting you .. we will be calling .. person will know x about your account

      Yes, but what if someone other than you answers the phone? It has to be information that is not in the public domain otherwise you're still none the wiser as to who is calling. Do you want that person to know what "x" is?

    3. Anonymous Coward

      Re: RBS simply use Unknown number

      "Somebody phoned me on Saturday claiming to be from them with an 'Unknown' number."

      Both my doctors' health centre and the local council offices use "withheld". They tell me they "cannot" put their known public number as a CLI.

  7. alain williams Silver badge

    It should be illegal ...

    for any company or other organisation to withhold their number. Indeed the number given must, when used to call back, result in a connection to the company. If it is found not to: then it will result in an immediate statutory fine of 5% of turnover.

    This would reduce the number of crap calls - eg PPI or 'you have had a recent accident' scammers.

    Exceptions for a worthy few like childline, samaritans, ...

    1. Irongut

      Re: It should be illegal ...

      Because making something illegal ensures it never happens.

      1. Paul Crawford Silver badge

        Re: It should be illegal ...

        Whereas allowing it to remain legal makes it stop quicker?

      2. James 100

        Re: It should be illegal ...

        When you make a regulation for phone companies to stop third parties using a particular trick, it should be fairly effective.

        Mind you, they're all required to allow us to block anonymous calls, but BT and Virgin charge an unreasonable price for the option, while the mobile networks ignore the obligation completely (claiming the facility to reject each call individually using CLI was sufficient). On the other hand, they were all too compliant about providing 141 free of charge in the first place; perhaps prohibiting its provision on business lines would actually be obeyed.

  8. Phil O'Sophical Silver badge
    Thumb Down

    Toothless watchdog whimpers again

    also outlined the need for a long-term – as in five-year – plan to build rules for CLI spoofing into the regulations.

    And no doubt when these are complete, anyone who dares to infringe them will be given a severe smack on both wrists, and made to stand on the naughty step for at least 30 minutes before they can make any more phone calls.

    1. Anonymous Coward
      WTF?

      Re: Toothless watchdog whimpers again

      Toothless? It's one of the few that actually has powers.

      Ofcom fines EE £1m over handling of complaints

      TALKTALK was hit with a £3MILLION fine from Ofcom yesterday.

      Silent call company fined £150,000

      Ofcom Fine ISP Unicom GBP200K for “mis-leading” Sales and Marketing

      Ofcom fines Ageas £10,000

      Ofcom has fined two companies a total of £40,000 for making abandoned calls.

      1. Vince

        Re: Toothless watchdog whimpers again

        You say they give out all those fines.

        Let's put it in perspective.

        Ofcom gives EE a £1m fine.

        OK, well from the 6 month interim results from the end of July, EE turned over £3,116m

        Or in other words, a couple pence down the back of the sofa.

        Quite a small fraction of 1% of the turnover.

        I doubt they noticed.

        1. John Brown (no body) Silver badge

          Re: Toothless watchdog whimpers again

          OK, well from the 6 month interim results from the end of July, EE turned over £3,116m

          Or in other words, a couple pence down the back of the sofa.

          Quite a small fraction of 1% of the turnover.

          Turnover != profit.

          On the other hand, their profits are not small either so I agree with you in principle.

      2. Anonymous Coward

        Re: Toothless watchdog whimpers again

        Which of those companies isn't based in the UK?

        Not based in the UK = get away with CLI spoofing.

  9. Roland6 Silver badge

    Calls with CLI's beginning 04

    I find it interesting seeing just how many calls I'm getting from numbers beginning with 04 and other number ranges (specifically within the 03 range) that Ofcom haven't released.

    Ofcom could quite easily require all operators to block any call that uses a UK CLI for a number that hasn't been officially released by and registered with Ofcom.

    Likewise they could make the operators do similar for other holes in the international number ranges.

  10. MisterD

    It's not clear if spoofing is illegal? It seems as clear as crystal to me.

    My telephone is a computer, as are most phones these days. One of its jobs is to make a record of the number of all callers so that I can return calls. Spoofing deliberately causes a false number to be recorded. I have never authorised anyone to record false data in my computer's record of callers.

    S3 of the Computer Misuse Act 1990. Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.

    (1)A person is guilty of an offence if—

    (a)he does any unauthorised act in relation to a computer;

    (b)at the time when he does the act he knows that it is unauthorised; and

    (c)either subsection (2) or subsection (3) below applies.

    (2)This subsection applies if the person intends by doing the act—

    (c)to impair the operation of any such program or the reliability of any such data

    It could not be any clearer, spoofing is an offence under the Computer Misuse Act 1990.

    1. Alistair Kelman

      Why it is unclear ...

      The definition of forgery is to create a false instrument which tells a lie about itself. It could be argued that a false CLI is an instrument which tells a lie about the originator - i.e. it is a forgery. This is intellectually far more in keeping with the underlying harm which the crime is trying to address than to use the Computer Misuse Act.

      A false instrument is a document which the individual in control of it knows it to be false with the intention of inducing another person into thinking that it is in fact a genuine instrument.

      Now so long as a document today can include an electronic document - that is to say one which exists in a defined format in cyberspace - then notwithstanding R v Gold and Schifreen - I think there could be a successful prosecution here.

      Interestingly just before R v Gold and Schifreen I was suggesting to the police when I was training police officers at the Peel Centre in Hendon that they could use the Forgery Act 1981 for cases of banking card fraud. The important distinction to make between the Prestel case and the CLI issue is that it is a human being who is being deceived rather than a machine. By creating a false CLI you are telling a lie about the source of the telephone call and this lie is being told to a human being and not just to a machine. That is the reason why R v Gold and Schifreen does not undermine the use of the Forgery Act in this situation. I would see no difficulty in a jury convicting the false CLI scrotes after being properly directed by a trial judge.

      1. Pursebearer

        Re: Why it is unclear ...

        What annoys me is that calls from a known fake CLI are put through, I get calls from a different 023 0xxx xxxx number every day (different every time), but no subscriber number can begin with zero or one, so definitely spam/scam/illegal. I've tried to report this but nobody claims to be responsible. Such calls should be put through to a recording that never hangs up and charges at 09xx rates.

    2. Anonymous Coward

      My SIP line is set to show my landline number because few people I call are able to directly call into SIP and I don't pay for a DID to give them. Am I breaking the law... That would be a strange result, I own the number, it's just not the one I make outgoing calls on. It will call the same device.

      I very much doubt computer misuse is a relevant argument, we're talking fraud and there has to be an intent of malice. My spoofed number is there to help callees, not trick them. It's not as simple a problem to define as you think.

  11. Simon Rockman

    I've had three junk calls to my mobile today. Two from 01 and one from an 08 number.

    I have a cunning plan.

    Simon

  12. Anonymous Coward

    Ofcom warning, why not try doing something?

    This has been an issue for years and years and it's really simple to solve, why has it not been fixed = lost termination revenue for the operators. They are quite happy to take termination fees from anyone dumping junk calls on their network.

    Block all calls without CLI as per ETSI standards (where CLI should be provided!)

    Operators block all invalid CLI's and CLI's not belonging to the incoming route (they know where they are coming from and what CLI should come from there!).
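
The screening proposed in the comment above (no CLI, invalid CLI, CLI not belonging to the incoming route), combined with the unreleased-range and 023 0xxx checks raised by earlier commenters, as an added example that is not part of the original thread or any operator's code. The route names, the route-to-range table and the short prefix list are constructed assumptions; the sample numbers come from ranges reserved for TV drama use.

```python
import re
from typing import NamedTuple, Optional


class Verdict(NamedTuple):
    action: str  # "allow", "block" or "unchecked"
    reason: str


# Constructed, deliberately incomplete sample of leading digits treated as
# released UK ranges. A real deployment would load the regulator's published
# allocation data instead of this tuple.
ALLOCATED_PREFIXES = ("01", "02", "03", "07", "08", "09")

# Hypothetical ingress routes and the number blocks each interconnect partner
# is entitled to present. The blocks are ranges reserved for TV drama use, so
# they belong to no real subscriber.
ROUTE_RANGES = {
    "trunk-a": ("01632960",),
    "trunk-b": ("02079460", "07700900"),
}


def _compact(cli: str) -> str:
    """Remove spaces, hyphens and brackets from a written number."""
    return re.sub(r"[\s\-()]", "", cli)


def normalise_uk(cli: str) -> Optional[str]:
    """Return the CLI in national format (leading 0), or None if malformed."""
    digits = _compact(cli)
    for country_code in ("+44", "0044"):
        if digits.startswith(country_code):
            rest = digits[len(country_code):]
            # "+44 (0)20 ..." is a common written form; drop the stray 0.
            digits = "0" + (rest[1:] if rest.startswith("0") else rest)
            break
    return digits if re.fullmatch(r"0\d{9,10}", digits) else None


def is_foreign(cli: str) -> bool:
    """True for an international-format CLI that is not a UK (+44) number."""
    digits = _compact(cli)
    international = digits.startswith("+") or digits.startswith("00")
    return international and not digits.startswith(("+44", "0044"))


def screen_call(presented_cli: Optional[str], ingress_route: str) -> Verdict:
    """Decide what to do with a call from its presented CLI and ingress route."""
    if not presented_cli or not presented_cli.strip():
        return Verdict("block", "no CLI presented")
    if is_foreign(presented_cli):
        return Verdict("unchecked", "non-UK CLI, outside this check")
    national = normalise_uk(presented_cli)
    if national is None:
        return Verdict("block", "malformed CLI")
    if not national.startswith(ALLOCATED_PREFIXES):
        return Verdict("block", "range not released")
    # Rule cited in the thread: the local part of an 02x number (8 digits
    # after the 3-digit area code) never begins with 0 or 1.
    if national.startswith("02") and national[3] in "01":
        return Verdict("block", "impossible local number")
    allowed = ROUTE_RANGES.get(ingress_route)
    if allowed is None:
        return Verdict("block", "unknown ingress route")
    if not national.startswith(allowed):
        return Verdict("block", "CLI not valid for this route")
    return Verdict("allow", "CLI belongs to ingress route")


# Constructed sample calls: (presented CLI, ingress route).
SAMPLE_CALLS = [
    ("", "trunk-a"),
    ("04012345678", "trunk-a"),
    ("023 0123 4567", "trunk-b"),
    ("+44 1632 960123", "trunk-a"),
    ("020 7946 0123", "trunk-a"),
    ("+44 (0)20 7946 0123", "trunk-b"),
]

if __name__ == "__main__":
    for cli, route in SAMPLE_CALLS:
        verdict = screen_call(cli, route)
        print(f"{cli!r:24} via {route}: {verdict.action} ({verdict.reason})")
```

The last check is the one that catches a plausible-looking UK number arriving on a route that has no right to present it; the earlier checks only reject numbers that cannot exist.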

    1. Rol

      Re Ofcom warning, why not try doing something?

      Even better, why not give the telcos the ability to charge other telcos who pass on shady connections, and thus get revenue for weeding out the nuisance calls, even though they are not connected.

      Or, and this sounds perfectly feasible, when the incoming call lacks a credible identity, the receiving telco forwards it on to OFCOM's naughty line, where they get a pre-recorded message. The telco still gets its connection fee and OFCOM finally gets a handle on just how huge this scam is.

  13. GreggS

    Virgin Media ask multiple times for characters from your password.

    They get you to input three characters from your password using the keypad on your phone before you've even got through to anybody, then the person on the end of the phone asks you to confirm three letters of your password. My response? No, sorry, I've already given you that information. They never argue about it, but it is a little annoying.

  14. Rol

    It appears the technology has overreached itself. Which isn't unusual, as most developments tend to race tirelessly towards the finishing line without any concern for security.

    In circumstances like we have now with spoofing telephone calls and such like, surely the de facto stance of any nation should be to stop it dead in its tracks.

    If nobody using the technology can connect to a British phone, then several billion nuisance calls will be avoided and several million genuine calls will be stopped too. At that point the lime jelly heads that spunked all this nonsense will have to have a rethink and settle on a system that has the prevention of abuse built in from the start.

    What is really galling is that companies can hide their number if they want to, for free, yet many telecom companies demand payment if you wish to block incoming hidden numbers. Surely it should be the other way around or again throw the technology out until it can prove itself to be of limited value to nuisance callers.

    It always appears to be the unruly element that feasts devilishly on new technology but is it any surprise when consumers' security reservations are poorly represented during development.

  15. Terry 6 Silver badge

    There's no point in contacting Trading Standards where I live.

    Trading standards have been outsourced to Citizen's Advice Bureau.

    And they don't seem to be there to report dodgy dealings to.

    They seem to be there to give advice. Which is absolutely no use to anyone who avoided getting caught but wants Something To Be Done About It.

  16. John Miles

    Perhaps an automated reporting

    Get a spam phone call, then dial 1471 (or similar) and be asked was this call suspicious and require phone company to deal with it - once they identify it is genuine issue number they can even set up an automatic call forwarding to a group of spam baiters who will no doubt keep the spammers on line for much longer and phone company can charge originating network accordingly

    1. James 100

      Re: Perhaps an automated reporting

      I've wanted a similar facility for a while now: a code like 1671 which you dial after any spam call, which triggers a trace and reporting mechanism. "Number withheld" or not, the telco still knows what route the call came from (since they bill the originating telco for it) - it would be trivial for them to aggregate these reports and feed back to Ofcom for enforcement, while blocking the worst overseas offenders - exactly as we do now for spammers.

  17. Winkypop Silver badge
    Facepalm

    If YOU ring me

    I'm not the one who needs to ID myself.

    /End

  18. Alan Brown Silver badge

    Tip of the iceberg

    Seriously.

    CLI spoofing is the least of how dain-bramaged telco security practices are.

    Once past the gates the assumption is that everyone in the telco kingdoms can be utterly trusted. There's no security in place for anything.

    The scandals about a decade ago regarding hijacking of unassigned numbering ranges belonging to various countries for use as porn lines underscored that - and the fundamental non-security of telephone number routing has never been fixed from those days (the hijacking stopped because it was no longer profitable, not because it was locked out by improved security)

    Yes, all this shit can be defended against - but doing so costs money and that means reduced profits.

    Spoofed CLI would stop in a heartbeat if Ofcom started targeting telcos with punitive action for failing to detect and prevent it.

  19. Stanames

    New type of Fake ID

    The latest fake caller ID scam involves using a fake ID in your local area code. I only realised it was fake when the caller suffered from heavy break up, had a thick foreign accent and a typical call centre background noise. This is a worrying development, most of us would answer a local number.

    I wish OFCOM would stop calling them SPOOF caller IDs, it makes them sound like a good natured joke rather than a sinister fraud.

  20. JohnMayton02

    Really

    I think it's a bed. It may be due to several reasons. Like fraud calls or something else.
