The FCC wants to legally force telecoms to collect new and renewing customers’ government issued identity number and physical address, impacting everyone from the privacy-conscious to domestic abuse survivors. “We never thought that would happen here.”
Spam was never done with “burner phones” in the first place, it’s mostly done via VoIP through shady telecoms companies that can’t be bothered to validate their customers. Due to the age of the phone system it’s incredibly easy to spoof phone numbers because it’s essentially a trust system. Phone exchange A talks to exchange B and says phone number 123 is calling number 456. How does exchange B know that it’s actually 123 calling? They don’t at all, they just trust that exchange A is telling the truth. It’s really hard to get into the system, but once you’re there you essentially have unlimited power with virtually no safeguards in place.
Basically from a security perspective the phone system looks a lot like the 1980s internet, there is technically some security in place, but significantly less than there actually should be.
In the US at least they’ve been implementing STIR/SHAKEN since about 2020. You can typically see the result of this on your cell phone. Incoming calls should have a little checkmark next to them meaning they’re a verified caller. It’s similar to SSL certs for domain names but for callers instead. (Shady crap for the root CAs but that’s a different issue…cause America).
This isn’t a perfect system as parts of the world that call into the US don’t have VoIP equipment but the FCC has other guidelines on top of STIR/SHAKEN. They are actively trying to mitigate spam but it takes awhile to revamp something as old as the worlds phone system.
It really isn’t difficult to get into telcom systems as there are many countries with almost no requirements to sign up as a telco.
One of the things that surprised me the most when I started working on vishings for a Cybersecurity Red Team was how extremely easy it is to spoof any phone number.
It’s the nunber one tip I give to anyone who asks about security, a lot of people don’t know that, and spear-vishings are extremely effective.
People have learned to mostly not trust Microsoft Support numbers asking for your CC, but when an internal company number that your phone matches to your bosses boss calls you, a lot of people fall for that.