←back to thread

USPS text scammers duped his wife, so he hacked their operation

(blog.smithsecurity.biz)
460 points wglb | 4 comments | 08 Aug 24 23:00 UTC | HN request time: 0.644s | source
1. VikingCoder ◴[09 Aug 24 14:38 UTC] No.41202292[source]
Remember *69? You'd get the phone number of the person who just called you? (Theoretically - it didn't always work.)

How in the hell do we not have a trivial "report a scam" option on phone calls and text messages? Which reports it to the FTC or FBI or something?

replies(2): >>41203277 #>>41206598 #
2. shkkmo ◴[09 Aug 24 16:25 UTC] No.41203277[source]
The easier reporting becomes, the more the average quality of reports decreases.

So making reporting easier is good only if you already have atleast sufficient resources to process and follow up on the current report volume. My understanding is that we don't currently have enough resources dedicated to handling the reports we do get of people who got scammed. If that is the case, then making it easier to report potential scams doesn't help until we increase the resources for tracking down and stopping scammers.

replies(1): >>41231063 #
3. LinuxBender ◴[10 Aug 24 00:57 UTC] No.41206598[source]
The numbers are spoofed via private SS7 links connected to messaging platforms, VoIP systems, etc... SS7 was designed to be an entirely closed trusted telco controlled network so there is no security.

The only solution I can think of would be to get rid of all the SS7 to mapi gateways and force all cell phones to use internet based secure routing over RCS or preferably something better and also ensure that phones are not allowed to do spell check over the wireless carrier VPN. That would be a world wide project and requires cooperation from every nation. Either that or make specific countries walled gardens blocking all SS7 messaging and just accepting some things will break. I fully support breaking things that are already fundamentally broken. I would personally prefer direct phone to phone true E2EE taking the carriers, Apple and Google out of the picture even if there is some friction. It should be a physical phone-to-phone sync of sorts so you smack each others cell phones together, high five, do the hokey pokey and now you are E2EE with no layer 7 servers in the middle instead talking to a L4 VPN router that only knows how to connect one VPN to another over UDP. Everything else performed entirely by the phones using a different encryption cipher, hash, key, etc... Maybe using QUIC. For people that can't tap phones together maybe a fallback option for QR codes over video chat so you know you are syncing with someone you know, AI fakes excluded.

4. VikingCoder ◴[13 Aug 24 00:52 UTC] No.41231063[source]
You really think the quality of bug reports go down the easier it is to report bugs?

I find when I can send feedback in a way that captures enough context that the resulting bugs are very high quality.

If I could report a call from a scammer in such a way that the investigator heard the entire conversation...? I think that would be incredibly damning.