Caller ID spoofing is a global industry problem and often acts as a critical enabler of telephone fraud. To address this problem, the Federal Communications Commission (FCC) has mandated that telecom providers in the US implement STIR/SHAKEN, an industry-driven solution based on digital signatures. STIR/SHAKEN relies on a public key infrastructure (PKI) to manage digital certificates, but scaling this PKI up to the global telecom industry is extremely difficult, if not impossible. Furthermore, it only works with the SIP (VoIP) system, leaving the traditional SS7 (landline and cellular) systems unprotected. So far, alternatives to STIR/SHAKEN have not been sufficiently studied. In this paper, we propose a PKI-free solution, Caller ID Verification (CIV), to combat caller ID spoofing. CIV authenticates the caller ID through a challenge-response process instead of digital signatures, and it supports both SIP and SS7 systems. Perhaps counter-intuitively, we show that number spoofing can be leveraged, in conjunction with Dual-Tone Multi-Frequency (DTMF) signalling, to efficiently implement the challenge-response process, i.e., using spoofing to fight spoofing. We implement CIV for VoIP, cellular, and landline phones across heterogeneous networks (SS7/SIP) by updating only the software on the user's phone. This is the first caller ID authentication solution with working prototypes for all three types of telephone system in the current telecom architecture. Finally, we show how the implementation of CIV can be optimized by integrating it into telecom clouds as a service to which users may subscribe.
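The security argument behind challenge-response caller ID verification is that a challenge delivered to the claimed number reaches only the true owner of that number, so a spoofer who merely asserts that number cannot echo the challenge back. The following simulation is an added illustration, not code from the CIV paper and not its actual protocol: the transport of the challenge (which in CIV is built from number spoofing and DTMF) is abstracted into a single `send_challenge` call, the toy `Network`, `Phone` and `Verifier` classes and the sample numbers are constructed for this example, and the challenge is encoded as a base-12 string over the 12 DTMF keys so that it can be keyed in on any handset.

```python
import hmac
import secrets
from typing import Dict, Optional

DTMF_KEYS = "0123456789*#"   # the 12 keys of a DTMF keypad, used as a base-12 alphabet
CHALLENGE_DIGITS = 8         # 12**8 ~= 4.3e8 possible challenges; a blind guess succeeds w.p. ~2e-9


def encode_dtmf(value: int, ndigits: int = CHALLENGE_DIGITS) -> str:
    """Encode a non-negative integer as a fixed-length string of DTMF keys (base 12)."""
    if value < 0 or value >= 12 ** ndigits:
        raise ValueError("value does not fit in %d DTMF digits" % ndigits)
    keys = []
    for _ in range(ndigits):
        keys.append(DTMF_KEYS[value % 12])
        value //= 12
    return "".join(reversed(keys))


def decode_dtmf(keys: str) -> int:
    """Inverse of encode_dtmf; rejects anything that is not a DTMF key."""
    value = 0
    for k in keys:
        if k not in DTMF_KEYS:
            raise ValueError("not a DTMF key: %r" % k)
        value = value * 12 + DTMF_KEYS.index(k)
    return value


class Phone:
    """A handset. It may claim any caller ID when calling out (the toy network does not
    police spoofing, as today's SS7/SIP networks do not), but it only receives what is
    sent to its own number."""

    def __init__(self, number: str) -> None:
        self.number = number
        self._pending: Optional[str] = None  # last challenge delivered to this number

    def on_challenge(self, keys: str) -> None:
        self._pending = keys

    def answer_challenge(self) -> Optional[str]:
        """What the in-call party keys in when asked: the challenge it received, or nothing."""
        keys, self._pending = self._pending, None
        return keys


class Network:
    """Toy switch (constructed for this example): anything sent *to* a number reaches only
    that number's registered owner."""

    def __init__(self) -> None:
        self.owners: Dict[str, Phone] = {}

    def register(self, phone: Phone) -> None:
        self.owners[phone.number] = phone

    def send_challenge(self, number: str, keys: str) -> bool:
        """Deliver a challenge to the owner of `number`; False if the number is unassigned.
        ASSUMPTION: the real transport (call-back, caller-ID data, DTMF) is abstracted away."""
        owner = self.owners.get(number)
        if owner is None:
            return False
        owner.on_challenge(keys)
        return True


class Verifier(Phone):
    """The callee side: decides whether to trust the caller ID displayed for a live call."""

    def __init__(self, number: str, network: Network) -> None:
        super().__init__(number)
        self.network = network

    def verify_caller(self, claimed_id: str, in_call_party: Phone) -> bool:
        challenge = encode_dtmf(secrets.randbelow(12 ** CHALLENGE_DIGITS))
        if not self.network.send_challenge(claimed_id, challenge):
            return False                      # nobody owns the claimed number
        response = in_call_party.answer_challenge()
        if response is None or len(response) != len(challenge):
            return False
        if any(k not in DTMF_KEYS for k in response):
            return False
        return hmac.compare_digest(response, challenge)   # constant-time compare of ASCII str


def demo() -> Dict[str, bool]:
    """Constructed scenario: an honest caller, a spoofer claiming Alice's number,
    and a spoofer claiming a number nobody owns."""
    net = Network()
    alice = Phone("+15550001111")
    mallory = Phone("+15550009999")
    bob = Verifier("+15550002222", net)
    for p in (alice, mallory, bob):
        net.register(p)
    return {
        "honest": bob.verify_caller(alice.number, alice),
        "spoofed": bob.verify_caller(alice.number, mallory),
        "unassigned": bob.verify_caller("+15550007777", mallory),
    }


if __name__ == "__main__":
    print(demo())
```

In the spoofed case the challenge is delivered to Alice's handset, not to Mallory, who is the party actually on the line, so Mallory has nothing to echo and the claimed caller ID is rejected. Everything a real deployment must add on top of this model (how the challenge rides on a call-back or on caller-ID data, prompting the caller for DTMF, timeouts, and behaviour on legacy handsets) is outside what this toy shows.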