Remix.run Logo
saltcured 3 hours ago

Sad times are coming for a lot of families and individuals. It isn't just that technology is upending our naive ideas of trust and authenticity. This is, essentially, the broad class of "confused deputy" attacks. And the robust mitigation is to disempower the easily confused deputy, rather than to think you can block confusing signals.

A looming problem with shifts in demographics and family structure is that many people will be slipping into cognitive decline without a formal transition to address their incompetence. Sadly, there is a point where the older person really needs to permanently delegate important decision-making to a trusted third party. They should no longer be legally empowered to authorize funds transfers, sign contracts, or even make medical decisions.

We're not really setup to handle this well. Not at the systemic level of protecting people from themselves, and not at the personal level of relinquishing control over our own lives. So we often have to let the sufferer fumble along and cause a lot of damage before the protections eventually kick in.

And, ironically, these protection mechanisms can also be corrupted into another scam and form of abuse. To totally de-risk would require some kind of time travel or perfect foresight. But in the real world, the damage is often not fully reversible when it is detected after the fact.

Perseids 2 hours ago | parent | next [-]

I'm usually not one to focus on technological solutions given sociological problems, but this one seems to be a good exception. If we "just wanted to" [1] all this fake calls could be stopped by requiring strong authentication/authorization. We are very much used to just anybody being able to call my number, but that doesn't need to be the case. At the very least, cold calls should be treated as skeptical in the UI as instant messengers like Signal treat first messages. Probably this isn't enough, though, as it wouldn't have prevented the cases described in the article. Cold calling someone should probably require the caller to be traceable to a real, government-ID-verified person [2]. Even if that person is being defrauded themselves ("get a thousand bucks by installing this app and clicking a few screens") is would destroy the economics of the attack, as it would make each call expensive again.

[1] Structural inertia is the killer here. It will certainly not happen until the problem is huge enough.

[2] Exceptions can of course apply to numbers that are meant to primarily be cold called, like doctors offices. The callee possibly have to be specially trained to withstand this kind of attacks.

smallmancontrov 34 minutes ago | parent | next [-]

Speaking of which, what happened to SHAKEN/STIR? I thought the strong authentication requirements came down the pipe years ago and they were going to start turning off (or hiding by default) routes of low reputation. That was years ago, it was supposed to take years, but here we are years later and I still get loads of spam calls. What happened?

indymike 23 minutes ago | parent [-]

It is hard to get vendors to give up revenue no matter how illegal the source of revenue is.

smallmancontrov 19 minutes ago | parent [-]

So lots of judicially-unreachable call centers under judicially-unreachable telecoms need to lose reputation score and get spam-binned by default, just like email. I thought that was going to happen by now. Did the US telecoms just chicken out?

sdellis 31 minutes ago | parent | prev [-]

I never answer my phone if I don't know who is calling me.

pavel_lishin 2 hours ago | parent | prev | next [-]

I think the hardest thing to come to terms with is not that this is the new reality, or even that this is soon going to be the new reality for our older relatives, but that this is coming for almost all of us.

atleastoptimal 32 minutes ago | parent | prev [-]

I wonder what percentage of the US GDP is "Fooling old people"