Hacker News

> due to peculiarities of the NANP phone number scheme

I suspect more like due to peculiarities of the United States of America. Such as a disinclination to regulate anything, trusting that somehow this time the most profitable course for corporations will also work out OK for its citizens even if it didn't on previous occasions.

This report lists a long chain of buck-passing companies that have exploited an obvious defect and then escaped any responsibility for the consequences. Notice how the only work they made the hacker do was legal paperwork to cover their backsides, no actual technical countermeasures. Because nobody at these companies cared if it was used this way, they only wanted to make sure if they got sued they would be able to blame somebody else and get away with it.



Number portability is regulated: https://www.fcc.gov/general/wireless-local-number-portabilit....

The regulation seeks to promote competition and consumer choice. An onerous verification process would undermine that goal. Security is not a consideration.

This is sort of the point with regulation. The regulator makes the rules it thinks are best according to the considerations it thinks are important at the time. If someone later shows up with different considerations, they can go to hell.


Pretty sure a hacker would be perpetrating an actual, punishable-by-trial crime in forging those legal documents. That's generally the first regulation that the US imposes.

A disinclination to regulate anything is a good idea in a society that generally punishes bad behavior after the behavior has been perpetrated. I would have doubts for instance about government regulating the process for sending and receiving SMS - would you want every new software or protocol to have to go through some kind of bureaucratic review before it can be used?


That doesn't work well when the criminals are working from a sunny foreign beach resort.


Exactly, the only thing that the US achieves is creating thieves that have a propensity to go big fast, so they can forever evade the law.


> would you want every new software or protocol to have to go through some kind of bureaucratic review before it can be used?

Absolutely yes if said protocol is to be used by an entire population as a basic means of communication. Either by the government or a non-profit not tied to the industry. Protocols should also not be allowed to be secret if used at scale.

I see no reason to make a distinction between computer protocols and in-person safety protocols. The threat level is different, but it covers just as many (if not more) people.


A key part of regulation is placing the onus of solving problems on those best equipped to solve them.

You don’t need the government to mandate what the protocols should be, you just fine carriers for allowing this sort of bad outcome and let them sort things out.


This requires trusting "those best equipped" to prioritize the rules over money when the fines aren't significant enough to affect the bottom line.



