Hacker News

ggm today at 6:26 AM

I've yet to read a good explanation of why the telcos permit CLID faking and reinjection of apparently local CLID by overseas inputs.

I'm assuming there's a technical and/or willpower reason or some counterfactual like VoIP depends on it.

Even just flagging it would help. Or, rejecting numbers they can know lie inside their own routing architecture, or asserts within their own number plan where the CLID does not match.

Morally it's like BCP38 in the customer-facing internet systems: reject customer input they don't pay you to assert.


Replies

edent today at 7:08 AM

I used to work at two (UK) telcos. There's a historic reason and a modern reason.

The historic reason was, just like the Internet, the international phone network was built on gentlemen's agreements by engineers who largely trusted each other.

A big national telco is unlikely to attack its peers, so there was little need for safety measures. As smaller telcos came into the mix via deregulation, that understanding changed - but it was hard to retroactively fit controls.

The more modern reason is outsourced call centres. You want outbound calls from your Philippines-based staff to show as if they were calling from a local number. When large and reputable entities were doing this it was fine. Just like showing a different reply-to address on an email.

If you were designing a modern network, it wouldn't be like this. But international telephony is over a hundred years old and has a huge amount of legacy technology and legal agreements.

ale42 today at 8:53 AM

> I've yet to read a good explanation of why the telcos permit CLID faking and reinjection of apparently local CLID by overseas inputs.

Actually, there are several legitimate use cases:

• Call divert: Local number calls a number abroad and that one is diverted back to another local number. It's probably rare, but it's a totally legit use case.

• 2G/3G roaming: I'm not an expert on this one, but as far as I understood it, roaming calls placed on 2G/3G networks are initiated in the visiting country, and use the local number of the caller.

• Getting better rates using VoIP. Whether this is legit or not might be subject to discussion, however I was using a foreign VoIP provider (because they had better rates for local calls than any local providers, for my low call volume) sending out my own local number (had to be validated by them by callback, although that's their own security measure, not the network's one). Now in several EU countries and Switzerland this doesn't work any more, as calls bearing national IDs coming from abroad must be displayed as anonymous. And it's quite annoying that there isn't a way to "authenticate" those numbers so the owner can use them as they wish.

fmajid today at 8:33 AM

That's why in 2020 the FCC belatedly mandated SHAKEN/STIR to authenticate Caller ID in the US using public-key cryptography. Deployment is still a work in progress, and it does not cover SMS/MMS, however.

A bigger problem is Russia or Saudi Arabia using the SS7 signalling network to track their dissidents in the US because those legacy telco protocols have basically no authentication whatsoever, and won't blink if a Saudi Telco sends Verizon a MAP message saying "what is the cell location of Jamal Khashoggi's phone?"

fowl2 today at 7:07 AM

Telco networks are sprawling and accurately defining the boundary might be harder than it sounds.

Traditionally they have a bias towards "working"/delivering traffic. It's easier to issue a refund than answer an urgent support request.

I can also imagine the biggest customers have all sorts of multi-vendor failover plans that may be affected.

stymaar today at 7:28 AM

> Even just flagging it would help.

That's what's mandated by ARCEP (the French regulator) since the beginning of this year, and now all faked numbers are marked as “hidden caller”, and indeed it helps a lot.
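
Added example, not part of any comment in this thread: a sketch of the ingress check discussed above, where a number from the operator's own plan arriving on an international trunk is shown as anonymous, while the roaming and call-divert cases stay deliverable but flagged. The country code, mobile prefixes, `Call` fields and action names are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample values, not taken from the thread or from any regulation.
HOME_CC = "33"                     # assumed home country code
ROAMING_PREFIXES = ("336", "337")  # assumed national mobile ranges that can roam

@dataclass
class Call:
    trunk: str              # "international" or "domestic": where the call entered
    cli: str                # calling line identity as signalled
    diverted: bool = False  # signalling says the call was diverted back

def normalize(cli: str, home_cc: str = HOME_CC):
    """Return the CLI as E.164 digits without '+', or None if it cannot be parsed."""
    s = re.sub(r"[\s().-]", "", cli)
    if s.startswith("+"):
        s = s[1:]
    elif s.startswith("00"):
        s = s[2:]
    elif s.startswith("0"):
        s = home_cc + s[1:]      # national format, assumed to mean the home plan
    return s if re.fullmatch(r"[1-9]\d{6,14}", s) else None

def screen(call: Call):
    """Return (action, reason); action is 'pass', 'flag' or 'anonymize'."""
    n = normalize(call.cli)
    if n is None:
        return "anonymize", "missing or malformed CLI"
    if call.trunk != "international" or not n.startswith(HOME_CC):
        return "pass", "CLI is plausible for this ingress"
    # From here on: a number from our own plan arrived from outside the network.
    if n.startswith(ROAMING_PREFIXES):
        return "flag", "national mobile CLI from abroad, possibly roaming"
    if call.diverted:
        return "flag", "national CLI from abroad on a diverted call"
    return "anonymize", "national CLI asserted from abroad"

SAMPLES = [  # constructed sample calls
    Call("domestic", "01 23 45 67 89"),
    Call("international", "+44 20 7946 0000"),
    Call("international", "+33 1 23 45 67 89"),
    Call("international", "0033 6 12 34 56 78"),
    Call("international", "+33 1 23 45 67 89", diverted=True),
]

if __name__ == "__main__":
    for c in SAMPLES:
        print(c.trunk, c.cli, "->", *screen(c))
```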

bxk76 today at 7:05 AM

Cost. Cost to spam and scam tends to 0 at industrial scale. Meanwhile, the amount of time and resources telcos want to spend on fighting it is bounded by how much regulators are going to allow them to pass on to customers.

dools today at 7:58 AM

I rely on the ability to set the outbound caller ID but I would happily register it if required.