Europe Should Act on Call ID Spoofing Now

There were many good presentations at RAG Bonn 2019 but the speaker and topic that most urgently demanded attention was Andy Rawnsley (pictured) of Gamma Telecom and NICC, who described the preventative measures taken by UK telcos to reduce what Brits refer to as ‘nuisance’ calls – the plague of unwanted voice calls, usually made by machines, and often motivated by crime. Andy was rightly proud to boast that Gamma and their peers had reduced nuisance calls by 20 percent. However, they are swimming against a tide which is driven by cheap robots and international calls. When asked if they endured repeated nuisance calls, everybody in the room raised their hands. The screening of unknown, suspicious and blacklisted numbers is the obvious way that phone users can spare themselves the attentions of marketeers and con artists, but is less effective when criminals manipulate the caller ID to disguise the true origin of a call. My own experience confirms plenty of Indian scammers have called me and pretended to be based in Manchester, although the CLI was for a London number!

A mixture of regulatory demands and persuasion are leading US and Canadian telcos to adopt STIR/SHAKEN, protocols which allow telcos to verify the caller ID using digital signatures. RAG sponsor iconectiv have won the contract to effectively manage the supply of signatures in the USA, and they spoke in Bonn about their hope that European telcos will voluntarily seek to implement STIR/SHAKEN in order to protect their reputations and keep customers happy. However, Andy Rawnsley rightly pointed out that STIR/SHAKEN verification only works if the voice call is carried on IP networks from end to end. If a TDM network is involved, then the caller ID cannot be verified. This leaves a massive loophole that international criminals will seek to ruthlessly exploit.

Based on the information presented in Bonn, it is obvious that North American telcos and regulators are in the lead when it comes to digital signatures for voice calls, whilst the UK will likely be the first European country to experiment with digital signatures. Other European countries will follow at a pace that depends on the results achieved elsewhere. The lack of European urgency is frustrating. The dangers are obvious; there has been a rapid increase in robocalling in the USA, and 5 billion robocalls are now received by US subscribers each month. Meanwhile, the Federal Communications Commission (FCC), the US regulator, has imposed increasingly severe fines on businesses found to have spoofed the caller ID of millions of calls. Do Europeans need to wait until spoofing has reached epidemic levels before they act?

English-speaking countries are more prone to nuisance calls because of their language; it must be harder to recruit Indian scammers who are fluent in German or Flemish. Nevertheless, criminals take the path of least resistance whilst updating their scams to keep them alive. If the scammers are defeated in North America then they will turn their attention to the UK, Australia and other English-speaking countries. And when they are defeated in those countries they will reprogram machines and recruit staff who can speak other languages.

The European Union makes much of an economic strategy centered on a digital single market (DSM), but trust is vital when dealing with people remotely. The DSM will suffer if fraudsters use a combination of voice to gain a person’s trust, and the internet to drain their money. The EU’s lack of interest in telecoms fraud is already disquieting, with changes to tariffs leading to an enormous rise in what Xavier Lesage of Araxxe called ‘CLI Europeanization’ – the changing of the caller ID to make it seem like the call originated inside the EU. Widespread robocalling and caller ID spoofing has the potential to do far more damage to the way business is done in Europe.

Europe should take steps to protect its digital single market before trust is undermined. The continent can do this by aggressively pursuing the switch to all-IP networks, by pushing telcos to adopt STIR/SHAKEN, and by educating consumers about the rising risks they face. Or they can fall further behind in a race which has already seen Chinese equipment manufacturers overtake their European rivals, and where North American regulators are more proactive in defending phone users from crime. Over the years we have heard many fine speeches from European politicians who attend events like the Mobile World Congress to pontificate about the benefits of the digital single market. Their words will ring hollow if they do not urgently take collective action on caller ID spoofing.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.