Is Flash Calling a Fraud?

The topic of flash calling is generating a lot of discussion in industry circles as telcos worry about its impact on revenues. Some have taken to describing flash calling as a way to ‘bypass’ charges for A2P SMS. These conversations about flash calls are not just academic; recently I was asked if my association, the Risk & Assurance Group (RAG), would automate the exchange of intelligence about flash calls between telcos. What was known as the RAG Wangiri Blockchain will soon be superseded by a new general-purpose fraud blockchain that telcos will use to share information about IRSF, stolen handsets and fraudulent IP addresses in addition to wangiri. This intelligence exchange will then be further expanded to address other frauds that blight telcos. Should flash calling be added to the roadmap for the RAG fraud blockchain? That depends on whether flash calling is a kind of fraud.

What Is Flash Calling?

Some people like to describe flash calling by giving examples of potential uses, but the best place to start is with an agnostic definition of flash calling that allows us to keep an open mind about how it is used. Flash calling is a way of using the A-party phone number to transmit information to the B-party so that it does not matter if the call is connected or not. Such a method of exchanging information is free from the perspective of the customer, because customers are not charged when an A-party dials a number but the B-party does not pick up. The information that is transferred is conveyed within the A-number itself. This may mean the CLI was intentionally spoofed by the A-party, and such spoofing may be legal if the A-party has the right to use that phone number.

A simple example might involve a business having the rights to 10,000 phone numbers in a single block, where the lowest number in that block ends with 0000 and the highest ends with 9999, whilst all the preceding digits are the same. 10,000 numbers in the range means there are 10,000 distinct messages that can be conveyed from the A-party to the B-party so long as the B-party knows how to associate each inbound number to a distinct message. The B-party does not need to accept the call: they can just work out the intended message from the CLI presented on their screen, or as stored in their log of missed calls. If we were writing spy fiction then we might invent a code where the A number ending 0000 means ‘yes’, the number ending 0001 means ‘no’, the number ending 0002 means ‘flee the country’ and so forth. But a much more likely use of this communication method is to convey a one-time password (OTP) to authenticate a new customer.

Because flash calls can be used as an alternative to sending an OTP by SMS there is understandable concern that widespread adoption of flash calling will damage telco revenues. Voice and SMS revenues are in overall decline but this has been partly offset by the growing use of A2P SMS messages sent by corporations to their customers for use as a second authentication factor. Businesses like WhatsApp are now switching from SMS to flash calls as a default mechanism to authenticate users. This method is free for WhatsApp and it also improves the experience for the end user, who is no longer obliged to retype the code received by SMS. The application installed on the end user’s phone can simply examine the log of calls received to identify a match with the expected A-number. The cost to the user is that they must allow the application to access the phone’s call log, somewhat compromising their privacy. However, flash calling means authentication can occur without the user needing to respond to the flash call in any way, making the process quicker and less intrusive than sending an OTP by SMS.
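The mechanism described above, as an added example that is not taken from the original article or from any vendor's implementation: a server encodes a four-digit OTP in the last digits of the A-number, and the receiving app recovers it from the call log. The number prefix, the 60-second validity window, the sample call log and the function names are assumptions made for illustration.

```python
import hmac
import secrets

BLOCK_PREFIX = "+99900012"  # constructed placeholder prefix, not a real number range
CODE_DIGITS = 4             # suffix 0000..9999 carries one of 10,000 messages
MAX_AGE_S = 60              # assumed validity window for a pending verification


def pick_a_number():
    """Server side: choose a random code and the A-number that encodes it."""
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    return BLOCK_PREFIX + code, code


def extract_code(call_log, issued_at):
    """Client side: return the suffix of the newest call from the block that
    arrived inside the validity window, or None if there is no such call."""
    hits = [
        (ts, number)
        for ts, number in call_log
        if number.startswith(BLOCK_PREFIX)
        and len(number) == len(BLOCK_PREFIX) + CODE_DIGITS
        and number[len(BLOCK_PREFIX):].isdigit()
        and issued_at <= ts <= issued_at + MAX_AGE_S
    ]
    if not hits:
        return None
    return max(hits)[1][-CODE_DIGITS:]


def verify(expected_code, submitted_code):
    """Server side: constant-time comparison of the expected and reported code."""
    if submitted_code is None:
        return False
    return hmac.compare_digest(expected_code, submitted_code)


# Constructed call log: (unix timestamp, A-number as shown in the missed-call list).
SAMPLE_LOG = [
    (990, BLOCK_PREFIX + "9999"),   # from the block, but before the request
    (1005, "+99955500001"),         # unrelated caller
    (1010, BLOCK_PREFIX + "0042"),  # the flash call for this request
    (1100, BLOCK_PREFIX + "1234"),  # from the block, but after the window closed
]

if __name__ == "__main__":
    code = extract_code(SAMPLE_LOG, issued_at=1000)
    print(code, verify("0042", code))
```

Because the block carries only 10,000 distinct codes, a verifier built this way would also need to limit the number of attempts accepted per request.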

What Are the Fraud Risks?

In most countries, it appears there are no laws which prevent users of telephony services from making calls whilst knowing they will not be answered. Such a call may superficially resemble wangiri because the ring time is too short for the B-party to accept the call. Japan differs from other countries because they passed a law that makes it illegal to use machines to dial phones and then hang up before the call is connected. The purpose of this law was to tackle wangiri but it effectively prohibits flash calling too. Flash calling would be a crime in Japan but not in most other countries.

Most telecoms frauds represent violations of a contract with the telecommunications provider rather than a criminal offense. Telcos hence exert significant influence over what is considered unlawful activity by their customers. If a telco writes terms into a contract that the customer violates then the telco’s lawyers can seek redress through the courts. But if those terms are not written into the contract then no violation has taken place. Flash calling will not violate most current contracts, the terms of which were drafted before the adoption of SIP signaling made CLI spoofing as easy as it is today. Telcos could seek to add new terms to contracts to prohibit flash calling.

Thinking about prohibitions in contracts can become muddied because governments and regulators also place limits on what can be written into contracts. One important motivation for government is to ensure telcos provide services to all legitimate customers without prejudice. Telcos may be expressly obliged to provide a service to anyone who wants it in order to prevent the telco from engaging in anti-competitive behavior. Such provisions also help to ensure telcos meet the wider needs of society. If telcos tried to amend contracts to prohibit flash calling it would not be surprising if big businesses lobbied governments to obstruct the change. Unless the legal environment is clearly in the telco’s favor, as it would be in Japan, telcos must be wary of compiling anything which looks like a blacklist of customers who are engaged in flash calling whilst this activity is neither prohibited by law nor a violation of any contract. The sharing of intelligence about flash calling could be perceived as an exercise in anti-competitive behavior where multiple telcos might use the intelligence to withhold services from a group of customers just because the consumption of free services makes those customers less profitable for the telco.

Telcos face less risk if they choose to impose a charge for flash calls instead of trying to prohibit flash calls. For example, the telco might impose a set-up fee for calls that applies irrespective of whether the B-party accepts the call. This means the customer will be charged for instigating a call even though the conventional measure of the call’s duration is zero. Such a charge is less likely to be construed as anti-competitive because the telco can argue there is a link between the revenues received from the set-up charge and the direct operating costs for running a telco. Telcos may only decide to impose call set-up charges upon businesses that make a significant number of automated A2P calls; ordinary people and politicians would vehemently object to set-up charges for P2P calls. Under these conditions it would then be likely that some flash calling would be fraudulent because some businesses which should pay for the set-up of A2P calls will disguise those calls as P2P traffic.

The Bigger Picture

Flash calling is an example of how changes to network technology designed to reduce costs and improve services can enable new and previously unanticipated forms of communications activity. Nobody spent much time worrying about the potential to encode information in the final four digits of an A-number when it would have been necessary to connect 10,000 separate phones to perform the task. It used to be common for people to place calls, perhaps from a payphone, before hanging up after one ring, as a free way of signaling that they wanted to be called back. Nobody minded because the phone company that provided the payphone was also likely to provide the service to the B-party destined to return the call. Flash calling is more of a problem because it is a form of free riding. Somebody has to pay for the infrastructure that makes flash calling possible, and even the shortest flash call incurs additional costs for a telco, such as the electricity consumed. Free riding is problematic because the beneficiaries of free services – who are most likely to be big businesses – are not making a fair economic contribution towards the upkeep of those services.

Flash calling is the latest incarnation of a more general problem with how countries reimburse telcos for their role in creating, maintaining and verifying the digital identities of the country’s residents. I have written before about telephone numbers increasingly being used as a unique identifier for each human being even though they are used less and less for instigating actual communication, which was the original purpose of the phone number. If telcos are paid only for declining modes of communication, and not for their role in providing the infrastructure needed to verify a person’s identity, then there will eventually come a point where it is uneconomic for privately-owned businesses to do either. At that time the state will need to intervene to maintain an infrastructure that both government agencies and many private businesses will have to come to rely upon, even if they have not been paying for it.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.