One reason we cannot currently stop imposter fraud is the lack of a surefire method to connect a person who claims to represent an organization to some auditable proof that they are communicating on behalf of that organization. A recent court victory for the Marriott hotel chain helps to illustrate the problem. After three years of legal action, Marriott have won USD8mn in damages and an injunction against two Mexican businesses that made 66 million robocalls that used Marriott’s name to sell holiday and timeshare properties. That is a victory, but it comes rather late for anyone duped into buying a property because they thought they were dealing with Marriott. And if anybody started making robocalls that impersonated Marriott tomorrow then the same lengthy legal process would need to be followed to obtain an injunction against them.
Various parties are creating data repositories so telcos can verify if a call or message displaying a legal name or brand actually comes from an entity registered to use that name or brand. This means telcos can block a communication if the content suggests it comes from business X, but other details do not match the information about business X which has been stored in the repository. The difficulty with these repositories is that the world will end up with lots of different and incompatible repositories unless a body like the Mobile Ecosystem Forum creates a global federation to tie them all together. And that will be difficult because there are hundreds of players who will try to make money by establishing and running new repositories, whilst only a few can be trusted to manage repositories on a nonprofit basis and to impartially administer them everywhere, so that no country’s business interests receives favorable treatment.
Others are filling the void by offering lots of intelligence, both artificial and otherwise, to try to distinguish authentic communications from the work of imposters. Their methods will be useful up to a point, but only because we lack more reliable alternatives. If AI can be used to detect fraud, then fraudsters will also use it to make fraud harder to detect. What is really required is a piece of data which acts like a digital signature, and which cannot be corrupted, nor duplicated, and which can only be appended to a communication by the entity which demonstrably owns it. The signature also needs to be designed so somebody on the far end of the communication can verify the signature is genuine. In other words, we need a verifiable legal entity identifier (vLEI), as explained last year by three leading experts on a Commsrisk TV episode entitled “Turning Bank ID into Caller ID”.
One little news story which is actually a big news story is that the International Organization for Standardization (ISO) has published a new standard which explicitly covers vLEIs. The root of trust for vLEIs is the Global Legal Entity Identifier Foundation (GLEIF), an offshoot of the Financial Stability Board of the G20 countries. GLEIF was established in 2014 with a goal that sounds simple: create a common global identifier for each party to a financial transaction so everybody knows who they are dealing with. You now appreciate why that objective is difficult to achieve in practice, and also why it has become more necessary than ever before. In other words, GLEIF represents the other big sector that wants to prevent scammers using phones to steal from bank accounts. And they have a realistic chance of implementing a global framework where big businesses get their identities independently audited, and then apply digital signatures to calls and messages so they cannot be impersonated.
Per GLEIF’s press release about the new ISO standard:
This standard outlines how vLEIs utilize Authentic Chained Data Container (ACDC) technology and the Key Event Receipt Infrastructure (KERI) protocol to securely trace credentials… it describes how vLEIs can verify the identities of individuals representing organizations in official or functional roles, marking a significant advancement toward universally trusted digital verification of organizations and their authorized representatives.
To put it another way, the standard shows how a distributed but global architecture can be used to uniquely identify each party to a transaction. This is complemented by a process where third party auditors have verified that a unique identifier is only ever issued to the legal entity that deserves to to use the identifier.
All of this leaves the communications industry with a strategic choice, though not everybody knows enough to appreciate that the choice already exists. We can collectively devote a decade or two to jabbering about ‘collaboration’ whilst actually promoting lots of competing near-sighted, dead-end national and/or proprietary data repositories and technologies that each promise to tackle the challenge of authenticating corporate phone users, although none have much chance of becoming globally dominant. Or we can work with the banking sector on pursuing the most rapid implementation of a credible global solution that already has the implicit backing of the G20 governments. Based on past experience, I expect we will pursue the latter only after much time is wasted on the former.
Part 3 of ISO 17442-3:2024, the new section that adds vLEIs to the existing standard on Legal entity identifiers, can be purchased from here.



