For a long time, North America has been suffering a blight of nuisance calls and messages, known as robocalls. Some of these calls are legal, but many are not. Robocalls are automated calls that deliver a recorded message, often for telemarketing, alerts and payment reminders, which are all legitimate uses of robocalling facilities. Fraudsters also use robocalling to scam people out of their data and money.
YouMail, one of the US companies that provide an app to combat illegal robocalling, also publishes statistics through its Robocall Index. In 2016, Americans received approximately 29 billion robocalls. In 2017 the volume of robocalls increased to over 30 billion, which equates to over 100 robocalls for every adult.
Looking at the Robocall Index statistics for March 2019, the trend isn’t slowing, with 5.2 billion robocalls taking place during the month. That’s 168 million per day, 7 million per hour or 2 thousand per second. Over 47% of those robocalls are illegal.
Whilst solutions are available to help intercept illegal calls, providers like YouMail can’t stop them all. Alex Quilici, CEO of YouMail, notes:
We’ve stopped well over 1b of these robocalls. The hardest thing for us is spoofed calls, so we’re rooting for the carriers to get authenticated caller ID out quickly, since we’re very fast at recognizing when a number has gone bad.
We were joined in October 2018 at RAG Kansas by Dr Eric Burger, CTO of the FCC and Research Professor at Georgetown University, who provided the keynote and joined the panel discussion on robocalling. In his keynote he wryly noted that approximately half of the calls he received to his FCC mobile were robocalls.
Commsrisk readers outside of North America may think that this problem is confined to that region but it has already reached Europe and will undoubtedly continue to spread whilst weaknesses in telephony networks remain unchecked. These fraudsters and con-artists aren’t encumbered by borders, and I now receive several automated calls and messages each month to my mobile and fixed-line.
Examples of Malicious Calls
I experience nuisance calls and SMS messages on a regular basis, with the originator usually claiming to be from HMRC, demanding payment of overdue taxes to prevent an arrest warrant being issued for me, or alleging to be from the police stating that they have an arrest warrant for me. This is utter nonsense and the reason I have unplugged my fixed-line at home. But these fraudsters continue to target the less well informed, and they use emotive subjects that can cause the recipient to react in panic.
Other forms of deceit include the spoofing of numbers to appear local to the neighborhood of a called party. Fraudsters also send SMS messages which appear to be from friends and family as an act of extortion, saying they are in trouble and require financial assistance.
It is critical for telecoms, regulatory and government bodies to reduce nuisance calls and messages, but only so much can be done to safeguard consumers. Consumer education is important, and I try to ensure that my family and friends are aware of the risks in responding to these malicious attempts.
How Is North America Dealing with Illegal Robocalls?
North America has been most actively tackling nuisance calls. The lessons they have learned are a valuable asset in preventing the spread of this blight.
Changing the caller ID helps perpetrators of robocalling, though there are legitimate reasons why manipulation of presented numbers must be allowed. For example, call centers which perform outbound calling will want a corporate number to be displayed instead of the employees’ direct line. The ability to spoof numbers, including through readily available services which allow SMS headers to be manipulated to present any number, is at the heart of the robocalling problem. Illegal robocallers spoof the calling party identifier to present themselves as local numbers or trusted brands. One attendee at the RAG Kansas event gave the example of receiving a call identifying as a former neighbor’s fixed-line number, even though that person knew that the number in question was no longer in use.
Organizations and groups, such as ATIS and the IETF, have created working groups of subject matter experts to help find solutions to fight back. Many readers will be familiar with two of these activities: STIR and SHAKEN. That may sound like instructions for making a cocktail, but they are intended to have more of a kick!
Secure Telephone Identity Revisited (STIR)
The IETF’s STIR working group will specify a SIP header-based mechanism for verification that the originator of a SIP session is authorized to use the claimed source number, where the session is established with SIP end to end.
Signature-based Handling of Asserted information using toKENs (SHAKEN)
The Secure Telephone Identity Governance Authority (STI-GA) is a critical body helping the industry mitigate the problem of unwanted robocalling. Working with the IETF’s STIR (Secure Telephone Identity Revisited) protocol, the ATIS-SIP Forum’s SHAKEN initiative specifies a practical mechanism for authenticating calls by attaching a ‘digital signature’, which will help consumers to once again trust the caller ID displayed.
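The following sketch is an added example, not part of the original article or of any STIR/SHAKEN implementation. It shows the signed token (a PASSporT, RFC 8225) that an originating provider attaches to a call and the checks a terminating provider runs on it. The key pair, phone numbers, certificate URL and 60-second freshness window are constructed for illustration; in a deployment the verification key comes from the signer's certificate rather than being passed in directly.

```javascript
const crypto = require('crypto');
const b64u = (x) => Buffer.from(x).toString('base64url');

// Constructed test key pair standing in for the originating provider's certificate key.
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Originating provider: sign the claims about the call (ES256, compact JWS form).
function signPassport(orig, dest, attest, iat, key) {
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport',
                   x5u: 'https://cert.example.invalid/sti.pem' }; // placeholder URL
  const claims = { attest, dest: { tn: [dest] }, iat, orig: { tn: orig },
                   origid: crypto.randomUUID() };
  const input = b64u(JSON.stringify(header)) + '.' + b64u(JSON.stringify(claims));
  const sig = crypto.sign('sha256', Buffer.from(input), { key, dsaEncoding: 'ieee-p1363' });
  return input + '.' + b64u(sig);
}

// Terminating provider: check the signature, the token's freshness, and that the
// signed numbers match the numbers actually presented on the incoming call.
function verifyPassport(token, sipFrom, sipTo, now, key, maxAge = 60) {
  const parts = token.split('.');
  if (parts.length !== 3) return 'malformed';
  const [h, p, s] = parts;
  const ok = crypto.verify('sha256', Buffer.from(h + '.' + p),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!ok) return 'bad-signature';
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (Math.abs(now - claims.iat) > maxAge) return 'stale';
  if (claims.orig.tn !== sipFrom || !claims.dest.tn.includes(sipTo)) return 'number-mismatch';
  return 'verified:' + claims.attest; // attestation level asserted by the signer
}

// Constructed calls: a correctly signed call, then the same token replayed on a
// call that presents a different (spoofed) calling number.
const t0 = 1700000000;
const token = signPassport('12025550100', '12025550123', 'A', t0, privateKey);
console.log(verifyPassport(token, '12025550100', '12025550123', t0 + 2, publicKey));
console.log(verifyPassport(token, '12025550199', '12025550123', t0 + 2, publicKey));
```

A token lifted from a genuine call fails on either the number check or the freshness check when reused, and any edit to the signed claims invalidates the signature.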
No Weak Links
In essence, STIR and SHAKEN allow telcos to authenticate and certify that calls are legitimate in their origin and that the originator has the ‘right’ to choose the number presented to the called party.
Widespread adoption is key to the success of these initiatives, as any remaining weaknesses will be targeted. If not adopted by all operators, it could leave gaps for continued exploitation in non-adopting providers, and potentially lead to customers losing faith in their provider and choosing to migrate to another who maintains certified transactions.
Successful adoption isn’t just a matter of policy for operators. It also requires an IP-based network infrastructure to support the solutions, so operators will need to ensure a migration from the public switched telephone network to an IP network. This is a complex and costly change for any operator to implement.
What Is Being Done in the UK?
The British regulator, Ofcom, is cognizant of the impact to customers and is attempting to put changes and measures in place to protect end users. Ofcom recently announced a series of consultations which seek to address the migration of telephony services from PSTN to IP networks, and how prevention of nuisance calls and messaging can be included so as to safeguard consumers and ensure confidence in communication services. The consultations are on promoting trust in telephone numbers, the future of telephone numbers and the future of interconnection and call termination. All of these consultations are open for feedback until June 2019. They collectively cover more than just the protection of consumers from nuisance calls and messages. For example, they also seek to enhance number porting for customers.
In addition to the three Ofcom consultations, there already exists a joint initiative between Ofcom and the Information Commissioner which has an established working group of nine UK operators and involves technical standards being developed by NICC Standards, an independent organization and technical forum for the UK communications sector that develops interoperability standards for public communications networks and services in the UK.
Mobile UK, a trade association for mobile network operators EE, O2, Three and Vodafone, is also working to combat the growing problem in the mobile telecommunications space with an initiative called SMS PhishGuard. This includes development of a new registry to significantly reduce the ability for fraudsters to send messages that spoof a known and trusted brand in the message header. The process checks whether the sender using that sender ID is the genuine, registered party, blocking any messages that are fraudulent to ensure SMS can remain a trusted communication channel.
SMS PhishGuard teams are also supporting the work of Take Five To Stop Fraud, a UK awareness campaign that offers advice to help people protect themselves from fraud, so that customers can recognize scams, including phishing by SMS, and that encourages them to challenge requests for their personal or financial details.
What Next?
The work already undertaken in North America and the work now taking place in the UK and Europe is crucial to maintaining critical communications services and the confidence in them. I’ll be following the discussions and developments across the different regions with a view to helping and promoting the work being done. RAG will also be helping to support these activities, from education on the issues at the RAG events to contributing to discussions across the various regions.
This issue isn’t going away on its own. Anti-fraud practitioners need to be aware of the problems and solutions being put in place.