Few businesses have benefited more from the US regulator’s decision to impose STIR/SHAKEN on telcos than TransNexus, one of the approved SHAKEN certification authorities. Being a certification authority gives TransNexus the power to say voice calls from their clients have not had their calling line identity (CLI) spoofed, and also means TransNexus will enjoy predictable revenues from those clients. The extent to which TransNexus is riding the crest of a wave created by the regulator’s mandate can be gauged from their blog, which shares congratulatory news about the deployment of STIR/SHAKEN at least once a week. So when this blog asserts that the statistics since STIR/SHAKEN became mandatory include an ‘amazing and unexpected’ correlation, you can be sure that:
- the surprise is genuine; and
- nobody who argued for the adoption of STIR/SHAKEN predicted an outcome that should have been perfectly predictable to anyone who understands how telecoms fraudsters behave.
This is what TransNexus wrote:
…we found an amazing and unexpected correlation between robocalls and SHAKEN attestation level.
…calls with Partial B attestation are more likely to be robocalls than unsigned calls. The percentages dropped slightly in August and September, while the percentages of robocalls signed with Gateway C attestation increased.
Clearly, some robocallers have found a way to get their robocalls signed.
Before we break this finding down, it is worth reflecting on the old aphorism ‘they could not see the forest for the trees’. Some of the loudest advocates for STIR/SHAKEN are so engrossed in its details that they seem incapable of seeing, never mind addressing, the fundamental weaknesses of STIR/SHAKEN. Let us avoid another boring snoring discussion of STIR/SHAKEN’s technical detail and just recap some key essentials.
- Digital signatures are attached to calls so they can later be used to verify if the CLI matches the real origin of the call.
- An unsigned call is hence the same as the call that would have occurred if STIR/SHAKEN had never been invented.
- The quality of the signature depends on whether it is attached at origin as confirmation that the CLI is consistent with the specific phone used to dial that call, which is referred to as an A-grade attestation, or if the signature is attached further down the line, resulting in the B and C grades.
- The A grade is hence supposed to be more trustworthy than the B grade, which is supposed to be more trustworthy than the C grade.
So when TransNexus say they have found an ‘amazing and unexpected correlation’, what they mean to say is that they are surprised by the following fact: phone calls with B and C grade signatures are significantly less trustworthy than calls with no signatures.
Or to put it another way: a significant portion of calls that have an anti-spoofing signature are more likely to have had their CLI spoofed than calls which have no anti-spoofing signature.
This was perfectly predictable, and only groupthink amongst the supporters of STIR/SHAKEN has prevented them from anticipating this outcome. Let me explain why it was inevitable that, to use the words of TransNexus, “some robocallers have found a way to get their robocalls signed”.
To begin, we can start with an observation about how few US calls are validated using STIR/SHAKEN, even though it became mandatory for all but the smallest US telcos in June. Only a quarter of calls received in the USA are assured using STIR/SHAKEN. This is not because telcos are breaking any rules, but because STIR/SHAKEN can only be made to work for a minority of calls. STIR/SHAKEN fails unless every telco carries the call on an IP network, and requires all of those networks to have been modified to support STIR/SHAKEN. There are many legitimate call scenarios where STIR/SHAKEN cannot be made to work end-to-end. That is part of the reason why the system includes inferior grades of attestation, allowing for signatures to be applied downstream from the actual origin.
Now we can apply some simple statistical reasoning. Three-quarters of calls received in the USA are not assured using STIR/SHAKEN. Three-quarters is a very large share of any population. Such a large sample is extremely unlikely to be subject to a significant degree of sampling error. In other words, using numbers alone we may conclude this sample is highly likely to be representative of the whole. The STIR/SHAKEN data that TransNexus analyzed says there is a 3 percent chance that an unsigned call is a robocall. So if 3 percent is the proportion of robocalls for the three-quarters of the population that is unsigned, it is reasonable to infer 3 percent of all calls would be robocalls if STIR/SHAKEN had never been implemented.
Smart Alecs amongst you will have already noticed the problem with the argument in that last paragraph: it is unsafe to make that inference because the behavior of fraudsters is likely to have changed as a consequence of implementing STIR/SHAKEN. That is true. It is a helpful observation. You cannot use statistics like these to make inferences between two populations where one is ‘before’ a change that occurs, and the other is ‘after’ the change, especially when the change may alter human behavior. If nothing of substance changed, we could infer that 3 percent was the rate of robocalls both before and after the adoption of STIR/SHAKEN, but something did change, and fraudsters knew of the change. So now ask yourself the following question. Would you expect professional fraudsters to react to STIR/SHAKEN by doing nothing different? Or would you rather expect that professional fraudsters will take deliberate and urgent steps to make their calls seem legitimate by exploiting obvious weaknesses in the new STIR/SHAKEN authentication system?
The high correlation between fraud and the B and C grades of STIR/SHAKEN attestation should have been anticipated because anyone with real-world experience of how fraudsters behave should have realized fraudsters will proactively use STIR/SHAKEN to disguise bad traffic. This confirms my suspicion that the supporters of STIR/SHAKEN are predominantly lawyers, politicians and network engineers who want to believe it will work, to the exclusion of experienced and unbiased fraud managers who would have pointed out its weaknesses if properly engaged at an early enough stage of development.
Nothing really prevents criminals getting A-grade attestation for robocalls if they wanted it, but they are unlikely to pursue this course of action because it would cost too much. In contrast, there are straightforward ways to obtain a B or C grade attestation with little cost or effort. That is because a system whose philosophy is based on end-to-end authentication of calls was then designed to accept loopholes for calls that, for one commercial reason or another, telcos do not want to authenticate from end-to-end. To put it simply, the designers of STIR/SHAKEN made no allowance for the fact that if you create a method for deception so it can be used for legitimate purposes, then fraudsters will also use the same method of deception for illegitimate purposes too.
A simple illustration should suffice. Many telcos profit from the legal deception that occurs whenever a big business makes an outgoing call to a customer but presents a CLI that does not reflect the specific phone used to originate that call. Some may make a semantic argument about whether this really is a deception, but such people also fail to see the forest for the trees. If you create a method to manipulate a CLI, whilst also certifying that it is a ‘good’ CLI, then bad people will use the same method for bad reasons. So if you are not careful, you create a form of authentication that will be actively adopted by criminals because they want to exploit the flaws that allow their bad actions to be better disguised than they were before.
The telecoms industry is riven with bad actors. We all know that. And there are many bad businesses across all sectors. Fraudsters are organized criminals; they know how to set up companies, or how to corrupt them from the inside. The people responsible for artificially-inflated traffic, or short-stopping, or carousel fraud are not people who exist outside of the telecoms ecosystem. As I was writing this article I received an unsolicited message from a stranger who seemingly works for a legitimate telecoms business but who asked a question that no legitimate business would ask. So as soon as it was decided to create categories of certificates that supposedly provide some comfort that the CLI can be trusted, even though it is known that the CLI does not reflect the actual source of the call, then the designers of STIR/SHAKEN created a metaphorical back door with a huge sign suspended above it: “FRAUDSTERS ENTER HERE”.
It is clear that the US regulator is pivoting to one of the oldest and simplest tropes to explain away the poor results delivered by STIR/SHAKEN: they will increasingly blame foreigners for robocalls. This will also be used by the USA to pressure their closest allies into adopting the same anti-spoofing technology, which will doubtless please investors in the North American businesses that created and sell this technology. But nobody in the real world is protected by blaming foreigners for crime if there are plenty of criminals within your country who exploit your anti-crime system to disguise their crimes!
I doubt the people responsible for STIR/SHAKEN have any idea how to close the loopholes they created. One reason they cannot see the forest for the trees is because they prefer not to see a forest of loopholes when profits and reputations depend on counting every tree as a success. None of them want to make more fundamental reforms to a legal and regulatory environment that is trying to depress the number of illegal robocalls whilst simultaneously permitting mind-boggling numbers of legal robocalls. The problem is analogous to the situation that Americans face when dealing with gun crime. They know they do not want bad people shooting good people, but with so many guns already in circulation, it becomes nearly impossible to reduce gun crime without consciously limiting the approved uses of guns too.
My prediction is that the USA is now in such a technical, commercial, legal and regulatory mess that they will never significantly reduce robocalls unless ordinary people start abandoning telephony voice services altogether. The question for other countries is whether they really believe the best way forward involves following the lead of the USA.