In her recent article for Commsrisk, AB Handshake Corporation CEO Nadejda Papernaia drew a compelling analogy between her company’s technology and the messaging technology that underpins international banking. Both guarantee the A party and B party have the same information about the transaction. Both do this by creating a separate and secure messaging channel that cannot be corrupted and is only used for this purpose. Both offer a global solution to a global problem. The main differences are that the banking transaction is a payment whilst the telephony transaction is a call, and the international banking sector collectively solved their problem in the 1970’s with the creation of the Society for Worldwide Interbank Financial Telecommunication (SWIFT). SWIFT’s messaging technology was rapidly adopted and is now used by over 11,000 institutions across 212 countries. Banks worked out how to use telecommunication to eradicate many categories of fraud over 40 years ago; telecommunications providers still argue about how to do the same.
But why are we arguing? I think there is a simple explanation. People may be sidetracked by arguments about technology but the real issue is motivation. The banks were highly motivated. Reputable banks had many good reasons to insulate themselves from rogue elements in their global sector. So they did. They knew they would make consistently healthier profits if customers had faith in the system, so they acted collectively to marginalize those businesses that were most willing to resort to dishonesty to boost profits in the short term. There was a sharp divide between banks that wanted an incorruptible system and banks that changed their name at the end of each quarter. Many chose to act decisively when presented with an opportunity to fix some of the problems that occur whenever employees of one company have to trust employees of a different company on the other side of the planet. It was clear which banks wore white hats, whilst the telecoms industry still suffers from too many shades of gray. And when many of your competitors and partners are content to inhabit the gray zone, it can become difficult to believe anyone will cooperate in adopting a process that would eradicate frauds.
The anti-fraud community is trying to make progress, but the rate of improvement is painfully slow. One example of progress is the number of firms that have signed up to the GLF Code of Conduct. Principle 4 of the Code states:
All reasonable action to be taken to avoid payment flows to the instigators of fraudulent traffic.
Where the instigators of fraudulent traffic have been identified beyond reasonable doubt, carriers will individually seek to stop payment flows as soon as technically and commercially feasible subject to any relevant legal obligations. The originating carrier will remain responsible for the fraudulent traffic and financially liable in case the payment flows cannot be stopped by the downstream carrier(s).
When I was younger, I used to comment that it was strange that a person might believe what was said about telcos checking the accuracy of telephone bills if the person routinely received inaccurate bills for their own phone. It was odd that carriers would inevitably tolerate a degree of variance in their separate accounts of how much wholesale traffic had passed between them, but ‘experts’ would claim that retail bills were virtually error-free, or else claim that the error rates for retail bills were orders of magnitude worse than the worst interconnect bill. There were even people who argued that every error on every bill is always in the customer’s favor, even if that customer is another carrier. To argue that every carrier must be wary of being overcharged, but that none ever overcharges, is an example of what psychologists call cognitive dissonance. Believing in contradictory facts leads to stress, and psychology explains how a person’s perception of reality can become warped in order to ease this tension. We have the same psychological issues with carrier fraud.
I have seen errors on my own phone bill, and I know what I have heard with my own ears. You may have never received an erroneous bill (or perhaps you do not check them like I do) and you may have never heard what I have heard people say. However, it seems unlikely that I am alone in having heard senior managers from top international carriers telling their peers that they will behave in ways that contradict the anti-fraud standards their businesses publicly pretend to support. I have heard it. And there is nothing I can usefully do about it, even though I have the luxury of writing this for an audience of professionals who really care about fraud. Blowing the whistle on specific examples of hypocrisy would serve little purpose, because whistle blowers just get excluded from conversations, whilst the people who really need to change will continue in their jobs, doing it the same way, wasting everybody’s time with aimless talk about pedantic adherence to rules and convoluted technical solutions to fraud that never work well. A public promise to stop fraud is not the same as the enforcement of that promise. Ours is an industry where all sorts of people in all sorts of telcos make promises, and then carry on regardless, because they know nobody will call out the dissonance between what they say and what they do.
Banks do reverse transactions occasionally, but imagine if their approach was skewed in the way telcos place so much emphasis on correcting errors and frauds after they have occurred. Telcos can stop a payment, but the call has still taken place. A business can afford to only focus on the money; customers get upset because they have been harried, even if the losses they suffer are later compensated. If banks behaved like telcos then few of us would dare to make an international transfer. These days, there are fewer of us who like to answer our phones. Prevention is better than cure, but we are stuck in a loop where we only discuss cures because some telcos – probably the ones who like gray profits – resist the adoption of methods that would prevent fraud.
There is no need to rely on telcos promising to be good and honest. We could just check there are no errors or frauds in individual transactions, in the same way that carriers routinely check that interconnect bills are consistent with their own network’s measures of traffic. Nadejda Papernaia promotes a check that works much like SWIFT; her AB Handshake is the metaphorical equivalent of using a standalone channel to exchange secure messages between the A and B party operators when a call is being set up. If the details of the actual call are consistent with the AB Handshake messages then both telcos know the call is being connected as it should. If a verification message contains information that is inconsistent with the call, or no message has been received, then the operator knows something is wrong with the call, so they can stop it from being connected. Instead of relying on trust, in the way signaling protocols like SS7 depend on trust, the two businesses can simply check each other’s work.
Checking another business is not tantamount to an insult. If two companies are willing to adopt a process to check each other then it means neither has anything to hide. The most important benefit of implementing the check is to clarify which businesses oppose the implementation of checks. The exchange of the verification messages makes certain frauds impossible, because many frauds exploit mismatches between what is known to the A party network and the B party network. For example, frauds may be based on the manipulation of the CLI or the stretching of the duration of the call after one party has hung up. So the rational inference is that businesses who reject dirty profits would benefit from the adoption of checks that would highlight which of their competitors are less careful about the ways they generate profit. This is more rational than believing everybody who signs a code of conduct will follow it in practice, even though nobody is checking if they are, and nobody is complaining when staff reveal how little they respect the promises made by their companies.
Our lack of confidence in other telcos is confirmed by how we handle the issue of withholding payment. Nobody thinks the police is full of experts in telecoms fraud. Nobody thinks they really add any value by issuing a police report about a telecoms fraud. They are only writing on the report what a specialist telecoms professional is telling them to write. But we need the police to underpin our way of withholding payments because they are impartial, and so can be trusted. Does it not seem odd that we trust another carrier to respect a code of conduct that says payments to criminals should be stopped, but then we need the police because we do not trust the carriers to be honest about which payments should be stopped?
Ordinary people do not care about white collar crimes when the only victim is a company’s profit and loss statement, so it is understandable that the police will give telecoms fraud the lowest possible priority amongst the many crimes they deal with. Some in our industry try to show there is a link between telecoms fraud and terrorism to incentivize the police to do more. However, there is already a link between the frauds that hurt subscribers and the frauds that hurt telcos, and that rarely seems to motivate telcos to do as much as they should to protect their own customers. We know this, but still persevere with an approach that depends on a carrier asking a police force to produce a piece of paper so it can be sent to somebody else in a different carrier.
Trying to stop payment is now more difficult than stopping a bad call in the first place. The irony is that telcos continue to follow an old paradigm for how communications services must work, with the assumption that they must trust each other because any crime will only be evident after it has been committed. This then leads to distrust, because bad actors have the opportunity to commit crime now whilst only being detected later. Prevention is better than detection. And we can prevent fraud if we can simply choose to work together.
I admire the people behind the AB Handshake Corporation, because they are pitching technology that provides the secure verification channel that works in parallel with the set up of voice calls. The detail of how this technology works is unimportant. What makes them admirable is not the sophistication of their technology; they have a product which works, but other firms could also have developed solutions based on the same principles. Since I began researching this topic I have found several examples of academics working on methods of validating calls that are essentially the same as the peer-to-peer method proposed by the AB Handshake Corporation, with the main difference being that they developed checks from user-to-user instead of telco-to-telco. Peer-to-peer solutions like these make intuitive sense, and do not need to be technological marvels. What makes the AB Handshake Corporation admirable is that they are pitching a common sense universal answer to a problem that some people do not want solved. Before they sell the technology, they must sell the idea of telcos working together. SWIFT worked so well because so many banks agreed to it from inception. I wish I had confidence that the telecoms industry could do the same.
This explains why carriers cannot fix fraud: they do not believe they can, because they do not believe they can trust other telcos to cooperate effectively at the time when cooperation would be most effective. The method stated above is sound. The problem is that most of us believe that the majority of telcos are too cynical to use this method in practice. We are like characters in tragic play; we are condemned to our fate because we are convinced it is fate. We are sure we cannot work together, so we do not attempt to prove ourselves wrong.
Or perhaps you will prove me wrong…