20.5k unique visitors in the last 3 days

The Solution to CLI Spoofing Is GSMA Call Check

You have probably not heard of the cheapest, simplest, easiest way to detect the manipulation of caller IDs.

What if there was a method that allowed the telco which terminates a call and the telco which originates a call to exchange data in real time so both would know that a call starts and ends where it appeared to start and end? Such a method would guarantee that none of the calls from the A-party had spoofed calling line identifiers (CLIs), also known as caller IDs. It would also guarantee that the call reached the correct B-party, preventing carriers from engaging in the fraudulent short-stopping of traffic. A swathe of crimes that harm consumers and telcos would be eliminated. It may surprise you to learn that this method already exists, although it has received hardly any publicity. You may not recognize the name ‘Call Check’ despite it potentially becoming the most important innovation in global telecoms fraud prevention. However, you will have heard of the GSMA, which quietly launched Call Check last year.

There are numerous reasons to use Call Check. Compared to other methods, GSMA Call Check is cheap, simple and easy to implement. Any two telcos could use it to provide assurance to each other, whether they are in the same country or if the call crosses international borders. It works across all kinds of networks, whether IP or TDM. It is not affected by how the call is routed through intermediate carriers. There is no dependence on intermediate carriers, saving them money on alternatives that demand they also implement new technology. This makes GSMA Call Check truly universal, without the need for lots of difficult coordination of rules and protocols by hundreds of different national regulators.

There would be other benefits too. Call Check would make tracing the source of a call instantaneous. Wholesale carriers would not need to do anything to make Call Check work, but it would prevent them from committing certain kinds of fraud that are currently commonplace. If every originating and terminating telco decided to implement it tomorrow then all illegal spoofing of calls would be gone by the end of the year, along with many other frauds. The only real obstacle to success is that Call Check only works if adopted by the telcos at both the start and the end of the call. That, as usual, is the biggest hurdle to solving the collective problem: there is least incentive to adopt the solution first, and most incentive to wait until others have adopted it. So instead of solving the problem, we talk and talk around the problem, and waste time on half-hearted and ill-fated experiments with less effective techniques, and thus assist criminals in sustaining their illegal profits for as long as they possibly can.

Telcos could collaborate on fraud prevention more than they currently do. The absence of voluntary collaboration tends to result in two phases. A do-nothing phase of lawlessness allows good telcos to minimize their costs whilst bad actors run wild. This is followed by a phase where compliance is imposed from above. The latter phase may see regulators trying to impose centralized solutions that are overly expensive and heavy-handed because the good telcos failed to identify, trial and refine better methods when they had the opportunity.

The question of whether problems need to be solved used a centralized solution or a peer-to-peer solution is not unique to voice telecommunications. Long-standing readers of Commsrisk will be aware that the same question arose with email. Decades of work have still not delivered a satisfactory solution to the email ecosystem’s problems with spam and scams, as evident from research demonstrating political bias in junk filters and the difficulty involved in training people to identify phishing emails. However, the voice ecosystem should have a massive advantage. In principle, the assignment of a phone number to a user should be much more controllable than the assignment of an email address. Instead of leveraging this advantage, some participants in the voice ecosystem appear intent on repeating mistakes that were made with email by putting too much faith in algorithms meant to identify harmful communications that are already in transit. They fail to place enough emphasis on identifying and punishing businesses that originate bad traffic.

It may seem paradoxical at first, but a peer-to-peer approach will be superior at eliminating bad actors from the voice ecosystem than any centralized strategy could be. That is because there is no worldwide government, and no worldwide police. Governments and regulators have limited jurisdiction. In contrast, as demonstrated by the success of roaming, telcos can police each other by choosing who they do business with. This makes them potentially more agile in tackling wrongdoing than any legal or regulatory system could be. The way we police roaming is through testing what occurs on other networks. GSMA Call Check is effectively a different kind of test, executed every time somebody makes a call between telco A and telco B. B asks A if the call really came from them; A asks B if the call was really terminated with them. If any of this data proves to be unreliable then there will be no doubt about who is at fault. We will very quickly be able to identify bad actors and threaten them with disconnection from the voice ecosystem.

Some readers will immediately question how I can describe GSMA Call Check as a peer-to-peer method when it obviously involves the GSMA. Are they not the centralized body in this solution? The difference is that the GSMA’s role in this model provides coordination, not governance. Call Check tells the originating and terminating telcos if there is a mismatch indicative of fraud. Reporting the discrepancy is not the same as giving an order to block the call. Both telcos could allow the call to go ahead. This is the essential distinction between a peer-to-peer method like GSMA Call Check and a centralized method like STIR/SHAKEN. For STIR/SHAKEN to work, there has to be centralization of the power to issue the certificates used to sign calls. The explicit threat is that bad actors will be exiled from the voice ecosystem by having their certificates revoked by the centralized power. This then begs a serious question about who gets to make those centralized decisions. It would be as if a single centralized committee had been created to decide which international roaming agreements would be approved and which would be prohibited, instead of the worldwide evolution of bilateral agreements that actually occurred.

Regular readers know of my objections to any attempt to internationalize STIR/SHAKEN, so I will not labor the point. I ask only that we honestly reflect about the reality of who would control STIR/SHAKEN if it was made global, and hence where power would be concentrated. The power would reside with US corporations, answerable only to US regulators and the US government. Those US corporations have already set up the global governance body for STIR/SHAKEN in anticipation of the rest of the world meekly submitting to their authority. The response from the rest of the world has been less than enthusiastic. Partly this is because of the do-nothing tendency that inhibits any form of collaboration. But it is also because regulatory authorities in the USA are highly politicized. Their decisions can switch overnight if there is a change in the nation’s democratically-elected government. This makes US leadership unsuited to delivering the stability and predictability required when centralizing decisions over which telcos will be excommunicated from the global voice ecosystem.

One straightforward example of US politics delivering erratic changes in policy comes in the form of net neutrality. First there were no rules about net neutrality, which upset a lot of American voters. Then Obama was elected as President, and the Democrat-led Federal Communications Commission (FCC) adopted a controversial interpretation of their powers so they could impose net neutrality. Then Trump was elected President, and the Republican-led FCC reversed the policy. Then Biden was elected President, and the Democrat-led FCC found new justifications for net neutrality. Now Trump is back, and we know that means another reversal of the FCC’s stance. This is the level at which most people pay attention to swings in US regulatory policy, but the same swings occur with respect to topics that receive less attention, such as protecting consumers from harm. Just four days ago, the Republican-led FCC postponed for twelve months the adoption of robotext blocking rules that had been drafted under the previous Democrat leadership and which were due to come into effect yesterday. This is just one small example of how US policy on consumer protection and prohibition of business activities can rapidly reverse after an election.

On Friday I will publish an article highlighting how the politicization of the FCC encouraged the suppression of data about harmful calls that should have been reported to the US government. Evidently the outgoing Democrats did not want to hand ammunition to Republican critics who now are in the ascendancy. Whichever side you favor in these political fights, I hope we can all agree that it would be dangerous to give US politicians greater power to interfere with which foreign telcos are allowed to be in business, especially given the risk of wild swings in policy every four years.

I have often been critical of the GSMA, but personal feelings should not affect evaluations of risks and their potential mitigations. GSMA Call Check is the right method for telcos that sincerely wish to protect customers from spoofed calls, but are not willing to gift too much power to US corporations that would not be accountable to any foreign government. GSMA Call Check also has the merit of being quick, cheap and simple. It detects frauds that hurt telcos, as well as scams that hurt customers. The peer-to-peer model that is the essence of Call Check can be made to work globally just like the bilateral agreements which are essential to roaming. And because the method is backed by the GSMA, it already has a degree of credibility that will reassure regulators who may otherwise doubt the capacity of telcos to voluntarily eliminate spoofed calls. That is why the promotion of GSMA Call Check is one of the three missions that prompted me to keep Commsrisk going.

The GSMA’s webpage about Call Check can be found here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email