Fighting Spoofing

One of the biggest problems with the telephone network today is spoofing – where robocalls are generated using stolen numbers to mask the identity of the caller. Spoofing and robocalls are the biggest source of complaints to the FCC and NANC (the North American Numbering Council) reports that in 2016 there were 2.4 billion robocalls per month – a number that has surely grown. As recently as a year ago I rarely got robocalls on my cellphone but now get half a dozen per day.

The FCC called upon NANC to find a solution to the problem. NANC used the Call Authentication Trust Anchor Working Group to find a solution to the problem. In May of this year the FCC accepted the recommendations of this group to implement a ‘taken’ system to authenticate that calling numbers are authentic.  Last week Chairman Ajit Pai asked the industry to speed up implementation of the solution, warning that the FCC would issue an order to do so if the industry didn’t solve the problem quickly.

The proposed solution involves a new process used to authenticate the originating telephone number for calls. The concept is to issue ‘tokens’ to carriers that allow them to authenticate, in real-time, that the originating number of a telephone call is really from the party that owns the number. This will mean a whole new overlay on the PSTN to make this validation quickly before a call is terminated.

In addition to developing the specifications for how the process will work, the NANC working group recommended the following industry process for making this work:

  • The industry needs to select a governance authority to take ownership of the process so that it’s implemented uniformly across the industry;
  • The working group also recommended that a policy administrator be chosen that will administer the day-to-day implementation of the new process;
  • The working group also recommended specific roles and responsibilities for the governance authority and policy administrator;
  • Set the goal to have those two entities in place within a year. I think the FCC Chairman’s frustration is due to the fact that this was recommended in May 2018 and I don’t think that the governance authority or policy administrator have been chosen.

Of course, this means a new industry protocol and process and comes with a slew of new acronyms. Primary among this is SHAKEN which represents new SIP protocols used specifically for purpose of creating the all authentication tokens. Also used is STIR (secure telephone identity revisited) which is the IETF group that created the specific protocols for telephony. This leads to the cute acronym SHAKEN/STIR which is being used to describe the whole process (and which would definitely not be approved by James Bond).

The working specifications recognize that what is being prepared is just the first step in the process. They understand that as soon as they implement any solution that spammers will instantly begin looking for workarounds. The initial concept is to first begin be implementing this with the largest carriers and that will still leave a lot of holes with numbers assigned to smaller carriers, numbers deep inside PBX trunk groups, numbers used for Internet calling like Skype. However, the goal is to eventually cover the whole industry.

The concept is that this is going to have to be a dynamic process. I envision it much like the software companies that build spam filters. The group making this work will have to constantly create patches to fix vulnerabilities used by spammers. I have my doubts that anything like this will ever fully stop spoofing and that spammers will always be one step ahead of the spoofing police.

This is a concern for small carriers because it sounds like something new that a voice provider is going to have to pay for. It’s likely that there will be vendors that can do this for small carriers, but that sounds like another check to write to be able to provide voice service.

3 thoughts on “Fighting Spoofing

  1. STIR/SHAKEN addresses the identification of spoofing (also used by BDRs for outbound sales calls). But not directly the robocaller. If a robocaller uses legit Caller ID, then it will go through. So what else needs to be done?

    Like

    • You are right and many robocalls use legitimate phone numbers. One of the other things the FCC needs to do is to levy big fines for callers that repeatedly violate the Do Not Call rules. I’m on the Do Not Call list and still get half a dozens calls or more each day.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s