Fighting Spoofing

One of the biggest problems with the telephone network today is spoofing – where robocalls are generated using stolen numbers to mask the identity of the caller. Spoofing and robocalls are the biggest source of complaints to the FCC, and NANC (the North American Numbering Council) reports that in 2016 there were 2.4 billion robocalls per month – a number that has surely grown. As recently as a year ago I rarely got robocalls on my cellphone but now get half a dozen per day.

The FCC called upon NANC to find a solution to the problem, and NANC assigned the task to the Call Authentication Trust Anchor Working Group. In May of this year the FCC accepted the recommendations of this group to implement a ‘token’ system to verify that calling numbers are authentic. Last week Chairman Ajit Pai asked the industry to speed up implementation of the solution, warning that the FCC would issue an order to do so if the industry didn’t solve the problem quickly.

The proposed solution involves a new process used to authenticate the originating telephone number for calls. The concept is to issue ‘tokens’ to carriers that allow them to authenticate, in real-time, that the originating number of a telephone call is really from the party that owns the number. This will mean a whole new overlay on the PSTN to make this validation quickly before a call is terminated.

In addition to developing the specifications for how the process will work, the NANC working group recommended the following industry process for making this work:

  • The industry needs to select a governance authority to take ownership of the process so that it’s implemented uniformly across the industry;
  • The working group also recommended that a policy administrator be chosen that will administer the day-to-day implementation of the new process;
  • The working group also recommended specific roles and responsibilities for the governance authority and policy administrator;
  • Set the goal to have those two entities in place within a year. I think the FCC Chairman’s frustration is due to the fact that this was recommended in May 2018 and I don’t think that the governance authority or policy administrator have been chosen.

Of course, this means a new industry protocol and process and comes with a slew of new acronyms. Primary among these is SHAKEN, which represents new SIP protocols used specifically for the purpose of creating the call authentication tokens. Also used is STIR (secure telephone identity revisited), which is the IETF group that created the specific protocols for telephony. This leads to the cute acronym SHAKEN/STIR which is being used to describe the whole process (and which would definitely not be approved by James Bond).
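The token idea described above, sketched as an added example (not code from the working group or from any carrier): the originating carrier signs the calling number, called number and timestamp, and the terminating carrier checks them against what the call actually presents. The claim names follow the SHAKEN PASSporT layout; the demo key, the phone numbers, the origid value and the 60-second freshness window are constructed or assumed, and HMAC-SHA256 stands in for the ES256 certificate signature that real SHAKEN uses.

```python
import base64, hashlib, hmac, json

# Constructed demo key. Real SHAKEN tokens are signed with ES256 under a carrier
# certificate; HMAC-SHA256 is a stand-in so this runs with the standard library.
DEMO_KEY = b"constructed-demo-key"
MAX_AGE = 60  # assumed freshness window, in seconds

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(orig_tn, dest_tn, attest, iat, key=DEMO_KEY):
    """Originating carrier: bind calling number, called number and time."""
    header = {"alg": "HS256", "ppt": "shaken", "typ": "passport"}
    claims = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
              "orig": {"tn": orig_tn}, "origid": "constructed-origid"}
    body = ".".join(b64u(json.dumps(p, separators=(",", ":")).encode())
                    for p in (header, claims))
    return body + "." + b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())

def verify_token(token, caller_id, called, now, key=DEMO_KEY):
    """Terminating carrier: return (accepted, reason)."""
    try:
        head, body, sig = token.split(".")
        good = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(good, b64u_dec(sig)):
            return False, "bad signature"
        claims = json.loads(b64u_dec(body))
        if abs(now - claims["iat"]) > MAX_AGE:
            return False, "stale token"           # reused from an earlier call
        if claims["orig"]["tn"] != caller_id:
            return False, "caller ID mismatch"    # number shown is not the number signed
        if called not in claims["dest"]["tn"]:
            return False, "destination mismatch"  # token was issued for another call
        return True, "attestation " + claims["attest"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed token"

if __name__ == "__main__":
    t = sign_token("12025550123", "12025550199", "A", 1_700_000_000)
    print(verify_token(t, "12025550123", "12025550199", 1_700_000_010))
    print(verify_token(t, "12025550100", "12025550199", 1_700_000_010))
```

A call with no token at all never reaches these checks, which is why numbers on carriers that have not yet implemented signing remain uncovered.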

The working specifications recognize that what is being prepared is just the first step in the process. They understand that as soon as they implement any solution, spammers will instantly begin looking for workarounds. The initial concept is to begin by implementing this with the largest carriers, and that will still leave a lot of holes with numbers assigned to smaller carriers, numbers deep inside PBX trunk groups, and numbers used for Internet calling like Skype. However, the goal is to eventually cover the whole industry.

The concept is that this is going to have to be a dynamic process. I envision it much like the software companies that build spam filters. The group making this work will have to constantly create patches to fix vulnerabilities used by spammers. I have my doubts that anything like this will ever fully stop spoofing and that spammers will always be one step ahead of the spoofing police.

This is a concern for small carriers because it sounds like something new that a voice provider is going to have to pay for. It’s likely that there will be vendors that can do this for small carriers, but that sounds like another check to write to be able to provide voice service.

The End of Robocalls?

The FCC took action recently to block certain kinds of robocalls. These are the automated calls we are all familiar with where you hear a recording when you pick up the phone. The FCC estimates that there are over 2.4 billion robocalls per month. If you read the news articles that came out after the FCC order you would assume that this order means the end of all robocalls – but it doesn’t.

The FCC action is intended to eliminate robocalls that come from spoofed sources. Spoofing is when the caller hides their phone number or changes the originating number for caller ID. Callers have numerous reasons to spoof calls. Some spoofers are scammers and use robocalls to initiate fraud. For example, the IRS says that over $26 M in fraud is done each year from robocalls posing as tax collection calls. Other callers use spoofing to avoid the Do-Not-Call rules, which are supposed to prevent solicitation calls to people who have elected to not receive them. If the number that shows up on caller ID is wrong, then there is no way for the FCC to catch or fine a caller for violating those calling rules.

The FCC accepted a proposal from a ‘strike force’ of large companies like AT&T, Google, Apple and Comcast to tackle the issue. Some spoofed calls will be relatively easy to block, like when spoofers use numbers that can’t be real such as 000-000-0000. But spoofers also use disconnected or unused numbers and these will be more challenging to find. A spoofer could use a legitimate number for a short time and abandon it before being blocked. Spoofing is similar to computer hacking in that it’s a game of cat and mouse – and you’d expect spoofers to figure ways around any schemes to catch them. It will be interesting to see how effective the strike force is at blocking spoofed calls.

But it’s important to remember that a lot of robocalls are legitimate and will continue. First, anybody is allowed to make a legitimate robocall to people who are not on the Do-Not-Call list. But even if you are on that list, all sorts of entities are allowed to call you. For example, any merchant like a bank, credit card, insurance company, cell phone provider, etc. is allowed to call their own customers. Governments are allowed to call citizens and that means that political robocalls are legitimate as well as calls from other parts of the government. Certainly nobody is against localities that send out robocalls to warn of tornados, flooding or hurricane evacuations.

And some robocalls are useful. For example, the high school where our daughter goes calls once a week to tell us about things going on at the school. For the most part these are things that you would never hear about from your child.

There is no doubt that robocalls are a huge issue. The FCC says they are by far the number one type of complaint they get. I haven’t had a landline in twenty years, but the last time I spent a few days at my mother-in-law’s house, who still has a landline, I was amazed at the number of solicitation calls she got per day – both robocalls and from live callers. She’s on the Do-Not-Call list and still gets 5 – 10 calls per day.

I think a lot of people will be surprised to find that the FCC’s action won’t stop legitimate robocalls – and that has to be a huge percentage of the calls made. Your bank and other vendors that call you are doing so legitimately and do not try to hide who they are when they call. And I think that when that sinks in, the public will be disappointed. That fault lies with the many misleading news articles declaring the end of robocalling. The FCC was clear in its own declaration that this was an action taken to try to eliminate scam calls. But if history has taught us anything it is that scammers will always find a way to do what they do. This order may slow scammers down, but they will find other ways to scam people – including figuring out how to still call using robocalls. I hope the strike force can find a way to stop this, but my guess is they will just slow it down, at best.