Tag Archives: spoofing

Progress Against Robocalling

I mostly write about broadband these days, but we can’t forget that telephony is still a significant part of the industry. While the national penetration rate of residential landline telephones has dropped to about 20%, most businesses continue to have telephones, and practically everybody has a cellphone.

The bane of telephony continues to be robocalling and other nuisance calls that pester anybody with a telephone. There are bad actors that impersonate government or commercial entities with the goal of scamming the elderly and other vulnerable individuals. Scammers pretend to be the Social Security Administration, banks, utilities, the local sheriff, or tech companies in an attempt to solicit credit card numbers or other valuable data from people. In a more development robocalls are used to launch denial of service attacks against hospitals and public service entities to block the ability to send or receive legitimate phone calls.

There is a systematic industry effort to squash robocalling. The Industry Traceback Group includes a collaboration of over 400 wireline, wireless, VoIP, and cable companies that are tackling the robocalling issue. This group works with law enforcement to trace, identify, and stop the sources of illegal robocalling. The group’s goal is to block or shut down illegal robocalling.

https://tracebacks.org/

The effort is having an impact and routinely has been able to black robocall operations. Earlier this year, the FCC issued a record $225 million in fines against two Texas companies, Rising Eagle and JSquared Telecom. These companies had been making billions of illegal spoofed calls (where they used a false call-from number) to sell fraudulent health insurance. The callers claimed to represent major insurance companies like Aetna, Blue Cross Blue Shield, Cigna, and UnitedHealth Group.

There was a Supreme Court decision earlier in 2022 which threatened to weaken the effort to slow and stop robocalling. The case, Facebook v. Duguid, focused on the definition of an automatic telephone dialing system, which is commonly called an autodialer, as defined in the Telephone Consumer Protection Act (TCPA) from 1991. The Act defined an autodialer as equipment that can store telephone numbers to be used by a random or sequential number generator. The Supreme Court ruled in favor of Facebook and found that definition to be narrow and to only apply to a specific type of calling equipment.

This ruling hasn’t slowed down the Industry Tracking Group since most robocalls still violate the 1991 legislation. Calls made for the purposes of scams still violate the law. It is still illegal to call cell phones with a prerecorded or artificial voice without the permission of the user. Telemarketing calls often also violate state laws when spoofing with false caller ID is used with the intent to defraud or cause harm to call recipients.

The large FCC fine and the attempt to shut down robocalling operations have, unfortunately, driven the robocalling industry overseas, and a large percentage of robocalls now originate from overseas.

The industry is fighting against robocalling in several ways. First, many carriers have provided call-blocking tools to subscribers to block calls from unwanted numbers. The industry has implemented and continues to refine the STIR/SHAKEN process that makes it harder for robocallers to spoof telephone numbers. Probably most importantly, the industry is working with law enforcement to shut down illegal robocalling operations.

One of the most interesting features of the effort is the labeling of calls. I use AT&T for cell service, and my caller ID labels routinely identifies calls as either a telemarketing call or as potential spam. While it’s annoying to continue to get these calls, it’s comforting to be able to ignore them.

Fighting Spoofing

One of the biggest problems with the telephone network today is spoofing – where robocalls are generated using stolen numbers to mask the identity of the caller. Spoofing and robocalls are the biggest source of complaints to the FCC and NANC (the North American Numbering Council) reports that in 2016 there were 2.4 billion robocalls per month – a number that has surely grown. As recently as a year ago I rarely got robocalls on my cellphone but now get half a dozen per day.

The FCC called upon NANC to find a solution to the problem. NANC used the Call Authentication Trust Anchor Working Group to find a solution to the problem. In May of this year the FCC accepted the recommendations of this group to implement a ‘taken’ system to authenticate that calling numbers are authentic.  Last week Chairman Ajit Pai asked the industry to speed up implementation of the solution, warning that the FCC would issue an order to do so if the industry didn’t solve the problem quickly.

The proposed solution involves a new process used to authenticate the originating telephone number for calls. The concept is to issue ‘tokens’ to carriers that allow them to authenticate, in real-time, that the originating number of a telephone call is really from the party that owns the number. This will mean a whole new overlay on the PSTN to make this validation quickly before a call is terminated.

In addition to developing the specifications for how the process will work, the NANC working group recommended the following industry process for making this work:

  • The industry needs to select a governance authority to take ownership of the process so that it’s implemented uniformly across the industry;
  • The working group also recommended that a policy administrator be chosen that will administer the day-to-day implementation of the new process;
  • The working group also recommended specific roles and responsibilities for the governance authority and policy administrator;
  • Set the goal to have those two entities in place within a year. I think the FCC Chairman’s frustration is due to the fact that this was recommended in May 2018 and I don’t think that the governance authority or policy administrator have been chosen.

Of course, this means a new industry protocol and process and comes with a slew of new acronyms. Primary among this is SHAKEN which represents new SIP protocols used specifically for purpose of creating the all authentication tokens. Also used is STIR (secure telephone identity revisited) which is the IETF group that created the specific protocols for telephony. This leads to the cute acronym SHAKEN/STIR which is being used to describe the whole process (and which would definitely not be approved by James Bond).

The working specifications recognize that what is being prepared is just the first step in the process. They understand that as soon as they implement any solution that spammers will instantly begin looking for workarounds. The initial concept is to first begin be implementing this with the largest carriers and that will still leave a lot of holes with numbers assigned to smaller carriers, numbers deep inside PBX trunk groups, numbers used for Internet calling like Skype. However, the goal is to eventually cover the whole industry.

The concept is that this is going to have to be a dynamic process. I envision it much like the software companies that build spam filters. The group making this work will have to constantly create patches to fix vulnerabilities used by spammers. I have my doubts that anything like this will ever fully stop spoofing and that spammers will always be one step ahead of the spoofing police.

This is a concern for small carriers because it sounds like something new that a voice provider is going to have to pay for. It’s likely that there will be vendors that can do this for small carriers, but that sounds like another check to write to be able to provide voice service.

The End of Robocalls?

The FCC took action recently to block certain kinds of robocalls. These are the automated calls we are all familiar with where you hear a recording when you pick up the phone. The FCC estimates that there are over 2.4 billion robocalls per month. If you read the news articles that came out after the FCC order you would assume that this order means the end of all robocalls – but it doesn’t.

The FCC action is intended to eliminate robocalls that come from spoofed sources. Spoofing is when the caller hides their phone number or changes the originating number for caller ID. Callers have numerous reasons to spoof calls. Some spoofers are scammers and use robocalls to initiate fraud. For example, the IRS says that over $26 M in fraud is done each year from robocalls posing as tax collection calls. Other callers use spoofing to avoid the Do-Not-Call rules which is supposed to prevent solicitation calls to people who have elected to not receive them. If the number that shows up on caller ID is wrong, then there is no way for the FCC to catch or fine a caller from violating those calling rules.

The FCC accepted a proposal from a ‘strike force’ of large companies like AT&T, Google, Apple and Comcast to tackle the issue. Some spoofed calls will be relatively easy to block, like when spoofers use numbers that can’t be real such as 000-000-0000. But spoofers also use disconnected or unused numbers and these will be more challenging to find. A spoofer could use a legitimate number for a short time and abandon it before being blocked. Spoofing is similar to computer hacking in that it’s a game of cat and mouse – and you’d expect spoofers to figure ways around any schemes to catch them. It will be interesting to see how effective the strike force is at blocking spoofed calls.

But it’s important to remember that a lot of robocalls are legitimate and will continue. First, anybody is allowed to make a legitimate robocall to people who are not on the Do-Not-Call list. But even if you are on that list, all sorts of entities are allowed to call you. For example, any merchant like a bank, credit card, insurance company, cell phone provider, etc. is allowed to call their own customers. Government are allowed to call citizens and that means that political robocalls are legitimate as well as calls from other parts of the government. Certainly nobody is against localities that send out robocalls to warn of tornados, flooding or hurricane evacuations.

And some robocalls are useful. For example, the high school where our daughter goes calls once a week to tell us about things going on at the school. For the most part these are things that you would never hear about from your child.

There is no doubt that robocalls are a huge issue. The FCC says they are by far the number one type of complaint they get. I haven’t had a landline in twenty years, but the last time I spent a few days at my mother-in-law’s house, who still has a landline, I was amazed at the number of solicitation calls she got per day – both robocalls and from live callers. She’s on the Do-Not-Call list and still gets 5 – 10 calls per day.

I think a lot of people will be surprised to find that the FCC’s action won’t stop legitimate robocalls – and that has to be a huge percentage of the calls made. Your bank and other vendors that call you are doing so legitimately and do not try to hide who they are when they call. And I think that when that sinks in that the public they will be disappointed. That fault lies with the many misleading news articles declaring the end of robocalling. The FCC was clear in its own declaration that this was an action taken to try to eliminate scam calls. But if history has taught us anything it is that scammers will always find a way to do what they do. This order may slow scammers down, but they will find other ways to scam people – including figuring out how to still call using robocalls. I hope the strike force can find a way to stop this, but my guess is they will just slow it down, at best.