In January 2021, Americans received 4 billion robocalls.
That equates to almost 1,500 calls every second. Seen from a different angle,
every mobile phone in the US received a robocall almost every second day during
the month.
What is a robocall?
So, what is a robocall? It is an automated call that
delivers a scripted or recorded message. Sometimes these calls are legitimate
and legal; most often they are not. At the very least, a large proportion of
the calls are annoying spam. However, an ever-increasing number of these calls
are scam attempts of one kind or another.
Fraudulent Intent
In 1995, Clifford Stoll, astronomer, author, and teacher,
fobbed off the internet as “a passing fad” in his book “Silicon Snake Oil”. He
dismissed e-commerce, suggesting that the lack of personal contact would render
it non-viable. He also cited the lack of secure online payment mechanisms.
He could be forgiven for not knowing, at the time, just how
spectacularly wrong he would be proven.
In 2010, this topic resurfaced on Boing Boing, a zine
founded in 1988 and turned website in 1995. Stoll was quoted as saying “of my
many mistakes, flubs, and howlers, few have been as public as my 1995 howler….
Now, whenever I think I know what’s happening, I temper my thoughts: Might be
wrong, Cliff….”.
Little would he have known, at the time, the extent to which
the internet would grow. He would never have imagined that, less than a quarter
of a century later, trillions of dollars would be transacted through the
internet annually, that tens of thousands of e-commerce deals would take place
every single day of the year, and that this would continue to grow with no limit
in sight.
And, of course, this created rich pickings for all
manner of people with sinister intent. Although fraud was perpetrated via the
internet as far back as 1994, the explosive advance in communications
technology has helped it grow to over $500 billion globally in
recent times.
A sizeable portion of these ill-gotten gains comes by way of
telephone calls.
The Role of VoIP
The internet has given us VoIP (Voice over Internet
Protocol). This is a much cheaper, or even free, channel for voice
communication. Technological improvement has largely eliminated the quality
issues that were experienced in the early days of VoIP.
It is estimated that, in 2021, the number of VoIP users will
reach 3 billion. That is a huge pool of potential victims and a very strong
incentive for criminals. Sadly, this has paved the way for more crimes to be
committed through telephone calls, and for those crimes to become more and more
sophisticated.
VoIP has made it possible for criminals to bombard consumers
with these scam calls. Technology has also enabled those criminals to employ
ever more stealthy tactics to penetrate the defenses of even the most
suspicious consumers.
Stealth measures include presenting false caller-identity
information. Numbers and names of callers can now be easily falsified to trick
a call recipient into accepting a fraudulent call.
Here a scam, there a scam….
The range and sophistication of phone scams have evolved
continuously since the first ones. At first, the scams were executed via fax
and elaborate email campaigns. Victims were drawn slowly into a sometimes very
credible trap in which they had to pass on money, typically as a handling fee.
In one variant, an amount of money, usually quite substantial, was paid to
the victim. The victim was instructed to remit 90% of the amount to a third
party, retaining the 10% as a commission. Within hours of making the onward
payment, the received funds would “bounce”, leaving the victim out of pocket.
In another, pets were sold across the globe and administration or
vaccination fees were paid upfront by the client. Only, there was no pet. As
soon as you paid the fees, the seller disappeared.
Then, autodiallers and sweatshop-style call centers came
along. Suddenly the IRS was on the lookout for you for back taxes, your
insurance was expiring and you risked all sorts of misfortune if you did not
pay a certain amount immediately, by credit or debit card, right there and
then. Even on a Saturday or Sunday afternoon.
Such was the aggression and audacity of the callers. Those
victims who did fall for these scams were generally caught unawares, and so
intimidated by the caller’s threatening tone that they offered the card
details with a sigh of relief at having avoided a financial catastrophe.
These are but two examples. There is a long list of tactics
that developed, many of which are still very common today. The delivery has just
become slicker and more convincing over time.
Often now, as mentioned earlier, the caller identity is
spoofed. In other words, the caller presents a false number to the call
recipient. The number would usually be instantly recognizable: that of a public
institution like the tax authority, or that of a well-known bank or insurance
company.
Punchdrunk consumers eventually learn to recognize some of
the signs of these scams and start to build their own defenses. The most common
mechanism is to simply not take a call when the number is withheld or
unfamiliar. This, in itself, carries some risk.
Sometimes the calls may well be legitimate and have the
objective of sharing important information or serve to remind a consumer of an
upcoming payment or renewal deadline. Failure to respond may initiate some form
of late payment or default penalty. Or a policy could lapse, exposing the
consumer to uninsured risk.
Legislated Protection Measures
Several countries have introduced guidelines and limitations
to afford some protection to consumers. The legitimate uses of robocalls are
regulated in different ways by the authorities in different countries.
For example, in Canada, a consumer can register their
numbers on a National Do Not Call List. Callers are obliged to honor this list.
In most cases, a consumer’s explicit consent is required before marketing
communications are permitted.
There are certain exemptions, though. Robocalls are
permitted for political canvassing, charities, and solicitation of
subscriptions by newspaper publishers. You may also still legally receive calls
from any institution that you have a current relationship with.
In the US, the Telephone Consumer Protection Act of 1991
stipulates the rules for telemarketing and the use of automated communications
equipment.
Although telemarketing is permitted, a comprehensive set of
guidelines must be adhered to, amongst others:
- Marketing calls are only permitted between 8 am and 9 pm local time.
- A “Do Not Call” list must be maintained by every company that does
telemarketing. This list pertains to the company specifically and lists every
subscriber who has asked not to be called. The subscriber’s wish must be
honored for five years.
- All telemarketers are required to adhere to the National Do Not Call
Registry. This is a database of persons who do not wish to receive any
marketing calls from anyone.
- All callers are required to provide their name or the name of the
organization they represent and an address or telephone number where they can
be contacted.
- Automated calls to emergency services, healthcare facilities, medical
practitioners’ premises, or mobile phone lines are prohibited. Also prohibited
are any calls for which the recipient will be charged.
In addition to these federal regulations and guidelines,
each state has or may have supplemental rules.
All of these provisions, and others not listed above, are
designed to protect the interests of consumers and protect them from the incessant deluge of fraudulent calls.
Protection by Service Providers
Whilst these regulatory measures afford some protection, it
is only really the honest people that allow themselves to be bound by them.
Rules do not apply to criminals.
This is why, over and above the protective measures
legislated by governments, telephone operators and internet service providers
also implement a variety of measures to try and protect their subscribers.
Verizon, for instance, provides tips on how to identify a
scam call, such as:
- Do not pick up calls from withheld or unknown numbers.
- Do not share any personal or financial information.
- Legitimate callers will never try to pressure you into making a decision or
a payment immediately.
- If the caller purports to represent an organization that you have an
existing relationship with, they will know your details. They may need to ask
one or two questions to verify your identity.
- Any request for ID, Social Security, or bank card or account numbers is a
scam.
- A recorded message is very likely spam.
- A call that requires you to respond by pressing a button is seeking to
confirm that it has reached a valid number. The motive is spam or a scam.
They also advise subscribers not to call back numbers they
do not recognize. More often than not these are premium-rate numbers
where the scammer earns money at the caller's expense.
Personal measures
All the regulations and the measures and advice provided by
service providers are still not adequate for complete consumer security.
Consumers have therefore also adopted apps and habits to protect themselves.
Despite everything, these calls persist. Enough people are
still falling for them to make it attractive for the scammers, and the tactics
used by the criminals continue to develop unabated, becoming ever more
sophisticated and credible.
STIR/SHAKEN
This is why, on December 30th, 2019, the
Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act was
enacted. One of the objectives of the law is to set a timeline for the
implementation of STIR/SHAKEN.
Pursuant to the legislation, the Federal Communications
Commission was mandated to report back by the end of 2020 on the progress made
with the roll-out of STIR/SHAKEN. The legislation also requires national
service providers to complete the implementation of STIR/SHAKEN by the end of
June 2021. Regional service providers have
until June 30th, 2022 to have implemented the technology.
What is STIR/SHAKEN?
STIR is an acronym for Secure Telephony Identity
Revisited and SHAKEN stands for Secure Handling of Asserted
information using toKENs.
How STIR Works
STIR is a working group set up under the Internet
Engineering Task Force. It aims to further the development and implementation
of protocols that allow a caller ID to be transmitted in digitally signed form,
backed by a certificate. Further, it allows this signed caller ID to be checked
as it moves through interconnected networks.
When the call eventually reaches the target subscriber,
their service provider can verify that the call originated from the number
displayed on the caller ID.
The STIR technology has limitations, though:
- It cannot block calls or prevent a caller from spoofing a number.
- It does not analyze call data to identify spam or scam calls.
- It operates only on VoIP.
Because STIR only addresses caller ID on the VoIP
portion of a call, it is not a complete end-to-end tool.
When a call originates on VoIP, a Session Initiation
Protocol (SIP) header is created that attaches to the call. This SIP header
contains, at the very least, the to and from telephone numbers. The STIR
technology allows this SIP header to be digitally signed by the service
provider.
The signature is in the form of attestation. There are three
levels of attestation:
- Level A: the caller is authentic and has the authority to use the calling
number.
- Level B: the number is validated but not the authority of the caller using
the number.
- Level C: neither the caller nor the number is authenticated. The service
provider only attests to where it received the incoming call.
The attestation is added to the SIP header. This is the
assurance that is passed onto the subscriber’s service provider. Whilst a call
remains in a VoIP network, the SIP header stays with it as does the digital
signature.
The older telephony protocol, Signalling System No. 7 (SS7)
is unable to handle the STIR digital signature. Therefore, as soon as a call
passes from VoIP to SS7, the caller ID detail remains with the call but the
attestation details provided by the digital signature cannot be carried onward.
The subscriber, therefore, has no grounds on which to trust the caller ID that
is presented.
The other major weakness is that, despite STIR, the caller
ID can still be spoofed. The calling identity is caller-initiated and is not
necessarily tied to the number of the calling line. As long as a call is
navigating through a VoIP network, anyone can add attestation data to the SIP
header.
STIR information can be manipulated. Criminals can have
their caller ID information signed by a willing VoIP provider even if the
provider knows it is false.
To address these weaknesses, the Alliance for
Telecommunications Industry Solutions (ATIS), began developing SHAKEN. SHAKEN
establishes standards for passing the STIR information through all protocols
present in interconnected networks, whether VoIP or SS7.
SHAKEN also introduces standards for inter-protocol call and
data handling:
- adding SIP header information to calls initiated in SS7 networks;
- handling the data for calls that exit these networks into the Plain Old
Telephone System (POTS).
This will close the loop and provide integrity of the caller
information from the inception of a call to the end. STIR/SHAKEN will introduce
authentication and verification services. These will be independent of the
service providers.
The simple flow of a call would now look like this:
- The caller initiates a call.
- The originating service provider receives the call data and forwards it to
an independent authentication service.
- The authentication service issues a certificate confirming the caller's
credentials and updates a certificate repository.
- The call travels through the network, navigating between any number of
providers. Certificate information remains intact throughout.
- When received by the receiving subscriber’s service provider, the
certificate is verified.
- This terminating service provider compares the received certificate against
a known database, the certificate repository.
- If the caller ID details are verified, the call is connected to the
receiver.
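The flow above, the three attestation levels, and the SS7 weakness described earlier (caller ID survives the hop, the signed attestation does not) can be seen together in a small model of the originating provider's signing step and the terminating provider's verification step. This is an added example and not code from the original article or from any STIR/SHAKEN implementation. It borrows the claim names used by SHAKEN's signed token (attest, orig, dest, iat, origid) but makes two labelled simplifications: an HMAC-SHA256 keyed by a per-provider secret stands in for the certificate-backed ES256 signature, and the `x5u` field carries a constructed provider identifier looked up in an in-memory dictionary that stands in for the certificate repository. The 60-second freshness window and all telephone numbers are constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the certificate repository: the terminating provider
# looks up the originating provider's key here. (Assumption: HMAC with a shared
# key replaces the real certificate-backed ES256 signature.)
CERT_REPOSITORY = {
    "example-origin-sp": b"constructed-demo-key-not-a-real-secret",
}

FRESHNESS_SECONDS = 60  # assumed window; a stale token is treated as a replay


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def build_passport(orig_tn, dest_tn, attest, origid, provider_id, iat):
    """Originating provider signs the From/To numbers with an attestation level (A, B or C)."""
    if attest not in ("A", "B", "C"):
        raise ValueError("attestation must be A, B or C")
    header = {"alg": "HS256", "ppt": "shaken", "typ": "passport", "x5u": provider_id}
    payload = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
               "orig": {"tn": orig_tn}, "origid": origid}
    signing_input = _b64url(_compact_json(header)) + "." + _b64url(_compact_json(payload))
    sig = hmac.new(CERT_REPOSITORY[provider_id], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_passport(token, from_tn, to_tn, now):
    """Terminating provider's checks. Returns (attestation level or None, reason)."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
    except ValueError:
        return None, "malformed token"
    key = CERT_REPOSITORY.get(header.get("x5u"))
    if key is None:
        return None, "unknown signer"
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return None, "bad signature"
    # The signed numbers must match what the SIP From/To headers present to the callee.
    if payload.get("orig", {}).get("tn") != from_tn or to_tn not in payload.get("dest", {}).get("tn", []):
        return None, "numbers do not match SIP From/To"
    if abs(now - payload.get("iat", 0)) > FRESHNESS_SECONDS:
        return None, "token stale"
    return payload["attest"], "verified"


def verify_call(sip_headers, now):
    """Verify an INVITE; with no Identity header there is nothing to trust the caller ID on."""
    token = sip_headers.get("Identity")
    if token is None:
        return None, "no Identity header: caller ID unverifiable"
    return verify_passport(token, sip_headers["From"], sip_headers["To"], now)


def ss7_hop(sip_headers):
    """Model the SS7 leg: the caller ID survives, the signed attestation is dropped."""
    return {k: v for k, v in sip_headers.items() if k != "Identity"}


def demo():
    now = 1_700_000_000  # constructed clock value
    token = build_passport("+12025550123", "+14155550199", "A", "constructed-origid",
                           "example-origin-sp", now)
    invite = {"From": "+12025550123", "To": "+14155550199", "Identity": token}
    return {
        "intact": verify_call(invite, now + 5),
        "spoofed_from": verify_call({**invite, "From": "+18005550100"}, now + 5),
        "after_ss7": verify_call(ss7_hop(invite), now + 5),
        "stale": verify_call(invite, now + 600),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>12}: {result}")
```

The "spoofed_from" case is the point of the signature: an intermediary that changes the presented number without access to the originating provider's key produces a mismatch and the call gets no attestation. The "after_ss7" case shows why the article calls STIR incomplete; the terminating provider still sees a caller ID, but has no signed attestation to verify it against, which is exactly the gap SHAKEN's cross-protocol handling is meant to close.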
Even the most basic filtering and blocking of calls with
harmful intent will go a long way towards stamping out robocalls and protecting
consumers from fraudulent calls.
The Secure Telephony Identity Governance Authority (STI-GA)
has been established to oversee the activities of every participant in this
industry. The authority is made up of service providers from across the
industry and a technical advisory committee.
The STI-GA has been tasked with establishing Policy
Administrators that assess service providers, approve them to receive tokens,
and approve the authentication of calls so that they can be exchanged with
other participating operators in the network.
Since the laws have been introduced, the acceptance of
STIR/SHAKEN has been surprisingly good. At least 55 carriers in the US alone
have registered with the Policy Administrators for approval to sign calls as
STIR/SHAKEN authenticated.
At least 15 major operators have confirmed rolling out
STIR/SHAKEN in their networks. Once this deployment has been completed, more
than two-thirds of telephone numbers in the US will benefit from these
measures.
The total success of STIR/SHAKEN is, however, dependent on
its adoption globally. A chain is as strong as its weakest link. Just so,
robocalls will endure as long as any communications authority fails to stamp
them out.