All Together Now: Why and How Service Providers, Vendors and Regulators are Joining Forces to Thwart Caller ID Spoofing
Most forms of communications fraud have one thing in common: They exploit trust.
Take caller ID. UK consumers receive 5 billion nuisance calls each year, according to Ofcom. Calling Line Identity spoofing enables many of those robocalls and other nuisance calls by exploiting consumer trust in caller ID information.
“As well as direct harm from scams, the misuse or spoofing of CLI data can also reduce consumer trust in the system as the caller line identity (CLI) is no longer effective as an identifier about the source of the call,” Ofcom said. “Without this trust, there is a greater risk of harm, as consumers may be reluctant to accept calls undermining the general utility of the phone service.”
CLI spoofing also exploits trust between businesses. Fraudsters understand that service providers trust one another and their business clients, so they either compromise the business caller’s platform or they make their calls and text messages appear to originate from legitimate businesses or service provider networks. This wolf-in-sheep’s-clothing tactic helps them get past service provider filters to target consumers.
These are just a few examples of the myriad ways fraudsters exploit trust, and they highlight why no single service provider, vendor or regulator can effectively fight back on its own. Only a tightly coordinated, ecosystem-based approach can thwart and mitigate fraud across multiple attack vectors.
In fact, the need for an industrywide effort has been increasingly apparent for the better part of a decade. As a 2014 ITU CLI spoofing workshop presentation concluded: “Co-operation between national and international carriers is essential. A harmonized international solution (i.e., ITU policy measure) could help.”
iconectiv is leading several of these industrywide approaches:
- Validating INtegrity of End-to-End Signaling (VINES) is a new GSMA work item in the Fraud and Security Group developing recommendations to prevent internetwork signaling fraud, which includes illegal spoofing, toll bypass and other frauds. Chaired by iconectiv, VINES can also help service providers ensure that many legitimate business calls are not mistakenly flagged as spam.
- Canada and the U.S. have mandated the Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using toKENs (SHAKEN) framework for authenticating call information. iconectiv is the U.S. Secure Telephone Identity Policy Administrator (STI-PA) and is also using this expertise to help VINES explore how elements of STIR/SHAKEN could ensure authentic internetwork and cross-border calls. The UK is among the countries considering adopting the STIR/SHAKEN model. “We think it has the prospect of making a very significant contribution to providing assurance about the identity of the caller,” Ofcom said.
Another major initiative involves the European Union’s Electronic Communications Code, which is being updated to address CLI spoofing. Once complete, EU members will use it as the basis for legislation in their countries. ETSI also is working to define how to manage spoofing mitigation. That framework is expected to be released after the EU ECC is complete.
In the meantime, some countries are plowing ahead on their own. For example, in July 2020, France revised its Postal and Electronic Communications Code to impose restrictions on telephone canvassing and enable service provider intervention in order to limit nuisance robocalling. France will also require service providers to ensure the authenticity of telephone numbers used as caller ID for calls and messages. When they can’t verify a telephone number, service providers must terminate routing of that call or message. All of that points to a future that restores consumer trust in communications – worldwide.