Robocalling and Caller ID Spoofing – Detect, Mitigate and Deter

According to the FCC, robocalls and Caller ID spoofing (often associated with telemarketing) are the number one source of consumer complaints — and I could not agree more. In a four-hour period last week, I received no fewer than eight robocalls — everything from surveys, to travel promotions, to political calls, to people claiming they were from the Federal Government and that there was a warrant out for my arrest!

According to YouMail’s Robocall Index, which estimates monthly robocall volume in the United States, over 2.6 billion robocalls were placed nationwide in September 2016, equaling approximately 8.1 calls per person affected — a nearly 300 percent increase from a year ago.

[Figure: Monthly Robocalls Nationwide, Dec. 2015-Present. Source: YouMail Robocall Index]

What is driving this rapid increase in robocalls? Technology such as cloud hosting services and call-generation software platforms combined with the Internet (rather than international voice circuits with high per-minute costs) provides an attractive (and potentially lucrative) environment for telemarketers.

This problem has become so large that in July the FCC established a Robocalling Strike Force, composed of over 30 leading telecommunications service providers and equipment manufacturers with the mission to “accelerate development and adoption of new tools and solutions to abate the proliferation of illegal and unwanted robocalls…”

Industry Developments – Techniques and Approaches

Because the technology options for robocallers will continue to evolve, there is no “one size fits all” solution to this problem. As such, the industry is developing a layered and flexible response that can adapt to changing tactics.

One notable challenge will be ensuring that legitimate and valid use cases of robocalling are not blocked.  Common examples include school announcements, weather alerts, prescription notifications and medical appointment reminders.

Some of the solutions being implemented in this multi-layer approach include:

  • Deployment of the SHAKEN/STIR framework (just to be clear, this is not about how you take your martini!)
  • Call Detail Record (CDR) Traceback
  • Deployment of Do Not Originate Servers
  • Blacklists/whitelists with data analytics
  • Post Call reporting mechanism

To address these concerns, the industry is focusing its efforts across three key areas: source authentication, network and consumer blocking tools. The industry is also facilitating effective enforcement with the power to trace back and shut down offending accounts. The goal of these solutions is to protect consumers from unwanted calls and give them more control over the calls and texts they receive.

This blog post will focus primarily on the authentication process.

Authentication

STIR (Secure Telephony Identity Revisited) is the standard developed by the IETF that defines a signature to verify the calling number and specifies how that signature is transported in SIP “on the wire”. SHAKEN (Signature-based Handling of Asserted information using toKENs) is the framework document developed by the ATIS/SIP Forum IP-NNI task force to provide an implementation profile for service providers implementing STIR. SHAKEN/STIR will be the basis for verifying calls, classifying calls and facilitating the ability to trust the caller ID information. However, the full benefits of this standard will only be realized on networks that have been fully transitioned to IP, and it will offer limited or no mitigation for calls that either originate or terminate on the PSTN.

These standards will perform what is known as attestation: verifying the caller’s legitimacy as it relates to the call’s origination. In short, the service provider will classify the origination of the call into one of three levels of attestation: Full, Partial and Gateway.

  1. Full Attestation: the signing provider is responsible for origination of the call onto the network; has a direct authenticated relationship with the customer, including identity; and has a verified association with the telephone number used for the call
  2. Partial Attestation: the signing provider is responsible for origination of the call onto the network; has a direct authenticated relationship with the customer, including identity; but does NOT have a verified association with the telephone number used for the call
  3. Gateway Attestation: the signing provider is the entry point of the call onto its network, but has no relationship with the initiator of the call.

Although there are many additional steps in the process, mitigating problems associated with Caller ID spoofing will require calls to be signed by the originating carrier and verified by the terminating carrier to determine if the calling party information for the call is legitimate.
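The sign-then-verify exchange described above, as an added example that is not code from ATIS or from the STIR/SHAKEN specifications. It builds the signed token STIR defines (a PASSporT with the SHAKEN `attest` claim, where A, B and C stand for Full, Partial and Gateway) using Node's built-in `crypto`; the phone numbers, certificate URL, 60-second freshness window and function names are assumptions, and certificate-chain validation is left out.

```javascript
// Added example with constructed data; not code from ATIS or the SHAKEN specs.
const crypto = require('node:crypto');

const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const fromB64u = (s) => Object(JSON.parse(Buffer.from(s, 'base64url').toString('utf8')));
const ATTEST = new Map([['A', 'Full'], ['B', 'Partial'], ['C', 'Gateway']]);
const ECDSA = { dsaEncoding: 'ieee-p1363' }; // JWS ES256 signatures are raw r||s, not DER

// Originating provider: sign calling number, called number and attestation level.
function signPassport(privateKey, { attest, orig, dest, iat, origid, x5u }) {
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport', x5u };
  const claims = { attest, dest: { tn: [dest] }, iat, orig: { tn: orig }, origid };
  const input = `${b64u(header)}.${b64u(claims)}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, ...ECDSA });
  return `${input}.${sig.toString('base64url')}`;
}

// Terminating provider: check the signature first, then compare the signed
// claims with the numbers in the SIP request actually received.
// Assumption: publicKey came from the certificate at header.x5u after that
// certificate was validated against the trusted CA list (not shown here).
function verifyPassport(token, publicKey, sip, now, maxAgeSec = 60) {
  const fail = (reason) => ({ ok: false, reason });
  const parts = token.split('.');
  if (parts.length !== 3) return fail('malformed');
  let header, claims;
  try { header = fromB64u(parts[0]); claims = fromB64u(parts[1]); }
  catch { return fail('malformed'); }
  // Pin the algorithm and extension instead of trusting whatever the token says.
  if (header.alg !== 'ES256' || header.ppt !== 'shaken') return fail('bad-header');
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sig = Buffer.from(parts[2], 'base64url');
  if (!crypto.verify('sha256', signed, { key: publicKey, ...ECDSA }, sig)) return fail('bad-signature');
  // Written as a negated <= so a missing iat (NaN) is rejected as well.
  if (!(Math.abs(now - claims.iat) <= maxAgeSec)) return fail('stale');
  if (claims.orig?.tn !== sip.from || !claims.dest?.tn?.includes(sip.to)) return fail('number-mismatch');
  const level = ATTEST.get(claims.attest);
  return level ? { ok: true, attestation: level } : fail('bad-attest');
}

// Constructed demo: a gateway-attested call, then the same token attached to a
// call that presents a different calling number.
const keys = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const t0 = 1700000000;
const token = signPassport(keys.privateKey, { attest: 'C', orig: '12025550101',
  dest: '12025550102', iat: t0, origid: crypto.randomUUID(), x5u: 'https://sp.example.invalid/cert.pem' });
console.log(verifyPassport(token, keys.publicKey, { from: '12025550101', to: '12025550102' }, t0 + 2));
console.log(verifyPassport(token, keys.publicKey, { from: '12025550199', to: '12025550102' }, t0 + 2));
```

A verified result only says the signing provider vouches for the call at the stated attestation level; what to do with a Gateway-attested or failed call is a separate policy decision for the blocking and analytics layers.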

No Easy or Single Solution

The ability to combat the growing problem of robocalls requires participation from a number of parties, including not only the service providers but also third-party platform and services companies, the FCC, the Federal Trade Commission and the consumer.

Although the SHAKEN/STIR mitigation techniques do not solve the problem, they are foundational capabilities which others can build upon. Without reliable calling party information, other solutions such as Do Not Originate lists or even robocall-blocking services will continue to be at risk, as they have no way of knowing if a number has been spoofed.

While these techniques can help reduce the number of unwanted calls, their capabilities will be greatly improved by STIR/SHAKEN.

ATIS and Robocalling

In October 2016, the Robocall Strike Force issued its report outlining its plans to develop comprehensive methods to prevent, detect, and filter unwanted robocalls.

As noted in the report, some of ATIS’ work initiatives will address the following:

  1. Source authentication and caller ID: ATIS has accelerated its work on the standards to authenticate and verify caller identification for calls carried over an Internet Protocol (IP) network. The goal is to ensure robocall-blocking applications have access to accurate calling party information, and create higher end-user confidence in the identification of incoming calls for VoIP.
  2. A certificate framework and governance model: ATIS is developing a framework under which cryptographic certificates would be issued to service providers, as well as an entire structure and ecosystem under which they will be managed. This work will protect the integrity of the calling party authentication service by ensuring that certificates are only provided to entities entitled to receive them.
  3. Lab testing of new tools and solutions: ATIS is also working to validate key caller-ID elements to support deployment in service provider networks. This work will facilitate the testing of implementations based on these industry standards to assess their effectiveness for signing and verifying calling numbers.

ATIS looks forward to continuing its efforts to mitigate caller ID spoofing and robocalling—and to advancing the mission of the Robocall Strike Force with all due urgency.

ATIS has delivered a wide range of resources to mitigate caller ID spoofing and robocalling, including the whitepapers Calling Party Spoofing Mechanisms and Mitigation Techniques as well as Developing Calling Party Spoofing Mitigation Techniques: ATIS’ Role.

Jim McEachern
Senior Technology Consultant, ATIS