Lessons from a Spy: How 007 is Helping Telecom Industry Fight Robocalling Fraud
In the iconic spy world brought to us through the imagination of Ian Fleming, I’ve found the array of gadgets almost as thrilling as the action sequences. Remember the invisible car in ‘Die Another Day’ and how James Bond was able to control it remotely. A little out of whack, right? But that was 20 years ago. One look at today’s autonomous cars, and somehow that level of innovation doesn’t seem so implausible anymore.
Here’s another less known fact: In the time it has taken you to read this, nearly 55,000 robocalls have made its ways to phone numbers across the globe. Robocalls are automatically dialed telemarketing calls that play pre-recorded ads and promote products. Sounds harmless, right? Not always. In many cases, robocalling acts as a gateway to scam people out of millions of dollars, mostly through CLI spoofing.
According to research, robocall fraud may cost consumers US $40 billion globally by 2022.
Shaken, not stirred: A cocktail of safeguards
In 2019, the Federal Communications Commission was called in to help. They came up with the Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted information using toKENs, also known as the STIR/SHAKEN framework.
Admittedly, the FCC had to do a lot of head-scratching to come up with a name that would render the acronym STIR/SHAKEN. If the acronym sounds familiar, it is because it was inspired by secret agent 007 James Bond himself who famously prefers his Martinis shaken, not stirred.
STIR/SHAKEN is a set of rules, protocols, and procedures designed to enhance call integrity through authenticating caller ID information by assigning each call with an encrypted digital fingerprint, enabling receivers to tell an illegally spoofed call from a legitimate one. In March 2020, the framework became a mandate for all CSPs to follow to curb the issue is CLI spoofing and, in effect, robocalls.
While US regulators are busy enforcing STIR/SHAKEN for the common good, there are some loopholes:
- STIR/SHAKEN presently only works with IP-based telephone networks. Service providers will not be able to properly authenticate calls originating from non-IP systems such as copper landline wires.
- The authentication process does not indicate whether a call is legal/illegal or wanted/unwanted. It just digitally attests to whether the caller can use the particular number.
- STIR/SHAKEN applies to only phone calls but not to text messaging. Scammers can still originate illegal messages via spam SMS
- Finally, the framework is expensive to implement, making smaller carriers shy away from adopting these standards.
STIR/SHAKEN is indeed the right step forward in reducing robocalls for good, but there is still more work to be done. The issue of crime through robocalling is heavily disguised. Cybercriminals are moving from people to faceless, nameless robots. The i3 Forum report called ‘Caller ID Spoofing’ believes that relying on industry standards alone may not be enough to fight the villain in robocalls. The need of the hour is advanced high-tech real-time capabilities relying on analysis, investigation, probabilities, and a deep dive into patterns of fraud.
Why regulators and CSPs must work together
James Bond aficionados already know Agent Q – Bond’s go-to person at the research and development division of the British Secret Service. Q is known for equipping Bond with state-of-the-art tech to fend off villains. Bond is often incredulous about Q’s inventions until they save his life many times in the field. The tempering force, or regulator, in this seemingly tenuous relationship between the technology-savvy Quartermaster and the expert spy, is the Agent M. I find that this trifecta mirrors what we see between regulators, CSPs, and technology. To effectively reduce robocalling fraud, both entities – telcos and regulators – must work together, incorporating the latest technologies.
And, STIR/SHAKEN is one step in the right direction.
On their part, US regulators have released a roadmap of anti-robocall principles that serve as a guide for CSPs. They recommend:
- Enable call blocking and call labeling services to all customers at no charge
- Implement STIR/SHAKEN call authentication
- Monitor network traffic, especially high-volume calls, to gauge patterns similar to robocalls
- Investigate suspicious calls, identify the source, and institute ways to terminate these calls.
- Confirm the identity of commercial customers to whitelist these
- Strictly enforce ‘traceback’ so that illegal robocalls can be checked during the transport of voice calls
Fraud Management Solutions are Telecom’s Agent Q
Although STIR/SHAKEN is an excellent starting point for the CSPs to address the robocall menace, it is not enough to ensure an end to robocalls. Using analytics in addition to STIR/SHAKEN will provide insights for quick action.
In fact, in 2019, the FCC allowed telcos to block calls based on reasonable analytics designed to identify unwanted calls without explicit consumer action as long as the consumer is given the option to opt-out of the blocking service. Additionally, in July 2020, the FCC further strengthened analytics-based blocking by adding safe harbors for service providers from liability under the Communications Act and the Commission’s rules for erroneous call blocking. It is now critical to have an advanced analytical solution that provides a multi-tier defense mechanism to combat this. Solutions such as the Subex Fraud Management system makes use of real-time signaling level analysis, paired with advanced machine learning techniques and hybrid rule engine, thus providing new opportunities to drive a prevention-based approach.
CSPs should urgently take up the issue of robocalling as a priority. Its long-standing impact on customers can be rather severe. Robocall fraud can cause operators to completely lose customer trust and credibility, resulting in substantial revenue loss.
Time is of the essence. In this respect, reel life mimics real life. As Agent Q famously tells James Bond, “I can do more damage on my laptop, sitting in my pajamas, before my first cup of Earl Grey than you can do a year in the field.”
Combating Robocalls with Multi-Tiered Detection and Prevention Approach
Jacob Howell is an experienced Revenue Assurance and Fraud Management practitioner with 25 years of experience working with top wireless, wireline, a mobile virtual network operator (MVNO), and VoIP service providers. Drawing upon those experiences, he currently leads Subex’s Business Consulting group for North America.
Mr. Howell is also a Certified Data Scientist, Blockchain Certified Expert (BCE), Certified Communications Security Professional (CCSP), Executive Secretary of the Communications Fraud Control Association (CFCA), the author of the CFCA’s Global Telecom Industry Fraud Loss Survey since 2007, and a popular presenter.