We all get them, those annoying calls from telemarketers, scammers, and even those that are legitimate but we do not want to receive. While the U.S. has focused on calls generated by automated dialers (robocalls), the real problem goes well beyond that. Other countries have more accurately labeled this problem as nuisance calls, pesky calls, or even just unwanted calls. There is one characteristic between all of these: they use the Session Initiation Protocol (News - Alert) (SIP) feature of being able to change the number displayed as the calling party.
The issue is that many of these calls are legal, from licensed telemarketers who are playing by the rules. They have a huge lobbying presence defending their rights to interrupt our dinners. The current legislation will not prevent those calls from getting through. Make sure your number is on the Do Not Call Registry, and these calls will be greatly reduced.
It’s the other class of calls that we are battling as an industry: Call centers that do not play by any rules and consistently find new ways around filters and firewalls designed to stop their calls. There is so much money to be made by these call centers that they will do anything to stay in business.
The problem is actually in the technology itself. When the Internet Engineering Task Force (IETF) developed SIP, there was a feature that allowed for the alteration of the calling party parameter. This was by design, and there were a lot of good reasons for allowing this feature. Women calling from battered women’s shelters for example would not want the true number (and, therefore, location) displayed when they called family. Yet, even good intentions sometimes carry consequences.
The criminal society quickly learned of this capability and began taking advantage of the feature. Today, it has become so prolific that even phone companies are providing services where call centers can route their outbound calls to a softswitch and change the calling number to make the call appear as if it is a call from a local caller, rather than from across the nation (or from another country).
Telephone companies now complain that fixed-line services are on the decline. This is because fixed-line numbers are the most often hit by fraudulent, illegal nuisance calls. It has become so easy that criminal organizations are flooding the country with fraudulent calls.
The problem is not just in the U.S. Many other countries suffer from fraudulent calls being made by changing the calling number. In Europe, this is often referred to as CLI Spoofing (Calling Line Identifier). Regulators in other countries have approached the problem differently, and many have not found a means for dealing with the problem at all.
OFCOM, the regulator in the UK, has created a blacklist of numbers known to generate fraudulent calls. Telephone companies are then allowed to block these calls. This has been fairly effective, but not entirely. It does not capture every call, especially when the number being spoofed is a legitimate number assigned to a real subscriber.
What we see today is a scenario where someone will use a real number, assigned to a real subscriber, and make thousands of fraudulent calls. If they do not receive an answer, they may leave a message or just simply hang up. The called party later sees they missed a call and they attempt to call back, but they are ringing the phone of the real subscriber, who unfortunately receives hundreds of call backs from angry callers insisting they were called by this number.
There are many other different flavors of how these scams work. The IETF has been working over the last several years to resolve this problem. It is too late to simply prevent the number from being altered, but it is not too late to provide for a means of authenticating the calling number with some form of certificate.
The Secure Telephony Identifier Revisited (STIR) working group created a means where a telephone company can digitally sign a SIP call before sending it to its destination. When the SIP call is generated in their network, if they are the ‘owner’ of the number (the calling number falls within the range of numbers they have been allocated), they can add a digital certificate into the SIP header.
When the destination network receives the SIP INVITE, they can verify the certificate is authentic and provide some form of identifier to the called party to signify that the call probably is legitimate.
The Alliance for Telecommunications Industry Solutions (ATIS) defined a standard for implementing STIR, and defined a certificate framework. This framework allows telephone companies to receive a certificate and for receiving networks to authenticate the certificate. This framework is called the Signature-based Handling of Asserted Information using toKENs (SHAKEN).
Collectively, this duo of standards is referred to as STIR/SHAKEN (enter James Bond with a martini, and you get the joke). Kudos to the engineers who must have worked overtime to figure out what words are needed to create this acronym.
Now that STIR/SHAKEN is out and ready for implementation, the FCC (News - Alert) put forth regulation requiring the telephone companies to implement STIR/SHAKEN. There was a lot of pressure from Congress for the FCC to enforce this, and after seeing only a few companies move forward to implementation Chairman Pai finally issued the regulation. Canada CRTC had already required this a year earlier.
The problem will be that this alone will not stop the calls. Analytics, and other measures must be implemented as well to put a dent in the calls. This is a positive first step, but it creates many challenges.
Small telephone companies do not have the resources to implement STIR/SHAKEN, and they are left wondering when the mandate will be applied to them (they have been given a small reprieve). Another problem is how to deal with calls that originate in a SIP network (like from a call center in India) but eventually get converted to an SS7 ISUP call. The IETF has begun looking into this problem as well, working on a standard for out-of-band STIR. The idea is to still digitally sign the call in the originating network, but passing the certification outside of SS7 through another channel (simply an IP circuit where telephone companies can still receive the certificate and authenticate it).
There are other problems that need to be worked out (too complex to cover in this short article) but industry is looking into how to resolve those problems as well. STIR/SHAKEN is only mandated in North America, but as other countries become familiar with the concept (Australia, India, and many countries in Europe have been watching closely) we may see widespread deployment of the technology, but not overnight.
The most eloquent solution for all operators would be a cloud service supporting STIR/SHAKEN, removing the CAPEX requirement for implementation. If this were offered as Software-as-a-Service (SaaS (News - Alert)), it would greatly reduce the cost for all operators, and may accelerate the implementation of STIR/SHAKEN. Couple this with a cloud-based analytics platform, and we could be well on our way to mitigating the scourge of nuisance calls ringing our phones.
About the author: Travis Russell has been in telecommunications more than 35 years, with experience in radio, voice and data networking. As a cyber security professional and technologist, Mr. Russell has a long career focused in telecommunications cyber security and fraud, with expertise in SIP, SS7, and Diameter technologies. He participates in a number of standards bodies and trade associations, including the GSMA (News - Alert), IETF, CTIA, ATIS, and is currently the chair for the FCC Communications Security, Reliability, and Interoperability Council (CSRIC) working group 3, focused on security. Mr. Russell has authored several technical books, including “Signaling System #7,” “Session Initiation Protocol,” “IP Multimedia Subsystem,” and “LTE Signaling With Diameter,” all published through McGraw-Hill. His book, “Telecommunications Protocols” is still used in colleges and universities today for teaching the fundamentals of telecommunications, and is printed in four languages. Mr. Russell holds several patents and patents pending focusing on cyber security and fraud solutions, and has lectured at colleges, universities, and industry events all over the world. He is currently Director of Cyber Security at Oracle (News - Alert) Communications.
Edited by
Erik Linask
