Stopping Illegally Spoofed Calls: Our Q&A with Jon Peterson
The communications industry is seeing some major developments in the fight against illegal robocalling and caller ID spoofing. I recently spoke to our very own expert, Jon Peterson, to get his insight on what is being done to protect consumers and businesses.
Peterson is a Neustar Fellow, where he is the resident expert on security and network routing. He has deep expertise in both traditional telephony protocols and Internet technology, and is the Area Director of IETF’s Transport and RAI Areas and the Internet Engineering Steering Group. Peterson has firmly established his reputation as an extremely knowledgeable technologist who is spearheading the future of the Internet.
Neustar: Illegal robocalls and caller ID spoofing have been noted as key reasons why 24.9 million Americans lost a total of $8.9 billion to phone scams in 2017. How did we get here?
Jon Peterson: This can be traced back to the early Internet days in the late ’90s where the industry was working to get the Session Initiation Protocol (SIP)-based applications to work with telephone networks to support services such as Voice over IP (VoIP). While we were focused on the benefits, such as enabling inexpensive calls and richer services, hindsight is 20/20. These systems were designed without enough appreciation for what the security consequences would be. Unfortunately, what we ended up doing as part of developing VoIP was enabling identities to be impersonated in the telephone network.
VoIP is the channel of choice for robocalls because they are cheap, or even free, and can be made from anywhere on the planet. The other benefit is that VoIP is like an email, where you can input whatever you like in the ‘From’ header field in your email. So, unfortunately, we’re now in a situation where the PSTN (public switched telephone network) often just accepts what the VoIP application says the caller-party number is. Unfortunately, this means you can impersonate the White House, the IRS or whoever else you want to be. This has made consumers reluctant to pick up the phone no matter who is calling, and that is hurting businesses that need to reach their customers.
What is the industry doing to solve this issue?
JP: For the past few years, I’ve been a lead author in a working group that was established by the Internet Engineering Task Force (IETF) to devise a way to stop illegal robocallers and spoofers from passing this bogus information on to the public telephone network unchecked. As a result, we’ve developed a new technology standard called STIR (Secure Telephony Identity Revisited), which enables a way to provide verified information about the calling party, as well as the call’s origin, to the end-user.
In ATIS (Alliance for Telecommunications Industry Standards), we also worked toward a framework that supports STIR. It is called SHAKEN (Secure Handling of Asserted information using toKENs), which defines how communications service providers should implement the STIR technology. To help drive SHAKEN compliance, we run the ATIS Robocalling Testbed, which is hosted by the Neustar Trust Lab. This is a shared resource designed to help carriers, app developers, handset manufacturers and solution developers to come together to test different use cases.
Does this mean that the end of caller ID spoofing is in sight?
JP: The main STIR standards are now available — they were published this year as RFC 8224 through RFC 8226 — and operators can start to use them today. But there is still more to be done to protect consumers from caller ID spoofing. We are still looking at a lot of corner cases in the STIR/SHAKEN framework. For example, I’m currently looking into how to get STIR to work properly with certain call-forwarding scenarios. There’s a lot of complexity still to be ironed out.
Regulators in the U.S. and Canada have been keeping a close eye on the development of the STIR standards and have set out timelines for the operators in their respective markets to implement them. In the U.S., they have laid out a one-year timetable for key operators to take certain steps. In Canada, they are much more aggressive and have mandated that carriers sign SIP calls by March 2019. I would expect to see some of the big carriers start signing calls this year, with the smaller providers following on from there.
What is being done to protect consumers and businesses?
JP: The most important thing to understand about STIR/SHAKEN is that it is a technology and framework which tells you if a call is being impersonated. However, it doesn’t answer the question that the consumer really has, which is, “should I pick up the phone?” Today, our Caller ID business helps consumers decide that when they see a caller name.
I think there is a further opportunity, once these standards are implemented, to not just prevent abuse but to help consumers understand call relevance better. That is how businesses can get the attention of consumers and begin rebuilding their trust. When calls come in, we need to quickly communicate how the call is relevant, and why they should pick up a call before sending it to voicemail.
For example, there are many reasons why your power company could be calling you. However, a consumer has no way to determine whether it’s a sales call or if it’s a notification of a planned power outage. The more you know about what is going on, about who is calling and why, the better we can help consumers decide if they should answer a call. I see this as an interesting area to explore further.
Did You Know?
The Neustar Trust Lab plays a key role in adoption and implementation of STIR/SHAKEN as the exclusive host of the ATIS Robocalling Testbed. The Testbed serves as the industry interoperability test facility to validate the effectiveness of caller authentication standards and the SHAKEN framework as a way to better combat illegal robocalls and call spoofing on IP-based networks. To learn more about the Neustar Trust Lab visit https://www.communications.neustar/caller-intelligence/trust-lab.