Shaken by Robocalls? The Need for Mobile ID Authentication

‘Robocalls,’ whereby mobile users answer a call to find an automated system mimicking human patterns of speech, are a familiar nuisance to most.  It’s fairly common now to stop in the middle of something to take a call, and find on the other end of the line a series of recordings telling us we can claim compensation for an accident we’ve never had, or something similar – sometimes addressing us by name. They’re typically just a waste of time, but are also used to scam victims – and their apparently increasing frequency of late illustrates clearly the need for improved caller verification.

The communications watchdog in the US, the Federal Communications Commission, announced this month that it intends to intensify action against robocalls. The FCC wants to increase pressure on phone companies to implement two sets of standards aimed at combatting this pandemic: SHAKEN (Signature-based Handling of Asserted information using toKENs) and STIR (Secure Telephony Identity Revisited).  The SHAKEN/STIR framework requires calls to be ‘signed’ as legitimate by the originating network operator, and validated by receiving networks, before reaching consumers.  A summit is planned for July 11, with FCC Chairman Ajit Pai saying he “expects major phone companies to implement SHAKEN/STIR caller ID authentication standards this year,” and that the summit will allow the FCC “to examine industry’s progress toward meeting this deadline.”

But despite his firm tone, there has been criticism of Chairman Pai’s solution of another summit to discuss the problem, when action to date has appeared rather scant.  Earlier this month 42 state attorneys wrote to the FCC warning that robocalls are proving a much-resented feature of modern American life, and Pai’s response was considered by many not to have gone far enough. Even Pai’s FCC colleague Jessica Rosenworcel listed three measures that could already have been taken to combat the epidemic: namely, requiring call authentication technology, making free tools available to users to block robocalls, and setting up a specific robocall enforcement division within the FCC. Yet the problem persists, and users are wondering why.

SHAKEN/STIR is also aimed at combatting something perhaps more unsettling than robocalls: Caller ID spoofing, by which scammers mimic the mobile ID of a trusted number, in order to convince victims to part with sensitive information.  In one recent case, a British businesswoman had £90,000 siphoned from her bank account after receiving a call from what appeared to be the phone number of her bank; even the quite tech-savvy can, as in this case, be caught off guard by those who appear on a mobile display to be someone they’re not.  There are also victims beyond those who suffer the scams themselves. If you’ve ever received a call from somebody insisting they have a missed call from you – but you’re quite certain you haven’t tried to reach them – it’s quite possible that your phone number was used in caller ID spoofing. The implications here for reputational harm to individuals and businesses are clear.

Operators are already helping here with proprietary solutions: TELUS announced successful completion of testing with Neustar’s Certified Caller suite, a system enabling call verification by mobile users under the SHAKEN/STIR protocol.  And, as commercial telecommunications move increasingly to text-based materials with the rise of Rich Communication Services (RCS), the answer will in many cases lie in precisely that industry-wide innovation. With Verified Sender a standard function of RCS, many of the instances we see now of mysterious and possibly fraudulent SMS activity – whereby users receive text messages purporting to be from a trusted business – will be consigned to history.  Verizon’s recent announcement that it has updated security on its messaging platform to offer features like Spam Detection, Spam Filter, and Report Numbers free as standard is indicative of a welcome trend. For now, we may be pestered by phantom calls and text messages, but the mobile industry is on the case – and in time these should be gradually forgotten.