Robocalls are proliferating and becoming increasingly sophisticated and deceptive, purporting to be from banks or government agencies to trick and scare people into revealing personal information or transferring money. Recent advances in technology have reduced the cost of calling to close to nothing and made it easier to “spoof,” or misrepresent, the originating number or caller ID. The famous Do Not Call list, while effective against unwanted calls from legitimate businesses, is no deterrent to criminals intent on fraud. Seniors are especially vulnerable, and for this reason, the Senate Special Committee on Aging held hearings in June on possible new legislation to prevent unwanted calls. Among those testifying was Henning Schulzrinne, who provided the biggest takeaway of the day: technology offers solutions.
More than 10 years after the Do Not Call list was instituted, more robocall complaints than ever are being received by the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC).
Technological advances are partly to blame. As the telephone infrastructure is changing from traditional copper wires to Voice-over-IP (VoIP) technology, what was once expensive and difficult—international calling, auto-dialing, falsifying caller ID information—has become cheap and easy, making it possible for almost anyone with a laptop and an Internet connection to flood phones with millions of robocalls and to do so from any location in the world.
The nature of the calls themselves has changed also. Before the list, most robocalls were legitimate telemarketers looking to make a sale. Against those calls, the Do Not Call list has been largely effective, leaving the field wide open to illegitimate operators who, like bank robbers walking past the meter on the way into the bank, ignore the Do Not Call list to commit the bigger crime of fraud, either conning victims into divulging personal information or selling services or products that never materialize.
What you can do against robocalling
- Hang up immediately. Do not press buttons or engage the caller.
- Sign up for Nomorobo or other services that blacklist numbers of known robocallers. (Nomorobo is available only in the US and only from certain carriers.) Or sign up for services such as Google Voice’s free feature that prompts callers to state their names before you pick up.
- File a complaint with the FTC. Complaints help define patterns of fraud and abuse, sometimes leading to investigations that result in fines.
To increase their odds of success and because VoIP makes it easy, robocallers often impersonate a legitimate bank or government agency. It’s called spoofing, and it is quasi-legal. The Caller ID Act of 2009 does make spoofing a crime but only when it is used to harm or defraud someone, something possible to prove only after the fact. No one seems too concerned, and companies openly sell spoofing software. There is even a free iPhone app for spoofing. An app is strictly small scale and for targeting specific individuals; for spoofing at industrial scale, robocallers are likely to turn to open-source phone switch software when inserting fake phone numbers into millions of calls.
And they usually get away with it. Experiments done by system staff at Columbia University showed that even large carriers do not reject implausible phone numbers such as 311-555-2368.
Testing showed that clearly fictitious numbers were transmitted even though it would be easy for phone carriers to identify and block them.
The ability of robocallers to associate their numbers with any other number or caller ID name gives rise to a whole slew of semi-plausible scams: the IRS demanding payment for overdue taxes, the Social Security Administration requesting an account number to make a deposit, an extradition threat from local police if a debt is not immediately repaid. There are many others, like the one that promises a “free” medical alert system. Most people today know enough to be wary of such calls, but the robocallers’ simple business model—flood phones with millions of cheap calls to flush out the few naïve victims that make the business model work—is robust against a low success rate. Even a 95% or 99% suppression rate would not sufficiently discourage robocallers if it leaves the most likely victims unprotected.
Because senior citizens are especially vulnerable to such scams, the Senate Special Committee on Aging in June held hearings on possible legislative solutions. Chaired by Susan Collins (R-Maine), the committee called four witnesses—a small business owner who logged 62 robocalls within a month, an FTC representative who testified about her agency’s difficulty in dealing with the problem, and a Missouri Deputy Attorney General whose office last year fielded 57,000 complaints, 52,000 of which concerned unwanted calls.
Testifying about the technology aspects was Henning Schulzrinne, who developed the key protocols that enable VoIP and who continues to work on VoIP protocols as a professor of computer science at Columbia University. He is also knowledgeable about the policy issues, having served as the Chief Technologist at the FCC from 2012 to 2014. While currently consulting for the agency, it was in his private role as a technology expert that he addressed the committee.
After summarizing eight categories of scams, Schulzrinne described the technology solutions, which fall into roughly three categories: filtering, caller ID and name authentication, and gateway blocking. Each, summarized below, has its strong points and limitations. (For the full transcript of Schulzrinne’s testimony, go here.)
Filtering, either through a third-party service or a downloaded app, works by checking each incoming call against a white list of trustworthy phone numbers or a black list of nonacceptable ones compiled in one of several ways: from FTC and FCC customer complaints, crowd-sourced by consumers, or collected through honeypots. (Honeypots are stealth servers programmed to act like normal phones—with numbers not assigned to any individual or company—for the express purpose of capturing the phone numbers of robocallers.) Built-in safeguards can ensure emergency alert calls get through as do calls placed from medical facilities; unknown phone numbers can be verified by making callers prove that they are human rather than robotic.
Filtering today has several drawbacks. It puts the onus on individuals, and it protects only those who know about filtering and are willing to do the setup, generally the most sophisticated people who are unlikely to fall for a scam in any case. By protecting the people who least need it, filtering today leaves the most vulnerable even more exposed.
Extending filtering to others is not currently easy. Filtering works on many landlines, and it is usually available only through large cable companies like Time Warner or Comcast that support external filtering services such as Nomorobo.
And filters are easily avoided by robocallers’ use of spoofing.
Caller ID and name authentication
Spoofing is perhaps the most nefarious aspect of the scamming schemes; almost anyone is likely to pick up when seeing the phone number of the local police department or the IRS. Spoofing has other bad uses as well since a caller ID is often used to verify one’s identity when gaining access to voicemail or when calling a bank, utility, or airline.
Preventing spoofing is necessary both to make filtering effective and to stop robocallers from impersonating others, and Schulzrinne offered possible ways to do it. One is to authenticate the originating number to ensure the caller is authorized to use the caller ID contained in the call setup message. Authentication would require phone carriers to insert links to new cryptographic certificates so any carrier along the way could validate the signature and detect spoofed caller IDs. These calls could then be labeled in some way or, if the customer prefers, rejected.
However, it’s not clear how much the phone carriers will do voluntarily. For years, carriers have resisted appeals to block robocalls, claiming that federal law prohibits them as common carriers from doing so. The FCC pulled the rug out from this excuse in a June 18 vote that explicitly states that phone companies are legally allowed to provide filtering to those customers who request it. (The FCC does not currently, however, obligate phone companies to provide filtering.)
Using his deep knowledge of the protocols, Schulzrinne offered an alternative approach to preventing spoofing, one that does not rely on carriers. The VoIP protocols (specifically the Session Initiation Protocol, or SIP) allow for changing the mechanics of how caller ID information is generated, and thus make it difficult to do spoofing in the first place.
Currently, ID information is collected from many different databases and is often not validated, making it easy for fraudulent callers to insert any information they like, especially for numbers that have not been assigned to a carrier. Because SIP allows the calling carrier to insert name information directly into the call signaling request, it’s possible to avoid looking up the information in databases, which also makes it easier to track who generated the information. Longer term, carriers may also indicate that they have validated the information by cross-checking it against service address records or credit card billing information, for example.
Blocking at the VoIP gateway (“do not originate”)
Perhaps Schulzrinne’s most innovative proposal is a do-not-originate list that would cut off robocalls closer to the source: at the VoIP gateways that connect VoIP calls to the traditional phone system. While VoIP robocalls can be placed from anywhere in the world, all such calls pass through such gateways to enter the traditional circuit-switched phone lines used by most large US companies and large carriers. (Companies generally contract with a carrier that operates a VoIP gateway on their behalf to handle the transition for all incoming and outgoing calls.)
VoIP gateways currently do not check whether the originating number is valid or not. However, it would be easy to program them to reject originating phone numbers of companies that did not contract for their services or numbers known to be out of service. Any calls from numbers on a list to not originate—a reverse do-not-call list—would be rejected by the gateway and thus blocked from entering the phone system. Alternatively, the gateway could replace the fake caller ID information with a fraud indicator, such as the (made-up) area code 666. Consumer-chosen call filtering technologies can then reject those calls if the carrier prefers not to. While companies would have to list themselves on do-not-originate lists, those companies most likely to be impersonated would have incentive to do so.
The do-not-originate approach has the advantage that it can be implemented quickly and easily, without any changes in telephony protocols. Nor does it require cooperation of other phone carriers. It is no substitute for authentication, but it should prevent many of the most harmful calls from reaching consumers.
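An added example, not code from the testimony or from any carrier, of the gateway screening this section describes: it rejects implausible originating numbers such as 311-555-2368 and numbers on a do-not-originate list, or relabels them with the 666 indicator. The list contents, the function names, and the simplified numbering-plan rules are assumptions made for illustration.

```python
import re

# Constructed sample list: numbers whose owners asked that no call entering
# through this gateway may claim them as the originating number.
DO_NOT_ORIGINATE = {"2125550100"}
FRAUD_AREA_CODE = "666"  # the article's made-up fraud indicator


def normalize(caller_id):
    """Return the 10-digit national number, or None if it cannot be one."""
    digits = re.sub(r"\D", "", caller_id)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]  # drop the North American country code
    return digits if len(digits) == 10 else None


def plausible_nanp(digits):
    """Simplified North American Numbering Plan format check (assumption:
    only the two structural rules below, not live assignment data)."""
    for code in (digits[:3], digits[3:6]):  # area code, exchange code
        if code[0] in "01":    # both codes must start with 2-9
            return False
        if code[1:] == "11":   # N11 (211, 311, 911, ...) are service codes
            return False
    return True


def screen_call(caller_id, relabel=False):
    """Return (action, caller_id_to_forward, reason) for an incoming call."""
    digits = normalize(caller_id)
    if digits is None or not plausible_nanp(digits):
        reason = "implausible-number"
    elif digits in DO_NOT_ORIGINATE:
        reason = "do-not-originate"
    else:
        return ("forward", digits, None)
    if relabel:
        # Pass the call on, but overwrite the claimed area code so that
        # downstream, consumer-chosen filters can recognise and drop it.
        tail = digits[3:] if digits else "0000000"
        return ("forward-marked", FRAUD_AREA_CODE + tail, reason)
    return ("reject", None, reason)


if __name__ == "__main__":
    for cid in ("311-555-2368", "+1 (212) 555-0100", "646-555-0123"):
        print(cid, "->", screen_call(cid), screen_call(cid, relabel=True))
```
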
Breaking the business model
Each of the three methods—filtering, authentication, VoIP gateway blocking—does its part to add to the difficulty and expense of robocalling, but each addresses only a subpart of the problem. The do-not-originate list addresses spoofing of high-profile numbers of government agencies and banks but not other legitimate-sounding numbers robocallers invent (“Card Svcs,” “Medcare”). Authentication stops robocallers from impersonating legitimate businesses and government agencies (and makes fraudulent calls less likely to pay off) but does nothing to prevent robocalls themselves. Filtering can stop robocalls but currently protects the relatively few individuals who use it and is easily circumvented by spoofing.
But used in combination with one another, the three methods complement one another to undermine the economics of robocalling. Once authentication is in place to prevent spoofing and people can trust that phone numbers are legitimate, white lists of acceptable numbers—government agencies, banks, doctors—can be compiled and safely and widely distributed to protect even the most vulnerable. And without spoofing to disguise their calls, robocallers quickly get identified and black-listed (and in the best case, shut down by law enforcement).
It’s the combination of methods, working in conjunction with the VoIP technology and the supporting protocols, that stands the best chance of approaching the 100% suppression rate needed to put an end to robocalling. Since it was technology that allowed robocalling in the first place, it’s only fitting that technology be part of the solution.
The full transcript of Schulzrinne’s testimony is here. The full hearing is here.