The Federal Communications Commission's (FCC) STIR/SHAKEN was urgently needed ahead of its final implementation date of June 30, 2021. There were approximately 4 to 5 billion fraudulent robocalls in the US each month (as of 2021), and the attacks have become more and more ferocious.
STIR/SHAKEN was designed in a constantly changing fraud environment. Fraudsters are no longer trying to cash in on telecom deals; today, it’s about collecting personal and financial data. Enter the “Robocall Big Bang,” where attackers around the world are exploiting vulnerabilities in current technology to directly target end users.
Regulators know this. STIR/SHAKEN is a set of technical protocols and governance framework standards designed to combat robocalls, most of which carry a deceptive Calling Line Identification (CLI), or Caller ID. This is how fraudsters convince US customers that they are getting a call from someone in the US when in fact they are not. Because the carrier originating the call should “sign” and verify that each call is legitimate, STIR/SHAKEN should bring confidence to the end user and the terminating carrier (the final destination of the call – in this case the US) when they validate the Caller ID received on an IP network.
Good in theory, but BICS FraudGuard shows a 65% increase in attacks targeting US users between November 2021 and February 2022.
So, where is the problem and how can we solve it?
Call traffic is not a straight line: the STIR/SHAKEN problem
At the heart of the STIR/SHAKEN shortcomings is a misunderstanding of how international voice traffic works.
International call traffic is not a straight line. A call rarely goes directly from one country’s carrier to a US carrier or mobile network operator; there are usually many “hops” in the middle. You may see traffic going between three or four carriers, but there can be as many as seven to eight separate connections between carriers as traffic spreads across the globe.
If an operator in Singapore falsely certifies that the US CLI on a fraudulent call is authentic, and if a large number of hops occur before the call reaches its final destination at the US operator, then the whole prescribed method of proving that the CLI, and the call, is authentic is ultimately meaningless.
Once you have many intermediaries in international traffic, you lose traceability. The CLI’s signature will only be passed on to the different operators in the chain if the call is also traveling over the IP network, which is not always the case. To make matters worse, data protection laws and company policies often further prevent carriers in the U.S. from tracing the origin of calls. And since foreign operators are not subject to FCC regulations, there is little incentive to implement STIR/SHAKEN.
Requires global adoption
In other words, STIR/SHAKEN forces international gateway providers, at considerable expense, to sign CLIs that they cannot know to be real. All the intermediary international gateway provider can do is confirm that the call has been authenticated by the earlier operator (if the CLI signature is passed in the SIP header). Alternatively, they can attribute a “C-level attestation” to the call (the minimum trust level), effectively confirming that they themselves have not manipulated a call that came in from a completely different place.
What is the value of this “attestation”? Not much for the comfort and safety of American customers.
Strategies like STIR/SHAKEN only work if all other countries that send calls using US CLIs adopt them too, which is unrealistic. Although the US is the dominant geopolitical player and has all the leverage, it can never impose its domestic regulation on operators in Japan, Zimbabwe or Australia. Its governance framework was simply not designed to adapt to the international environment.
A quick look at the Robocall Index shows that the year-over-year number of robocalls is down, but not by enough to justify the enormous cost to international operators of performing low-value C-level call attestation.
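To show what the terminating carrier actually receives, the following added Python example (not part of the original article) decodes the PASSporT token that STIR/SHAKEN carries in the SIP Identity header and reports what each attestation level lets the receiver conclude. The sample header, the 555 numbers, the example.org certificate URL and the helper names are constructed, and the signature is deliberately not verified.

```python
import base64
import json

def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def _enc(obj):
    """base64url-encode a dict without padding (only used to build the sample)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_identity(value):
    """Split a SIP Identity header value into PASSporT header, claims and info URL.
    The signature is NOT verified here; this only shows what is being asserted."""
    token, *params = [p.strip() for p in value.split(";")]
    head, claims, _signature = token.split(".")
    kv = dict(p.split("=", 1) for p in params if "=" in p)
    return {"header": _b64url_json(head), "claims": _b64url_json(claims),
            "info": kv.get("info", "").strip("<>")}

MEANING = {  # SHAKEN attestation levels: full, partial, gateway
    "A": "signer vouches for the caller and the caller's right to use the number",
    "B": "signer vouches for the caller but not for the number",
    "C": "signer only records that the call entered its network here",
}

def what_it_proves(value):
    """What a terminating carrier can conclude from the header, or its absence."""
    if not value:
        return "nothing: unsigned, or the signature was lost on a non-IP hop"
    attest = parse_identity(value)["claims"].get("attest")
    return MEANING.get(attest, "nothing: unrecognised attestation value")

# Constructed sample: a gateway-signed call with a US CLI and a dummy signature.
SAMPLE = ".".join([
    _enc({"alg": "ES256", "ppt": "shaken", "typ": "passport",
          "x5u": "https://cert.example.org/gateway.pem"}),
    _enc({"attest": "C", "dest": {"tn": ["12025550199"]}, "iat": 1650000000,
          "orig": {"tn": "12025550123"},
          "origid": "123e4567-e89b-12d3-a456-426614174000"}),
    "c2lnbmF0dXJl",
]) + ";info=<https://cert.example.org/gateway.pem>;alg=ES256;ppt=shaken"

if __name__ == "__main__":
    print(what_it_proves(SAMPLE))
```

Even with a valid signature, the `C` claim identifies the gateway that signed, not the party that placed the call.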
AI combats fraud
For regulation to be an effective response to the robocall dilemma, we need a global framework that applies equally to all international parties. But the complexity of the situation means it’s unlikely to happen anytime soon.
Tools such as analytics and machine learning (ML) can mitigate this and are already part of FCC regulations. In fact, BICS runs a FraudGuard platform that draws intelligence from more than 900 service providers and then applies AI to detect and block incoming fraudulent calls and text messages. Last year, BICS blocked millions of calls before they reached U.S. carriers and users.
Part of the reason AI works here is that the answer to fighting fraud is not “know your customer” but “know your traffic”, and in this regard, AI tracks traffic behavior very well. But these tools cannot be relied upon as crutches. They need to be used with care so as not to block legitimate traffic and cause legal disputes between international operators.
Time for a more humble solution
Traceback, also supported by FCC regulations and led by the Industry Traceback Group (ITG), identifies the root cause of fraudulent calls and the responsible party. Beginning with the last carrier, calls are traced back through many carriers, working around non-disclosure agreements and privacy legislation as far as possible to find bad actors. Punishing robocallers has to be part of our strategy, rather than punishing middlemen who are making their best effort, but admittedly it’s a very long process.
Fortunately, there are simpler solutions. One is to provide international operators with clearer information on the North American Numbering Plan (NANP) so they can easily distinguish between “good” traffic and “bad” traffic (i.e., which US CLIs can generate traffic from overseas, in addition to roaming end users?).
Carriers often assign numbers and ranges to businesses operating overseas so that they can generate traffic from outside the United States: call centers serving customers in the United States often carry US CLIs, even if they come from elsewhere. The list of these enterprise numbers can be shared with the international telecommunications community; any inbound number that is not on the list and does not show human roaming behavior will be flagged as suspicious.
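The screening rule proposed above can be expressed as a short check at an international gateway. This Python example is added here and is not BICS or article code; the enterprise range, the roaming set, the call records and the hourly threshold that stands in for “human roaming behavior” are all constructed assumptions.

```python
from collections import Counter

# All values below are constructed for illustration (555 test numbers).
ENTERPRISE_RANGES = [(12025550100, 12025550149)]  # ranges shared by US carriers
ROAMING_ABROAD = {12125550177, 14155550111}       # registered on a foreign network
HUMAN_MAX_CALLS_PER_HOUR = 10                     # assumed ceiling for a person dialing

def is_us_cli(cli):
    """True for an 11-digit NANP number with country code 1."""
    return cli.isdigit() and len(cli) == 11 and cli.startswith("1")

def screen(calls):
    """Return {cli: verdict} for US CLIs arriving on international trunks."""
    inbound = [c for c in calls
               if c["ingress"] == "international" and is_us_cli(c["cli"])]
    per_hour = Counter((c["cli"], c["ts"] // 3600) for c in inbound)
    peak = Counter()
    for (cli, _hour), n in per_hour.items():
        peak[cli] = max(peak[cli], n)  # busiest hour seen for this CLI
    verdicts = {}
    for cli, busiest_hour in peak.items():
        number = int(cli)
        if any(lo <= number <= hi for lo, hi in ENTERPRISE_RANGES):
            verdicts[cli] = "allow: listed enterprise range"
        elif number in ROAMING_ABROAD and busiest_hour <= HUMAN_MAX_CALLS_PER_HOUR:
            verdicts[cli] = "allow: roaming subscriber"
        else:
            verdicts[cli] = "suspicious"
    return verdicts

def sample_calls():
    """Constructed records: (cli, ingress trunk type, epoch seconds)."""
    rows = [("12025550120", "international", 0),    # call center in listed range
            ("12125550177", "international", 60),   # roaming subscriber, one call
            ("13055550142", "domestic", 90),        # domestic ingress, out of scope
            ("13055550142", "international", 120)]  # unlisted and not roaming
    # Roaming-listed number used for a burst of 40 calls within one hour.
    rows += [("14155550111", "international", 200 + i) for i in range(40)]
    return [{"cli": c, "ingress": g, "ts": t} for c, g, t in rows]

if __name__ == "__main__":
    for cli, verdict in sorted(screen(sample_calls()).items()):
        print(cli, verdict)
```

The burst case shows why the roaming list alone is not enough: a number that really is abroad can still be spoofed, so volume has to look like a person dialing.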
New Threats in the 5G World
In a 5G and Internet of Things (IoT) world, taking more steps to combat fraud and security threats will only become more important.
This shift will increase the complexity of the telecom ecosystem, inevitably creating more entry points and loopholes for fraudsters. A network is only as strong as its weakest link, so we need to bring our A-game into the international community of fraud prevention and security. This includes stricter vetting of whom we trade with, especially if other parties are found to be making deceptive calls.
Fraud prevention never stands still. Fraudsters are constantly adapting and expanding geographically. There is no single magic solution, and we must recognize that we can never completely eliminate fraud. Protocols such as STIR/SHAKEN are the starting point for securing the telecom ecosystem, but the challenges of international borders require a truly global collaborative approach across the ecosystem, including national regulators and operators.
Katia Gonzales is Head of Fraud Prevention at BICS and Chair of the i3 Fraud Forum