6 Takeaways from the RoboCall StrikeForce

Yesterday, the FCC RoboCall StrikeForce presented their final report, actions, and recommendations. Next Caller Account Executive Tim Prugar sat in on the webcast, and here are his takeaways.

There are few greater pleasures in life than taking a seat in a cozy chair, slipping on some headphones, and watching an hour-long livestream of a government hearing. Yesterday, at 1:00 PM EST, that’s precisely what I got to do. Believe in yourself kids…dreams really do come true.

Before getting to the meat of the presentation, a solid recognition, admiration, and appreciation of the work that the StrikeForce members put in is in order. The StrikeForce was assembled in Late July, and over the course of 60 days the committee engaged in over 100 meetings, produced a 47 page report, and rolled out an aggressive timeline for continued action steps. From my estimation, this committee worked at blazing speed, and should be commended for that.

Now, onto my key takeaways:

 

1.     The FCC Has Fantastic Taste in Music

The waiting music the FCC plays on its website before the livestream kicks in? A soft jazz version of Michael Jackson’s “Man in the Mirror”, inarguably one of the greatest songs ever recorded.

 

 

2.     Both the FCC and Carriers Will Focus on Increasing Consumer Information

 One of the largest tangible outputs of the StrikeForce was the launch of a brand new FCC website:

https://www.fcc.gov/stop-unwanted-calls

The site approaches RoboCalls from a perspective of lessening their impact. The site gives consumers information on what RoboCalls are, the legal regulations surrounding telemarketing, remedies that customers can take to protect themselves from RoboCalls, as well as a clearly identified place for lodging complaints.

As technical solutions are much more difficult and costly to build, look for both carriers and government actors to create better-educated consumers, particularly those consumers that fit demographics that are at-risk for phone fraud.

 

3.     VOIP Throws a Wrench in the System

 One of the trends that came up multiple times during the report is that any technical solution to be launched by Carriers to stop RoboCalls and Call Spoofing needs to be able to detect both calls that originate from traditional landlines as well as internet-based VOIP calls. AT&T stated explicitly that the majority of call spoofing originates through VOIP, so being able to analyze and detect these type of calls is of primary importance. Look for Carriers to heavily invest in R&D or vendor solutions that can analyze landline, mobile, and VOIP to detect spoofing…preferably real-time.

 

4.     Info-Sharing and Cooperation Among Carriers is a Must

One of the most celebrated outputs of the StrikeForce was the “Do Not Originate” (DNO) List. The DNO list, as documented here, allows organizations who do not make outbound calls displaying their inbound number (IRS, 911) to petition to have their number blocked by carriers when it displays as the outbound number. The IRS made written DNO Requests for a series of numbers, and reported a 90% reduction in reports of IRS scam calls following the deployment of a DNO.

To be fair, it’s unclear how much of that reduction was due to these raids in India, but it is still an impressive result.

A successful adoption of a national DNO Registry requires cooperation across Carriers. In addition, the StrikeForce made recommendations to increase sharing of information on “bad actors” across networks, effectively creating a “telecommunications profile” of a phone scammer. The committee also suggested creating “Call Categories” as an industry that will limit false positives when blocking spoofed or potentially fraudulent calls.

 

5.     The Government Has a Tolerance For False Positives

One of the largest concerns for Carriers when cracking down on RoboCalls and Call Spoofing is pretty straightforward: what are the legal and business ramifications for blocking flagged calls that are actually legitimate?

The FCC made it clear that, if Carriers are doing their due diligence and making a good faith effort when blocking calls, the FCC will push for “safe harbor” to protect Carriers from litigation, either criminal or civil.

As Commissioner Rosenworcel stated, “If you need to break things to get this done, just ask.” This was my second favorite quote of hers on the day, finishing slightly behind “I DON’T BELIEVE IN PARTICIPATION TROPHIES.” The FCC should hire Mike Gundy.

 

6.     The Carriers are Expected to Foot the Bill

check-splitting-etiquette_600x390-600x390.jpeg

So it’s easy to agree in theory that RoboCalls and Call Spoofing are bad. It’s even somewhat easy to agree on the technology that’s most effective for stopping said calls. Where things get tricky is identifying how, and who, exactly, will be paying for the R&D, technology, training, and deployment. Luckily, FCC Chairman Tom Wheeler laid out the government’s position pretty clearly:

The Carriers will be expected to foot the bill, as stopping RoboCalls is “the cost of doing business” and falls under the umbrella of supplying a high-quality service.

It will be interesting to see what impact that stance will have on timelines, innovation, and deployment. 

The FCC vs. The Proliferation of Robocalling

 

By: ShirWan Little

 

Lets face it, few things are as annoying as answering the phone and being immediately greeted by a recording trying to lure you into handing over your credit card information. This increasingly common situation is a result of robocalling.  Currently, robocalling scams account for over $350 million in financial losses every year in the United States.  Moreover, the robocalling scourge has become the most common complaint that the FCC receives from the public. The “Do Not Call List” was created over ten years ago to resolve this very problem.  Unfortunately, the Do Not Call list has failed miserably at this goal. Let’s dive into why the DNC List fails to stop these fraudsters, why robocalling has become so popular and what the FCC is doing to try to stop it.

 

Do Not Call

At the creation of the “Do Not Call List,” the majority of robocalls were legitimate telemarketers selling real products.  Against those calls, the “Do Not Call List” has remained largely effective.  However, a lot has changed since the “Do Not Call List” went into effect in the early 2000s. In particular, the widespread availability of commercial Voice over Internet Protocol(VoIP) services.  The advancement of VoiP technology made international calling, and phone spoofing (falsifying caller ID information) very cheap.  Consequently, the majority of modern day robocalls blatantly ignore the “Do Not Call List” in attempts to commit fraud.

 

Tricking the Caller ID

Today, anyone with a laptop and an Internet connection can flood millions of phones with robocalls from any location in the world. Spoofing is perhaps the most nefarious aspect of this type of fraud; people are more likely to answer phone calls when seemingly legitimate organizations appear on caller ID. Furthermore, caller ID is often used to verify one's identity when gaining access to banks.  For that reason, robocalling scams rely heavily on phone spoofing. For instance, one of the more notable scams entails fraudsters masquerading as IRS officials and demanding immediate payment for overdue taxes.  Over the past two years this scam alone has cost taxpayers $31 million.

 

"Do Not Originate" vs. Do Not Call

In spite of these findings, many in the telecom industry have been hesitant to adopt solutions to stop robocalling, citing concerns that existing alternatives will inadvertently block a portion of legitimate calls. Nonetheless, the FCC has continued to urge these companies to take action.  FCC Chairman Tom Wheeler even wrote letters to the chief executives of the largest companies in the telecom industry asking them to produce solutions to reduce robocalls. Currently, all of the notable alternative solutions fall into 3 distinct methods; "Do Not Originate" list, Authentication/ Identity validation and filtering.

 

The “Do Not Originate” list, basically the opposite of the Do Not Call list, would stop robocalls at the VoIP gateways that connect VoIP calls to the traditional phone system.  While VoIP robocalls can be placed from anywhere in the world, all such calls pass through these gateways to enter the traditional circuit-switched phone lines.3 This list would allow commonly spoofed entities such as the IRS, FBI and banks to register their outbound numbers in a database. Calls from those numbers that originate from certain gateways would then raise red flags and most likely be blocked. Additionally, this approach can be implemented without any changes in telephony protocols and does not require cooperation of other phone carriers. Yet it still is no substitute for authentication.

 

Authentication and Filtering

Authentication is the most effective way to prevent spoofing. There are a few different ways to implement this methods, one of the more promising is through the use of third party APIs to analyze the meta data of callers.  Authentication is crucial to stopping robocallers from impersonating others and to facilitate effective filtration. The main drawback of this method is that it would most likely require the difficult task of gaining the cooperation of the major telecom companies to be successful.

 

Filtering works by checking each incoming call against a white list of trustworthy phone numbers or a black list of numbers you should reject. Although filtering can be very helpful in reducing robocalling it still has several drawbacks. Most notably, if there is nothing in place to stop spoofing, filtering can be easily circumvented by spoofing a new number.

 

A Cocktail Approach

In total, the three methods complement each other very well. Each of the methods does its part to reduce robocalling in a different way; if used in combination with one another, these methods could eliminate the current robocalling epidemic. The “Do Not Originate List” eliminates the ability to spoof high-profile numbers like the IRS.  Authentication makes fraudulent calls less likely to pay off by stopping robocallers from impersonating others. Filtering can help block all confirmed fraudsters.

So Sayeth The Times: 3 Reasons Why Biometric Authentication Should Give You Pause

 

In Tuesday's New York Times, the Room for Debate blog took on concerns surrounding the growing use of biometric authentication in the banking sector. Typically these arguments are more polarizing, with a traditional "A IS GOOD vs. A IS TERRIBLE!" style of debate. But when it came to Biometrics, something interesting happened: both sides agreed that Biometric Authentication is an imperfect, and sometimes deeply flawed, science. They merely disagreed on the implications of that for banking security. 

Look, Biometric Authentication is LIGHT YEARS ahead of static passwords and easily-researchable security questions. It's here to stay. The debate isn't whether or not banks should utilize biometric authentication - the debate is whether these financial behemoths should be relying on biometrics as their sole, or even their main, first-stage fraud solution. To make a football analogy, the Carolina Panthers would never say to their quarterback "Hey, Cam, you're revolutionizing the quarterback position and doing things we never thought possible - we can just rely on you and don't need to have an