“Anchor of Trust” - Robocall Mitigation

Sign up for Daily CommTech Brief here.

Session Abstract:

Trust is the foundation for communications. But for over a decade, that trust has been under relentless assault by fraudsters. In the U.S. alone, an average of 60 billion illegal robocalls are made each year.

On this session to discuss how the telecom industry has made major strides toward restoring trust in communications, starting with the concept of an “anchor of trust,” that would enable authorized verification of callers are George Cray, Senior Vice President, Products & Services, iconectiv, Linda Vandeloop, AVP External Affairs/Regulatory with AT&T and last, Sekar Ganesan, Lead Member of Technical Staff also with AT&T.

Executive Speakers:

  • Linda Vandeloop - AVP External Affairs/Regulatory, AT&T

  • Sekar Ganesan - Lead Member of Technical Staff, AT&T

  • George Cray - Senior Vice President, Products & Services, iconectiv

 

Transcription

Abe: Trust is a foundation for communications, but for over a decade, that trust has been under relentless assault by fraudsters. In the US alone and average of 60 billion illegal robocalls are made each and every year. On this session to discuss how the telecom industry has made major strides towards restoring trust and communications. That's starting with the concept of the anchor of trust that would enable authorized verification of callers are, George Cray, he's senior vice president, products and services at iconectiv. We also have Linda Vandeloop, she's assistant vice president, external affairs and regulatory with at AT&T. And last we have Sekar Ganesan, he's lead member of the technical staff also with AT&T, and speakers welcome. 

 

All: [Welcome. Thanks] 


Abe: Well, thanks for being here. So Linda, if you don't mind, I'm going to start with you on the topic of robocalling and that mitigation. So why is robocalling and spam calling really such a big challenge for communications service providers and really consumers alike, Linda?


Linda: Couple of reasons, one, robocalls are easy and inexpensive to make, and they're very profitable and robocallers are free from regulations either because they ignore them or because they're outside of the FCC and domestic enforcement agency jurisdiction because they start internationally. And the robocallers are very agile and they adapt to all of the tools that we put in place. And so there really is no silver bullet. There's no one thing that's going to stop robocalls. We really need an entire toolbox. And over the years we've developed some pretty good tools. There's as you mentioned, the caller ID authentication, which is otherwise known as stir shaken, which identifies when a call has not been spoofed. 

We also have consumer tools and analytics that block fraud calls and label other types of calls to give consumers more information when deciding whether to answer a call. We have our own analytics where we analyze all of the traffic and block calls when we detect suspicious fraud calls. We have industry trace back group to trace the illegal robocall campaigns back to the originator, and then work with enforcement agencies to get them stopped. And then consumer education. And the robocallers are always adapting to these tools. And so we always have to be on guard and be ready to modify as well.


Abe: George again, just helping Linda set the stage here robocalling and the challenge for CSPs and also consumers.

George: Yeah, no doubt. I mean, where Linda started, one of the big drivers here with the low cost of voiceover IP calling and how easy it is to actually spoof a phone number that, just made it a real low barrier to entry for these fraudsters who just find it's way easier to continue to pump calls through the network. The ability to spoof a call is there, it's very easy to evade kind of capture. And so we see that many of the fraudsters move offshore. It makes it even harder to really track them down and catch them. And that's why it is important that we come up with mechanisms to either prevent that call from being delivered or an ability to trace that call and be able to trace it back in other I guess tools in the toolkit that various service providers use.

Abe: So George, I'm going to stay with you. So what is, and I mentioned this in the introduction, and so what is the concept of the anchor of trust that would really enable authorized verification of callers? And how does let's say stir shaken enable service providers that cryptographically sign and verify calling numbers?

George: Yeah, and that is the key point. I think over the past few years, the telecom industry has been making strides to try to restore trust in the communications. So this anchor of trust really was born out of the North American numbering council. They had a working group, still to this day, this working group called the call authentication trust anchor working group, the CATA working group, came out with the best practices. And what they were looking to do is recommend the adoption of stir shaken and stir was really an international standard that the IETF had proposed and this version of it, stir shaken would become the framework that service providers would adopt, that allows them to cryptographically sign legitimate calls from their network. And so, this will help increase call, answer rates, basically legitimate businesses who are placing calls across the network.

The service provider can attest and validate that this is indeed a legitimate phone call, and then that can be delivered to the terminating handset so that there can be more trust in actually accepting that phone call. So immediately stir shaking had some impact on lowering robocall, but I think one thing we all have to keep in mind, it doesn't actually stop the robocall. It really is more about labeling the calls and providing an attestation for the calls that go through the network. And there's a simple ABC kind of attribution that they give to the call types. And an attestation is one that you should trust. And it's a call, that you should trust the caller because they have the right to use the phone number. And the service provider could validate that indeed, this call did emanate from that enterprise. And therefore the consumer on the far end should actually trust the call. And then there's an attestation B and an attestation C and C is one you should not trust. And those are typically the ones that are potential spam, potential robocalls and potential fraudsters on the other end.

Abe: Yeah. Sekar. So George has said something pretty poignant. He said, we're not going to be stopping the robocalls, but we'll be mitigating the robocalls. From AT&T's perspective, do you have any comment on that?

Sekar: Yeah, I think, as George was saying, the anchor of trust, the concept is to be able to increase the trust for consumers, to be able to answer a call. And that's what stir shaken was meant for and is meant for. And they do that by, it starts with the providers and the carriers, knowing their customer to be able to authenticate them appropriately. And so if every carrier everywhere domestically or globally can do that appropriately, then we don't have a problem in terms of robocalling. So, I mean, that's what it needs to be able to take this anchor of trust to the next level. I mean, the other thing is stir shaken by itself, does not provide the intent of the caller. I mean, so that's where some of the other tools that Linda mentioned in terms of analytics, encourages them to be able to get that to the next level of building the anchor of trust.

Linda: Yeah. Can I give an example there? An A attestation could be a fraud call because sometimes the scammers don't spoof the call, they get access to blocks of numbers and they make the calls directly. So they're authorized to use the number, but they're still committing fraud. They're still trying to steal money. They're still scammers. So in that case, they could get an A attestation, hopefully it's blocked through analytics because if the analytics company sees that it has an A attestation, but it has a really bad reputation, that the green check mark is not going to be passed on to the customer.

Abe: So George Linda just gave an example of how an enterprise may be compromised by not trusting their caller ID and SMS messaging. Can you give us maybe an updated example or use case or what have you along the same lines as what Linda mentioned?

George: Well, yeah, I think there's many examples of fraudster perpetrating, whether it be the IRS or the Microsoft help desk, or you can pick your favorite in order to defraud a consumer. And really that happens on not only phone calls, it happens in emails, it happens in text messaging. And so this is something that consumers have to deal with on a regular basis. And the fraudsters tend to use multiple mechanisms in order to reach those consumers and defraud them. So it is complex. It does take a lot of tools. I think one of the things that Linda brought out though, was the fact that the industry trace back group, once you go ahead and start signing calls and you have cryptographic signatures on calls, if there are bad actors even getting an a attestation or any other attestation, it arms the industry traceback group with a way to go back and really shut down and call out the offenders. And I think that's an important part of this. Again, we're arming the ecosystem with more information and more ability to really put the bad guys out of business

Abe: So Sekar with stir shaken, how did service providers and other stakeholders then take really the next step to ensure that all legitimate calls realize proper a level attestation Sekar? 

Sekar: Okay. As I started to say earlier, I mean, it started with basically knowing your customer so that now you can say, I know this customer I can authenticate. I'm confident that this a level attestation is what I need to provide for that particular caller. And then once you do that, then you carry that over with the digital signature across when you are sending the call to another carrier. So the other part of stir shaken that's important to be able to have that relate is end to end IP. I mean, I know there are discussions going on in terms of out of band shaken or shaken with TDM, but I think the most important aspect of stir shaken working everywhere is building these bridges of IP networks between the carriers. I mean, that's where we have seen this to be most effective is when carriers have these end to end IP networks between them and other carriers, then we're able to provide stir shaken to the fullest extent. And you see those calls being verified and the callers getting those displays, that gives them confidence to be able to answer the calls

Abe: And George anything to add?

George: No, definitely, I think one of the flip side of the story is there's actually legitimate calls that are being labeled as spam because it's very difficult for originating service providers to always know whether or not an enterprise has the right to that number, especially the way TNS phone numbers are given out these days. In many cases there could be situations where the originating service provider for that call didn't actually provide the telephone number. And so because of that the service providers got together with CTIA and they've introduced a registered caller, which is basically a centralized telephone number registry that provides industry-standard framework for presenting consumers with the calling party information. 

Here originating voice service providers can use registered caller to get information about the phone number and help raise attestation for calls that may not have gotten an a attestation without it. So this is an important development, which again helps better attest more phone calls on the network, which also allows more calls to be trusted by consumers. This information is available to service providers at no charge. So anyone trying to sign calls using stir shaken and assign these [13:07 inaudible] calls can take advantage of registered call or to help them better assign the proper level of attestation on each call.

Abe: And Linda, anything to add?

Linda: Just, yeah, I mean databases like registered caller is going to be a very good tool to, I think we call it elevating the attestation level when we don't know that the enterprise is authorized to use the number, because we didn't give them the number. I think there's a couple of other alternatives out in the industry that are being developed as well. So I think we're going to be seeing more and more through a level attestations.

Abe: George, I'm going to go back to you and then back to Linda again. So why is the extra layer of rich call data RCD important for enterprises? So incoming calls can be delivered with the calling name and logo of the business making that call and information about the calls intent, George.

George: Sure. I think rich call data as you described it is those three extra elements? Most of what we've talked about so far has all been about the telephone number and whether a consumer should trust that telephone number. And should I answer that call? Now we're talking about actually adding calling name, calling logo and the call intent or reason for the call. And so if you can go ahead and bundle that into the information that's delivered to the consumer, that would give consumers more reason to make a decision on whether to answer a call or not. And so clearly the goal of all of this is to get more calls answered and more calls completed. It's important for businesses because they're spending a lot of money trying to reach people.

So legitimate businesses are kind of hurt by the fact that so many calls go into voicemail. If maybe it's a pharmacy trying to tell you that your prescription is ready for pickup or maybe there's a fraud alert and they're trying to reach you in order for you to act on that information. They're going to have to keep reaching back out. And so the ability for you to discern that this is a call I probably do want to answer, the rich call data is one of those elements that would probably add to your confidence. And again, everything is under assault and everything is under attack, but the more clues we can give consumers as to why they should trust a call is what we're trying to really do as an ecosystem. Because if trust is eroded and no one can really trust a phone call we really have blown this whole level of communication. We don't want that to happen and we really want to bring trust back into voice calling because there's no doubt we've lost it.

Abe: So Sekar and Linda and Linda I'll start with you, anything to add on rich call data and the importance for enterprises? I'll start with Linda again.

Linda: Yeah. I just think the more information consumers have when deciding to answer the call the better. And so again, that combined with the analytics that really evaluate kind of the reputation of the call will be helpful for consumers.

Abe: Yeah. Sekar, from a technical standpoint, anything to add?

Sekar: I mean, I'll start with an example and to add to what Linda was saying. So one time I was making a reservation with chase travel and they call me back. I saw the 800 number, but the mark was as a spam call. So I did not answer the call and they had to call me several times before I answered the call. When we have a secure way of delivering an RCD that says, yep, it's chase calling for this purpose or whatever it is, then it should really help in terms of getting those important calls to be answered appropriately. I think in terms of technical implementation, I would say making sure that this information has being provided for in a secure way, so that it's not, I guess spoofed, or has gone through some other mechanisms of being compromised. So I think that's what we need to really focus on to make sure that the RCD information is something that is useful for the consumers. 

Abe: Sekar you kind of answered my next question, but I am going to circle back with you and let you finish the program. I'm going to go back to George. So, George what are the next steps for service providers to really ensure that their enterprise customers are protected from these fraudsters in illegal robocalls?

George: Well, I would say, there's a number of things that service providers are doing. We're up over 600 service providers who have adopted stir shaken. So that's a real positive. We mentioned this rich call data, which I think will start to see over time more of this coming into the voice calling ecosystem and that will be important to give consumers more ability to trust who's calling them. I also expect that there will probably be pushes beyond our borders because one of the challenges we have is not all calls start within the US. We have calls that start from other countries and there's no way today where those can be signed or tested at the start. And so I think pushing beyond our borders is another evolution to stir shaken and really the global problem of how do we deal with voice call fraudsters and spamming and spoofing and all the challenges. I think this is a global issue, not just an US issue.

Abe: And Linda next steps.

Linda: Next steps, ongoing steps. We need to continually perfect the tools to detect improper attestations because that's starting to happen. I mean, we're starting to see improper attestations, A attestations where they shouldn't be. So we've got to perfect the tools to detect that and to take action and also develop the tools to detect basically I guess, spoofed or improper rich call data because they can figure that out just like they figured out how to spoof a number. It may be a little bit harder, but the scammers are going to be able to to do that. And the other thing, and George mentioned the international component and that's so important, but I think we need to expand even beyond stir shaken, we need to really expand the industry or just the industry and enforcement collaboration that we have developed so well in the United States. 


We need to expand that internationally because we also need to understand the unique challenges that the international service providers have, that maybe we've already tackled or taken care of, things like every domestic provider is required to cooperate in Traceback, they don't necessarily have that internationally. So understanding the challenges they have and working with them to overcome those challenges, I think that's going to be our next big frontier, I guess.

Abe: Sekar, you had a few comments earlier, but is there anything in addition you wanted to add after listening to George and Linda?

Sekar: No, I think they covered it. I mean, I just go back and make my point again, which is, I think end to end IP continuing to increase the amount of traffic that's IP, especially between all the carriers within the us. I mean, obviously there is the international part of it, but I think at least domestically, if we can button that up and get all the traffic to the IP, I think it'll go a long way in terms of not just stir shaken and call ID authentication, but also the RCD. 

Abe: So we've done this steady drumbeat of discussion, of the short discussions with the carrier community and also the solution provider community, if I can call it that, supplier community. And I feel like it's such a steady drumbeat type of topic as far as robocall mitigation, but it really requires that steady stream of discussions. So I want to thank AT&T or both of you for being here. Linda, again, we've done this before, but Sekar, this is our first time. I know we had a couple technical problems, but that's why we booked the full hour in case something like that happens we can actually continue and get the job done here. So we really appreciate both of you and your time today. 

Linda: Thank you. 

Sekar: Thank you.

Abe: You're welcome. And George, as always we want to thank iconectiv and the team over there. I do believe a couple of your team members are on this line and watching the program. So we always appreciate your support and if it wasn't for iconectiv, we wouldn't be able to do these programs. So hopefully we we'll see you in a couple of months in Las Vegas and we can do this in person.

George: Definitely plan to be there and look forward to it. Thank you.

Abe: Thank you so much. Thanks again for your time. And for all of you out there for this segment online and on demand, you can go to the network media group.com, so long.

 


For any inquiries, please email anejad@thenetworkmediagroup.com