Britons are getting hit with more dodgy calls and texts than ever before, prompting Ofcom to nudge the telco industry into doing something about it. We spoke to Eli Katz, CEO, XConnect about what can be done to bat away the spam.
A lot of organisations and companies have by now declared that the amount of spam calls looking to defraud people out of their money is increasing, citing various factors such as the war in Ukraine and technologies and techniques that make it easier to do so.
In fact, last month we were told Britons will receive 4 billion spam calls this year, and that the average person receives six nuisance calls every month.
Meanwhile UK comms regulator Ofcom reckons three quarters of UK adults received at least one suspicious call and/or text message and/or app message on their landline and/or mobile phone in the three months up to August 2022. Of those, 700,000 acted upon the instructions of the scammers and thus got ripped off.
This apparently prompted the regulator to announce new rules for telecoms firms which will come into effect next May, which are supposed to make it harder for that dodgy call to get through in the first place.
To explore these measures and the latest tech that’s being deployed to combat spam, we spoke with Eli Katz, CEO telecoms data firm XConnect.
What is behind the increase in fraud calls and texts and where is it coming from?
I think you’ve got two sides to it. One is certainly that world of impersonation and the scamming side – poor old granny being contacted by the ‘bank’ or the ‘government’ or some other entity. The ability now for nefarious actors to spoof CLI (calling line identification) and the ability to generate thousands of calls, to kind of industrialise all of that, just becomes much easier as the technology improves. The value that can be done through social engineering combined with caller ID is what’s driving this.
It should also be pointed out that a number of times you do feel that there are state actors involved in this as well, apart from private criminal activity. So there’s a dual play here both on a state level, as well as private level. All of this is not making lives pleasant for us as consumers.
Presumably this is a global problem and each country is having to come up with its own ways of combatting it?
If we just want to cover the two or three steps that an industry or regulator – and it’s a little bit of both – can do to deliver on that journey of restoring trust in caller ID, the first step, which is really what Ofcom have taken in their most recent consultation process and conclusion, is what we call validation of caller ID. This means is its at least a viable caller ID?
It’s not doing the second stage, which says ‘I can give you confidence that the call is not being spoofed in any way.’ But the first stage means ‘is the caller ID a valid caller that exists in the Ofcom numbering plan?’ Ofcom have a complex numbering plan that manages the allocation of ranges and numbers to all UK operators that’s updated on a weekly basis, you have blocks in there which are reserved which are not meant for use, or internal use only.
So at the minimum, the number that’s been presented on a call, is that actually coming from a valid range? So that’s the first very minimal basic step that needs to be done, and Ofcom have now taken [it]. There’s an enhancement on that first step, which is what’s called DNO – do not originate. And this is this is a very interesting concept. It’s a very smart move by Ofcom to do it, replicating what’s been done in various other countries – the USA was first.
What does a DNR list achieve?
The concept of a DNR list says that this this number is a valid number, however the entity that is receiving calls on that number have stated that they do not want this number to ever be an originating number. I’ll give you an example of where that is extremely important nowadays.
Let’s say Barclays Bank do an advertising push everywhere, all over the media, all over your social media saying that ‘this is our number please contact us if you’re a customer’ or they’re trying to sell you some nice services, etc. Now once that number is out there in the public it is very easily spoofable by the nefarious actors.
They can take that number, spoof that in a CLI, make that call to granny and say ‘look, we are Barclays Bank you can see we are Barclays Bank because that that number which you’re seeing on your handset is the number that if you open in your newspaper and social media, you will see on our advert saying please contact us on this number.’
Most banks and other financial institutions, and some government departments as well, have identified this and they have a main inbound number for them to be contacted by, but that number will never be used as an outbound number. It’s too easily spoofable and becomes too easy to interact by social engineering and other activities. So Ofcom have created a list of do not originate numbers. And therefore you should never see a call coming from one of these numbers. And that number is designated by the enterprise, the financial institution, the bank, the government department, etc.
This is the second element of that validation and the second important part of this Ofcom conclusion… if telecoms operators see a number in the CLI that is on this do not originate list, then that call must be blocked. In the UK, that’s now got tens of thousands of numbers in that list, in the USA it’s about two million altogether.
There’s a second step, which is a much bigger step and that’s what they did in America. It’s a concept called Stir/Shaken – named after our beloved 007. And the idea behind it is it’s a technology solution that states that when you receive a call it applies the concept of a certificate, like when you’re using a web browser and you’re and you’re talking to an HTTPS, so is secure. It’s the same kind of concept whereby this call is called a ‘secured call’ in the sense of the caller ID has been verified by the originator all the way through to the terminator. So that’s much more of a complex step, it’s a much bigger step by both the regulator and the industry.
Are there any barriers to the telco industry adopting these measures?
For the industry to adopt even this first stage of what we call caller ID validation capabilities, for some operators it’s an interesting technology challenge. Because for a telecoms operator to start having to introduce capabilities to scan, screen and to detect the caller ID, it is not something that they’ve typically been used to. We [Xconnect} are enabling these types of services for both national telecom operators as well as global carriers to be able to introduce that kind of capability via cloud services or other ways to validate caller ID. This is quite a big step forward for many operators and it’s a very important step because it’s part of a global trend towards the care and attention on trusted caller ID.
What are the wider implications of this tech for the telecoms industry?
It’s a genuine Holy Grail, because if the industry both on the messaging side and on the voice side can get to the stage whereby there is implicit trust in the caller ID, then that brings a whole new life into telecoms… because now you have the concept of a trusted caller ID.
You can introduce things like what’s called ‘branded calling’ – imagine having a logo and a reason for why the financial institution is trying to call you. And all of this is taking telecoms to the next big stage, but that can only be done when you have the foundation of restored trust and caller ID. So this should be seen not simply as a way to prevent negatives – spamming, spoofing, impersonating and scamming – but also helping to lay the foundation for that next step, both on the voice side and on the messaging side.
Get the latest news straight to your inbox. Register for the Telecoms.com newsletter here.