31 May 2023: Robocalls and Call Authentication

In this show we discuss the issues surrounding automated nuisance calls and the methods that could be used to help phone users identify who is calling them before they accept the call. The guests are: Professor Feng Hao of the University of Warwick, a recipient of a research grant into call authentication who has also given expert testimony to UK parliamentary committees; Pierce Gorman, whose 30 years of service in the network engineering teams of Sprint and T-Mobile US led to his playing a leading role in the implementation of STIR/SHAKEN; and Sathvik Prasad, Research Assistant at North Carolina State University (NCSU), where he was a leading member of the team that conducted an award-winning study of robocalls.

Topical news items are also debated by the show’s three regular presenters, industry analyst Ed Finegold, senior risk executive Lee Scargall, and the Editor of Commsrisk, Eric Priezkalns.

A paper describing the work done by Sathvik and his NCSU colleagues to develop SnorCall, a machine learning model that analyzes the content of robocalls, can be found here.

Transcript (auto-generated)

Hi, this is the Communications Risk Show and I'm your host, Eric Priezkalns. Every Wednesday,
we talk to risk experts from around the world of electronic communications and we broadcast
live so you can also join the conversation, submitting questions and observations as we
go along. To ask a question, just type into the window immediately beneath the live stream
on our website at tv.commsrisk.com. Messages are anonymous, so include your name if you
want me to read it out. We also stream live on LinkedIn. Feel free to leave a comment
over there. A member of our team will pass them along and I will try to read out as many
of your comments and questions as time permits. I am hoping and expecting there will be
plenty of feedback to the show because it is such a big topic we're going to cover
today. Today, we're going to have not one, not two, but three expert guests to debate
the issues surrounding nuisance robocalls and the use of call authentication technologies
to stop them. Joining us later will be Professor Feng Hao of the University of Warwick, a recipient
of a research grant into call authentication, who has also given expert testimony on this
subject to parliamentary committees in the UK. Pierce Gorman, whose 34 years of service
in the network engineering teams of Sprint and T-Mobile US led to his playing a leading
role in the implementation of STIR/SHAKEN in the United States, and Sathvik Prasad, research
assistant at North Carolina State University, where he was a leading member of the team
that conducted an award-winning study of robocalls. But first, allow me to introduce our
regular co-presenters, Ed Finegold and Lee Scargall. Ed joins us from Chicago, where
he's an author, analyst and strategic advisor to tech and telecoms businesses. And Lee comes
to us from Bahrain. He travels the world as an executive and consultant who has managed
the risks of comms providers in the Middle East, Europe, Caribbean and Asia. Welcome Lee. Welcome
Ed. Now, normally the three of us spend time chatting about recent news stories concerning
risks for comms providers and their customers. But the problem of illegal robocalls and
scam calls causes so much annoyance. And the amount now being spent by telcos in some countries
in terms of tackling them is now so enormous. It's fair to say that there's probably no
subject in telecoms risk management that is commandeering as large a budget as call authentication
is commandeering now. So let's warm the audience up by setting the scene. Ed, just the other
week, I saw that FCC chair Jessica Rosenworcel was given an interview by CBS News about robocalls.
You see, it's such mainstream stuff, even CBS News is covering it. The questions,
however, sadly, were very soft indeed. The interview was clearly just feeding lines that
had already been provided by the FCC instead of asking genuinely taxing questions. Nuisance
robocalls clearly concern the public, but judging the public's perception is difficult.
I'd like you, Ed, to give your score out of 10 for the following. Firstly, the public's
perception of how well the FCC is tackling robocalls and your perception of how well
the FCC is tackling robocalls.
OK, so first of all, let me just start out by saying that I'm really wound up about this
topic like I know a lot of people are, and I'm feeling it right now. The blood is pumping.
I have a workout, you know, a boxing workout after the show, and I'm worried I'm going
to be out of gas after this one, so bear with me. Yeah, so here's the story. I think on
the FCC side, in terms of the public, it seems to me, if you watch enough YouTube videos,
you might get the sense that if you went and asked the general public how they thought the
FCC was doing on robocalls, the most frequent answer would probably be, who's the FCC? That's
part of it. But I did go and ask a friend of mine who knows who the FCC is, just randomly
what he thought about this, and this is a person who's not in this community. He is
a master developer, but he's not a security person specifically, right? And the response
that came back was pretty straightforward. It was, you know, geez, my mom gets 10 of
those texts or calls a day. It's annoying. It's out of control. And honestly, I don't
know who's succeeding with these scams. So I thought that that was actually a really
interesting response. I realize it's one person and it's anecdotal, but I felt like it kind
of reflects, you know, like a broader sense of, you know, this is a problem. I'm getting,
you know, inured to living with it. It's an annoyance. I don't necessarily tag anybody
to do anything about it or not. It's just another bullet I have to dodge, which may
go back to the who's the FCC, right? Does anyone even realize that anyone's responsible
for dealing with robocalling? It might be an overarching question. So then for someone
like me, who I'm a former regulatory reporter, you asked me, what do I, how do I think they're
doing? I'm going to very generously give the FCC a five and I'll tell you why I'm gonna
give them a five. Okay. I'm giving them a five because they acknowledge that there's
a problem. Okay. And they have taken steps to try to address it. If I have a fair critique
of that approach without just shredding STIR/SHAKEN, which we've done, and then we have
plenty more time to do if we want, I think I would say that even if STIR/SHAKEN worked
perfectly, it's still only one element of defense. And this is an issue, I think, that
needs a combination of layered defense and enforcement, if you really want to solve it.
And that's just coming from me, that's from, you know, talking to the experts in
this community about this very issue. But again, so FCC, I think about a five, then
only because they've made it an issue that's in the public that people should pay attention
to.
Okay, thank you for that five out of ten. I agree with you. That is a generous five
out of 10.
Now, Lee, it's still a failing grade.
Now, Lee, it's tempting to always talk about the USA in this context, but it's important
not to talk about the USA in this context solely because, well, even if you were trying
to tackle callers within just one country, that'd be pointless because there's international
phone calls too. So you can't solve problems just in one country in isolation. You worked
in telecoms risk management all over the world, Lee. Can you ever remember an occasion when
a single national regulator was so determined to dictate how every country tackles a telecoms
crime in the way that the FCC is currently seeking to dictate how telcos and regulators
around the world deal with illegal robocalls?
Just before I deal with that question, Eric, I just want to say that I wholeheartedly agree
with what Ed said there. It has to be a layered approach. There's no silver bullet to this,
right? So I completely agree with what Ed was saying there. To get back to your question,
the short answer is no, I don't, right? Now, regulators, they tend to be assertive in their
home territories, right? And they impose it. They don't really impose it on other countries,
right? So that's pretty unusual what's going on here. But also for me, it's a little hard
to understand this because when I look at the numbers and I see this month on month,
they're just not coming down, right? Instead, the numbers are going up. So I think there's
some kind of a political agenda, which seems to be pushing for this particular
solution, which to me doesn't really appear to be effective at reducing robocalling.
But I guess we're going to find out more later on with the guests.
Well, we've got three great guests to talk about the technology and the alternatives
we can follow as well. But I think you're absolutely right. And on the money that this
is a very unusual situation. But the key thing is, if there had been dramatic improvement
in the results in the United States of America, we wouldn't be debating this now. We won't
be debating this now because it would be just a matter of fact that others would follow
the approach being taken in the USA. It's the poor results being delivered for American
consumers, which now opens up the space for revisiting the debate that probably should
have had more options considered in the first place. But that's just my opinion. Let's take
a short break. Here's a message from our series sponsors, BluGem. Are you launching new
network services? There's no better way to check they're working correctly than using
real network devices to do all the things that your customers do, including streaming
films, using Facebook or making a satellite call. Using the latest test devices means
you can also check new 5G network deployments and the use of eSIMs on your network. Do you
need to assure roaming usage and costs? Roaming revenues have picked up following the pandemic,
but telcos cannot afford to be relaxed about losing income if customers are unable to use
their services whilst abroad. So check they get those services by auditing where they're
provided at key locations. Are you concerned that tariffs are not always applied correctly
to all types of usage? Daily heartbeat tests would support rating assurance and give you
continuity of comfort whenever there is a network service update. Are you interested
in validating the interconnect routes used for calls terminating on your network? The
proliferation of VoIP services means it's never been more important for telcos to ensure
traffic is routed correctly and termination fees are levied as they should, protecting
you from SIM box refiling and OTT bypass. Originating tests from other countries means
if they terminate on your network, you can use a risk-based approach that covers the
most important routes and gives you real-time insights into fraud, but without tipping off
any fraudsters as to what you're doing. Whatever your goal, testing will tell you if you're
on track and when it comes to testing network services, there's no better partner than the
team of specialists at BluGem. There's so much that can be achieved by implementing
testing strategies that include test calls and other test events over your networks,
but purchasing your own dedicated infrastructure to create all sorts of network events from
lots of different locations will be prohibitively expensive. That's why the smart approach is
to ask BluGem to use their global deployment of test probes on your behalf. BluGem tests
network services on behalf of telcos, governments, and software companies. They use real phone
devices that do all the things that people do with phones, creating real customer journeys.
So reach out to BluGem to learn more. Their URL? B-L-U-G-E-M dot com. BluGem.
Right, returning to the theme of the show here, guys, which is nuisance robocalls. Lee, the
UK comms regulator Ofcom has instigated a consultation on whether the UK should implement
a copy of the STIR/SHAKEN anti-spoofing technology devised in the USA as a means to reduce robocalls.
There are only three countries that have already committed to using STIR/SHAKEN and making
it mandatory for their telcos: the USA, Canada, and France. And frankly, nobody would be following
their lead if the decision was based solely on the results delivered so far in those countries.
Many more countries implemented other kinds of countermeasures for scam calls and spam
robocalls, but you wouldn't know that from Ofcom's consultation documents, which tell
readers about the three countries that have adopted STIR/SHAKEN and the alternative road
taken by just two other countries, Finland and Germany, commenting about them that no
data is yet available to assess the relative effectiveness of these regulatory approaches.
And to some extent, that's true, although one could also say no data is yet available
to assess the effectiveness of regulatory approaches in the USA, Canada, and France.
So for some reason, they don't mention that. Now, Germany is essentially taking a version
of the steps that have already been taken in the UK, and which Ofcom says has been successful,
though they provide no numerical analysis, no data to back their assertion it's successful.
So Lee, long-winded question, but hopefully one that sets you up nicely here. Speaking
as a Brit who has worked in fraud management around the world, and is currently working
with Middle Eastern regulators and telcos on anti-scam initiatives, can you speculate
on the reasons why Britain's regulator is seemingly completely ignorant of all the other
countries that have used all these other methods? You talk about the layers, all the other layers
that could be implemented, all the other choices available. Can you speculate as to why they're
ignoring the work that's been very successfully done in countries like Australia, the methods
being used in several Middle Eastern countries, for example? Do you think it's because the
UK regulator is too lazy, too cheap to employ impartial consultants like you, or have they
just chosen, consciously chosen to ignore alternatives to US strategy?
Well, they seem to be quite selective in choosing the solutions which they're trying to push
forward. But so I actually, look, I believe Ofcom are fully aware of the alternative solutions
out there. But as I said earlier, I think there's a wider political agenda here, not
just from the US, but also from the UK as well. Because there's some very cost effective
solutions out there that have been implemented, and they're obviously been overlooked by Ofcom.
So I guess only they know the answer, Eric. But in my opinion, if you want a global standard
for robocalling, then it should be agreed at the global level first by everyone. And
I think there's still time to do that before everybody starts going off down these rabbit
holes.
Well, I mean, I'd come back straight at you and say, USA, Canada, France, if UK follows
in their footsteps, that's four out of the G7 countries, four of the big economies in
the world on the same track. That's what it looks like to me. I get suspicious that, first,
for no particular obvious reason, the same plan is not being pushed aggressively throughout
the whole of the countries that are on the North American numbering plan, of which there are
very many countries on the North American numbering plan, which are not currently seen
to have any plans whatsoever to adopt STIR/SHAKEN or follow the US approach. And yet
I would have thought they would be a much more logical choice to start with. Because surely, if you're
worried about scam traffic, you should be worried about calls from places where people
are poor, because where people are poor, that's where you site call centers that scam people.
So is this already now being stitched up at the highest level? Is this really about
an extension of US defense policy here, translating to the cybersecurity realm?
Well, I think so. Because I mean, those five countries that you mentioned there, Eric,
they are part of the G7. But it's also they're all part of the Five Eyes community.
Good point. Now, Ed, should the FCC be stepping back and spending more time looking at alternatives
implemented in other countries? I know they're horribly leading questions, but they're still
fun anyway. Since, I mean, the FCC approach, I'm not hearing anything about them learning
from other countries, I see a lot of bipartisan signed agreements, that there's going
to be exchange of information, but nothing that anybody else ever seems to do ever seems
to alter the FCC's approach. Are they making a fundamental mistake by refusing to take
notice of others? Or do you think they actually are taking notice and choosing to ignore it
because it's inconvenient?
Yeah, I mean, I have sort of two cheeky answers to this that aren't meant to be cheeky, they're
actually meant to be serious. But we do try to have fun on the show a little bit on what
can be an intense topic. So one is, you know, in thinking about what Lee was just saying,
you know, about picking up STIR/SHAKEN and then replicating that across the G7. And that
being an extension of defense policy, Eric, you mentioned, and what that means that it
becomes this, you know, the obvious analogy is the red herring, right, that then gets
replicated here is what it feels like. What I actually came into before the show, before
I thought red herring on this discussion, was that it reminds me of the rabbit in Monty
Python's Holy Grail. If you remember that, when they build a big rabbit and the enemy, the
French, drag it inside the castle, but nobody's inside of it, and then just throw it back
over the wall at them and, you know, tell them to get lost. And to me, that's what STIR/SHAKEN
feels like. And now we're making more rabbits. You know, Lee mentioned the rabbit
hole. So that's one thing. So but for that reason, right? So yeah, I mean, I think the
second cheeky answer other than yes, there should be more is, maybe I'm wrong, but I
don't think I've seen an FCC sponsored symposium, you know, with a hackathon that brings all
the best minds in robocalling or anti-robocalling technology together to really get
after this problem. Have we seen that kind of a symposium happen?
Well, there is. Yes, there was. There was, to be fair, though, again, you know, my question
to you is about an international context. So there was an FCC/FTC joint symposium in
the USA. But if you look at who attended that symposium in the USA, and this is like maybe
four years ago now, forgive me if I've got the exact date wrong. But if you look at who
attended that symposium, well, who attends a symposium like that? It's not a wide cross
section of professionals from around the industry. It's not the international partners you need
to be working with. It's American businesses seeing an opportunity to sell some technology.
And I've got representatives of those businesses, too, right, Eric, it's very canned. And that
way, those symposiums that are sort of FCC led, in my experience can be very canned.
The opposite of what we see in big international tech symposiums that do result in good collaboration,
what have you. So it's just like a fundamentally different approach that I think is lacking
to what's, you know, really a largely technical problem.
And so then I sense you're asking for kind of cultural change we've never seen before.
We've never seen this kind of like culture of genuine dialogue that involves I mean,
we talk about layers a lot. Okay, but you know, let's focus on the layers a lot. We
have things we have institutions where people can talk to each other. So engineering, when
it comes to engineering, there are places where engineers can come together and talk
to each other. But we need something that's not just international for one kind of professional,
you need something that's international for a multidisciplinary approach, if you're talking
about a layered strategy, because there will be some professionals suited to solving to
addressing some of the layers, and they won't have the right skill set to work on and give
the right answer. So, it pains me to say it, you do need lawyers in the room. But
you also, I think really, we've missed out, we haven't had enough anti-fraud professionals.
And when I think about the UK consultation, it seems almost to me like a replication of
mistakes made in the USA, where the anti-fraud professionals are simply not included in the
dialogue and not included in the conversation. And yet they should be central, because they're
the ones who best understand what scammers, what criminals do, and the way in which they
will adapt to change and anticipate, and the anti-fraud professional is the best at anticipation.
So you know, the whack-a-mole analogy, I find that tiresome, I find it tiresome, because
we're not trying to anticipate what the criminals are going to do next. We just go, oh, well,
they always change. Oh, well, you do your best, but you can't do it. And
come on, this is pathetic. We're talking about billions of dollars impact on the economy,
about crime that's very serious and causes a lot of harm for a lot of people. And yet
people just go, well, it's like this fairground game whack-a-mole, we try our best, but sometimes
we miss. Oh, for God's sake. Anyway, let's have another ad break before I get any crazier.
Let me take this opportunity to talk about the Symmetry Prism fact of the week, an interesting
fact supplied by the team at Symmetry Solutions, and their Prism fraud intelligence service.
This week's fact relates to the team at Symmetry and the work that they do. Over the course
of 2022, they identified over 11,800,000 phone numbers advertised for sale to fraudsters.
That's an average of 32,455 new phone numbers offered for sale to fraudsters each and every
day. As of today, the Prism voice database contains 11,268,462 phone numbers currently
associated with voice frauds. And their SMS database contains 2,577,395 numbers associated
with messaging fraud. You might want to keep the scale of that finding in mind next time
you see a hot list of fraud numbers that includes no more than a few dozen ranges. Now learn
more about Symmetry's Prism services at their website symmetrysolutions.co.uk.
So back to the chat again here, guys, apologies if I'm going on a rant because we need to
get these guests on because they're the real experts here. But before we bring them on,
my question to both of you is: is inflation of traffic inevitably going to become a universal
problem? Now we've talked about floods of robocalls and robotexts as part of a more
general trend of networks carrying ever increasing volumes of traffic. Artificial inflation of
traffic also occurs because of the way machines are being used to generate traffic. Fraud
managers at traditional telcos will be familiar with the age-old problem of artificial inflation
of traffic. But then it usually involves somebody creating a revenue stream by stimulating calls
towards a destination they control, doing so in a way that increases their income, often
without paying for the origination of that traffic. And a few weeks ago, we had Tim Biddle
of Sinch on the show. And he discussed the more recent but extremely serious variation
of the theme where messaging traffic is artificially generated by bots, which create bogus internet
profiles and then stimulate the sending of SMS messages. And the same issue has now
come up again with Spotify, the music streaming service. They removed tens of thousands of
songs from their platform after they were warned of suspicious activity by one of the
big music businesses, Universal Music. And here's the quirk. All the songs that were
removed were created by people who simply typed a few words into a platform called Boomy,
which uses AI to generate a new song that matches the description the user provided.
Boomy's homepage even encourages users by saying, submit your songs to streaming platforms
and get paid when people listen. And even more recently, online advertising measurement
business DoubleVerify reports a significant rise in the fraudulent inflation of video
advert impressions on connected TVs, with unprotected ad campaigns serving 11.2% of all their traffic
being fraudulent. Lee, are human institutions failing to see and anticipate these analogous
network crimes that occur because of the way networks work and the way users are incentivized
to terminate traffic on those networks? Are we failing to see analogy because we keep
looking at every problem in isolation rather than looking at the whole?
Yeah, well, I think if you're going to create a certain type of behavior, then it's all
about how do you reward that person, right? So if your payment model is based around the
number of minutes or the number of downloads, the number of impressions, and people are
going to try and game the system, right? So when new products and services are launched,
right, especially those with new payment models, then you really need to consider the ways
which could drive that fraudulent behavior. Now, funnily enough, this actually came up
in conversation yesterday. So we were looking at ways as to how do we kind of incentivize
customers to report spam, SMS spam messages to 7726. There was somebody in the room, they
actually suggested, why don't we give away three minutes or three GBs for each new spam
message that's reported, right? So, and this actually started off a fierce debate because
then it's like we thought, well, hang on, would people actually abuse the system here
to create more spam messages, right, just to get three minutes? So you've really got
to be careful about that. But, you know, you're right in what you said there. You said this
is an age-old problem. And I'll just go back to an old World War II story. So when Japan,
when they invaded Burma, they had a rat problem. It was quite well known, this rat problem.
And they wanted to promote some kind of like public hygiene. So they gave everybody a rat
trap. And if you wanted to pass around Yangon, then you had to have this token. Each rat
was worth a token. So if you wanted to pass around, you had to have this token. Now, some
people actually realized the business opportunity here that if they bred the rats, they could
actually sell them to the people who actually don't buy them, right? So again, you just
have to, it's just an old story. Keep it lighthearted, yeah.
I see the point there. I mean, for me, it does seem as though we're always surprised
that this happens. Oh, who could have thought Spotify might have been abused? Who might
have thought that an advert on a connected TV might be abused? It's just the same thing
over and over again. And we're not really learning. We're not doing enough cross-fertilization
of ideas. Everybody's sat in their silo solving a problem independently each time. Anyway,
Ed, I want to bring you in on this one here, because I want you to like be giving us some
stick here because I'm a European, right? Okay. And I think this is time for the Americans
to give the Europeans some stick. Now, the big European telcos want to effectively
scrap the part of net neutrality, which stops them billing tech firms like Netflix and Google
for the extent to which content stimulates demand for network traffic. Firms like Vodafone
are the ones saying they can't afford network upgrades like 5G, unless the big US tech firms
are forced to pay towards them. Shouldn't we question whether telcos should first be
doing more to deal with the artificial inflation of traffic before they start moaning about
the demands being placed upon them? You know, it's interesting that you attach
these two subjects together, and I understand the logic. I just would tend to think that
the folks arguing this from the telco side would never even bother to go there in the
sense that when I first started reading stories about sort of this, like you're saying, unwinding
of net neutrality that's going on, it just read to me more like payback. Hey, it's payback
time. And then my next reaction was that it's too late and it's a very lazy way to go about
things. And it's honestly, it's frustrating to spend a lot of time as a researcher, you
know, over the last 20 years watching the telecom industry miss a lot of opportunities
and do a lot of things to pay anything but forward. And I certainly saw a lot of that
in 1996 around, you know, telecom deregulation in the US and the way that was manipulated,
which I've talked about before on the show. So to see it, it's kind of the same old bag
of tricks to like, don't make me do anything new or interesting. Let me manipulate the
playing field. And as long as like, you know, in this Texas Hold'em game, I keep sitting
next to the dealer, right? That's fine with me. I just need to keep my position. And that's
what it feels like to me. So, you know, should they be held to account to reduce artificial
traffic? I kind of think they should anyway. But I like your counter argument. I always
come at it from the other side and making arguments like, well, I can't afford to carry
your traffic because there's too much traffic. I'd say, well, okay, cut out all the artificial
stuff and then come back and talk to me again. And so 60 days from now, we'll have another
conversation.
As a rule of thumb, I would just assume 10% of all traffic is unnecessary. And it could
be stripped out if you are making the effort to strip out unnecessary traffic. But we don't
strip it out because somebody is making money off that 10% of traffic and they don't want
to lose that traffic because it's profitable for them. And so as a result, we go around
in a circle where we say, well, we haven't got enough money to put into capital expenditure
to support the networks for all this traffic. So we're just going around and around chasing
ourselves in terms of capital costs and operating revenues.
It's something that I think, Eric, is human nature in the sense that like, even in something
innocuous, like if you work in corporate marketing and you've had to go in and do like a full
web traffic and SEO audit, you know, on your web properties for the corporation, right,
and go in and you produce these reports and you dig down into something, you know, like
Google Webmaster Tools, you know, those kinds of things. And you look at the real details
of where your traffic's coming from and what are the session links look like and where
are the originations and all those details. And you very quickly realize that half or
more of your traffic is all just bots. So these little, you know, senseless sessions.
And then you say, uh-oh, I have to report upstairs. Which number do I report? Do I report
reality because I want to talk about the quality of like leads I'm generating or am I talking
about volume because people like big numbers, right? So you automatically end up in a compromised
argument in any one of these channels when it comes to, you know, the fact that there's
just always artificially inflated traffic. And what is it? If you don't do the hard work
to look at what it is and you leave it there, yeah, I'm with you. It's kind of like you're
doing your math with the wrong denominator, right?
People want the artificially inflated traffic until they don't want to. They can't have
their cake and eat it. Anyway, let's have a lighthearted segment. We always have two
minutes of lighthearted segment right in the middle of our show, courtesy of Geoffrey Ross
and our fantastic sponsors, One Route. As ever, Geoffrey takes us on a trip around the
world where he sees the world through the services we get in our phone. And this week
Geoffrey is going to be taking us a relatively short trip for him down south, south of the
Texan border to his neighbors in Mexico. Producer James, roll VT.
Hey everyone, from One Route, I'm Geoffrey Ross and this is The World in Your Phone.
Hablemos de Mexico. Let's talk about Mexico. Mexico is an extraordinary country that has
so much to offer across its many cities and remote areas. With a vibrant culture, world-class
food and colorful celebrations, there are so many great things to learn about this North
American gem. But did you know that in late 2022 China United Network Communications Group,
known as China Unicom for short, received a 30-year permit from the Federal Telecommunications
Institute to operate in Mexico, marking a significant milestone in its global expansion.
Now how did this state-owned company, one of the largest telcos in China, secure its
permit and what does this mean for Mexico's telecom industry? Well, be sure to read our
blog about this next month at oneroutegroup.com. Mexico has one of the largest and most vibrant
Dia de los Muertos celebrations. Also, Mexico supports around 10-12% of the world's biodiversity,
making it one of the world's largest natural diverse countries. I found it interesting
that Mexico is home to one of the six cradles of civilization and the Mexican silver peso
was the first global currency. It was used in Spain, the Caribbean and Southeast Asia.
In fact, these silver coins are the famous pieces of eight that you hear in pirate stories.
Be sure to tune in and subscribe to our YouTube channel and catch up on the One Route Roundup,
where we spotlight individuals and companies making a positive difference in the telecom
industry.
One more fun fact, no one knows what Mexico means. No one can agree on the etymology.
Some people say it means the place where the God of War lives, and others say it means
at the navel of the moon. But quite honestly, nobody knows the truth. And on that note,
Eric, back to you and more of the communications risk show. Cheers.
Thank you, Geoffrey. And now let's introduce today's guests. Feng Hao is the professor of
security engineering at the University of Warwick. It's quite likely that you already
own a device which relies upon one of the cryptographic authentication protocols that
Feng has previously developed. Recently, he's been working on an approach to call authentication
that would be simple to implement because it avoids the need for the public key infrastructure
demanded by techniques like STIR/SHAKEN. His research into a new kind of call authentication
is supported by a million pound public grant here in the UK. Pierce Gorman is a distinguished
member of the technical staff at Numeracle, experts in identity management. He spent over
three decades leading network engineering efforts of Sprint and T-Mobile US. So he played
a leading role in the implementation of STIR/SHAKEN in the USA, and is one of the four
leaders on the topic of call authentication at the Alliance for Telecommunications Industry
Solutions (ATIS), the US association responsible for the SHAKEN standards. And finally, Sathvik
Prasad, research assistant at North Carolina State University, where he was a leading member
of the team that conducted an award-winning study of robocalls. It's a pleasure to have
you on the show. Sathvik, I kept your introduction deliberately short compared to everybody else.
Not because you don't have an impressive bio because your research is really out there
and ahead of everybody else's research in this understanding of robocalls as a result
of the fantastic work you've done with honeypots and with being able to analyze the semantics,
the content of the messages. Let's open the conversation with you sharing your understanding
of the problem of robocalls with the audience based on this amazing research you've done.
Now the audience watching the show already knows there's a lot of illegal robocalls.
So we don't need to reiterate that. But could you please succinctly summarize for the audience
some of the key specific takeaways from your research and how you conducted that research?
Yeah, thanks for having me on the show. I'm Sathvik. I'm a researcher at North Carolina
State University. I'm part of a bigger research group led by Dr. Brad Reaves. But the focus
of my research is developing systems and techniques that can characterize robocalls in the US.
So as part of this research, we run a telephony honeypot, which is a fancy way of saying we
control a bunch of phone numbers. And through this lens, we can see how this robocalling
ecosystem is evolving over time. And we've been collecting a bunch of data over the past
three to four years. So as part of that, we publish our findings in peer-reviewed conferences,
mostly security conferences. So the first paper in this line of work was around how
can we aggregate calls, robocall audio recordings that are very similar to each other, using
a language-agnostic technique to identify robocalling campaigns. So we were able to
uncover some student loan campaigns and a bunch of social security campaigns and see
how they operate. And we labeled a lot of these campaigns by listening to the
audio recording. So I've been listening to a lot of robocalls over time. And in a more
recent work, we have developed systems that can automatically label these campaigns, right,
and be happy to talk more about that. But in that in that work, we were able to see
how the social security scams have evolved over time and how tech support scammers are
moving away from the good old Windows based tech support to, you know, maybe Amazon impersonating
Amazon and other well known companies, and how much do they try to scam some of these
victims. We were also able to see how COVID impacted some of these scammers and some of
these scam operations. And what was the impact of the political landscape, the 2020 presidential
election on the broader robocalling ecosystem? Yeah, so that's, it's a lot of things, but
that broadly kind of summarizes the work we have done, and maybe it gives you some idea
of the questions that we hope to answer through our work.
Well, yeah, I'm pleased audience do send in your questions, because we've got the experts
really on on on the show right now. Now, it's like you've been a bit modest, because we've
learned some amazing things as a result of your research. So your research was language
neutral. So you learned about the level of the frequency with which people who are resident
in the United States of America are receiving scam calls in other languages. So targeting
people who speak Spanish targeting people who speak Mandarin Chinese, and obviously,
you can't necessarily get that from anecdotal data, because people may not understand the
messages, whereas your technique was able to do that. You also, as I say, I think it
was somewhere along the lines of 5% of all the robocalls people receive were actually politically
related robocalls. So maybe legal, because in the US, there's an exemption that allows
robocalls from political campaigns to call people, but there was a large portion of calls
there that would be irreducible. Thinking about the distinction between legal and illegal
calls. There's a lot of confusion around that topic, these things get mushed together in lots
of ways, because it's so hard to distinguish between them. Because what's legal or what's
illegal comes down to what's actually being said a lot of the time, and whether someone
has permission to make the call that's being made. Can you tell us a little bit about how
you would choose to tackle the problem, or what could be done to get better measures
of how many illegal calls there are, as opposed to legal calls?
Absolutely, and I think that's a great question, and an important one. I would like to build
this mental model comparing email spam classification, although this is not an apples-to-apples comparison,
but it's intuitive to think that an email classification system will have access to
the whole email body and a bunch of headers. If you build a technology to a phone call,
you will have a bunch of headers that is the metadata or the signaling information and
then actual audio, which is the voice call. When you're inspecting a call, carriers don't
really have access to the actual audio content to make this distinction between a legal or
an illegal call. So all they have is they're looking at the metadata information. But I
think over the past few years, there are a lot of other stakeholders in this robocalling
ecosystem, mainly building defenses to protect people from illegal robocalls. And some of
them run honeypots, something similar to what we do, which gives us control of a phone number
which we own, and we also have access to call recordings. So typically, if you transcribe
those recordings, you have 30 to 40 seconds or about a minute worth of audio. And sometimes
it's obvious to flag a call if it's illegal, like if it's impersonating a government agency
or a well-known tech company, and they have a very sketchy way of saying something. So
that's obvious. And then there are some useful calls. For example, if you're receiving a
robocall about a weather alert or a missing child notification, right? So those are really
useful robocalls as well. But then there are a bunch of calls that fall in this gray area.
And it's extremely hard to build automated systems that can classify them as either legal
or illegal. So we explored some of, we ran into some of these challenges when we were
doing our research. And yeah, that's one of the biggest challenges. And I think it's also
something that's overlooked that carriers don't have access to the call data, and they're
sometimes expected to make this distinction between legal and illegal calls.
Well, yeah, I think you're not doing yourself full justice, Sathvik, because we talk about
you doing research work here. And I think you've already developed methods that should
be implemented at scale. So for example, so Lee mentioned layers, okay? Very rarely, but
correct me if I'm wrong, because you mentioned honeypots here, very rarely do I hear about
people actually implementing a honeypot just to understand the scale of the problem. And
surely with the technology you're developing now at North Carolina State University, if
you had a honeypot in place, you'd have a great source of intelligence about the source
of crime, because you'd see what numbers are being used. So if the idea is to trick somebody
to calling back that number, well, you'd see the number that's being used. If the message
though, is what needs to be heard, listened to. So for example, you've developed a technique
where if somebody speaks a phone number in the message with the idea of encouraging someone
to call back that number, you'd be able to extract that phone number. We don't need to
wait for a member of the public to report something here. We don't need to wait for
a traceback to take place. We've got some intelligence that could be implemented. I'm
not hearing, correct me if I'm wrong, I'm not hearing about anybody using these techniques
as part of a layered strategy. And surely there's some potential here for replicating
what you've done at a research level with your very large honeypot and just implementing
this as a strategic form of defense in every country.
Absolutely. And I think it opens up a broader discussion about bringing insights from different
fields, right? So areas of speech processing and transcription have improved so much that
we were able to reliably extract these numbers and the numbers that are spoken during a call
and we call them callback numbers. And if you're running an operation and you're asking
your target victims to call back a particular number, it's very likely that you own those
numbers. So that was the intuition. And yeah, so these are, I think more broadly, we are
exploring these approaches now that there are a bunch of places or a bunch of entities
that are harnessing insights from running honeypots. And that's what I hope we want
to do through our research, like nudge those new ideas and hopefully there'll be adoption.
And we are also working to make some parts of our work open source so that people can
use it and build on top of it.
And yeah, let's hope other countries perhaps emulate your research and implement honeypots
because obviously you've gathered a lot of data on the robocalls and nuisance robocalls,
scam calls that Americans are receiving in America. But I want to talk now just a little
bit about the international perspective too, with you Sathvik. Now, a lot has been said by
people working for the FCC and the like saying that the bad calls that are being spoofed,
they look like they originate in the USA, but actually they originate outside of the
USA. A lot of focus on putting the blame on international carriers on telcos elsewhere
in the world. And quite often, let's be frank, although it may not be always said explicitly,
the implication is pointing towards call centres that are full of scammers based in India.
Can you comment on the proportion of unwanted calls that originate outside of the USA versus
inside the USA? Can you also comment on the reasons why the US is seemingly incapable
or unwilling to emulate methods that focus on blocking the inbound international calls
using a more simple principle like knowing the routing information so that if an international
call has come in presented as a US phone number, well, you don't need to do a lot of analysis,
you don't need to listen to the call, you know immediately there's something suspicious.
Any thoughts on that international side of the problem?
Sure. So let me try to answer the question about where these calls are coming from, right?
And to reliably get that data, it's extremely expensive. By expensive, I mean it's resource
intensive, time consuming, and we have seen a lot of progress in how tracebacks work now.
So I was looking at the annual report that the industry traceback group publishes every
year and from December 2020, 2022, the report says about 50% of the carriers that had a
traceback for an illegal call were from the US. And there was a long tail of carriers
from all sorts of countries and a bunch of them were from developing countries. So it's
less about either or, and I think if you think like a person who's trying to protect people
from adversaries, bad folks are everywhere. They're not geographically isolated, right?
So that's, and when we're building defenses, I think having that at the back of my mind,
a back of our mind is also important. Secondly, about handling spoofing and blocking calls
that potentially spoofed. With my limited experience of working with some of the fraud
teams, I think a lot of time and effort goes in within those fraud teams in big telecom
carriers that really care about the traffic that they carry to identify and block obviously
spoofed traffic, right? So that could be through do not originate lists or other means. But
it's also important to remember that these operations are really sophisticated. They
have a lot of time invested in these and they really want to make money and thrive, right?
So once they figure out a way to start getting their calls into the network, and this ties
back to our discussion about it's very hard to determine if the call is legal or not,
right? So it just blends in with all sorts of traffic and as carriers or as other entities,
it's hard to find and flag those calls and selectively block them. Remember we want really
high reliability and we don't want to block useful phone calls and important phone calls.
So I think it's really hard to find that balance.
It is hard. But Feng Hao, who's also on the call, I'm going to bring you into the conversation
now, is a guy who is working on a rather different approach towards addressing this problem.
Now usually, if you do a webcast about this topic, STIR/SHAKEN will get it. We'll be talking
about STIR/SHAKEN during the show too. But usually, all that happens is you go on to
a certain STIR/SHAKEN solution, a few comments about there's no silver bullets, and then
you're not really exploring enough of the alternatives that are out there. So Feng,
I really think it's important that I bring you into this conversation. I'm very conscious
that we've got an international audience for this show too. And that audience may not be
aware of the work that you're doing. And in fact, the work that, you know, to some extent
other researchers around the world have explored along a similar line of thinking here in terms
of what might be done to authenticate calls. Could you please explain succinctly to this
international audience that are watching now the alternative authentication method that
you have developed and why you believe it's superior to STIR/SHAKEN?
Thanks Eric for inviting me. So this call ID authentication is a problem we have been
focusing on for the past two years. There are some technical details, but I want to
explain the intuition. So in the real life, when you receive a phone call with a display
phone number, for example, the phone number may be from a bank, how do you know this number
is genuine? You can't verify it because the number can be spoofed. The best you can do
is to hang up and call back that number. So that guarantees you talk to the real, the
genuine caller. So our solution follows a similar kind of intuition, but instead of
calling back manually, we use software to call back the number and do the challenge
response protocol. So the whole process verification is based on challenge response. We send a
challenge to the displayed phone number. And if that is a genuine phone number or the caller
owns that number, then we should be able to get a response. And by checking the response,
we can conclude whether the caller actually owns that number. So that is, that is intuition
for this, for this, this alternative authentication protocol is based on challenge and response.
So how does this compare with STIR/SHAKEN? There are many differences, but the fundamental
difference is actually in the principle of design. So that concerns about the definition
of this trusted third party. What is a trusted third party? To common people, trusted third
party is a party you trust, but in the security community, it has almost the opposite meaning.
The classic definition of a trusted third party, according to professor Ross Anderson
from Cambridge University is a third party who can break your security policy. It may
sound counterintuitive, but that actually captures the essence of a trusted third party.
Whenever you have a security problem and they try to solve this problem by introducing a
trusted third party, a party you fully and unconditionally trust, then you introduce
an even bigger problem. Then how do you manage that trusted third party? In fact, there are
the very big part of this whole security research program is motivated to remove or avoid it
or avoid this trusted third party. So let's also motivate our research by using the challenge
response. We don't involve any trusted third party. So authentication is strictly between
the two users or two providers in the telecommunication system. But for STIR/SHAKEN, the design principle
of STIR/SHAKEN exactly is based on introducing a trusted third party. So the idea in STIR/SHAKEN,
just for the benefits of audience, the idea is quite simple. So you use digital signature.
For every phone call, you attach a digital signature to prove authenticity. In this solution,
signing a digital signature is quite easy. The problem is verifying the signature. To
verify the signature, you need an infrastructure because you need to verify the signature against
a chain of certificates. And the root of that certificate is managed by this certificate
authority or CA. And this CA is a trusted third party. So CA has to be trusted by everyone.
And this is a global system. So it implies that the CA needs to be trusted by every telecommunication
provider in the world. Then the question is, who is going to be the CA? Who is going to
be the root of trust? So in the US, the FCC has chosen a few American companies as the root
of trust. And they can do that by regulation. The mandate is that every company in the,
every telecommunication company in the US must trust this CA as the root of trust.
But this spoofing is an international problem. It's very difficult to enforce this across
borders. Because across borders, you need to have this CA to trust, to be trusted by
other countries. And then you have the problem. So this root of trust appointed by the FCC,
will that be trusted by the Chinese government? Very unlikely. And similarly, if China is going
to implement STIR/SHAKEN, they choose a few Chinese telecommunication companies
as the root of trust. But will that be accepted by the FCC? Very, it's not realistic. So that
is where you get stuck. You bring this trust to the party. Everyone wants to be the root
of trust. But then you have, you're stuck with a situation that this doesn't scale.
So this is it in a nutshell, in terms of applying this internationally. It's one thing, we tend
to talk about STIR/SHAKEN like it's just a technology you can just drop on the country.
But even if you drop the technology on the country, unless there's some cross-border
agreement about trust, so that a call that is signed in one country will be accepted
as trustworthy in another country, you don't have an international solution, even if
both countries have implemented STIR/SHAKEN. So we have right now a situation where France,
because of the political manoeuvres above the telecoms industry, will be implementing
STIR/SHAKEN. But nobody knows whether there'll be any kind of interworking between France
and the USA. And if there's no interworking, then you haven't solved the problem of call
that's gone from France to USA. And of course, that's just one pairing of countries. You
actually need to solve this problem for every pairing of countries. And nobody's really
clear on the way forward for that. Now, correct me if I'm wrong here, please help me to again
understand your approach. If I understand your approach correctly, Feng, if I say had
a friend, and I have the right software on my phone, and my friend has the right software
on their phone, no matter where they went in the world with their phone, because it's
really about the software executing an exchange of keys, if you like, at the start of a call,
this would work internationally, because it doesn't matter what's in between. It doesn't
matter. There's no other third party in the trust relationship. It doesn't matter what
any telco does, because this is something that I can independently choose to do with
my friend. And your model is to develop and make this technology as cost effective and
as efficient as possible, so that this could be then globalized and used globally. Am I
right? Am I understanding of what you're proposing?
Yeah, absolutely. You're right. I mean, the key challenge here is to work across borders.
So this challenge response is a generic protocol that can work across borders. But the interesting
thing here is that actually, we don't require cross border agreement for this solution to
work. It's actually sufficient to implement this solution within the country. And why
is that? Just follow up on your previous talk, you mentioned that to address a scamming attack,
we need to understand what scammers do. A lot of scamming phone calls, actually the
scammers call from overseas providers, voice over IP providers, because they can easily
change all the caller ID. But they almost always spoof a number that is local, local
number, local is a low, is a number local to your area or local owned by a local government,
for example, HMRC or police station or important local number in the country. So for the challenge
response, you see this displayed number as a local number, all you need to do is to challenge
that local number to see if you can get a response. So that challenge response can be
implemented within the country. And that is sufficient, and directly addresses the main
source of the scamming attack.
That's brilliant. I mean, because it makes me realize that, of course, if you say had
somebody, I mean, this has come up a lot, tax officers, for example, is a great example
that comes up a lot. We see that in Sathvik's research to that, you know, impersonating
government agencies. So if you have the technology in place, well, what you'd be doing is that
you'd be doing the call back to a tax office in the UK or in the USA, wherever, and they'd
be saying, nope, that call isn't from us. So that should be a very efficient way of
replay, you know, removing a lot of the scams from the ecosystem very quickly, if I understand
it correctly.
Yeah, that's precisely true.
Okay, thank you so much. I really thought we'll come back to you a little bit later
in the conversation and full power to you for the work. Now, Pierce, I'm conscious you've
been patiently waiting. You are a very good man to me because you spend many an hour explaining
to me the intricacies of STIR/SHAKEN and how it can be improved. So again, I appreciate
your patience. You've been intimately involved in the development and rollout of STIR/SHAKEN
in the USA. But you also talk very openly about what it does well and what doesn't work
so well with STIR/SHAKEN. If I asked you to pick out two key strengths and two key weaknesses
of STIR/SHAKEN, which would you pick on, Pierce?
Well, before I answer that, I'm going to make a comment about honeypots and Feng's work.
So the honeypots are common in the carrier space. I know that at least two of the three,
probably all three of the major wireless carriers in the US operate honeypots and use them to
gather information to help them improve their anti-robocalling analytics. And there are
other companies outside of that. You may be familiar with David Frankel's ZipDX. He offers
a thing that he calls RRAPTOR. Probably would make a good show if you had him walk through
that honeypot-based system. On the work that Feng is doing, I like what he's describing.
I would say that my assumption is that the challenge response is calling that doesn't
necessarily require anybody to answer the phone and talk. So there's going to be a challenge
response application operating on the phones. That means there's got to be signaling. If
it's on your... It could be mobile phones. The mobile phones would have to have the software
loaded. So there is work that would have to be done. And then for wireline originations
or wireline spoof numbers, there would have to be work there, probably done by the carrier
to provide a response instead of the actual person at the called number. Anyway, back to
the strengths and weaknesses. Strengths is easy and fun. Weaknesses, there's too many.
But I'll just say that the two favorite strengths are that STIR/SHAKEN establishes a working
foundation for doing call authentication. And that's a major accomplishment. And to
defend the FCC a little bit, I'll mention that they had a law that was written by Congress
that said, you have to go out and you have to go put this into the network. So they did
it. The work that went on, there was also an FCC Robocall Strike Force, lots of people
invited to talk. There were industry experts. That was in 2016. One of the working groups
was a call authentication working group where we talked about STIR/SHAKEN. And one of the
comments that I made was, if you want the carriers to implement this technology, which
is complex and brittle, you're probably going to need a mandate because I don't obviously
see how we can monetize this. So if we don't have a mandate, I don't know that you'll get
a voluntary implementation. And that might be a problem for Brazil as well. The second
thing, the major strength that I like is the way that, and this is funny because it goes
to Feng's comment about trusted third party, and I agree with everything that he said,
but since STIR/SHAKEN is based on a trusted third party, the way that the certificates
are issued between a policy administrator that registers and vets the service provider,
the service provider themselves, and the certification authority, there are cryptographic tokens
that operate in that environment to make sure that only vetted verified identities get the
certificates they need. And I see we're out of time, so. No, we're not out of time. We've
got another half hour, Pierce. Oh, okay, good. Well, then I'll talk for the rest of the half
hour. We're good. The weaknesses, the number one weakness in my mind on STIR/SHAKEN was
the reliance or the dependence on the telephone number as the source of identity. I think
a telephone number is a horrible source of identity. When you go to a customs officer
or a transportation, whatever, the TSA, when you're trying to get onto an airplane, they
don't ever ask you for your telephone number. That's not the source of identity that they're
looking for. They want something that's more reliable, something with a picture, something
that's issued by a government. So trying to use the telephone number as the source of
identity is just miserable, and so that's a major weakness in my mind. The second weakness
that I decided I wanted to tell you about is that using the trusted third parties to
issue those certificates, I don't like the restriction that makes those certificates
only available to direct access to those certificates to service providers and toll-free number
administrators that we call RespOrgs or responsible organizations. I think that similar
to the Brazil example that the authentication ought to happen from the telemarketers themselves,
both the legal ones so that their calls can be protected and the illegal ones so that
we can see their identity in the call and have that information to understand over time
that you're causing illegal calls and label the calls or perhaps block the calls. I'm
not a big fan of blocking, but at least labeling. And also turn them over into enforcement.
That identity information, the whole idea behind STIR/SHAKEN was to get identity information
in the call so that you could know where those calls came from and you could address the
issue of originating illegal calls. Yeah. So I'll just say that's the second weakness
is that the certificates are only constrained to service providers and RespOrgs and it
should not be that way. Now there is a thing called delegate certificates that can be given
to service providers, but that's a whole nother mess. It would take another 30 minutes to
go through why that's got problems. So I'm going to say that that second weakness is
that there isn't direct access to certificates that are on the same level as a service provider
certificate with the exception that enterprises, agencies, people that are not service providers
should not do SHAKEN signatures. They should do, I think, rich call data signatures. And
so I'll, I'll stop there. I think you have more questions. So, Oh, there's, there's so
much we're going to be talking about. That's why we're, that's why we're running the show
extra long today with three great guests. We needed to allow more time to hear all the
opinions here and forgive me when I hear your wonderful insights, Pierce, the word that
comes to my mind more than any other when STIR/SHAKEN is discussed, it's not the kinds
of things that people tend to want to talk about with STIR/SHAKEN. I hear the word bureaucracy.
That's the thought in my mind is that we have this, you know, it's not just that it's complex
and so that it is a big drain of resources to oversee this infrastructure. And that's
why I like what Feng says in comparison, because I know, I appreciate you're going
to point out technical issues and technical drawbacks, whatever. And that's true, but
what he offers in comparison is so simple in comparison to what STIR/SHAKEN is. And
I think that's why, and that's why I want to bring Lee in here because you've already
started also mentioning the Brazil example of this Brazilian variant that we now have
a digital signature. So Lee, you're a fraud expert. You deal with the anti-scam side of
things in the countries where you work around the world. I think though that there's a fundamental
problem here, and I hope that this show is addressing it. There's a fundamental problem
here, which is that most people in your shoes, working for telcos around the world, they're
not receiving any advice, any guidance, any alternative points of view. Really the only
thing that they're getting read from is the script from the laws that are passed in the
USA. As if, if you put something into law somewhere, then the technology that follows
as a result of that law is the right technology. And it's not just technology. The method is
the right method. Are you surprised? Are you aware of what's going on in places like Brazil,
when Pierce talks about putting the emphasis on the telemarketers applying the signature,
which is a very radically different way, but I find a very attractive way different. Are
you familiar with the possibility of just using the handsets themselves, having a callback
process? To what extent does the fraud managers and specialists in this field even get any
awareness of these topics in other countries? Yeah, I mean, that's a very good question,
Eric. I mean, robocalling isn't a big issue for us in the Middle East. It does go on,
but it's not to the scale of what it is in the US or Brazil. Now, to be honest, I don't
know much about STIR/SHAKEN because it doesn't impact me, although it's likely to impact
me at some point in the future. So my question to Pierce would be, you know, I'm over in
the Middle East, what would I need to do to get, you know, to get a call into the US,
which has a certain certificate? What are the type of things which I would have to do
to achieve that? Well, it's a good question. And I just want to say that I really liked
a number of things that Feng said, and this I'm going to get to an answer here. One of
them is he said he doesn't like the trusted third party concept. And he mentioned that
the trusted third party that's used for STIR/SHAKEN call authentication is a certification authority
or in the US we have, I think there's 10 now certification authorities. And he mentioned
that a call into the Mideast, the Mideast service providers would have to have access
to the root level certificates of each of those 10 certification authorities. And they
would have to agree that they were a trusted third party and that they would verify calls
based on a certificate chain, a certificate path that led up to those certification authorities.
And he said that that could be a problem. He gave the example of China and US. And he
is 100% correct. And I'll tell you, Feng, what you said almost word for word was actually
repeated in a working group of the FCC called the Call Authentication Trust Anchor Working
Group. The very first time that group was put together, it's had three iterations, was
to talk about the STI framework, the Secure Telephone Identity Framework, and how that
should be based on a framework of governance authority, policy administrator, certification
authorities. And what you said came up in those series of meetings. And the comment
that I use, because there's a term that was used for it, this was a problem for the web
as well, is they call those untrusted trusted third parties rogue certification authorities.
And so what was built to fix that is what I call a good old boys club. So in the US
at least, we have what's called the CA/Browser Forum. Sometimes it's just called the
CAB Forum for short. And that is the major developers of browser application software
getting with the major certification authorities and agreeing on whose root level certificates
will be trusted and loaded into those browsers. And so his problem that he described is exactly
correct. And that is going to be a problem if we continue down this path for international
STIR/SHAKEN. He's 100% correct. And I'll be talking about both sides of my face when I
say I said the second weakness I wanted to talk about was this lack of certificates being
able to be given to telemarketers, especially so that they could authenticate their own
calls. Ideally, we would find a way to get away from certificates. And so I've been focusing
time at the ATIS, you mentioned ATIS before, their Enterprise Identity Distributed Ledger
Technology Working Group, it's a mouthful, the EIDLT, where the focus there, the chair
Ian Deacon has spent a lot of time going over the work from the World Wide Web Consortium,
the W3C, on how to develop verifiable credentials, verifiable presentations, based on the concepts
of self sovereign identity. And what I liked about Feng's challenge response mechanism
is that fits perfectly with the concept of mutual authentication. And I do think that
that's an eventual... That has to be a goal of the work that we're doing with call authentication,
whether it's based on STIR/SHAKEN, or it's based on verifiable credentials, however we
go about this. Now, I lean towards verifiable credentials. I would like to get away from
X.509 security certificates, but it's an established entrenched system at this point. And it's
the law in two out of the three countries, Canada adopted it on... The regulator adopted
it on their own, but in France, in the US, there were laws that required the regulators
and the service providers to implement the technology. So to answer Lee's question, what
you would have to do is have a certification authority in the Mideast that was accepted
by the service providers in the US, and they would have to issue certificates to those
service providers. And so when the call came over, they would have the root level certificate
of the Mideast certification authority loaded into the verification server, and they would
be able to verify the call and give it the green check mark.
Sounds impossible. Sorry.
Just one follow up question there. Technically, would we need to do anything technically?
You mentioned work with the certification providers. Is there anything technically that
we would have to do? Ask the question again. I don't think I understood
it.
So you mentioned that it's about this certification process, but actually, is there anything technically
we would have to implement, say, at the signaling level on our side?
Oh, yes, absolutely. There is a whole bunch of standards written by ATIS and by the IETF
STIR working groups, that's why it's called STIR/SHAKEN, that describe the technical details
associated with applying a call signature. Basically, STIR tells you, here's the format
of a signature, and the signature is a, if you're familiar with the term, JSON Web Token.
And then the certificates that carry the public key that could verify the signature is the
other part you would need to do. So the standards tell you to develop and deploy
what's called an authentication server, and it's built for SIP. It looks at the SIP invite,
the information within the SIP invite, picks out a few fields, the from, the to. There
are some other fields that get created for the signature. And there are multiple different
kinds of signatures. The one that we normally talk about is the SHAKEN signature, and that's
for a service provider to service provider call. There are also, I won't go into all
the different kinds of signature types. The signatures, they have a name, it's called
a Personal Assertion Token, and they call it a PASSporT for short. So you'd have to
learn the different PASSporTs, decide which ones you wanted to use. If you're really going
to use SHAKEN, you create the SHAKEN signature in a PASSporT, you drop it into a SIP Identity
header in the SIP INVITE, and you send it on its way. And within that Identity header,
there is a URL that tells you where to go download the X.509 security certificate chain
so that you can verify the signature that's in the PASSporT, in the JSON Web Token. Did
I answer your question?
Yes, it did, but I've just got one last very quick question. So it's looking like...
Hey, Lee, if you want free consulting, you can do it offline. I think I got to time you
out here, Lee. I'm glad you're enjoying the topic, but I think you're getting some free
consulting here for yourself, guys. Look, Pierce, I want to jump in here and ask you another
question because I'm getting the impression that you're very interested in what's sometimes
called international SHAKEN, Pierce. An international SHAKEN, for the want of a better description,
is how do you get people like Lee signed up to do this in another country to the cause
of being authenticated from country to country? Keep it simple, please. Has progress on international
SHAKEN gone as expected?
That's a good question. And I'm going to tell you, I think it's actually gone better than
what I personally expected. I did not anticipate that Canada on its own would just decide it
wanted STIR/SHAKEN. They actually issued their mandate ahead of the US law and the FCC mandates.
So those Canadians were... And they weren't goofing around, right? They just went right
after it. So that was interesting. I also didn't anticipate that France would adopt
STIR/SHAKEN. So I think from the perspective of not really anticipating anybody else would
look... I kind of assumed that the technologists would look at it and go, I see what you're
doing here. I see that it's an experiment. I think we'll wait and see how your experiment
goes. But that's not how it went. And part of that was because the FCC did take a very
active role in trying to promote international STIR/SHAKEN. So they did go talk to their
regulatory counterparts in other countries.
Let me jump in there, Pierce. Let me ask a more precise question. Given the years of
effort that's gone into STIR/SHAKEN, is the number of calls that are occurring between
countries that have a signature that is being authenticated at the termination, is that
number in line with your expectations?
That is a very specific question. France is in the middle of getting it up and going.
So the only other country you can talk about is Canada. And Canada is authenticating calls
that it sends into the United States. I shouldn't say Canada. I'll say Canada service providers
that support STIR/SHAKEN and use voice over IP, because not all of the communications
is voice over IP. A lot of it is still TDM. They are sending calls into the U.S. that
are signed and that are verified with certificates that were issued by the certification authorities
that have been authorized within Canada. And that's two right now. One of them is TransUnion,
better known as Neustar. And then the other one is Sansay. And it was originally
just Neustar. When I left T-Mobile a year ago, we were not verifying those calls. And
some of that has to do with, for one thing, T-Mobile is methodical about how they implemented
their STIR/SHAKEN stuff. They didn't just throw it in there and say it should be good
to go. Let's see how things roll. They worked with each of the major service providers to
set up testing ahead of time, tested the technology, got comfortable with it, felt good with it,
and then rolled it out into production. They wanted to follow that same process with Canadian
service providers. And they may have done it in the year in between. But as of last
year, no, those calls were not getting verified. Another part of it, though, was that this
goes back to the complication of all the certification authorities and the agreements between the
governance authorities that control the certification authorities that Feng talked about.
The policy administrator in the U.S. keeps a store of all of the root certificates for
all the approved certification authorities. And the PA is responsible for authorizing
those certification authorities. So the certification authorities have to submit what's called certification
practice statements. Those are looked at by a policy management administrator within the
policy authority. And then it's even passed over in the U.S. anyway to the governance
authority technical committee. So there's a lot of work that goes into whether or not
those certification authorities are okay.
I'm getting a sense of a lot of work. I'm not getting a sense of a lot of clarity on
how many calls are being signed and checked.
Fair enough. I don't know the answer. I no longer have a front row seat. I don't work
for T-Mobile anymore, so I don't know.
Is it a lot? Is it some? Surely, if they're being authenticated, we're now in a situation
where a Canadian business could say, here's bad calls coming from an American telco and
vice versa. Are we in that situation where that's not currently possible?
It's possible. I just don't think it's very common. I assume it is not common.
But this is the future we're heading towards though. That's the point is that we're going
to be in a future where it will be possible for one party in one country to literally
point the finger and say, that country over there, there's a telco and that country's
regulator isn't stopping them. But we're going to be aware that they're pushing bad traffic.
So we're going to pick them out. I think that's the aspect of STIR/SHAKEN that we sometimes
lose when we talk about the technology and being at the stage of rollout.
But actually, it's about what you do as a result of STIR/SHAKEN that's going to reduce
the number of spam calls and illegal calls. Feng, I want to bring you in here now. Now
you have a research grant. It's roughly a million pounds for the work that you've been
doing into your research. I know that you have been working as fast and as hard as you
can to develop a rigorous technology that stands up to scrutiny from your peers in the
academic community and also working with telcos to make sure that it works. Are you frustrated
that the UK's communications regulator Ofcom has seemingly ignored your work by issuing
a consultation on how to authenticate calls, which made no mention of your approach at
all, despite the fact that you have been to the British Parliament and told them about
the motives of your work? That's a very interesting question. Do I
feel frustrated? To be honest, no. I'm in the academia long enough that we learn to
be patient. The research takes time and this is quite a complex problem. We started looking
at this problem about two years ago. You need to have a good understanding of the problem
but also looking at the existing solutions to convince ourselves that we need a better
solution or the existing solutions don't work as expected. When you have a solution or intuition,
but also you need to make sure that your solution is actually feasible and to do that you need
to do implementation or prototyping. We have done that on the existing telecommunication
systems, SIP system, SS7 system. We also implemented prototypes on mobile phones, landline phones
and SIP phones to do all the experiments and get the performance measurement. Then we write
a paper and we still hope that this paper is going to pass the peer review process.
That is a standard practice in our community because you never know that you got everything
right or you missed something. That peer review process is really important but also takes
time. I'm happy to say that our paper has got favorable comments from our peer researchers
in the community. The paper is going to be published soon and we are going to make a
free copy of the paper available in the next few days. All this takes time and this Ofcom
consultation is quite recent. I think the timing is perfect. Currently, Ofcom
propose STIR/SHAKEN as the only solution. However, based on our research, two years of
research now, we are more comfortable to say STIR/SHAKEN is not the only solution. We
actually have alternatives, alternatives that potentially are far more cost effective than
STIR/SHAKEN, an alternative that doesn't really introduce a trusted third party. Of
course, as academic researchers, we work the research under our own constraints. So in
our research, we do prototyping by updating software on the end user's phones because
we don't have access to the telecommunication system. But as Pierce very rightly pointed
out, the best way to implement this is actually in the telecommunication cloud. Actually,
we have recently done that in collaboration with a UK based company called Chucor. The company
is specialized in nuisance calls. So they have access to the telecommunication cloud
and we have done a prototype between two mobile phones to the challenge response between the
two gateways in the cloud. So challenge response is actually performed in the cloud. That is
a lot faster than doing on the end phones. Still, we have a few seconds delay, but that
is only because this is a preliminary implementation and we are working on reducing the delay because
for challenge response, all you need to send the challenge is only four digit number. So
in principle, this can be done at the speed of light when you send this across IP network.
So potentially, this challenge response can be completed in a very fast manner, so potentially
under one second. And then if that is the case, then the whole solution can be practical.
So this is work we are working on. And yeah, we show that actually alternatives do exist
and we want to urge Ofcom to consider alternatives because there's not just STIR/SHAKEN.
And you don't have to introduce a trusted third party to solve this problem.
I think you make a case very well. I think I'm frustrated on your behalf, even if you're
not frustrated, perhaps being an academic, you're used to the vicissitudes of having
your research examined by others and the pace of progress. For me, I'm frustrated because
of the thought that a lot of money could be spent on implementing one approach. And then
it's very hard to go backtrack and then implement a second approach. So if your approach is
as beneficial, as successful, as efficient as you think it is, but maybe needs a little
bit more time to come to realisation, it will be a shame to be down one path and not be
able to reverse back and look at your approach again. So for me, my worry is that because
as Pierce has pointed out, progress has been made with STIR/SHAKEN in the USA, Canada, even
across international calls, there might be a more elegant solution we might ignore. But
I'll finish up with a question for Sathvik, if that's okay with everybody, I'm conscious
of time, we're very near the end of the show now. So Sathvik, just a couple of minutes
for you. But I think this is a vital question that kind of like caps off everything we've
said today. Again, thinking about regulators here, their tendency to look at the big picture
of harm that they're addressing, and not always break out the detail of the benefits of the
solutions that they mandate on the industry. And going back to the problem of distinguishing
between a legal call and an illegal call and all the rest of it. If I was to give you,
as one of the foremost researchers in this area, an unlimited budget, don't go crazy,
but on a limited budget, okay. And I said to you, how would you measure, measure with
a degree of confidence and accuracy, the amount of harm being caused by illegal robo calls
in the USA or another country, and then could measure whether that harm was going up or
down over time? How would you go about doing that?
Great question. I think more broadly, we constantly see changes in these ecosystems, right? And
especially when there are good and bad actors, that's common. And when you talk about measuring,
something we observed in our own research was how some of these really bad operations
are extremely targeted now, because the barrier to entry, even to clone voice or synthesize
voice is becoming so low, that it makes sense to be more targeted instead of targeting a
broad range of population, right? So if I have a lot of budget, I think, you know, what,
what I would focus on is building better techniques and systems that will empower the stakeholders
that are on the good side of things, right? Because there are so many things that are
happening that enables scammers to continue operating, and we don't have those resources
to keep up with them. So this is what are the other elements of that silver bullet that,
you know, that doesn't exist, right? So it could be tapping into the advances in applied
machine learning or natural language processing, and bringing that diverse views into the telco
ecosystem, right? How can we build tools that are reliable, practical, and have high accuracy?
And how can we deploy that and share the things that we can extract with other stakeholders?
So these are like broad visions, I would say. And I think some of the work that we are exploring
is in that direction, where we distill insights from audio recordings and do that reliably.
And that can be shared with other entities, right? And you can analyze millions of robocalls
using some of the work that we have done. So I hope, as a community, trying to protect
phone users from these really bad and annoying robocalls, we inch more towards that direction.
Well, I think we're going to continue the conversation after this show has ended, Sathvik,
because I can certainly see ways that we might work together in future on that particular
point. But we're running out of time. I'm very, very sorry. Thank you so much, all three
of my guests. I would have loved to have given you more time to talk to this audience. But
I think you've certainly given the audience that we have for this show plenty of food
for thought. And I hope that that is some sense of pleasure that you've been able to
engage the interest of the audience around the world. I'm sure there'll be lots of follow-up
calls. And if not, Lee Scargall will be wanting free consulting from all of you in the immediate
future. There's a bottomless pit of work that he'll give you for free if nobody else. So
thank you, everybody, for being on the show. We're out of time. Ed, Lee and I will return
next Wednesday for the final episode in the current season when there will be interviews
with two separate guests, Sarah Delphey, Vice President for Trust Solutions at Numeracle
and previously Director of Abuse and Risk Operations at Bandwidth. Sarah's going to
talk to us about Know Your Customer Checks and the Challenge of Managing Identity. And
Andrew Wong, COO of fintech business, SORAMITSU, will be discussing sharing intelligence
relating to scams. He'll be live on Wednesday, 7th June at 4pm UK, 6pm Saudi, 10am US Central.
Why not save the show to your diary by clicking on the link in the Communications Risk Show
webpage. Our next Wednesday's episode will be the last stream of this season, but not
the last of the Communications Risk Show, as we are already lining up guests for our
next season, which begins on Wednesday, August 23rd. We'll be back at the same time, back
on consecutive Wednesdays, 15 consecutive Wednesdays starting Wednesday, August 23rd.
So now would be a great time to subscribe to our schedule of upcoming broadcasts. So
when you have your holidays and you come back from your holidays, you're not wondering to
yourself when is the show back on or who the guests are. They'll be uploaded to your diary
automatically. Thanks again to today's guests, Professor Feng Hao of the University of Warwick,
Pierce Gorman, Distinguished Member of the Technical Staff at Numeracle, and Sathvik Prasad,
researcher at North Carolina State University. Thanks also to my co-presenters, Ed Finegold
and Lee Scargall for putting up with my obviously leading questions and deflecting them as best
as they can. And to the hardworking producers of this show, James Greenley and Matthew Carter.
That's all for episode 12 of the Communications Risk Show. I'm Eric Priezkalns. Remember to
visit the Communications Risk Show website, tv.commsrisk.com for recordings of every past show.
Keep reading commsrisk.com for the latest news and opinion about risks in the comms industry.
And go to the Risk and Assurance Group, riskandassurancegroup.org, for access to RAG's free services and content,
including the RAG Fraud Blockchain and RAG's risk catalogs. Thanks for watching today.
We'll see you next Wednesday.