ITU Workshop on “Caller ID Spoofing”
(Geneva, Switzerland, 2 June 2014)
The UK experience and approach to
damage mitigation
Huw Saunders,
Director, Network Infrastructure,
Ofcom
Huw.Saunders@Ofcom.gov.uk
Geneva, Switzerland, 2 June 2014
Outline
Nuisance calls and spoofed CLI –
metrics, motives and policy actions
Mitigating the risk through regulatory
and industry initiatives
The role of international collaboration
Longer term technical solutions and
implementation challenges
Geneva, Switzerland, 2 June 2014
2
CLI spoofing and nuisance calls in the
UK – the size of the problem
80%+ of UK consumers report regularly
receiving “nuisance calls” with some
getting 20+ weekly
Most such calls have spoofed CLI – either
deliberately malformed or using a genuine
CLI unconnected with the caller to
disguise their identity and location
Network traffic sampling suggests that
overall call attempts from such sources
may be of the order of 1 – 2 billion per
annum across all networks in the UK
Geneva, Switzerland, 2 June 2014
3
Motives, impact and policy responses
Most calls are unsolicited live marketing calls or
automated messages from “lead generators” –
little evidence to date of “Voice DDOS” problems
seen in North America
Calls create significant consumer concern and
undermine trust – some cases of exploitation for
fraud through “social engineering”
Clear breaches of regulation and law –
coordinated action being taken by Ofcom and
ICO, and a UK Government Action Plan was
announced by DCMS in March, 2014 https://www.gov.uk/government/news/nuisancecalls-action-plan-unveiled
Geneva, Switzerland, 2 June 2014
4
Short term mitigation
Aim to stop Nuisance Calls at source
Requires an agreed call tracing process
and appropriate action when the source has been
identified – NICC ND1437 –
http://www.niccstandards.org.uk/files/current/ND1437
V1.1.1.pdf - now in use by Ofcom
Use clear regulatory guidelines on CLI to
identify calls which are problematic
NICC producing revised rules dealing with VoIP and
VoIP to SS7 transition
Should allow national regulatory, commercial
interconnect and network based mitigation actions
Geneva, Switzerland, 2 June 2014
5
ND1437 tracing process
Stage 0
Basic data to trace call is assembled
• Ofcom obtains information required for a call trace from the terminating CP, e.g.
- Time of call, CLI of calling/called parties, presentation number, incoming route id,
CP contact number
Stage 1
Contact the CP hosting the calling CLI (i.e. the originating CP) for caller
information
• If CLI is missing/inaccurate, this step will definitely/probably fail
• Even with valid CLI, it may be international, subcontracted to a reseller, ported out,
misallocated – all of which may lead to failure of this step
Stage 2
Trace the call through the upstream networks
• This step occurs if Step 1 fails
Ofcom
8. Trace
Response
(identity of
caller)
Originating
CP
Stage 3
6
7. Trace
request
6. Trace
Response
(speak to
OCP)
Transit CP1
5. Trace
request
4. Trace
Response
(speak to
CP1)
1. Trace
request
3. Trace
request
Transit CP2
2. Trace
Response
(speak to
CP2)
Transit CP3
Obtain caller information from originating CP
• If this network CP is also retail CP, then customer identity = caller identity
• If there is a reseller then a further request(s) may be needed to obtain caller
identity
A sample trace
Example 2: 128
complaints about calls
using 039393939
CP1 asked to trace
Calls routed through CP2
via CP3 in UK who routed
calls
from CP4 in Vancouver
via a VoIP call centre in
Kolkota, India
who have been unwilling or
unable to say on whose
behalf the calls were being
made or why they were
made.
Geneva, Switzerland, 2 June 2014
7
The need for international
collaboration
Call tracing often requires international co-operation to be
successful – need for regulatory/administrative Code of
Practice?
Existing MoU between USA, Canada, Australia, UK etc
regulators complemented by London Action Plan and
M3AAWG initiatives to share best practice and take
effective action could form template
Standards bodies need to ensure they are responsive to
emerging problems and provide appropriate technical
framework
Problems may get worse as transition from legacy SS7
based “PSTN” to VoIP future through SIP, VoLTE and other
technologies is completed
Geneva, Switzerland, 2 June 2014
8
Longer term solutions?
Key enabler of the problem is the lack of control
over CLI in VoIP, particularly SIP, and the much
lower cost of call generation these technologies
have delivered.
Whilst greater regulatory clarity over acceptable
practice and effective enforcement will help, a
more systemic means of providing caller identity
assurance is needed
IETF STIR project seems to offer a promising
route to providing such assurance but many
issues need to be resolved both in the technical
domain and in ensuring rapid and effective
adoption
Geneva, Switzerland, 2 June 2014
9
Implementation issues
The existing E164 administration and allocation
processes will need to be integrated with any
identity certification methodology adopted
Such certification, RPKI based or otherwise, will
need to be encouraged if not mandated on an
international basis to have significant effect
Regulators and administrations have key roles in
ensuring and policing adoption but, ultimately,
wider telco and Internet “communications
community” needs to take collective ownership
Key test of governance over next 5 years+
Geneva, Switzerland, 2 June 2014
10
Conclusions and Recommendations
CLI spoofing
problem is growing
Current mitigations
unlikely to be fully
effective
Longer term
solutions will take
time
Implementation
will be complex
Geneva, Switzerland, 2 June 2014
International
cooperation and
collaboration must
be made more
effective
Implementation of
longer term
solutions needs to
be considered in
parallel to technical
work
11