Werner's Blog — Opinion, Analysis, Commentary
Stopping caller ID spoofing and phone scams

‘Phone scams defraud hundreds of Canadians every year. If it involves bitcoins, it's always an extortion scam.’

Most of us have experienced caller ID spoofing by scammers. A phone number or even a caller name shows up on your phone that looks like a local call or a government agency, but the caller is in fact a scammer using caller ID spoofing technology. Such calls range from nuisance to fraud, and the illegitimate spoofing of government agencies such as the CRA is becoming a nightmare for many unsuspecting victims. When someone tries to intimidate you on the phone into depositing money in a bitcoin machine, you know it's fraud. Unfortunately, many people still fall for these scams, which have been improving in sophistication. Rahul Kalvapalle of Global News reported in "Here's how to tell between a genuine CRA phone call and a scammer", citing a recent RCMP report, that 4,000 victims have reported losses of over $15.2 million from scams that impersonate representatives of the Canada Revenue Agency (CRA). In fact, the scammers sit outside Canada in call centres that are out of reach of Canadian law enforcement. The CRA is not the only government department being spoofed. As the CBC's Elizabeth Thompson reports today, "Scammers [are] spoofing more than a dozen federal government departments to defraud Canadians." A CBC Marketplace investigation tracked the scammers to a phone centre in Mumbai, India.

Stop Phone Scams

Will we see improvements after new CRTC rules go into effect that require telecom companies to switch to a new caller ID system by December 19, 2019? Calls with caller ID information that either exceeds 15 digits or does not conform to a number that can be dialed will be blocked before reaching your phone. The CRTC determined that calls where the caller ID presented to end-users does not conform with the North American Numbering Plan can be assumed to be nuisance calls because the non-conforming displayed number would be nonsensical and non-dialable in nature. The use of universal network-level call blocking for non-conforming numbers will ensure that all Canadians benefit from at least a minimal level of protection against nuisance calls.

Telephone subscribers in Canada and the United States have been fighting against robocalls increasingly with various anti-spam third-party apps such as Hiya and RoboKiller, which rely on real-time updates of databases of suspected robocallers. However, these apps typically require a subscription, and similar protection services from telecom companies require monthly fees. Why should subscribers have to pay for such apps and "premium services"?

‘STIR/SHAKEN could shake up the telecoms industry and finally provide strong caller authentication.’

Technology may provide a partial answer to the problem with a set of paired standards known as STIR (Secure Telephony Identity Revisited) and SHAKEN (Signature-based Handling of Asserted Information Using toKENs), which provide validation and accountability at the same time. How do they work? Essentially, they work much like the way your web browser handles secure communication using SSL certificates that can be validated by trust authorities. STIR/SHAKEN provides for three different methods of attestation. The originating service provider checks the call source and calling number to validate the calling number, then attaches an identity header that contains the calling number, called number, current timestamp, attestation level, and origination identifiers. The receiving phone service provider passes this header (or "token") to an independent verification service, which validates it. There are three levels of attestation, ranging from full attestation for phone calls originating with a registered subscriber, to partial attestation for telephone numbers behind an enterprise phone exchange, to gateway attestation from an international gateway. A more detailed description can be found in the TransNexus blog post "Understanding STIR/SHAKEN".
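As an added illustration (not part of the original post and not any provider's code), the sketch below builds and checks the identity token described above with Node's built-in crypto module, and shows that changing the calling number after signing makes verification fail. The claim names follow RFC 8225 and RFC 8588; the key pair, phone numbers, `origid`, certificate URL and 60-second freshness window are constructed assumptions, and a real verifier would take the public key from the signer's certificate after validating its chain.

```javascript
const crypto = require('node:crypto');

// Constructed key pair standing in for the key behind the originating provider's certificate.
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const b64 = (s) => Buffer.from(s).toString('base64url');

// Originating provider: attach the attestation level and sign header.payload with ES256.
function signIdentity({ from, to, attest, origid, iat }) {
  // Claim names per RFC 8225/8588; the x5u certificate URL is a placeholder.
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport', x5u: 'https://cert.example/sp.pem' };
  const claims = { attest, dest: { tn: [to] }, iat, orig: { tn: from }, origid };
  const input = `${b64(JSON.stringify(header))}.${b64(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}

// Verification service: check the signature, the token's age, and that it describes this call.
function verifyIdentity(token, call, now, key = publicKey) {
  const [h, p, s] = token.split('.');
  if (!h || !p || !s) return { ok: false, reason: 'malformed' };
  const sigOk = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!sigOk) return { ok: false, reason: 'bad-signature' };
  const c = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (Math.abs(now - c.iat) > 60) return { ok: false, reason: 'stale' }; // assumed 60 s window
  if (c.orig.tn !== call.from || c.dest.tn[0] !== call.to) return { ok: false, reason: 'number-mismatch' };
  return { ok: true, attest: c.attest }; // 'A' full, 'B' partial, 'C' gateway
}

// Demo helper: alter the calling number in a signed token without re-signing it.
function rewriteCaller(token, tn) {
  const [h, p, s] = token.split('.');
  const c = JSON.parse(Buffer.from(p, 'base64url').toString());
  c.orig.tn = tn;
  return `${h}.${b64(JSON.stringify(c))}.${s}`;
}

// Constructed call: fictional 555-01xx numbers and a fixed timestamp.
const iat = 1573144200;
const call = { from: '16045550123', to: '16045550188' };
const token = signIdentity({ ...call, attest: 'A', origid: 'constructed-origid-0001', iat });
console.log(verifyIdentity(token, call, iat + 5));
console.log(verifyIdentity(rewriteCaller(token, '16135550100'), { ...call, from: '16135550100' }, iat + 5));
```

The first result accepts the call with full attestation; the second is rejected because the signature no longer covers the rewritten calling number.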

Will STIR/SHAKEN come to Canada? The CRTC 2018-32 decision from 25 January 2018 asked Canadian telecommunications service providers (TSPs) to develop a call traceback process, and asked whether to mandate TSPs' participation in a call traceback process. However, phone companies expressed the view (as mentioned in the decision) that it is premature to deploy the STIR/SHAKEN technology, or to provide detailed comments on its operation and effectiveness, given that STIR/SHAKEN and the subordinate standards have yet to be finalized and incorporated into other industry organizations' standards. A more important caveat is that broad implementation of STIR/SHAKEN requires deployment worldwide, not just in Canada, in order to be effective. Inconsistent implementation could erode the benefit of deploying this technology. Yet many of the objections also amount to heel-dragging by TSPs that don't like the extra cost associated with STIR/SHAKEN. Close cooperation with the United States FCC and the International Telecommunication Union on standardization should see rapid progress, if TSPs put their full weight behind advancing this agenda. Some TSPs report progress: Telus is working with Neustar to develop STIR/SHAKEN software. While progress is being made, there is no clear path yet to implementing STIR/SHAKEN and no timeline has been announced by the CRTC.

While technology is still catching up and regulators are engaging telecom companies to improve caller identification technology, the best and cheapest defense is to turn your phone to "do not disturb" and let most calls go to voicemail. If it's a robocall, you've also trapped it and can report it more easily. And when no human responds, many robocallers simply hang up. Important callers, those on your contact list, still get through. Apple's latest iOS 13, for example, has an enhanced do-not-disturb feature that mutes all calls except those from "Favorites".

And for every phone call that you receive that sounds "officious", a healthy amount of skepticism and incredulity is always advised. If a CRA agent ever calls you, it is easy to verify that agent's identity by calling back CRA on their official inquiry line. And no government agency will ever ask you to make payments via bitcoins! If it involves bitcoins, it's an extortion scam.

Posted on Thursday, November 7, 2019 at 08:30 — #General | #Technology | #Canada
© 2019 Prof. Werner Antweiler, University of British Columbia. Contact me at: werner.antweiler@ubc.ca