Why can't mobile networks stop spoofed calls?

by @edent | 4 comments | Read ~152 times.

(Usual disclaimer - I used to work for Vodafone UK and Telefonica UK & maintain commercial interests in both. This is intended as a general discussion, not an in-depth investigation.)

I just received a scam call - you've probably had a few. A monotonic robot voice told me it was calling from HMRC - the UK tax authority - and there would soon be a warrant out for my arrest.

The phone number is suspiciously similar to the real HMRC number but, of course, it has been faked.

There are two main reasons why phone networks are so easily spoofed.

Firstly, there are legitimate reasons for spoofing a number. A large outbound-calls centre may want to display the phone number of their main office. Or a fleet of travelling sales reps may want any calls they make to look like they've come from a regional office. I'm sure you can add dozens of examples.

Being able to say "Please present a different number on my outbound calls" is a value-added feature which phone networks are keen to offer their paying customers.

The second, and slightly more depressing reason, is that phone networks were originally designed on "gentlemen's agreements". Phone companies were all large, professional organisations. They were trustworthy players in a market. At least, that's what they thought.

If Network A routed a call to Network B's customer - A told B what phone number to display. A knew their customers and had a billing relationship with them. B would charge A for the call, but didn't really care who actually placed the call.

This is similar to how the early Internet was designed. Anyone could advertise a faster interconnect route, anyone could send email with any headers they liked, anyone could look up your name from your web address.

Needless to say, the system was taken advantage of.

With the complex interconnect of national, international, and virtual telecoms providers, your phone company may not even know they're passing a spoofed call. Nor will they know the original number which is calling you.

There are all sorts of technical fixes for this. HMRC could publish a document saying "We own this phone number. The only networks allowed to spoof it are X and Y." Your telco would see an incoming call from network Z and refuse to deliver it.

(If you're familiar with Email, think SPF and DMARC.)

This technical fix exists! It is called, amusingly, STIR/SHAKEN.

There are several main problems with this.

The first is that phone networks are big and old. Trying to co-ordinate literally thousands of systems to make this work is hard. Especially when all those networks are competing with each other. It looks like the US networks might be regulated into implementing this - but no sign of anything in the UK.

Secondly, the risk of false positives is high. Do you want a call not to connect to you just because your phone provider thinks it is spam?

Thirdly, who is going to pay for it? Would you, as a customer, pay £3/month more for a "no spam" phone line? Or are network operators just expected to bear the cost?

Fourthly, does this place undue restriction on who can set up a call? Do I need to set up an expensive certificate just to place a call onto the network? Is that fair or reasonably priced?

Finally, are telcos responsible for the content they carry? Most countries treat them as common carriers and they are immune from prosecution for the messages they deliver. If someone calls you up and threatens to kill you, it is the caller who is criminally responsible - not the phone line provider.

All of this adds up to one big, international mess. And I don't see it being fixed any time soon.

4 thoughts on “Why can't mobile networks stop spoofed calls?

  1. dusoft says:

    ...and SMS as well. Many SMS gateways allow number customization (some even recently allowed characters instead numbers, so you could spoof contacts in contact list easily).

  2. Neil says:

    Although we don't have STIR/SHAKEN in the UK, when Ofcom most recently revised the rulebook governing the operation of communications services in the UK — the General Conditions of Entitlement — they changed the rules around the presentation of calling line identification, to impose tougher obligations on communications providers in an attempt to cut down on "spoof calls".

    Personally, I'm sceptical that this will achieve much, especially in the short term, but it is definitely something which is being looked at.

  3. sikander says:

    This is a big problem in Canada with calls originating from India pretending to be Canada Revenue Agency and tricking the elderly or immigrant families into thinking their account is delinquent and an arrest warrant will be issued against them: https://www.cbc.ca/news/world/national-cra-india-rcmp-scam-1.4883796


    Tech workers have fallen victim as well: https://www.cbc.ca/news/canada/british-columbia/vancouver-gift-card-scam-1.5400368

    Thankfully the government is finally getting involved: https://www.cbc.ca/news/technology/crtc-call-blocking-1.5401057

  4. Simon Hicks says:

    You can see the Ofcom proposals for the UK here https://www.ofcom.org.uk/__data/assets/pdf_file/0022/144265/first-consultation-promoting-trust-in-telephone-numbers.pdf
    No, it will not happen next week, but something is happening

Leave a Reply

Your email address will not be published. Required fields are marked *