Making a difference when it comes to fraud prevention

Where Communication Professionals Go to Know

Why Digital Signatures Won’t Stop Call Spoofing

by | Jan 25, 2022 | News | 0 comments

By AB Handshake

A well-established school of thought in the telecommunications industry holds that signature-driven technology is necessary for stopping CLI Spoofing. The US federal government even recently adopted the STIR/SHAKEN protocol as a mandate for domestic networks, which is based on this technology.  

However, the telecommunications industry will risk spending immense time and resources by following this path forward. While signature-driven technology is complex and lacks effectiveness, the out-of-band alternative based on cross-validation of call details is lean, 100% effective and cost-efficient. 

To understand this situation, we first must clarify the key shortcomings of signature-driven technology. 

Shortcomings of Linking Calls to Digital Signatures

To better understand how digital signatures come up short in preventing CLI Spoofing, we need to understand its shortcomings, inefficiencies and costs. We’ll then look at how technology based on call–validation has already solved each of these problems.

The first problem isn’t a shortcoming, but an inaccurate belief that is propelling the development of signature-driven technology.

Problem #1 – Belief that digital signatures are a necessity

The first and most important issue is a belief that some fraud experts uphold – that all anti-spoofing solutions must link every call to a digital signature, as happens with STIR/SHAKEN. 

Using a signature is a design decision, so there are technical reasons for using this technology, but creating and managing unique signatures greatly increases the cost and complexity of the technology. 

Call Validation – No signatures, more effective

The lightness and efficiency of the technology behind call validation is the most essential advantage of this solution. Call–validation avoids the complex headaches of using digital signatures by using a direct real-time out-of-band confirmation. As a result, the A and B networks validate the origin and destination of each call as it is being set up. It’s overall a much simpler, and effective system.

Networks that implement call validation use commodity servers as call registries that record basic information about every call the network makes and receives. There is a real-time comparison between A-party and B-party registries when each new record is written. Any discrepancy is obvious, revealing a 100% accurate detection of fraud, without needing to link signatures to calls. 

The second problem is similar to the first. This is the inaccurate belief that SIP signaling (or SIP headers), through which signature-driven technology communicates, are necessary.

Problem #2 – Communicating via SIP signaling is necessary

The second problem is the belief that communicating the signatures in-band within SIP headers is less complex than the out-of-band method for communicating signatures. 

However, carrying the signature within SIP headers does, in fact, entail greater complications than the out-of-band approach. Before we expand on this point, it’s important to point out the second problem with using SIP signaling. 

The exchange of signatures within SIP headers is not only more complicated, but it guarantees that any current solution based on this technology will not be 100% accurate.

Even the supporters of STIR/SHAKEN acknowledge that spoofing won’t be stopped by a solution that only works on IP networks. Fraudulent calls can originate anywhere and there are a lot of non-IP networks in the world. The USA still has many. A large portion of fraudulent calls can’t be mitigated with in-band technology around the world. 

These two issues essentially have left the telecommunications industry in the same place it’s been in since this industry first came into existence – in a game of cat and mouse with fraudsters.

A Game of Cat and Mouse

Experts behind STIR/SHAKEN and other signature-driven technologies are forward-thinking – they understand the necessity of addressing the assumed shortcomings of this technology and theorizing on potential solutions. 

In fact, experts understand the benefits, and even the necessity, of out-of-band technology in the fight against CLI Spoofing. Today, they are developing out-of-band versions to STIR/SHAKEN. 

More specifically, they are working on ensuring the interoperability of signatures between in-band and out-of-band solutions because they don’t want to undermine the large investment that vendors and networks have already made in STIR/SHAKEN.

The result will be a costly, complex fraud management solution that may be more effective than its current version, though this remains to be seen. In any case, this technology and its future innovations will lack the efficiency, scalability and cost-effectiveness of call validation technology. 

Moreover, fraud management remains in practically the same state it’s been in since the beginning of telecommunications – in an endless game of cat and mouse. Due to the inaccuracy and complexities of signature-driven technology, experts are continuously devoting resources, budgets and time into advancing the solution, while the criminals continue penetrating the call chain via existing gaps and stealing profits.

Approaching telecom fraud in this way will cost the telecommunications industry great time, money and resources.

Call Validation – Fewer resources, greater efficiency

The great amount of time and resources being poured into signature-driven technology is based on the belief that it’s necessary. However, there would be no need to expend such effort if this wasn’t the case.

It turns out, this isn’t the case. The out-of-band technology of call validation does not rely on signatures, eliminates all of the above complexities and can be integrated with the default settings of any operator’s system around the world.

While some believe that developing such a solution isn’t possible, the experts behind call validation technology differ on this point. Cross-validation of call details (“call validation”) is that solution. 

Call validation has already been adopted by hundreds of operators in different countries around the world, validating traffic and detecting spoofed calls around-the-clock on their networks with 100% accuracy.

This situation begs the question: if an already suitable alternative exists, why did the USA adopt the STIR/SHAKEN protocol and mandate it across US networks? Unfortunately, as the US set out to establish a solution for stopping spoofed calls, various political motives, a sense of urgency and misinformation put signature-driven technology in focus. 

This brings us to the third drawback with signature-driven technology.

Problem #3 – Using digital signatures doesn’t address the global aspect of CLI Spoofing

The primary reason the US adopted STIR/SHAKEN is that the federal government was under the impression they had a national problem that could be addressed without securing international cooperation. 

However, many recognized this was wrong. Even during the US election, American voters received robocalls instructing them to stay home, with the USTelecom Industry Traceback Group revealing that they originated in Europe

While the FCC, the US telecommunications regulator, was right to take action, it was misinformed in terms of the sector of the industry. The US took a path that reflects the strong emotions of politicians and voters upset by robocalls.

Cost and International Cooperation Are Key to Stopping CLI Spoofing

Any solution for mitigating CLI Spoofing, or any other fraud scheme, must address the international aspect. This is because CLI Spoofers abuse call chains that involve multiple international operators over call chains, regardless of where the calls are terminated.

Focusing on the specific priorities of the USA meant overlooking the needs of other parties who are vital to the global telecommunications ecosystem, such as international wholesale carriers. These parties play a key role in the call chain and a fraud management solution that doesn’t consider their role will leave ‘gaps’ in the chain through which criminals can strike.

It also meant they gave too little consideration to developing a solution that would be affordable for every operator. The upfront investment in STIR/SHAKEN is high, even before consideration is given to the cost of upgrading from TDM to IP networks. A universal solution has a chance to succeed if it meets everyone’s requirements at a price they can all afford.

Call Validation Conveniently Integrates at a Low Cost

Call validation technology does not require any updates to the network and does not change any existing protocols. Integration is simple, fast and affordable. Operators choose to implement the call validation solution because it’s in their own interests to do so. This is why it’s being adopted at such an exponential rate. 

Additionally, nothing stops networks from also implementing STIR/SHAKEN if they would like, or if their government mandates it, but given the relative cost and speed of implementation, any operator with the choice is implementing the call validation solution. 

Final Words

The support for signature-driven solutions places emphasis on interoperability with STIR/SHAKEN and not enough emphasis on solving all the real problems that networks and consumers face in today’s world.

The internet has changed many aspects of our lives, and it is because of the internet that spoofing of phone numbers is now so common. It’s understandable that people would attempt to use internet technologies to fix problems created by internet technologies. 

However, voice networks have one feature that makes them special when compared to the way the internet works in general. All voice networks were designed with the knowledge that an operator would actively handle the call at each end, at the same time. 

Digital signatures are a good security solution if the recipient of a message wants to be able to authenticate it long after it was sent. They are less effective for stopping voice fraud because voice communications must be two-way and real-time. Call validation technology has the A-party and B-party networks performing their authentication process in parallel to the set-up of the voice call. 

This direct communication means there is no need to create, transmit or store signatures. 

Furthermore, call validation technology mirrors the long-established technology of voice networks, including the use of the E164 standard to look up the servers used for each network’s call registry. This makes call validation safe and effective without needing to be so complicated.

Call validation is not only cheaper and more effective, it also takes into account the global nature of CLI Spoofing and can stop it, completely. In turn, it not only effectively eliminates spoofed calls within one country, it makes it possible to do so on a global level.

Call Validation – An end to CLI Spoofing and all voice fraud

The technology around call validation, proposed by AB Handshake, was designed to solve the problem of CLI manipulation as well as prevent the worst kinds of voice frauds. 

The benefits of call validation not only apply to CLI Spoofing, it puts an end to Short Stopping, Call Stretching, Interconnect Bypass, PBX hacking and a variety of other fraud schemes that hurt operators. This makes it attractive to networks across every country around the world.

It solves a real problem in the lightest, most elegant way possible and is already in use by hundreds of operators in every country around the world. 

The technology is straightforward, robust and proven. Call validation is real. It’s working with real voice calls as we speak. The only thing that may prevent its success is confusion about how it works and what makes it the simplest way to prevent CLI Spoofing. 

Education and advocacy for call validation can save the telecommunications industry unnecessary costs and time and help end the nuisance of CLI spoofing, once and for all.

ABHandshake Logo

0 Comments

Submit a Comment

w

Contact Us

If you are interested in knowing more about membership, are a possible strategic partner wishing to collaborate, are looking at possible sponsorship opportunities or wanting to attend one of our events.  Please use a legitimate business email address when enquiring. Thank you.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.