ITU Workshop on “Caller ID Spoofing” (Geneva, Switzerland, 2 June 2014)
The UK experience and approach to damage mitigation
Huw Saunders, Director, Network Infrastructure, Ofcom
Huw.Saunders@Ofcom.gov.uk
Outline
• Nuisance calls and spoofed CLI – metrics, motives and policy actions
• Mitigating the risk through regulatory and industry initiatives
• The role of international collaboration
• Longer term technical solutions and implementation challenges
CLI spoofing and nuisance calls in the UK – the size of the problem
• 80%+ of UK consumers report regularly receiving “nuisance calls”, with some getting 20+ weekly
• Most such calls have spoofed CLI – either deliberately malformed or using a genuine CLI unconnected with the caller to disguise their identity and location
• Network traffic sampling suggests that overall call attempts from such sources may be of the order of 1 – 2 billion per annum across all networks in the UK
Motives, impact and policy responses
• Most calls are unsolicited live marketing calls or automated messages from “lead generators” – little evidence to date of the “Voice DDOS” problems seen in North America
• Calls create significant consumer concern and undermine trust – some cases of exploitation for fraud through “social engineering”
• Clear breaches of regulation and law – coordinated action is being taken by Ofcom and ICO, and a UK Government Action Plan was announced by DCMS in March 2014: https://www.gov.uk/government/news/nuisance-calls-action-plan-unveiled
Short term mitigation
• Aim to stop Nuisance Calls at source
  • Requires an agreed call tracing process and appropriate action when the source has been identified – NICC ND1437 – http://www.niccstandards.org.uk/files/current/ND1437 V1.1.1.pdf – now in use by Ofcom
• Use clear regulatory guidelines on CLI to identify calls which are problematic
  • NICC producing revised rules dealing with VoIP and VoIP to SS7 transition
• Should allow national regulatory, commercial interconnect and network based mitigation actions
ND1437 tracing process
[Figure: sequence of trace requests and responses between Ofcom, Originating CP, Transit CP1, Transit CP2 and Transit CP3: 1. Trace request; 2. Trace Response (speak to CP2); 3. Trace request; 4. Trace Response (speak to CP1); 5. Trace request; 6. Trace Response (speak to OCP); 7. Trace request; 8. Trace Response (identity of caller)]
Stage 0: Basic data to trace call is assembled
• Ofcom obtains information required for a call trace from the terminating CP, e.g.
  • Time of call, CLI of calling/called parties, presentation number, incoming route id, CP contact number
Stage 1: Contact the CP hosting the calling CLI (i.e. the originating CP) for caller information
• If CLI is missing/inaccurate, this step will definitely/probably fail
• Even with valid CLI, it may be international, subcontracted to a reseller, ported out, misallocated – all of which may lead to failure of this step
Stage 2: Trace the call through the upstream networks
• This step occurs if Step 1 fails
Stage 3: Obtain caller information from originating CP
• If this network CP is also retail CP, then customer identity = caller identity
• If there is a reseller then a further request(s) may be needed to obtain caller identity
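The stages above, modelled as an added Python example (not part of the original slides or of ND1437 itself): Stage 1 fails because the presented CLI is spoofed, so the trace falls back to the hop-by-hop walk of Stages 2 and 3. The record layout, CP names, numbers and the incoming_route_cp field (the CP behind the incoming route id) are assumptions constructed for illustration.

```python
# Constructed sample data: CP names, numbers and identities are invented for illustration.
KEY = ("2014-06-02T10:15:00", "+442079460123")      # (time of call, called number)
RANGE_HOLDERS = {"+44161496": "RangeHolderCP"}      # CLI prefix -> CP hosting that range
# Each CP's call records: KEY -> (upstream CP the call came from, or None if this CP
# originated it; customer identity when this CP originated it).
CALL_RECORDS = {
    "Transit CP3": {KEY: ("Transit CP2", None)},
    "Transit CP2": {KEY: ("Transit CP1", None)},
    "Transit CP1": {KEY: ("Originating CP", None)},
    "Originating CP": {KEY: (None, "Example Leads Ltd")},
    "RangeHolderCP": {},    # hosts the presented CLI but never carried this call
}

def lookup(cp, trace):
    """One trace request/response pair: ask a CP for its record of this call."""
    return CALL_RECORDS.get(cp, {}).get((trace["time"], trace["called"]))

def stage1(trace):
    """Stage 1: ask the CP hosting the presented CLI for the caller."""
    holder = next((cp for prefix, cp in RANGE_HOLDERS.items()
                   if trace["cli"].startswith(prefix)), None)
    rec = lookup(holder, trace) if holder else None
    return rec[1] if rec and rec[0] is None else None

def stage2_3(trace, max_hops=10):
    """Stages 2-3: follow 'speak to <CP>' responses upstream to the originating CP."""
    cp, path = trace["incoming_route_cp"], []
    for _ in range(max_hops):       # bound the walk in case records form a loop
        path.append(cp)
        rec = lookup(cp, trace)
        if rec is None:             # CP has no record: the trail goes cold here
            return path, None
        upstream, caller = rec
        if upstream is None:        # this CP originated the call
            return path, caller
        cp = upstream
    return path, None

def trace_call(trace):
    caller = stage1(trace)
    if caller:
        return {"resolved_at": "stage 1", "path": [], "caller": caller}
    path, caller = stage2_3(trace)
    return {"resolved_at": "stage 3" if caller else "unresolved",
            "path": path, "caller": caller}

# Stage 0: data assembled from the terminating CP; the CLI presented here is spoofed.
SPOOFED = {"time": KEY[0], "called": KEY[1], "cli": "+441614960000",
           "incoming_route_cp": "Transit CP3"}
```

Each loop iteration corresponds to one request/response pair in the figure, so the sample trace takes four pairs (eight messages) to reach the caller identity.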
The need for international collaboration
• Call tracing often requires international co-operation to be successful – need for regulatory/administrative Code of Practice?
• Existing MoU between USA, Canada, Australia, UK etc. regulators, complemented by London Action Plan and M3AAWG initiatives to share best practice and take effective action, could form template
• Standards bodies need to ensure they are responsive to emerging problems and provide appropriate technical framework
• Problems may get worse as transition from legacy SS7 based “PSTN” to VoIP future through SIP, VoLTE and other technologies is completed
Longer term solutions?
• Key enabler of the problem is the lack of control over CLI in VoIP, particularly SIP, and the much lower cost of call generation these technologies have delivered
• Whilst greater regulatory clarity over acceptable practice and effective enforcement will help, a more systemic means of providing caller identity assurance is needed
• IETF STIR project seems to offer a promising route to providing such assurance, but many issues need to be resolved both in the technical domain and in ensuring rapid and effective adoption
Implementation issues
• The existing E.164 administration and allocation processes will need to be integrated with any identity certification methodology adopted
• Such certification, RPKI based or otherwise, will need to be encouraged if not mandated on an international basis to have significant effect
• Regulators and administrations have key roles in ensuring and policing adoption but, ultimately, wider telco and Internet “communications community” needs to take collective ownership
• Key test of governance over next 5 years+
Conclusions and Recommendations
• CLI spoofing problem is growing
• Current mitigations unlikely to be fully effective
• Longer term solutions will take time
• Implementation will be complex
• International cooperation and collaboration must be made more effective
• Implementation of longer term solutions needs to be considered in parallel to technical work