External presentation – for information and discussion
Nuisance calls – addressing consumer harm through network technology
Huw Saunders
Director, Network Infrastructure
10 Nov 2016
Agenda
01 The problem – where are we now?
02 UK and International initiatives
03 What do we need from you?
04 Questions and discussion
Nuisance calls have grown in volume…
• 80% of UK consumers report receiving nuisance calls and volumes are again increasing
• Many have spoofed CLI – deliberately malformed or a legitimate, but incorrect, CLI, so as to disguise the caller's identity and location
• Network traffic sampling suggests that overall call attempts from such sources may be of the order of 4 billion per annum across all networks in the UK
• Most such calls are unsolicited live marketing calls or automated messages from “lead generators”
• Little evidence to date of the “Voice Denial of Service” attacks seen in North America
• Calls create significant consumer concern and undermine trust
Nature of some calls is becoming more overtly criminal…
• The majority of nuisance calls are relatively innocuous, focussing on “lead generation” and, increasingly, stimulation of call back revenue
• However, in an increasing number of cases there is a clear aim to defraud through “social engineering” (using faked CLI, for example for the consumer's bank, to gain trust). Such “vishing” techniques have replaced “courier fraud” as a focus of criminal activity as a result of co-ordinated industry action to reduce the “Called Party Held” duration that is necessary for that scam to work
• Both general “nuisance” and “vishing” calls represent clear breaches of regulation and law, and coordinated action is being taken by Ofcom and ICO. We are restricted to our regulatory remit so law enforcement have to take the lead in the case of fraud (Project Falcon etc) but we are liaising with them and the anti-fraud organisations
• The problem is international in scope, both in terms of impact and sources of problem traffic – cooperation with US FTC/FCC, Canadian CRTC, Australian and Indian authorities is already in place
Current mitigation approaches
• NICC were asked to aid our regulatory actions through the agreement of cross-industry processes and revised CLI technical guidelines
• Aim to stop nuisance calls at source: requires an agreed call tracing process and appropriate action when the source has been identified – NICC ND1437 delivered, tested and now in BAU use by Ofcom and the ICO, with a number of successful outcomes in nuisance calls cases, but it seems unlikely to be effective against most fraudsters
• Use clear regulatory guidelines on CLI to identify calls which are problematic: NICC have produced revised rules dealing with VoIP and VoIP to SS7 transition (ND1016)
• Reviewing our CLI Guidelines (ND1016 + Ofcom policy) to ensure they are fit for purpose in the VoIP age and that CPs police best practice through commercial agreements, potentially allowing the most egregious originators of spoofed CLI nuisance calls traffic to be discouraged. We will be consulting shortly.
Ofcom Industry Working Group
• Building on work that started in 2014, we wrote to the “top 10” consumer facing CP CEOs in early 2015 seeking support for a collaborative approach to addressing the nuisance calls problem. We received a very positive response with all CPs committing resource to a Working Group that continues to meet monthly.
• Following a lot of discussion on options and priorities, in February we agreed and published an MoU: https://www.ofcom.org.uk/__data/assets/pdf_file/0026/31859/nuisance_calls-tech-mou.pdf on the areas of collaboration and future deliverables to further mitigate the harm caused to consumers
• CPs are now delivering on a number of key initiatives and we expect more action from them over the next few months
• Ofcom continues to explore other ways to address the issue including seeking to exert further control of number allocations by, for example, withdrawing numbers in the event of misuse
MoU scope
1. Measurement and monitoring of problematic traffic
• A monthly exercise which has enabled us to estimate the total volume of potential nuisance calls on those networks – 22 million calls each day.
• Measurement data informing Ofcom’s enforcement programme.
2. Operational measures for Stopping calls and/or Technical measures for Blocking calls
• Stopping calls: Ofcom is working with BT on amendments to the Standard Interconnect Agreement (SIA), to dis-incentivise and, ultimately, disconnect other CPs passing large amounts of “unlawful” nuisance calls traffic, following which other CPs aim to amend their own interconnect agreements.
• Blocking calls: Based on agreed technical criteria, CPs to block on a call-by-call basis. Unlawful traffic will need to be defined by CPs and could include some of the technical characteristics used for the monthly measurement exercise. These are malformed CLIs, PRS CLIs, very short calls (<1s), short calls (1s to 3s), ratio of unanswered calls and calls with no CLI digits.
3. Best Practice Guidance for CPs on Stopping/Blocking calls
• A document that sets out the criteria and steps for:
  • Blocking/Stopping calls with PRS CLI (090, 091 & 098).
  • Blocking/Stopping calls with malformed CLI
  • Blocking calls as a result of GC20.3 notice from Ofcom
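
The measurement characteristics listed on this slide, applied to call records as flags for offline analysis. This is an added example, not code from the presentation or from any CP's systems. The record layout, the rule for what counts as a well-formed CLI and the unanswered-ratio threshold (80% over at least 5 attempts) are assumptions; the slide supplies only the category names, the duration bands and the PRS prefixes.

```python
import re
from collections import Counter

PRS_PREFIXES = ("090", "091", "098")  # PRS ranges named on the slide

def normalise(cli):
    """Strip separators; fold 00/+44 international forms into UK national format."""
    n = re.sub(r"[\s\-()]", "", cli or "")
    if n.startswith("00"):
        n = "+" + n[2:]
    return "0" + n[3:] if n.startswith("+44") else n

def cli_flags(cli):
    n = normalise(cli)
    if not n:
        return {"no_cli"}
    # Assumption: well-formed = UK national (0 + 9 or 10 more digits) or + and 8-15 digits
    if not re.fullmatch(r"0[1-9]\d{8,9}|\+[1-9]\d{7,14}", n):
        return {"malformed_cli"}
    return {"prs_cli"} if n.startswith(PRS_PREFIXES) else set()

def duration_flags(answered, seconds):
    if not answered:
        return set()
    if seconds < 1:
        return {"very_short"}          # slide: very short calls (<1s)
    return {"short"} if seconds <= 3 else set()  # slide: short calls (1s to 3s)

def analyse(cdrs, min_calls=5, max_unanswered=0.8):
    """Return per-call flags and the CLIs whose unanswered ratio is too high."""
    per_call, attempts, unanswered = [], Counter(), Counter()
    for cli, answered, seconds in cdrs:
        per_call.append((cli, sorted(cli_flags(cli) | duration_flags(answered, seconds))))
        key = normalise(cli)
        attempts[key] += 1
        unanswered[key] += not answered
    noisy = {k for k, n in attempts.items()
             if k and n >= min_calls and unanswered[k] / n >= max_unanswered}
    return per_call, noisy

SAMPLE_CDRS = [  # constructed records: (presented CLI, answered?, duration in seconds)
    ("+44 20 7946 0123", True, 185.0),
    ("0909 879 0001", True, 0.4),
    ("12345", True, 2.0),
    ("", False, 0.0),
] + [("07700 900555", False, 0.0)] * 5

if __name__ == "__main__":
    calls, sources = analyse(SAMPLE_CDRS)
    for cli, flags in calls:
        print(repr(cli), flags)
    print("high unanswered ratio:", sources)
```

A well-formed, in-range CLI passes every per-call check here even when it is spoofed, so only the per-source unanswered ratio catches the last sample source.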
Nuisance Calls - Technical Measures - CPs Roadmap – Overview
CPs: BT, Sky, Gamma, EE, Talk Talk, Virgin Media, KCom, Vodafone, Three and Telefonica/O2
[Roadmap chart. Timeline: 2016, 2017, 2018, 2019, 2020 onwards. Short to medium term measures, followed by long term measures.]
• Monthly technical measurement of potential nuisance calls: CPs commenced in June 2015 - ongoing review
• Implementing call blocking measures, e.g. calls from malformed CLIs: CPs already have such measures in operation; CPs looking into feasibility on legacy systems; CPs building technical capability into new IP networks
• Implementing call stopping measures: (1) calls from PRS numbers (090, 091 & 098), (2) very short calls < 1s, (3) malformed CLIs
• Assurance – creating the “zone of trust”: CPs reviewing their existing interconnect agreements with an intent to incorporate such conditions by 2017
• Customer nuisance call management: CPs exploring CPE solutions
• Improving intelligence on suspected nuisance calls and types of nuisance calls: CPs continue to monitor their customer complaints & network for bad traffic to improve their intelligence and take action
• Improving CLI accuracy – Review of Ofcom’s CLI Guidelines: Ofcom to consult and publish Statement
• CLI authentication – Network Standards programme: early UK implementation; IETF/STIR global implementation (potential implementation). Monitor IETF and other standards bodies' progress to inform development of work programme to deliver early UK implementation
What next?
• Blocking is only a mitigation, not a solution – determined “bad actors” can switch to other, legitimate number ranges too easily at the moment, although this is something Ofcom is seeking to address
• Policing nuisance call traffic via interconnect agreement based “stopping” may be more successful in the longer term against the high volume call originators but, given the large numbers of CPs active in the transit space, may prove difficult to apply effectively and is also unlikely to be successful against low volume/high impact fraud vector calls
• More fundamentally, CLI spoofing is so technically trivial that it allows a practically unlimited opportunity to obfuscate the origin of calls
• The key task in the longer term must be to re-establish “trust” in CLI – the called party must be able to rely on the asserted identity and on its being usable to trace the caller if any harm is caused
• This needs to happen in parallel with the “PSTN switch-off” and move to an “All IP” world of SIP, VoLTE etc
Technical standards are being developed to verify CLIs but implementation will be protracted
• This problem is international in scope and requires international resolution on a technical level – key leadership being given by former (and future!) US FCC CTO, Henning Schulzrinne, one of the original authors of SIP
• The IETF has picked up the gauntlet:
• Its STIR Working Group has been seeking to apply existing internet authentication/authorisation principles to phone numbers
• This is possible because the assignment of E.164 phone numbers by national authorities is hierarchical, allowing the creation of definitive number allocation databases by regional or national bodies
• STIR standardisation is now just about complete and we now need to address how and when it could be implemented in the UK and what other “standards” are needed to support and enable this
• HOWEVER… STIR is only directly applicable to SIP and it is hard to see how anything can be done to improve the position for legacy PSTN users during the likely protracted period of transition over the next 5 to 7 years
We may be able to implement a national solution that could deliver real benefits
• If Ofcom were successful in getting most or all UK network operators, including smaller “VoIP only” operators, on board with a validation scheme, it might be possible to validate at least UK numbers with moderate confidence
• A UK-only solution might have substantial effect if supported not only by networks but also by consumer education and perhaps by intelligent handset or network screening software
• Conversely, contractual mechanisms could be used to enforce a more prescriptive regulatory position on trusted CLI
• Failure to use STIR based authentication or provide equivalent assurance could lead to refusal to carry traffic or termination of interconnect
• Ofcom could encourage support for a collaborative industry approach on adoption, but may need to consider intervention if progress is slow – we now need to assess feasibility and timetable and are likely to consult during early 2017, but we think it could take 3 years+ for implementation.
• Clearly major UK CPs, the NICC and key systems vendors will have a critical role in this process.
What else should we do?
• The ultimate aim is to re-create the old PSTN “Zone of Trust” – consumers can trust CLI because the CPs trust each other and “control” who callers claim they are
• STIR addresses this issue for SIP but how do we deal with legacy TDM systems and traffic from non UK networks?
• How do we go about signalling CLI status (“trusted”, “untrusted”, etc) to the consumer in an easily understood way?
• Is there anything in the US FCC Robocall Strike Force programme and output published on the 26th October that’s relevant in the UK? It does address both STIR implementation and the issues noted above. Rich Shockey should be able to give us some guidance into how we can tap into this work: https://transition.fcc.gov/cgb/Robocall-Strike-Force-Final-Report.pdf
What do we need from you?
Key questions:
• How do we go about implementing STIR?
• What else can we do to help re-establish CLI as a reliable indicator of caller identity?
• How do we get effective insight/involvement in the US work in ATIS etc?
Key requests:
• Can NICC put STIR into the existing SIP work programme?
• Can the existing CLI Study Group pick up the other “CLI Trust” activities?