Huw Saunders - NICC Standards
External presentation – for information and discussion
Nuisance calls – addressing consumer
harm through network technology
Huw Saunders
Director, Network Infrastructure
10 Nov 2016
Agenda
01 The problem – where are we now?
02 UK and International initiatives
03 What do we need from you?
04 Questions and discussion
Nuisance calls have grown in volume……
• 80% of UK consumers report receiving nuisance calls and volumes are again
increasing
• Many have spoofed CLI – deliberately malformed or a legitimate, but incorrect,
CLI, so as to disguise the caller’s identity and location
• Network traffic sampling suggests that overall call attempts from such sources
may be of the order of 4 billion per annum across all networks in the UK
• Most such calls are unsolicited live marketing calls or automated messages from
“lead generators”
– Little evidence to date of “Voice Denial of Service” attacks seen in North
America
• Calls create significant consumer concern and undermine trust
Nature of some calls is becoming more
overtly criminal….
• The majority of nuisance calls are relatively innocuous focussing on “lead
generation” and, increasingly, stimulation of call back revenue
• However, in an increasing number of cases there is a clear aim to defraud
through “social engineering” (using faked CLI, for example for the consumer’s
bank, to gain trust). Such “vishing” techniques have replaced “courier fraud”
as a focus of criminal activity as a result of co-ordinated industry action to
reduce the “Called Party Held” duration that is necessary for that scam to work
• Both general “nuisance” and “vishing” calls represent clear breaches of
regulation and law and coordinated action is being taken by Ofcom and ICO.
We are restricted to our regulatory remit so law enforcement have to take the
lead in the case of fraud (Project Falcon etc) but we are liaising with them and
the anti-fraud organisations
• The problem is international in scope, both in terms of impact and sources of
problem traffic – cooperation with US FTC/FCC, Canadian CRTC, Australian
and Indian authorities is already in place
Current mitigation approaches
• NICC were asked to aid our regulatory actions through the agreement of cross
industry processes and revised CLI technical guidelines
• Aim to stop Nuisance Calls at source: Requires an agreed call tracing
process and appropriate action when the source has been identified – NICC
ND1437 delivered, tested and now in BAU use by Ofcom and the ICO, with a
number of successful outcomes in nuisance calls cases but seems unlikely to
be effective against most fraudsters
• Use clear regulatory guidelines on CLI to identify calls which are
problematic: NICC have produced revised rules dealing with VoIP and VoIP
to SS7 transition (ND1016)
• Reviewing that our CLI Guidelines (ND1016 + Ofcom policy) are fit for purpose
in the VoIP age and that CPs police best practice through commercial
agreements, potentially allowing the most egregious originators of spoofed CLI
nuisance calls traffic to be discouraged. We will be consulting shortly.
Ofcom Industry Working Group
• Building on work that started in 2014, we wrote to the “top 10” consumer facing CP
CEOs in early 2015 seeking support for a collaborative approach to addressing the
nuisance calls problem. We received a very positive response with all CPs committing
resource to a Working Group that continues to meet monthly.
• Following a lot of discussion on options and priorities, in February we agreed and
published an MoU:
https://www.ofcom.org.uk/__data/assets/pdf_file/0026/31859/nuisance_calls-techmou.pdf
on the areas of collaboration and future deliverables to further mitigate the harm caused
to consumers
• CPs are now delivering on a number of key initiatives and we expect more action from
them over the next few months
• Ofcom continues to explore other ways to address the issue including seeking to exert
further control of number allocations by, for example, withdrawing numbers in the event
of misuse
MoU scope
1. Measurement and monitoring of problematic traffic
A monthly exercise which has enabled us to estimate the total volume of potential nuisance calls
on those networks – 22 million calls each day.
Measurement data informing Ofcom’s enforcement programme.
2. Operational measures for Stopping calls and/or Technical measures for Blocking calls
Stopping calls: Ofcom is working with BT on amendments to the Standard Interconnect
Agreement (SIA), to dis-incentivise and, ultimately, disconnect other CPs passing large amounts
of “unlawful” nuisance calls traffic, following which other CPs aim to amend their own interconnect
agreements.
Blocking calls: Based on agreed technical criteria CPs to block on a call-by-call basis. Unlawful
traffic will need to be defined by CPs and could include some of the technical characteristics used
for the monthly measurement exercise. These are malformed CLIs, PRS CLIs, very short calls
(<1s), short calls (1s to 3s), ratio of unanswered calls and calls with no CLI digits.
3. Best Practice Guidance for CPs on Stopping/Blocking calls
A document that sets out the criteria and steps for:
• Blocking/Stopping calls with PRS CLI (090, 091 & 098).
• Blocking/Stopping calls with malformed CLI
• Blocking calls as a result of GC20.3 notice from Ofcom
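An added example, not part of the original presentation: a sketch of how the technical characteristics listed under item 2 and the PRS ranges under item 3 could be applied to call records. The record fields, the sample data and the definition of a well-formed CLI are assumptions made for illustration.

```python
import re
from collections import defaultdict

PRS_PREFIXES = ("090", "091", "098")         # PRS ranges named on the slide
UK_NATIONAL = re.compile(r"0[1-9]\d{8,9}")   # assumption: 0 + 9 or 10 digits
E164_OTHER = re.compile(r"\+[1-9]\d{6,14}")  # assumption: non-UK E.164 number

def normalise(cli):
    """Strip separators and map +44/0044 onto the UK national 0 prefix."""
    cli = re.sub(r"[\s\-()]", "", cli or "")
    for prefix in ("+44", "0044"):
        if cli.startswith(prefix):
            return "0" + cli[len(prefix):]
    return cli

def classify(call):
    """Return the set of MoU characteristics one call record matches."""
    flags = set()
    cli = normalise(call["cli"])
    if not any(ch.isdigit() for ch in cli):
        flags.add("no_cli_digits")
    elif not (UK_NATIONAL.fullmatch(cli) or E164_OTHER.fullmatch(cli)):
        flags.add("malformed_cli")
    elif cli.startswith(PRS_PREFIXES):
        flags.add("prs_cli")
    # Assumption: the duration bands apply to answered calls only.
    if call["answered"] and call["duration_s"] < 1:
        flags.add("very_short")
    elif call["answered"] and call["duration_s"] <= 3:
        flags.add("short")
    return flags

def unanswered_ratio(calls):
    """Per-source share of call attempts that were never answered."""
    total, missed = defaultdict(int), defaultdict(int)
    for c in calls:
        total[c["source"]] += 1
        missed[c["source"]] += not c["answered"]
    return {s: missed[s] / total[s] for s in total}

# Constructed sample records, not real traffic.
SAMPLE = [
    {"source": "trunk-A", "cli": "+44 20 7946 0123", "answered": True, "duration_s": 42.0},
    {"source": "trunk-B", "cli": "0901 234 5678", "answered": True, "duration_s": 0.4},
    {"source": "trunk-B", "cli": "12345", "answered": False, "duration_s": 0.0},
    {"source": "trunk-B", "cli": "", "answered": False, "duration_s": 0.0},
    {"source": "trunk-B", "cli": "01632 960999", "answered": True, "duration_s": 2.5},
]

print([sorted(classify(c)) for c in SAMPLE], unanswered_ratio(SAMPLE))
```

A single flag on a single call is weak evidence; the per-source counts and the unanswered ratio are what would feed a stopping or blocking decision.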
Nuisance Calls - Technical Measures - CPs Roadmap – Overview
CPs: BT, Sky, Gamma, EE, Talk Talk, Virgin Media, KCom, Vodafone, Three and Telefonica/O2
[Roadmap chart. Timeline: 2016, 2017, 2018, 2019, 2020 onwards. Bands: Short to Medium term measures; Long term measures. Chart labels: Review; Authentication; Assurance – creating the “zone of trust”; CP already have such measures in operation]
• Monthly technical measurement by CPs of potential nuisance calls
– CPs commenced in June 2015 - Ongoing
• Implementing call blocking measures e.g. calls from malformed CLIs
– CPs looking into feasibility on legacy systems
– CPs building technical capability into new IP networks.
• Implementing call stopping measures: (1) calls from PRS numbers (090, 091 & 098), (2) very short calls < 1s, (3) malformed CLIs
– CPs reviewing their existing inter-connect agreements with an intent to incorporate such conditions by 2017
• Customer nuisance call management
– CPs exploring CPE solutions
• Improving intelligence on suspected nuisance calls and types of nuisance calls
– CPs continue to monitor their customer complaints & network for bad traffic to improve their intelligence and take action.
• Improving CLI Accuracy – Review of Ofcom’s CLI Guidelines
– Ofcom to consult and publish Statement
• CLI authentication – Network Standards programme (Early UK implementation; IETF/STIR Global implementation)
– Monitor IETF and other standards bodies progress to inform development of work programme to deliver early UK implementation
– Potential implementation
What next?
• Blocking is only a mitigation, not a solution – determined “bad actors” can switch to
other, legitimate number ranges too easily at the moment, although this is something
Ofcom is seeking to address
• Policing nuisance call traffic via interconnect agreement based “stopping” may be more
successful in the longer term against the high volume call originators but, given the large
numbers of CPs active in the transit space, may prove difficult to apply effectively and is
also unlikely to be successful against low volume/high impact fraud vector calls
• More fundamentally, CLI spoofing is so technically trivial that it allows a practically
unlimited opportunity to obfuscate the origin of calls
• The key task in the longer term must be to re-establish “trust” in CLI – the called party
must be able to rely on the asserted identity and on its being usable to trace the caller if
any harm is caused
• This needs to happen in parallel with the “PSTN switch-off” and move to an “All IP” world
of SIP, VoLTE etc
Technical standards are being developed to
verify CLIs but implementation will be protracted
• This problem is international in scope and requires international resolution on a technical
level – key leadership being given by former (and future!) US FCC CTO, Henning
Schulzrinne, one of the original authors of SIP
• The IETF has picked up the gauntlet:
– Its STIR Working Group has been seeking to apply existing internet
authentication/authorisation principles to phone numbers
– This is possible because the assignment of E.164 phone numbers by national
authorities is hierarchical, allowing the creation of definitive number allocation
databases by regional or national bodies
• STIR standardisation is now just about complete and we now need to address how and
when it could be implemented in the UK and what other “standards” are needed to
support and enable this
• HOWEVER….STIR is only directly applicable to SIP and it is hard to see how anything
can be done to improve the position for legacy PSTN users during the likely protracted
period of transition over the next 5 to 7 years
Securing VoIP: STIR and RPKI in practice
We may be able to implement a national
solution that could deliver real benefits
• If Ofcom were successful in getting most or all UK network operators, including smaller
“VoIP only” operators, on board with a validation scheme, it might be possible to
validate at least UK numbers with moderate confidence
• A UK-only solution might have substantial effect if supported not only by networks but
also by consumer education and perhaps by intelligent handset or network screening
software
• Conversely contractual mechanisms could be used to enforce a more prescriptive
regulatory position on trusted CLI
– Failure to use STIR based authentication or provide equivalent assurance could
lead to refusal to carry traffic or termination of interconnect
• Ofcom could encourage support for a collaborative industry approach on adoption, but
may need to consider intervention if progress is slow – we now need to assess
feasibility and timetable and are likely to consult during early 2017, but we think
it could take 3 years+ for implementation.
• Clearly major UK CPs, the NICC and key systems vendors will have a critical role in
this process.
What else should we do?
• The ultimate aim is to re-create the old PSTN “Zone of Trust” – consumers can
trust CLI because the CPs trust each other and “control” who callers claim they
are
• STIR addresses this issue for SIP but how do we deal with legacy TDM
systems and traffic from non UK networks?
• How do we go about signalling CLI status (“trusted”, “untrusted”, etc) to the
consumer in an easily understood way?
• Is there anything in the US FCC Robocall Strike Force programme and output
published on the 26th October that’s relevant in the UK? It does address both
STIR implementation and the issues noted above. Rich Shockey should be
able to give us some guidance into how we can tap into this work:
https://transition.fcc.gov/cgb/Robocall-Strike-Force-Final-Report.pdf
What do we need from you?
Key questions:
• How do we go about implementing STIR?
• What else can we do to help re-establish CLI as a reliable indicator of
caller identity?
• How do we get effective insight/involvement in the US work in ATIS
etc?
Key requests:
• Can NICC put STIR into the existing SIP work programme?
• Can the existing CLI Study Group pick up the other “CLI Trust”
activities?
Questions and Discussion