Security
Headlines
HeadlinesLatestCVEs

Headline

Here’s Why You’re Still Stuck in Robocall Hell

Despite major progress fighting spam and scams, the roots of the problem go far deeper than your phone company’s defenses.

Wired
#mac#cisco#git#intel#auth

There’s a good reason you’re still afraid to answer your phone when an unknown number pops up.

For years, the telecommunications industry has been trying to curb robocalls, the frustrating and potentially dangerous spam calls that try to scam anyone who picks up the phone. But even after significant milestones in defense—including the introduction of two telecom protocols that cryptographically authenticate the source of calls—you’re probably still getting spammy calls that drive you nuts. In spite of the setbacks, though, researchers say they’ve seen real progress on reducing spam calls in the United States, and there’s potential for even more improvement.

At the RSA Conference in San Francisco last week, Josh Bercu of the trade association USTelecom and Gary Warner, director of intelligence at the security firm DarkTower, presented findings on progress squashing robocalls and the illegal call centers they emanate from, which are predominantly located in India. And they dug into the frustrating reality that the issue is far from solved.

“I think it’s not going well at all!” Warner tells WIRED. “And people understandably wonder why the carriers don’t just block spam calls. But if you’re AT&T or Verizon or T-Mobile or whoever, it’s not in your purview to decide which conversations people are allowed to have. I don’t think people want to be in that surveillance state where carriers are in a position of deciding what is an acceptable conversation for Americans to have.”

That doesn’t mean the carriers haven’t stepped up their blocking when they see enough evidence that a call has a suspicious provenance. But USTelecom’s Bercu notes that deciding how bold to be about blocking is a delicate issue that each phone company handles differently.

“As providers have gotten more aggressive blocking or labeling suspicious calls, they’ve taken on more risk that they’ll mis-block or mislabel a legitimate call,” he says. “Maybe it really was a call from the bank or the pharmacy. There is some delicate balancing that providers have to do, and some are more aggressive than others.”

Bercu adds, too, that different carriers work with different analytics services to identify suspicious call activity. This can create situations where, as trends in robocalling techniques evolve and spammers use different strategies to bounce calls around international networks, some analytics services may be better at catching certain behavior than others.

Bercu is also executive director of the Industry Traceback Group, a neutral entity under USTelecom designated by the Federal Communications Commission to promote intelligence-sharing to trace the source of illegal robocalls and promote collaboration between carriers. The idea is to look at how robocalls circumvent existing technical defenses, identify networks where these protections haven’t been fully implemented, and work with providers to adopt stronger safeguards.

Ultimately, though, DarkTower’s Warner says that as with other digital criminal industries like email spam, business email compromise, and even ransomware, the key to limiting robocalling is to make it more difficult for scammers to operate at every level of their business. This means making it harder for them to route their calls, but also harder to recruit call agents and purchase lead lists—curated collections that claim to contain the phone numbers of targets like elderly people or people with medical issues.

It also means targeting spammers’ methods for laundering money. The financial sector has already done work in this area by putting flags on potentially suspicious gift cards, but scammers have found ways around this simply by requiring that victims send them a photo of their receipt for the gift card along with the card number itself. This way they can file claims that seem to show that they legitimately purchased and own the gift card. This takes time, though, and scammers have also developed laundering techniques in which they lean on money mule networks in the US or wherever they are operating and have mules open checking accounts where victims can wire money. They then quickly move the money out of the accounts using apps like Zelle, Venmo, or Cash App.

“The key is getting more people to understand the problem who can deny infrastructure to these actors, like communication platforms, financial institutions, telecoms, everyone together,” Warner says. "Denying the ability for criminals to communicate and coordinate—I think that is probably our most actionable path forward.”

He adds, too, that while the Indian government has struggled to meaningfully address the issue, Indian law enforcement has significantly ramped up arrests related to illegal call centers. But even arresting more than a dozen people a week won’t curb the problem when there are estimated to be tens of thousands of people working on illegal robocalling scams in India alone.

YouMail, the blocking company that has reported estimated robocall volumes in the US for years, found that Americans received just under 4 billion robocalls in May, down from 4.74 billion in May 2019. In general, the company’s stats underscore both improvement in the total volume of robocalls and the reality that numbers are still extremely high.

“The only way we could ensure that we never get any robocalls ever would be that we don’t have phone calls at all,” USTelecom’s Bercu says. “When you can receive calls, you’re opening up your network to someone else. So that’s why I increasingly like to think about the problem the same way you would think about other cybersecurity issues. Every provider needs to do due diligence, and we need accountability—but also collaboration.”

Wired: Latest News

Bitfinex Hacker Gets 5 Years for $10 Billion Bitcoin Heist