Editor’s Note: Adam Doupé is an assistant professor in the School of Computing, Informatics, and Decision Systems Engineering at Arizona State University. The opinions expressed in this commentary are his own.
Despite all the recent advances telecom companies have made to detect and block spam calls and authenticate callers, we are still several years away from a robocall-free future.
Without technology that can authenticate who a caller is, a spammer can change their caller ID to any number they want without being caught. Scammers often use something called neighbor spoofing, where they make it look like they’re calling from a phone number that has the same first five or six digits as your own. And, thanks to auto-dialers — which are incredibly easy to use — a spammer can automatically call a list of hundreds of numbers and deliver any voice content at the push of a single button. This can get sophisticated and employ modern AI techniques to make the call sound like a real human voice with the ability to adapt and respond to conversation. Or, it can be a pre-recorded message that eventually transfers the call to a human scammer once the victim has shown interest in whatever the caller is trying to interest them in.
Luckily, recent technological and legislative efforts to address the robocall scourge are promising. New technology, such as the SHAKEN/STIR protocols, promises to finally add authentication to caller ID, closing the technical loophole that enables spoofing.
SHAKEN/STIR allows the calling party’s telecom provider to attach a digital certificate to the call message so that the receiving party can verify that the caller is who the caller ID says it is.
Once authenticated caller ID is a reality, then anti-robocall apps that use caller ID will be much more effective. Furthermore, authenticated caller ID may finally put the trust back in the telephone system, so that when you receive a phone call from your bank’s phone number, you can be assured that it is actually your bank calling you.
The Federal Communications Commission wants all telecom companies to start using SHAKEN/STIR by the end of the year. AT&T and Comcast are among the first to adopt the technology for authenticated caller ID. While this represents an important first step, we will not realize the full potential of this technology until all carriers embrace it. That’s because there can only be an authenticated caller ID if the calling carrier and receiving carrier both support SHAKEN/STIR.
Efforts to increase the FCC’s power to combat robocalls and encourage authenticated caller ID will also help. A good example of this is the TRACED Act, which would give the FCC more time to investigate robocalls. In addition, the bill would require all telecom companies to start using SHAKEN/STIR within 18 months of the bill’s passing. The combined efforts will hopefully stem the robocall tide.
Though these efforts are likely to reduce the number of robocalls bombarding our phones every day, it’s unlikely they’ll be a cure-all. We just don’t know enough about the entire robocall ecosystem yet: where scammers collect the phone numbers, who the scammers are, where the calls are coming from, how scammers are making money, and who is falling victim to these scams. Without this basic roadmap, we cannot evaluate the effectiveness of our anti-robocall efforts. For instance, increasing legislative penalties might not be as effective if the bulk of scammers are operating outside US jurisdiction. Or, authenticated caller ID might not be as effective if victims are falling for scams without caller ID spoofing.
To help address these issues, there should be a concerted effort by public agencies such as the National Science Foundation to fund research into combating robocalls. With scientific study, we can better understand what makes for an effective phone scam and what causes victims to fall for them. We can look to the area of cybercrime in the mid to late 2000s to see the success of this strategy. Through funded projects, researchers were able to better understand many different areas of cybercrime: email spam, phishing, click fraud, identity theft, botnets and many more. The public and private sectors were then able to work together to address the root causes of these types of cybercrime.
Botnets, networks of bots that can hack and steal your information, offer a great example. The academic research community, after a number of studies, developed a taxonomy of botnets in 2007 and took over a botnet in 2009 without disabling it. This knowledge of botnet functionality eventually allowed the FBI to take down the GameOver Zeus Botnet in 2014 by targeting the command-and-control infrastructure, which the FBI says was responsible for more than $100 million in damages. The same strategy should be encouraged in combating robocalls: We lack a detailed map of the players involved, so we cannot target a similar “command-and-control” infrastructure to take down robocalling operations.
We must continue to pursue solutions to stop robocalls, and we must continue this momentum by funding research into this area so we can address the root causes and stop robocalls once and for all.