Shaken and Stirred
Hacks and scams often depend on gaining the trust of the mark. This is easier if the scammer can appear to be someone or something that they are not. Within telecoms (including mobile and SMS) the initial means of identification is the caller’s number. First corporate switchboards and now many private phones operate through VoIP telephony. At some point these Internet messages enter the public phone networks and must be assigned a ‘regular’ phone number.
Scammers will exploit the existing technology to give their telephone and SMS messages a believable source. A call would then be seen as a legitimate company number tempting the mark to give out confidential information. Simply appearing as a local number rather than international or ‘caller id withheld’ will improve the chance of the mark picking up the call or message.
Without trust in the origin of a phone call or SMS message there is little that the recipient can do. Messages can be blocked from all automatic dialling sources but this will include sources such as health appointments or from a legitimate employer. Numbers can be blocked or reported to BT but the scammer can change all their numbers to new unblocked numbers with relative ease. Many potential recipients simply refuse to answer a call unless one is expected. With fake calls often originating from overseas centres local authorities are unable to shut them down.
OFCOM has ordered UK telecoms providers to implement methods to block spoof calls originating from abroad. STIR/SHAKEN is a set of protocols adopted by the USA’s FCC in June 2021 to limit the use of spoof phone calls. The acronyms had been deliberately chosen to reflect on James Bond’s preferred Vodka Martini; shaken not stirred. STIR (Secure Telephony Identity Revisited) is used on VoIP networks adding a digital certificate to call data enabling the call’s origin to be verified. SHAKEN (Secure Handling of Asserted information using Tokens) describes how STIR can be implemented within telecom networks.
Unfortunately the UK telecoms infrastructure is not yet developed enough to implement STIR/SHAKEN. The UK cabled phone network is not expected to be fully digital and IP based before 2025. Within the existing digital telecom systems the UK (amongst other countries) relies on the SS7 protocol to identify where a call comes from and to route it to its destination. The latest revision of SS7 dates to 1993 and is not sophisticated enough to cope with current number spoofing systems. There have even been reports of SS7 exploitation to spoof the destination phone number and use that to intercept and confirm to 2 factor authentication messages.