Shaken And Stirred


The plan to block scam phone calls

Hacks and scams often depend on gaining the trust of the mark. This is easier if the scammer can appear to be someone or something that they are not. Within telecoms (including mobile and SMS) the initial means of identification is the caller’s number. First corporate switchboards and now many private phones operate through VoIP telephony. At some point these Internet messages enter the public phone networks and must be assigned a ‘regular’ phone number.

Scammers will exploit the existing technology to give their telephone calls and SMS messages a believable source. A call would then appear to come from a legitimate company number, tempting the mark to give out confidential information. Simply appearing as a local number rather than international or ‘caller id withheld’ will improve the chance of the mark picking up the call or message.

Without trust in the origin of a phone call or SMS message, there is little that the recipient can do. Messages can be blocked from all automatic dialling sources, but this will include sources such as health appointments or a legitimate employer. Numbers can be blocked or reported to BT, but the scammer can change all their numbers to new unblocked numbers with relative ease. Many potential recipients simply refuse to answer a call unless one is expected. With fake calls often originating from overseas centres, local authorities are unable to shut them down.

OFCOM has ordered UK telecoms providers to implement methods to block spoof calls originating from abroad. STIR/SHAKEN is a set of protocols adopted by the USA’s FCC in June 2021 to limit the use of spoof phone calls. The acronyms were deliberately chosen to echo James Bond’s preferred vodka martini: shaken, not stirred. STIR (Secure Telephony Identity Revisited) is used on VoIP networks, adding a digital certificate to call data so that the call’s origin can be verified. SHAKEN (Secure Handling of Asserted information using Tokens) describes how STIR can be implemented within telecom networks.
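The check a receiving provider makes can be sketched as follows. This is an added example, not code from the original article or from any operator: it signs and verifies a PASSporT, the signed token STIR attaches to a call (RFC 8225, with the SHAKEN claims of RFC 8588). The inline key pair stands in for the originating provider's certificate, and the phone numbers, the `x5u` URL and the 60-second freshness window are assumptions.

```javascript
const crypto = require("node:crypto");

const b64u = (v) => Buffer.from(v).toString("base64url");
const fromB64u = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));
const ES256 = (key) => ({ key, dsaEncoding: "ieee-p1363" }); // JWS uses raw R||S, not DER

// Originating provider: sign the call's numbers into a PASSporT.
function signPassport(privateKey, claims) {
  // x5u is a placeholder; a real verifier fetches the signer's certificate from it.
  const header = { alg: "ES256", ppt: "shaken", typ: "passport", x5u: "https://certs.example.invalid/sp.pem" };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${b64u(crypto.sign("sha256", Buffer.from(input), ES256(privateKey)))}`;
}

// Terminating provider: return the attestation level, or throw with the reason the call fails.
function verifyPassport(token, publicKey, signalledCaller, signalledCallee, now) {
  const [h, p, s, extra] = token.split(".");
  if (!h || !p || !s || extra !== undefined) throw new Error("malformed token");
  const header = fromB64u(h);
  if (header.alg !== "ES256" || header.ppt !== "shaken") throw new Error("unexpected header");
  const sig = Buffer.from(s, "base64url");
  if (!crypto.verify("sha256", Buffer.from(`${h}.${p}`), ES256(publicKey), sig)) throw new Error("bad signature");
  const c = fromB64u(p);
  // The numbers shown to the recipient must be the ones that were signed.
  if (c.orig?.tn !== signalledCaller) throw new Error("caller ID differs from signed orig.tn");
  if (!c.dest?.tn?.includes(signalledCallee)) throw new Error("called number not in signed dest.tn");
  // Assumed 60 s window; a missing iat also fails this test.
  if (!(Math.abs(now - c.iat) <= 60)) throw new Error("stale token");
  return c.attest;
}

// Constructed sample call (numbers, key pair and origid are made up for this example).
const { privateKey, publicKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
const now = Math.floor(Date.now() / 1000);
const claims = { attest: "A", dest: { tn: ["442079460002"] }, iat: now, orig: { tn: "442079460001" }, origid: crypto.randomUUID() };
const token = signPassport(privateKey, claims);

// Helper: run a check and return either its result or the rejection reason.
function reason(fn) { try { return fn(); } catch (e) { return e.message; } }
console.log(reason(() => verifyPassport(token, publicKey, "442079460001", "442079460002", now)));
console.log(reason(() => verifyPassport(token, publicKey, "442079460999", "442079460002", now)));
console.log(reason(() => verifyPassport(token, publicKey, "442079460001", "442079460002", now + 3600)));
```

A production verifier would also fetch the certificate named in `x5u` and validate its chain to a trusted authority before using its public key.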

Unfortunately, the UK telecoms infrastructure is not yet developed enough to implement STIR/SHAKEN. The UK cabled phone network is not expected to be fully digital and IP-based before 2025. Within the existing digital telecom systems, the UK (amongst other countries) relies on the SS7 protocol to identify where a call comes from and to route it to its destination. The latest revision of SS7 dates to 1993 and is not sophisticated enough to cope with current number spoofing systems. There have even been reports of SS7 exploitation to spoof the destination phone number and use that to intercept and confirm two-factor authentication messages.
