A Spy vs Spy Approach to Protecting our Telecommunications

by Alan Percy, CMO @TelcoBridges

If you are old enough to remember the Spy vs. Spy comics in Mad Magazine, you’ll also remember a time when the phone rang, you just answered it.  No robocalls to worry about. With the advent of VoIP, we inadvertently created the robocall. The TRACED Act mandated STIR/SHAKEN, and you’d think the aggressive illegal robocallers would be a thing of the past.   Instead, it has become a game of Spy vs. Spy.

Thanks to monthly reports from our partner TransNexus, we can see a troubling trend where robocalls continue to be passed, with the majority of the robocalls getting SHAKEN attestation. So how can this be?

An anecdotal story came to us recently from the Cloud Communications Alliance, showing how illegal calling gets into the North America network, and worse, does so without paying.

Here’s how the scam works:

    1. A retail VoIP service provider, accepts a new customer, urgently asking for multiple new DIDs. A credit check on the company comes back clean.  The DIDs were provisioned, and the customer could start making calls on the numbers with “A” attestation.
    2. The first tip that something wasn’t right: The address of the customer doesn’t match the DIDs they are requesting.  And, no physical phones are needed, they are using softphones.
    3. Sure enough, within a week, the retail service provider gets “Theft of Service” and “Fast Traffic Pumping” from their wholesale provider, who began blocking the numbers.
    4. After some investigation, it seems the bad actor had stolen the identity of a reputable company, assuming their credit rating, address, and other details.
    5. The payments made to create the account all bounced. The retail service provider got stiffed for the calls made by the bad actor.
    6. Even more incredible, the bad actor tried ordering new DIDs on the same retail service provider, assuming a new stolen identity. If the scam worked once, it will likely work again.

What can we learn from this?

    • As painful and time-consuming as it is, vetting new customers is an absolute must. The whole STIR/SHAKEN infrastructure depends on service providers knowing their customers. Any customer that can’t wait a week for a background check should set off alarm bells.
    • New customers should have their calling behavior monitored during the first few weeks. Bad actors are not going to have the patience for a period of supervision.
    • The bad actors will find any vulnerability, and we need to take a Spy-vs-Spy approach to protecting access to our telephone network.