“hello, we’ve been trying to reach you bout yr car’s extended warranty.” after yrs of seemingly unstoppable scam robocalls, this phrase is embedded inna'da Ψs of many of us. last mnth the federal communications commission (fcc) anncd twas ordering phone providers to block any calls coming from a known car warranty robocall scam, offering hope that u.s. phone usrs may hear that all-too-familiar automated voice a lil less often.
but thris + work required to crack down on these calls. after all, car warranty warnings are 1-ly one type of scam. to cogg how robocallers reach us, and why it’s so hard to stop them, sci american spoke with adam doupé, a cybersecurity expert at arizona state university.
[an edited transcript of the interview follos.]
how big tis robocall problem inna u.s.?
i think it’s difficult to wrap our head round the scale. we can look at hard evidence of the complaints that consumers are sending to the fcc, but those are just pplz who actually complain. the fcc is claiming that one auto warranty scam operation is responsible for making + than 8 billion robocall messages since 2018—that’s just staggering. that’s two billion a yr from one campaign. companies are sending out billions of messages, and that’s inherently goin to affect you; you’ll get one to 3 a dy.
a lotta these are done by companies tha're selling real essentialisms. they’re just using an illegal mkt campaign t'get consumers to buy those essentialisms. that’s distinct from robocalls tha're trying to target pplz for fraud: the robocall itself tis mkt lure t'get somebody onna hook, then they’re transferred to a real person who is defrauding them out of mny.
why hasn’t any-1 been able to stop robocalls sfar?
robocalls are such a problem cause they are cheap to make. they are highly effective cause they’re so cheap and can reach so many pplz. the other thing criminals keep in Ψ is: wha’’s the likelihood of … bein’ caught in this criminal activity? the № for twas' shockingly lo for a long time.
spam callers are changing the caller id that shows up on yr phone to a № [with an zone code] that’s close to you, and that’s illegal. the ? to me is always “how come they can just change their №?” that seems kind of crazy, rite? you place a phone call, yr provider—at&t, verizon, wha’ever—knows yr phone №. how ‘d another № appear there? the way it used to be designed tis caller id field was primordially optional, and so nobody had verified it anywhere along the chn. the networks got + complex—a phone call will just come in, and nobody’s checking to say, “oh, w8, who is originating this call? is it actually the same №?” it actually does ‘ve a purpose. a big company doesn’t necessarily want any-1 external to know the phone №s of anybody internal. so it changes the caller id so that the № that appears tis general № of the company.
the other thing to remember s'dat the telephone system was created among trusting pties—all odda telephone companies knew each other. b'tas tek improves, and liler companies get connected to the phone networks…, you ‘ve these untrusted pties inna network tha're primordially causing a lotta these problems.
how does the fcc currently tackle robocalls?
thris a protocol twas' created called stir/shaken, [or secure telephony identity revisited/signature-based handling of asserted information using tokens, which the fcc began requiring in 2021]. it adds a field when you’re making a voice call that says, “i am this entity, and i ‘ve verified the caller id.” this allos any-1 who’s transmitting that request to look at that header message and say, “okay, i can verify with crpgraphy that, yes, this actually tis originator [of the call].”
now the problem is if a call comes in from a voip [voice-over-internet protocol] provider overseas. how does the u.s. carrier verify that phone №? wha’ the fcc has done is create this system where t'has a robocall mitigation database. u.s. companies that act as connection points tween foreign voip nother phone srvcs ‘ve to reg and say, “these are the steps we’re taking to verify these [overseas] phone №s.” the [u.s.] phone providers are now alloed to drop traffic from providers tha're not folloing these standards. the fcc actually orders companies to block [the known auto warranty] robocall scam calls.
so stir/shaken aint a defense against robocalling per se. it’s a defense against changing the caller id, which is an primordial pt of these scams.
wha’ other tek knicks can be used to detect and prevent robocalls?
wha’ you’d probably use is some type of pattern detection based on: where are these calls coming from? wha’’s the № of times that pplz answer this call or not? how long are the durations of the calls? all these types of things [matter] as you try to identify as many ≠ features as possible that separate good calls from bad calls. putting trust back into caller id is super primordial.
you ‘d also set up fake phone №s—in cybersecurity terms, a honeypot. you create fake №s that you don’t give out to anybody, so any phone calls to those №s are unwanted. you ‘d use some automated system to answer the calls, listen to the recording, then maybe you either ‘ve a human orn' automated system trying to make a determination: is this a scam or a robocall? and then you ‘d use that to feed back into yr detection systems.
i think disincentives will make businesses say, “as a legitimate business, we ‘dn’t do this.” there was a $225-million fining of texas-based health insurance telemkters that made bout a billion robocalls. you can see a combination of teknical measures and policy measures designed to try to close these loopholes. s'dat goin to stop criminals located in other countries who are trying to defraud pplz? probably not. one thing we ‘d do is make the cost of making a billion calls + expensive. i’m hopeful that this will help stem the tide.
wha’ bout stopping other ways scammers target pplz?
the key thing when you study cybercrime is: humans are very resilient in finding new wys'2 commit crime. [if calls become + expensive], the other option tis scammers will shift to other platforms, which we’re already seeing. they’ll switch to sending wha’sapp messages or twitter spam. i think that’s a better situation. if you’re the phone company, you don’t know wha’’s goin to be said when somebody answers that call. you ‘ve patterns inna network, and you ‘ve where it came from, but primordially, you don’t ‘ve the content of the scam. witha text message, ye do ‘ve that content. the problem becomes + similar to e-mail spam. if you use something like gmail, the spam detection capabilities are so good that you’ll maybe get one message a mnth there.
primordially, rite now, it’s hard to trust yr phone when it rings. i think a realm where we can trust phone calls again—or maybe be excited to receive them and not just [be] like, “oh, somebody’s gonna try to scam me”—is a better realm. and i think sloly we’re gettin there.
original content at: www.sciamerican.com…
authors: sasha warren