With commonly available VoIP software, a caller can fabricate an arbitrary phone number for the display of the incoming call on the receiver’s phone – and fraudsters frequently exploit this by pretending to call from a trusted source, such as the Home Office, HMRC, the DVLA, and banks.
From today, however, a £1.1m grant from the EPSRC will enable researchers at the University of Warwick to tackle the caller ID spoofing problem without requiring trusted authorities or modifying the existing telecommunication infrastructure.
Fraudsters regularly use a fabricated caller ID to look like they are calling from a trusted source to convince people over the phone to hand over money. The current solution, which the Federal Communications Commission is urging telecom providers in the US to adopt, requires a globally trusted authority, but such authority is difficult to manage.
Researchers at the University of Warwick will find new ways to tackle this problem without requiring trusted authorities or modifying the existing telecommunication infrastructure, thanks to a grant from the EPSRC.
Caller ID spoofing is when the caller intentionally represents a false number to hide their identity or to deceive the receiver. Freely available smartphone apps or Voice over IP (VoIP) programs allow a caller to fabricate an arbitrary phone number for the display of the incoming call on the receiver’s phone.
In the current telecommunication system, a fabricated caller ID will be transmitted across telephone networks without validation and eventually shown on the receiver’s phone. The ease of spoofing a phone number has led to fraudsters frequently exploiting this to pretend to call from trusted sources.
According to a survey conducted by Which? magazine in April 2019, 10% of the people surveyed said they had been targeted by phone number spoofers. In fact, UK police (Action Fraud 2018) report that scammers have been targeting users of the Home Office, HMRC, DVLA, and UK banks. Ofcom, the regulatory authority for the UK’s communications, estimates that UK consumers receive 5 billion nuisance calls each year. Caller ID spoofing is a key enabling technique used by scammers and fraudsters to avoid detection.
In the telecommunication industry, the ability to authenticate the caller ID is globally recognized as a major unsolved problem, which becomes more of a challenge as the telecommunication networks (3G, 4G, 5G, PSTN and VoIP) have evolved to be incredibly complex.
Current solutions include the Internet Engineering Task Force’s STIR/SHAKEN proposal. The Federal Communications Commission (FCC) in the US is urging telecom providers to implement STIR/SHAKEN, but the process has been slow and limited, as evidenced by the carriers’ responses to the FCC call.
The STIR/SHAKEN proposal tries to adapt SSL/TLS, the technology that underpins HTTPS communication in web browsers, to telecommunication systems for caller ID authentication. However, it requires a globally trusted authority sitting at the root of the trust chain for the worldwide telecom industry. It remains an open question who should take on that role. As an example, a trusted authority appointed by the US government is unlikely to be trusted by the Chinese government, and vice versa. Furthermore, the STIR/SHAKEN proposal requires changing the existing telecommunication infrastructure, which would be very costly to implement.
While the IETF’s STIR/SHAKEN proposal is a top-down approach, the researchers at Warwick University will investigate new ways to tackle this problem using a bottom-up approach – without introducing any globally trusted authority, or changing the existing telecommunication infrastructure. This investigation will be supported by a £1.1m grant from the EPSRC in collaboration with the telecommunication industry, in particular, trueCall, Huawei and RedTone.
The Principal Investigator, Professor Feng Hao from the Department of Computer Science at the University of Warwick, explains: “Caller ID spoofing is a real problem that has been affecting billions of telephone and mobile phone users. We have a track record of building secure systems without involving any trusted third parties, for example, in key agreement, e-voting, and e-auction.”
Hao continues: “Here we aim to do the same for telecommunication systems. Our preliminary research has shown this is possible, but further work is needed to confirm the feasibility. We are thrilled by the EPSRC funding for supporting us in this investigation. I am pleased to be able to collaborate with Dr. Adrian von Mühlenen from the Psychology Department on this inter-disciplinary project. The problem we want to tackle is more than a technical challenge; understanding human factors will prove crucial as well.”
Dr Adrian von Mühlenen, from the Department of Psychology at the University of Warwick, explains: “We aim to develop a system that shows the trust level of the displayed caller ID from an incoming call. The success of this project will depend on technical as well as human factors, such as usability, acceptance, and trust. I will bring to the project my expertise in user experience and experimental research more widely. Those will be crucial for designing a user-centred phone interface that is both user-friendly and can be trusted.”