2020 The year of VOIP assisted on-line fraud

The Internet as we know began with a DARPA three way trial of Voice over IP using a Packet Radio Van to simulate the needs of the military for secure mobile communications. The wheel has come full circle. VOIP has not only taken over from analogue telephony it is also at the heart of digital impersonation to defraud those who think they are using the latter.

Yesterday Jim Prideaux, recently retired from a lifetime in what is now called cyber-security, received three calls from little old ladies ‘calling his family back’. If it were just a variant of the current Amazon Prime scam which appears to be using a CLI of random 7 digits after plausible dialling code he would not have been surprised, but one of them gave names that were not a plausible guess from a phone book. The police response (incident logged with local police – Jim can get through where others cannot) was they can’t do anything on a report from Jim because he is not the victim, it’s just someone posing as him. The old ladies did not know it was a scam, BT will say the number is not one of theirs yet Jim’s VOIP provider, Vonage, rightly pointed out that they have no record of any such call from the real number so can’t do anything.

Who will help follow up the providers for the numbers and not dribble/mumble GDPR?

Action fraud – NAH
Ofcom – NAH
BT – NAH [unless they claim to be from BT in which case you can and should report

I had been planning a blog on the vulnerability of the Internet to well-targeted attacks by Iran on some of its many single points of failure (current practice is very different to original theory) and the way ICANN’s request for details of the sale of the Pubic Interest Registry, in order to look at the security implications, could provide a precedent for unravelling the way the current Internet addressing “industry” facilitates digital impersonation. But Jim presented me with a text on the VOIP and CLI enabled plague facilitating Internet-assisted fraud against those who think they are safe because they are responding to a phone call, not an e-mail.

“Last year the callers claimed to be from the Microsoft Technical Department, then it was BT, this month …

This month it seems to be the turn of those pretending to be from Amazon Prime to make nuisance calls. Last month it was BT technical department, and before that the Microsoft technical department. On dull days one can play along: which of my Microsoft computers, isn’t it illegal/implausible for BT to monitor my service provider…etc. As a result of the system for Calling Line identifiers being screwed, a new level of unpleasantness is happening: call-backs from confused elderly people when your number has been used or just recorded as a missed call.

Buck-passing is endemic:

• Police – we can’t do anything because you were not the target, call your provider.
• Provider – (correctly) we can’t do anything because we have no record of the calls. (Less helpfully) Inform ‘the legal department’: Ofcom. (Showing lack of understanding of the details.) Would you like me to block these numbers?
• BT: the number you are calling about is not our customer; we can’t discuss or take action when you have no idea whose numbers you are talking about. (What perversion of ‘privacy’ is this?) [Jim said this – not me].
• Ofcom: see Action fraud, and give your date of birth, physical address, ethnicity, full details of victim…

Once upon a time, the GPO identified the originating telex machine, and considerable effort in the early days of calling line identification was made to enable presentational CLI – the number that should be shown, so organisations with multiple outgoing lines could be consistently identified by the same number.

Now anyone in the world can easily get the display to show whatever they want – a usurped number or just one chosen at random to look like a local call 44145… followed by 7 random numbers makes it look at first glance as if it’s from Gloucester, although the lack of care of scammers is noteworthy; 7 digits smells of North American dialling. Why was anyone pretending to be BT be offering a +1709 number from Labrador?

Scam levels were much lower when the cost of making calls was higher. Now an all-you-can-eat tariff reduces the cost of making malicious calls to zero.

So why is the cost of preventive action so high

In a similar way, it is interesting to see that the US-EU Privacy Shield says:

“An individual also has the right to have communicated to him or her personal data relating to him or her. An organization may charge a fee that is not excessive.”

when the position in Europe changed with GDPR from permitting a limited fee to

“Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge.”

Given the apparent unbounded liability

It is to be hoped that this unbounded liability for business, community groups and charities to respond to non-customers, not just those with some connection, will revert to the pre-GDPR position in the UK, given the European Commission was prepared to sign off as OK for US players.

For telephony, regulators could/should mandate a simple way to flag calls as suspect such as dialling a short number (maybe 168), but there needa to be someone they can report issues to for investigation.

Until there’s a coherent approach to telephone scams, what hope is there for internet policing?

Unimpressed?

Use the Action fraud Survey, which, after adjusting cookie settings, tells you it’s closed.

= = =

Jim stops short, as so often, when it comes to what he really thinks could/should be done – and, more importantly, by whom. I personally regard this a great opportunity for the UK to provide a neutral, post-Brexit platform for bringing players together, across the ITU – IETF, East West and North South divides to agree practical solutions. If nothing else, the last IETF meeting in London earned more for the hotel trade than the recent IGF earned for Berlin hoteliers. An ITU – IETF summit would be a real money spinner. It might even do some good in concentrating minds on the need to implement practical solutions – especially if HMG were to fund NPL to host an ongoing neutral secretariat (and hospitality budget) for the necessary multi-national working parties – and Ofcom were to mandate UK implementation of any “solutions”.

He is also equivocal, as you would expect from some-one of his pedigree, when it comes to anonymity versus provenance, investigation,  enforcement and/or policing. We agree, however, on the need for intellectual honesty when debating the governance of corporate and law enforcement behaviour, while reserving the right to total duplicity in the national interest when it comes to cyberwarfare.

CIO
Security
Networking
Data Center
Data Management
Close