Molly Weis: Hello everyone and welcome to Tuesday Talks, a live discussion series where we shed light and bring truth to emerging topics in the communications industry. I’m Molly Weis, the VP of Marketing and Communications at Numeracle and today I’ll be co-hosting today’s session session with Gerry Christensen, VP of Business Development and Strategic Partnerships at YouMail. It’s great to have you here today, Gerry, welcome!
Gerry Christensen: Thanks, Molly, it’s great to be here!
Molly Weis: So for today’s session, which will be focusing on spoofing: what it is, what's being done about it, and how this relates to Know Your Customer (KYC) efforts, traceback, and Robocall Mitigation Plans, Gerry was our obvious choice. He has over 30 years of information and communications technology experience. At YouMail, he's responsible for leading strategic initiatives to leverage communications analytics capabilities to address critical industry needs for consumers and enterprises.
Talking about critical industry needs, one of the largest of today’s landscape is the ongoing fight against illegal calls. So, we've all been more than aware of the June 30th deadline to implement STIR/SHAKEN to prevent illegally spoofed calls. A quick shoutout to YouMail, who was featured in a piece by The New York Times yesterday on this very subject. So, I thought a great starter question for Gerry today would be: What is call spoofing?
Gerry Christensen: So, let’s go ahead and move over to that slide I sent you. Call spoofing, in the traditional sense, is what I referred to as the narrow definition of call spoofing. I’ve actually experienced this myself where I have had my own number spoofed and it actually called myself. That would be, arguably, the most egregious form of call spoofing. It’s a legitimately allocated number to my carrier, and it's assigned for use by Gerry Christensen and used or abused by somebody else. That's the narrow definition of spoofing.
There are other forms of spoofing, of course. This is also a good time to make it clear that spoofing in and of itself is not illegal. There are legal forms of spoofing, like a battered women's shelter, for example, they spoof the number so you can’t track them down and do bad things. A police officer might spoof their number as well because they don't want you to have their personal number. Oftentimes that legal spoofing is not used in conjunction with robocalls though. It's also important to note that not all robocalls are bad; some robocalls are used by public safety and other legitimate agencies for purposes of broadcast messages.
The broad definition of spoofing, what I'm asserting here is that that would be an instance in which the number may or may not be allocated to a carrier but it is not assigned for use by anybody. The typical example there would be a number that is either rented or leased from a carrier or some service provider and then used in conjunction with some unwanted robocall campaign. The key point here is that whoever is leasing these numbers doesn't want to use them to receive calls because they want to try to act with impunity to conduct their illegal campaigns.
Molly Weis: That sets us up with a really good baseline. Now that we’ve built a little bit of a foundation around what spoofing is, can you tell us how this is related to STIR/SHAKEN? And let's talk specifically about the infamous June 30th STIR/SHAKEN deadline. Now that we’re past this deadline, what’s actually happened, from your perspective?
Gerry Christensen: Absolutely. So, STIR/SHAKEN is a really good starting point, I think I should say first and foremost. It’s kind of like table stakes, everybody has to do it eventually, even if you haven’t done it yet you ultimately have to do it, and it really is a good thing to do. It does stop certain types of spoofing, but not all types of spoofing. So it's really good at that narrow definition of spoofing. Gerry Christensen does not call himself anymore, that stopped a long time ago.
If you step back and think about this, STIR/SHAKEN fits part and parcel with the Know Your Customer process, the KYC process. KYC has been around for a long time, it's part of OSS/BSS (operations support system and business support system) and it's really nothing new. Carriers have to vet their customers, and they've been doing that for a while, but now you've got this extra thing called STIR/SHAKEN where not only do you have to apply your KYC process to it but you have to have some new network procedures associated with it. Again, STIR/SHAKEN is really good at stopping certain types of spoofing.
I think it’s important to note that with any KYC process, you can know certain things about your customer. You know who they are, you know how to reach them, you may even have a robust KYC process where you ask them to produce certain information like declarations, perhaps through a TCPA compliance statement. But what you can never know with 100% assurance is their behaviors. So, the one thing that is lacking from any KYC process is the ability to predict in advance how somebody is going to behave.
So now with STIR/SHAKEN in place there are also some interesting things to consider beyond just a new procedure at the network level, there are policy decisions. With STIR/SHAKEN there's what's referred to as attestation levels A, B, and C, respectively. A means that you know the network and you can associate the number with the network. B means you know the network but you cannot associate the number with the network. And C means that you know neither one; C would be like a global gateway, for example, where you're just not sure of anything.
So not only do we have the new procedures in place where you’re authenticating calls and but you also have a decision in terms of assigning policy level, which in some ways is pretty clear if you are, for example, a traffic aggregator and you sign some numbers, like that example I gave you in that broad spoofing case: you know the network is yours and you know the numbers are yours so you might attest those as A. But what you don't know is what's going to happen downstream. Maybe a terminating carrier will accept that A. Maybe if you have another call that is attested as C, maybe they will block that, maybe they will not allow that to go through.
So, these policy decisions are not only at the front-end in terms of how an originator is going to attest a call, but at the terminating end in terms of when they look at the attestation level, determining what they do with it. There are some new things in place and they have been making a really good impact [so far] but it is certainly not solving all the problems that are out there.
Molly Weis: It's true, and you brought up an excellent point which is Know Your Customer. We’re all about Know Your Customer and when we start to get into some of this, how much do you feel a service provider really could or should know about a customer? Building off of that, can you describe how you feel about analytics can help service providers to strengthen their KYC framework and tighten up their monitoring for fraudulent activities?
Gerry Christensen: Exactly. I would say regardless of how robust their process is and how well they feel that they know their customer, every carrier should have some form of behavioral monitoring capability. Because, again, no matter how well you know your customer you can't predict their behaviors in advance. There could be potentially some best practices in place from a KYC perspective, I alluded to some of them earlier. Maybe you asked for a TCPA compliance statement, but as we know, anytime you ask for things like that it's additional sales friction. When you're selling something and getting somebody onboarded you don't want to have additional friction, you want to lease them their numbers and do whatever it takes to get them up and running. You don't want to have to worry about too much friction. That is exactly why there's a need to have some behavioral monitoring.
I advocate that the best way to do that is a content-based descriptive analytics approach. What I mean by that is looking at the actual content of a call and seeing what's actually happening to be able to determine what is happening with the call. By that way, you would know, for example, the example I like to use is the car warranty scam. Some people think it's nuisance, some people think it's spam, some people think it's a scam, some people think it’s outright fraud. But if you have the actual payload of what has transpired, the content, and you're running some descriptive analytics against it then you can make some decisions as to what to do about that.
Molly Weis: That's a good point. When it comes to monitoring and assessing any of the subjective nature of any of these things too when you’re sometimes in a gray area.
Going off of that, we know that the commission has been very clear about the ongoing responsibilities for service providers to continuously monitor for illegal traffic originating on the network so we can find and stop these bad actors or investigate these things that require a little more insight before we can really determine if it’s good or bad. What happens if a service provider's verification process seems to fall short? What happens if or when a call rings through as verified that actually is a bad actor? Can this happen? What’s driving some of this?
Gerry Christensen: You asked a great question there, which is very open-ended; there are a lot of things to address. So first, I’m going to address the very last thing. One of the implications of STIR/SHAKEN is that there's this thing called the verstat parameter, which stands for verification status. All that means is that STIR/SHAKEN has occurred successfully, meaning that the call has been authenticated, but again, it could be at the A-Level, B-Level, or C-Level. Conceivably, for anybody that may see the little green checkmark and maybe even “Verified Call” on their phone, what that means is that that verstat parameter was passed to the phone. In advance of that happening, the handset manufacturer has done what they needed to do to get something to display on the phone but what that does not necessarily mean is that is (1) A-Level attested, (2) it also doesn’t mean that the behavior of a caller is pure or good or not doing anything bad.
At the consumer level, there can certainly be a lot of confusion and ambiguity when they see that type of thing. What do you do when you get those kinds of calls? It’s a fair question. As a matter of fact, we're probably going to do a survey or some kind of poll to see what people would do. So that’s one thing to consider.
If you could quickly restate the question, I know there is another part that I wanted to answer.
Molly Weis: It was really what happens if the service provider’s verification seems to fall short and how we can help service providers to fulfill some of these requirements to continuously monitor for this illegal traffic that's originating on their networks so we can facilitate the traceback efforts to find and stop these people.
Gerry Christensen: Right, that was the other aspect that I wanted to answer.
So, there’s the consumer level which I’ve already covered, but at the B2B (business to business) level, the FCC has an order that essentially says “Thou shalt not originate an unwanted robocall.” Depending on the carrier and what they've submitted with their RMPs, the Robocall Mitigation Plan to give for the FCC, some of them are saying that they will engage in self-governance and some have redacted what they’ve submitted so it's not clear what they're doing.
One of the things that I would advocate is to have some form of monitoring to let themselves know what's going on. The reason I say that is, I could distill it down very easily to say: you want to be the first one to know, you don't want the FCC to be calling you, you don't want the Industry Traceback Group to be contacting you. You want to be the first one to know, if possible, when there's somebody on your network doing less than favorable things or that you might want to consider taking off your network. It’s a tough decision. You sign a customer up, you go to them and tell them your data is indicating that they’re doing things that are not good and you need to suspend their campaigns for now.
It's a tough decision but it's even tougher, I would argue, if the FCC calls you and they say there's a pattern of you originating a high percentage of traffic that is deemed as an unwanted robocall. So that's what I would advocate for, for traffic originators and even transit network providers, is that they have some way of keeping track of what's going on in their network from a behavioral perspective.
Molly Weis: What kind of data points are particularly and very interestingly useful to some of the Industry Traceback Group's (ITG) efforts? What are you finding to be really awesome or kind of almost like “the murder weapon” if you say you’ve got the proof now? What’s some of the data that you’re seeing that's really helpful?
Gerry Christensen: It’s funny you should bring up that example of “the murder weapon,” I know that's kind of a harsh example, but the analogy I like to use is that STIR/SHAKEN is kind of like registering something. You know that it belongs to Gerry. You know that Gerry has the right to use it. And you have a way of tracking Gerry down. That’s why STIR/SHAKEN is very part and parcel to the KYC process.
Then you've got tools like content-based analytics, or event-based content that use predictive analytics, I should say. Event-based content would be things like SIP messages and things like that. You have something that's indicative of a pattern of something and then you use your predictive analytics to determine whether you think that it's Spam or whether you think that is a Scam.
Then you have content-based and descriptive analytics where you are actually looking at what transpired by looking at the actual audio. That would allow you to be able to say that not only do you know who this person is or who this entity is who is initiating these calls but have evidential proof that they've done something that's less than favorable. Getting back to your earlier question about the ITG, you can use that as the impetus to work with the ITG to perhaps initiate a traceback if it’s warranted. It’s a relatively big hurdle to do that because the ITG usually has a queue of tracebacks that they need to do and there is a cost associated with it. You want to be pretty darn sure that when you're initiating tracebacks to do this warranted so having evidential proof is really helpful to be able to do that.
Molly Weis: So we’ve talked about Robocall Mitigation Plans and the Traceback group but let’s try and put some scale around some of this. Numeracle has been tracking the implementation numbers from the FCC’s Robocall Mitigation Database and it’s been growing and growing. As of this morning, we have 360 service providers who have fully implemented STIR/SHAKEN, 756 have partially implemented, and another 1,500 or so have not implemented STIR/SHAKEN and are executing an alternative Robocall Mitigation Plan.
For the 2,600 or so service providers who are out there that are now in the execution phase of their Robocall Mitigation Plans or their STIR/SHAKEN roll out, what would you say, Gerry, would be the top three recommendations you'd want to pass along to these providers who are right in the thick of it trying to figure out the best way through all of this? They want to make sure they’re doing everything to monitor to identify and facilitate these traceback efforts and make sure they can hone in on this bad actor traffic. What would you say?
- I would say first and foremost, revisit your KYC process. Take a look at what you already have in place, see what you've got documented, and perhaps ask third parties what they think. KYC has been around for a long time. It’s in the financial industry and it’s in the telecom industry. Take a look at it and see what types of questions you ask and see how that might be applied in a worst-case scenario where you actually need to follow through with some kind of action. So that’s the first thing I’d say.
- The next thing I would say is to consider your KYC governance as it relates to behaviors because again, no matter how well you think you know your customer, you can’t predict their behavior with 100% assurance. That’s why I like to refer to it as a “KYCB,” to have that additional behavioral monitoring element.
- Finally, the third one I would say is to consider supplementing your KYC with analytics, and more specifically, content-based descriptive analytics. Not that the event-based analytics is not useful at all, it certainly is better than no analytics but when you want to get to the ground truth of what’s actually happening you have to look at the actual payload and audio of what the robocallers are using to be able to determine if it’s something that warrants maybe kicking them out of your network or maybe just giving them a warning, whatever you think is appropriate based on your governance.
Molly Weis: I'm going to tee off of that one real quick because you made me think of something. When you're scanning and monitoring are you looking for certain things, certain keywords, certain actions, certain behaviors that trip this threshold? Or could you be looking for something like any specific keyword that anybody, in particular, is looking for something that is very unique? Is there an ability to look for that too?
Gerry Christensen: It kind of depends on the service that we’re talking about. If we're talking about a solution or a service that's looking for things like brand imposters and looking at impersonation of a brand, like Marriott for example, then we would very clearly look for a single keyword. Then we branch off from there and see is it Marriott making a legitimate call or is it maybe Gerry's wife calling about the Marriott reservation?
In fact, I’ll use YouMail an example here: with our artificial intelligence machine learning, the very first thing we do is parse out the database so that we can set aside the legitimate good calls that from a privacy perspective, a PII perspective, that we should not be looking at so we don't look at those and separate those out. Then we look at those that definitely are robocalls. We, in particular, use machine learning and AI and look at the waveform specifically. We can look at the waveform and get a sense of if it’s a robocall and we can then determine if it’s a valid or good robocall, like public safety making a call, or if it’s a bad guy.
Then we create a digital fingerprint and that's really important because then you can track that across different telephone numbers regardless of what telephone numbers are used. One of the tactics that the bad guys like to use is the so-called “Snowshoe Spamming” where they place just a few calls across a lot of numbers rather than a lot of calls on a few numbers. It's really hard to identify unwanted robocalls just by using event-based predictive analytics so that's why a content-based approach, like what I’m referring to here, is really useful.
Getting back to your question, sure, you can look for keywords but it's more, contextually speaking, how those words fit together does it look like fraud? Then also looking at things like a pattern; is this particular waveform a digital fingerprint or is this used on a whole bunch of different numbers? That would be indicative of some type of campaign that's nefarious in nature.
Molly Weis: Thanks, Gerry. What I think we should do now is start shifting since we've got about 10 minutes left. I want to thank you so much for your awesome summary so far and I want to also clue everybody in here who's listening to us live that we've just published a blog this afternoon that goes into even more depth on this topic (“Spoof Protection with the Help of YouMail). It’s hot off the presses and we're going to be posting a link into the chat window to get the first glimpse. And I know that Gerry and the YouMail team are working on a brand new white paper so I want to give you, Gerry, the opportunity to tell everyone about that too, which is also hot off the presses.
Gerry Christensen: The white paper will be available probably in about a week or so and we’ll make that available through our partner, Numeracle. If anybody has questions as a result of this webinar/podcast or the blog and they want to get more details about some of the things that I’ve touched on, let us know and we can get that to you through Numeracle unless you contact us directly. But we’ll provide it to Numeracle so we can send that to you.
Molly Weis: Thanks, Gerry. We also have some questions that have been coming in so I want to ask those to Gerry as well. We have a few good ones lined up. The first one is: What are some of the common behavioral patterns that you’re watching for that raise the first flag that it’s a bad actor versus a good actor on the line?
Gerry Christensen: To be honest, that is a much better question for an analytics engine that is using event-based and predictive analytics so I’ll give a real generalized answer. You look at calling patterns and the velocity of the call like how many calls they made. I think it's safe to say that pretty much all the analytics engines have at least some basis on crowdsourcing feedback. Keep in mind, these are not all outright fraud, some are abusive telemarketers, some are debt collectors. There’s a lot of potential inputs that go into an algorithm. There are some probabilistic aspects, some of which I just mentioned, and then there are also some deterministic methods. That would be things like, is it a malformed number? Is it a non-NANPA number?
I know I’m giving a long-winded answer here but actually, it would be a much better question for somebody to answer that is with event-based predictive analytics. The bottom line is with predictive analytics you’re using an educated guess as to what you think is happening. That's why it’s referred to as predictive analytics, but you can’t be absolutely sure of something and that's why a lot of times it's a good idea to do a check of what’s actually happening.
One of the things we’ve chatted about in the past, Molly, is if you call some of these numbers you get a fast ‘Busy,’ or you get some kind of a switch-based announcement, or maybe you get an IVR, this is a common one on the car warranty scam, that says ‘If you want to be removed from our list, press 1.’ You know when you call those numbers that you’re never going to reach a live person. That's why, especially with predictive analytics, you need to sometimes do some fact-checking and use your human brain to try to determine if it seems right or not and then use the safe harbor cover that the FCC gives you with reasonable analytics in the redress process to take action as appropriate.
Molly Weis: I think that's fair, it was a pretty complicated question. I'm going to totally shift gears on this next one now. Question 2 is: What's your number one tip to improve traceback efforts?
Gerry Christensen: I touched on this earlier, but I would say the #1 thing is to have at least some form of analytics because traceback, in the strictest sense, can be initiated at any time. If you have a lead on somebody who you think may be doing something wrong, you can initiate the traceback. But (1) there is a cost associated with it and (2) it might not get done right away. If you go to the ITG with evidence or proof of wrongdoing then it’s going to get closer to the top of the queue and you’ll save money because they’re going to charge you for every time you request a traceback and if you ask for some tracebacks that don’t result in wrongdoing, then you’ve wasted your time and money. So I would say that the best thing to do is to have that.
It also relates back to something else I’ve said. You want to be the first one to know that you’ve got a problem. You want to be initiating the traceback yourself or, if necessary, picking up the phone if you know the carrier it came from already and tell them to look into this. You don’t want the FCC or the ITG themselves to be contacting you.
Molly Weis: That’s a good point, where does this normally start in terms of the beginning of the investigation? Is it at the consumer level, like me getting a call like this and reaching out to you to say, ‘I don’t know what’s going on here?’ Is it the brand itself? Is it one of the authorities? Is it the ITG? How does it get started?
Gerry Christensen: Well, it could really start in any number of ways. The one thing that you mentioned, you as a consumer complaining, as I mentioned earlier, crowdsourced feedback is a component of most analytics engines to one degree or another with their algorithm. I guess you could say, in one sense, that could be the initial thing but by and large, it’s the analytics engine itself identifying the problem. Whether that’s event-based predictive or whether that’s content-based descriptive. The AE is saying there is something wrong here and we need to take action. Now, that action could be talking to the carrier directly and saying that there is something going on here that they might want to investigate but the carrier says they can’t investigate any further so they initiate a traceback. The point of origination of some of these calls could be a foreign entity and you can only trace it back so far and you only get to the point where they come onto the network and then you have to talk to them and say, ‘This traffic is coming from you, you need to track it down and stop it.’
Molly Weis: That’s true. So you’ve reminded me of something else. This is our very first Tuesday Talks episode since the STIR/SHAKEN deadline has passed. We have one more question here for you that relates back to all of this. We’re into STIR/SHAKEN for about 13 days now, do you have a perspective on whether or not it's successful so far or going to be successful in stopping the bad actors that we all desperately want to stop calling us?
Gerry Christensen: I do, and I'm going to caveat that by saying it's an anecdotal perspective. I'd like to get some hard data and we're seeking hard data on this, but what I believe is happening is for all those carriers who have already implemented STIR/SHAKEN, it does take a while to implement, it’s not like a light switch that they flip on June 30th and all of a sudden, it’s working. So, anybody that has been working on it or already has things in place, remember there’s the policy aspect of it.
What I believe is happening, upon reasonable belief, I think from a policy perspective some carriers are making some decisions like maybe blocking everything that is C attested. Or maybe they’ll send it to an IVR, CAPCHA, or something like that. We’re already starting to see some evidence of some falloff immediately and I suspect that’s due to more policy decisions that happened all of a sudden on June 30th and not that everybody turns their STIR/SHAKEN on altogether.
What is most likely going to happen is because the bad guys are smarter, the ones that you’re actually talking to on the phone English is a second language and they may not know what's going on, but the ringleaders behind it are pretty smart. They will change their behaviors and even though there have been some gains initially, ultimately the bad guys go find some other path of least resistance. One of my concerns, again referring back to this broad definition of spoofing, is that they may go legitimately get some numbers from a legitimate carrier and abuse those numbers, and if you’re looking at it just from an event-based perspective, it looks okay, it looks like a normal number, it looks like a power user or maybe an SMP line. But if you’re actually looking at the content, or the payload of the audio, then you can discern that this is problematic.
I think we're going to see a shift in the behavior of the bad guys that are going to require a shift of the white hats to have a different approach than just relying on STIR/SHAKEN alone. So far it's made a difference, it’s already making a positive impact. As I said, it’s a good thing for the industry, it’s table stakes, but it’s definitely not enough.
Molly Weis: Well, Gerry, we would love to have you back for another episode when we've got a little bit more empirical data to start going through, so mark your calendars, you're coming back. At this time, we're right at the end of the half-hour so I’d like to thank everyone so much for joining us today on another episode of Tuesday Talks. We hope to see you all again on Tuesday, July 27th, where we will be joined by Frank Pettinato of Avantive Solutions to talk about RCD (rich call data), branded calling, and how all of that technology is rolling out so far. Thank you very much.