FCC Addresses Robocalling – But Questions Remain

Robocalls and text spam – often in the service of widespread fraud campaigns – continue to persist, dogging consumers despite the existence of the national Do Not Call registry and efforts like the Truth in Caller ID Act. In an effort to alleviate the situation, Federal Communications Commission Chairman Ajit Pai has issued a proposal to limit where and how spammers can get in touch.

Some researchers, however, would like more details.

The proposal includes a recommendation for a reassigned-number database, which will let legitimate businesses check whether a number they thought they had permission to use has been reassigned to a new wireless customer.

Calls to reassigned numbers can be a significant problem for those receiving the unwanted calls, those missing the calls they asked for, and for legitimate businesses making calls for which they have prior consent. Millions of phone numbers are reassigned each year and often, consumers don’t tell their contacts of the change.

To prevent mistaken calls, the draft order would establish a single, comprehensive database of reassigned numbers based on information provided by phone companies that obtain North American Numbering Plan U.S. geographic numbers.

“This database would help legitimate callers know whether telephone numbers have been reassigned to somebody else before calling those numbers, so they can direct their calls to parties who asked for them rather than individuals who have subsequently obtained those reassigned numbers,” the FCC noted in its statement on the effort.

The second part of the scheme is to ensure that wireless providers are authorized to take measures to stop unwanted text messaging. This would be done by formally ruling that text-messaging services are information services, not telecommunications services, thus allowing carriers to implement robotext-blocking, anti-spoofing measures and other anti-spam features.

“Combating robocalls is our top consumer protection priority, and these proposals are a significant step forward in that effort,” Pai said. “I am calling on the FCC to take additional measures to combat these calls and also to prevent a flood of spam robotexts from clogging Americans’ phones.”

He added, “Americans rely on and trust text messaging. That’s why we need to act to prevent a deluge of spam texts and scam messages.”

The FCC will consider the proposal at its next Open Commission Meeting on December 12.

The concern isn’t simply theoretical. For instance, YouMail, which tracks robocalls, recently said that phony calls targeting consumers shopping for health insurance are at an all-time high: The firm counted 500 million such calls in October alone. Overall, robocalls surpassed the 5 billion mark last month, most since YouMail started tracking them in 2015.

The scam tries to convince people that they need to shop healthcare plans – all in a quest to either harvest personal information that can be used for identity theft or sell sham plans that offer little to no protection.

“Open enrollment window is here. Insurance policies have all been reduced nationwide,” says one scam call, logged by YouMail. “You can now get a great insurance plans at the price you can afford. We make it hassle free to sign up with the policies from Signa Blue Cross Etna United and many more. Press one now to get a hassle-free assessment or press two to be placed on our do not call list. Thank you and it’s always be happy blessed.”

Meanwhile, Truecaller, a spam-blocking app software company, found in a study this spring that consumers receive an average of 23 spam calls per month, up from 18.8 in 2017. Overall, it detects over 2 billion spam calls per month.

Anthony James, vice president of CipherCloud, told Threatpost that he characterizes the robocall menace as “unmanageable and growing in scale on an annual basis.”

“The Federal Trade Commission receives over 375,000 complaints per month about automated robocalls,” he said. “This is up from over 60,000 calls per month received in 2009. Numbers entered in the registry that should not be called are ignored by unscrupulous parties and solicited continually from variety of changing phone numbers, both blocked and unblocked. These calls are sometimes used to support fraudulent activities. The proposal addresses the problem head-on. This is the right step forward and we need to make sure this happens in a timely way.”

The text-spam issue is no less concerning, he added.

“New SMS targeted malware, such as ExpensiveWall, has created a growing cascade of fraudulent SMS messages designed to defraud consumers,” he told Threatpost. “Once an infected or fake application is loaded onto the mobile phone, the device then sends messages to fake fee-based services without the knowledge of the users. The new FCC proposals will support and assist the carriers in taking action against the fake fee-based services and then shutting down the fraudulent message traffic.”

While the FCC’s efforts are welcomed, the short website notice offers few details and thus gives rise to a few unanswered questions, according to researchers.

For instance, Sam Cook, a privacy advocate with Comparitech.com, said that the proposal leaves out whether the FCC plans to address what he considers to be the biggest problem: number spoofing.

“The FCC’s proposal is a step in the right direction, but re-assigned numbers are not the biggest part of the problem. Spoofed numbers are a bigger concern,” he told Threatpost. “Many of the phone numbers are spoofed, and some are even currently assigned to legitimate individuals but are still spoofed using VoIP and other methods.”

When Cook evaluated his own phone spam problem using a year’s worth of data, he found that the vast majority of it was from NPA-NXX spoofing, also known as neighbor spoofing. In other words, the number shown on Caller ID looks like a local number from one’s own area code and local exchange.

“Fraudsters have turned to spoofing local numbers because individuals are more likely to pick up the phone if it’s coming from a local number,” Cook explained.

Over a 365-day period for which he recorded data from his phone’s call history (August 23, 2017, through August 22, 2018), he received 876 phone calls, or an average of about 2.4 phone calls per day. Of those, over 82 percent were either identifiable or suspected spam. A third of them came from neighbor-spoofed numbers.

In addition to more work needing to be done on the caller ID front, there are other considerations that still need to be taken into account.

Ray Pompon, principle threat research evangelist at F5 Networks, told us that the language the FCC is using is a bit vague.

Regarding the database, “what’s a legitimate business and how can we tell? I pretty much guarantee the list of suspicious numbers will instantly be available for the fraudsters to check if they’ve been blacklisted first,” he said. “It’s just like how malware writers check their software with all available anti-virus packages first before releasing them on victims. It’ll raise the bar, but not by much.”

He added that there could be unintended consequences when it comes to false positives.

“It’s going to be an interesting push-pull of false negatives (we let a real spam text message through) versus false positives (how do legitimate text messages get out of spam jail?),” he told Threatpost. “Here’s hoping it sparks innovation in the private sector to create new mechanisms to manage this in a way that’s not more trouble than it’s worth.”

As for cybersecurity implications, Cook also noted a potential privacy concern with the proposed database.

“The biggest question is how those reassigned numbers are going to be identified in the database,” he said. “Will they come with identifying information? There are still a lot of unknowns from a cybersecurity standpoint. From the way Mr. Pai describes it, the cybersecurity implications would be hard to assess until we have more information regarding how it works.”