Ofcom UK Test New Way to Detect and Block Spoofed Numbers
Ofcom has today begun seeking feedback from the industry on the potential future adoption of Calling Line Identification (CLI) authentication, which – once the UK has fully transitioned to digital landlines – could be adopted as a new approach to detecting and blocking “spoofed” (fake) phone numbers.
The regulator has already taken some big steps to tackle the problem of fake phone numbers and spoofed calls, which often fuel nuisance and scam calls. At the end of last year, they began requiring all telephone networks involved in transmitting calls – either to mobiles or landlines – to identify and block spoofed calls, albeit only “where technically feasible” to do so (here). The move was designed to improve the accuracy of Calling Line Identification (CLI) data.
Ofcom gave providers six months to implement their changes (until 15th May 2023), which they believe should be “sufficient time to make the necessary technical changes.” Some broadband ISPs, such as TalkTalk, had already implemented this voluntarily and the changes were delivering positive results (i.e. a 65% reduction in complaints about scam calls). BT also saw positive results.
Advertisement
The difficult with all this stems from the inherent problem of implementing such changes, without also over-blocking legitimate voice calls, which is easier said than done. However, there are limitations to what can be done here, particularly while the UK is still in the middle of a transition from analogue to IP-based (digital) phone services, which is due to complete on Openreach’s network by the end of 2025.
However, the UK’s transition to digital phone services also opens up the possibility of adopting an approach similar to the suit of STIR / SHAKEN protocols used in the USA and Canada (i.e. STIR = Secure Telephony Identity Revisited / SHAKEN = Signature-based Handling of Asserted information using tokens), which can help operators to authenticate that all calls and text messages come from a real number.
Ofcom’s proposed approach to CLI authentication (CLIa) essentially follows a similar mould to STIR / SHAKEN, albeit while learning a few things from its implementation in other countries.
Advertisement
Ofcom’s Proposal
We already have initiatives in place to reduce scam calls and texts. These are being implemented now and offer some immediate benefits to consumers. However, although these interventions will hinder specific scam methodologies, scammers can and do change their methods in order to circumvent them.
Industry initiatives such as call filters, phone apps and blocklists help to address the challenge to some extent, but these are likely to be insufficient in tackling the problem of number spoofing. For example, some solutions may rely on consumer adoption and are unlikely to become ubiquitous. Even when used, technical limitations can make them less effective in preventing scams. While other initiatives to combat scam calls are planned or in early stages of implementation by individual providers, it is unclear at this stage how successful they will be. Scammers may also seek to bypass any measures introduced, requiring a more comprehensive solution. We therefore foresee that further regulatory intervention might be needed.
In 2019, as part of our consultation on promoting trust in telephone numbers1, we considered CLI authentication, although having taken account of the consultation responses, we decided not to pursue CLI authentication at that time. Since then, we have observed the experiences of other countries which have started to introduce approaches to CLI authentication, and the NICC (an industry group) has further considered how CLI authentication might be introduced in the UK. We also note that UK providers are moving to using Voice over IP to carry calls, a significant system change which allows for new approaches to countering scam and nuisance calls. As a result, now is the right time to look again at the potential role of CLI authentication in tackling spoofed calls.
Our suggested approach to how CLI authentication might operate in the UK would lead to originating providers attesting that the numbers used by their customers (for almost all +44 calls) are legitimate in order to ensure that the terminating provider accepts the call and passes it to their customer. In the absence of this attestation, terminating providers would not be expected to accept and connect the call by default.
We recognise that there will be certain circumstances where, although attestation would be desirable, it may not be possible, and there will be a need to connect legitimate calls which may not have attestation. However, connecting calls without attestation creates the risk of loopholes that could be exploited by scammers. Therefore, our view of how CLI authentication could work seeks to balance the need to connect legitimate calls with the need to minimise any gaps in the system. We have also considered how the attestation regime might be policed to ensure compliance with the rules. We seek stakeholders’ views on the completeness, workability and potential effectiveness of these suggestions.
Finally, if introduced, CLI authentication may lead to easier detection of regulatory breaches and scam callers through more rapid identification of the originating provider of a call. This may make it easier for Ofcom, other regulators and law enforcement to pursue those responsible for making scam calls.
Ofcom are not, at present, making any specific proposals for the introduction of CLIa. But they are clearly moving in that direction of travel and seeking views on how such a system might work in the UK, and the extent to which actions providers are already taking are likely to address the problem of number spoofing.
At this stage, it’s not clear if the regulator will find a case for requiring the implementation of CLIa, but we wouldn’t be surprised if they do. The consultation can be found here, and Ofcom is seeking feedback until 23rd June 2023. But we suspect that a change like this, assuming it moves forward, will probably take several years to reach full implementation.
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook, BlueSky, Threads.net and Linkedin.
« Netomnia Add 5 New Locations to UK FTTP Broadband Rollout
About bl**dy time.
Ofcom, the Rip van Winkle of regulators.
Are they that awake?
The issue is mostly how technically difficult it is to do it because of the way telephone exchanges work. Ofcom can set any rule they like but if it can’t be implemented it’s whistling in the wind.
The signalling system used – C7 or SS7 – was designed at a time of national monopolies and telcos all knowing and trusting each other. All your telco knows is who gave the call to them, not where it originated. An international call will pass through multiple telcos before reaching your one. If your incoming international call is passed to your telco from another UK one, all they know is that it came from a UK telco and has a UK CLI. Nothing else. No indication of the route it took to get there, how many telcos have passed it on or where it actually originated from.
Changing that requires a global redesign of the telephone network and with two years left before the UK PSTN is turned off there’s not enough time to do the design, let alone implement it.
New protocols like STIR/SHAKEN will work for IP voice traffic, but for the existing telephone network I don’t believe there’s anything that could prevent these calls from being made.
Hopefully whatever system gets introduced it will be better than what they have in the US and Canada as they both have far more scam calls getting through daily than the UK currently does per person.
What I have noticed for about the last two months now is all of these scammers based out of India etc are seemingly all phoning from mobile numbers now. So I am not sure if this plan will even fix that.
Don’t worry, Ofcom will develop a plan to fix that. In 2050.
Just keep them on the phone as long as you can, by running rings around them. Let them think you are stupid, when their phone bills become that heavy they will fade away.
Probably just a spoofed mobile number and the phone call costs nothing but their time.
I sometimes try to wind scammers up. If it is a woman, suggesting she should be ashamed of what she is doing and that her mother would be ashamed of her sometimes seems to be quite effective. One scammer even rang me back to try to convince me she was not a scammer, I think I really got to her 🙂 I could hear a bloke prompting her in the background.
I have also tried to convince one or two scammers that their call had been intercepted by Action Fraud and they were due to be raided by their regional police, I think one even looked action fraud up on the net.
“Just keep them on the phone as long as you can, by running rings around them. Let them think you are stupid, when their phone bills become that heavy they will fade away.”
Amusing fun if you’ve got the time and I have done it myself (best I could manage was stringing them along for 21 minutes, acting the part of a slightly dim, technically inept pensioner), but a real risk is that they will then spoof YOUR mobile number for future scam calls, and then you’re open to people who don’t understand spoofing phoning you back, or making nuisance calls to you. I’ve had this happen, although fortunately the blow-back was very small and didn’t go on for more than a couple of days, probably as they’d moved on to spoof somebody else.
There should just be no UK CLIs allowed from offshore callcentres.
Yes, large businesses will not like this, but they can onshore their call centres or lump it.
There should just be no UK CLIs allowed from offshore callcentres.
Yes, large businesses will not like this, but they can onshore their call centres or lump it.
hi may name is Mr Charles Griffiths and I keep getting scam calls and virgin media won’t block them we have asked for the spam calls to stop and they won’t put a block on so is ther any way of stopping this on my home fone
Others may chip in with better advice with dealing with Virgin, however, I purchased a call screening landline phone for my grandmother, and it works very well. You need to have caller ID active on your line, but when an incoming call comes in, the phone answers, and prompts the caller to state their name, then the landline rings, and you can accept or decline the call based on the name stated. If you accept, that number gets stored as “safe” in the phone, and lets that call through next time. In the two years she’s had it, she’s not received a single spam call. Best £50 I’ve spent for 3 handsets.