The UK telecommunications regulator, Ofcom, has reportedly taken radical action to curb the plague of scam calls, which it is attempting to achieve by “ordering” major phone operators to automatically block any “suspicious” Voice-over-Internet (VoIP) calls that come from abroad if they pretend to come from numbers in the UK.
Most of the major UK broadband, phone and mobile network operators have already implemented technical measures to tackle Nuisance Calls, but these aren’t always 100% effective and there are still plenty of operators – particularly smaller providers and some VoIP firms – that don’t do enough.
Last week, Ofcom reported that an estimated 44.6 million UK people may have received scam calls and text messages during the past three months alone. Sadly, around 2% of those who received such a message or call (roughly 1 million people) reported following the scammers’ instructions.
However, stopping such abuses – without a strong degree of international cooperation and coordination – is technically very difficult to achieve and often risks catching masses of legitimate calls. But according to the BBC, the regulator is attempting to block “suspicious international calls” at source, where they are masked by a UK number.
Lindsey Fussell, Ofcom’s Networks and Comms Group Director, said:
“We’ve been working with telecoms companies to implement technical solutions, including blocking at source, suspicious international calls that are masked by a UK number. We expect these measures to be introduced as a priority, and at pace, to ensure customers are better protected.”
At this point we haven’t seen any useful technical details on the approach being taken here or precisely what Ofcom has requested operators to do, which makes for somewhat of a guessing game. But much may well depend upon how Ofcom and the operators decide that such calls should be deemed “suspicious,” prior to any block being introduced.
Presently, unless a particular number has already been identified as causing abuse (e.g. following consumer complaints and other threat intelligence) or is being monitored for lawful security reasons, then operators tend not to inspect such traffic and will allow it to pass through their networks unabated. Spoofing UK numbers is also fairly easy to achieve, which helps to make scam calls look more credible to consumers.
According to Matthew Gribben, a former consultant to the UK government’s intelligence agency (GCHQ): “It’s fundamentally the foreign VoIP providers that are technologically enabling these gangs to operate, so [Ofcom’s move] will make a huge dent in this. It doesn’t fix everything, but it’s an excellent step in the right direction.”
One other way of tackling this issue would be a new telephone identification protocol, which can help operators to authenticate that all calls and text messages come from a real number. The Internet Engineering Task Force (IETF) has been attempting to do this via its suite of STIR/SHAKEN protocols (i.e. STIR = Secure Telephony Identity Revisited / SHAKEN = Signature-based Handling of Asserted information using toKENs), but so far it’s been mostly focused upon the USA and Canada.
The EU are also tentatively investigating adoption of STIR/SHAKEN, while Ofcom has already said that this might not be possible in the UK until after December 2025, which is the date by which all of Openreach’s traditional phone (voice) services are supposed to have been migrated over to a modern all-IP (Internet Protocol) based network.
Meanwhile, the biggest question mark over Ofcom’s new approach is currently centred around whether they’ve done enough to avoid the new measure obstructing legitimate voice calls. Easier said than done. Many VoIP networks are international in nature and so it’s not always as simple as highlighting “foreign calls”, since many legitimate businesses and individual VoIP customers may still be UK based, even if the traffic appears to be external.
In short, some degree of overblocking could be inevitable. But once again, we haven’t seen any details of how they’re doing this, yet.
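The rule as reported (a UK caller ID arriving over an international route) can be sketched as follows. This is an added example, not Ofcom's or any operator's actual logic, which has not been published; the trunk names, the verified-partner allowlist and the sample calls are constructed assumptions.

```python
import re
from dataclasses import dataclass

UK_CC = "44"

# Constructed trunk inventory: name -> True if it is an international gateway.
TRUNKS = {"uk-carrier-a": False, "intl-gw-1": True, "intl-gw-partner": True}
# Hypothetical allowlist: international trunks whose UK CLIs are verified by contract.
VERIFIED_INTL = {"intl-gw-partner"}

@dataclass(frozen=True)
class Call:
    ingress: str  # trunk the call arrived on
    cli: str      # caller ID exactly as presented

def normalise_cli(raw):
    """Return the CLI as E.164 digits without '+', or None if withheld or malformed."""
    s = re.sub(r"[\s().-]", "", raw or "")
    if s.startswith("+"):
        s = s[1:]
    elif s.startswith("00"):
        s = s[2:]
    elif s.startswith("0"):
        s = UK_CC + s[1:]  # assumption: a bare national format is a UK number
    return s if s.isdigit() else None

def screen(call, verified=VERIFIED_INTL):
    """Decide 'allow' or 'block' for one inbound call."""
    if not TRUNKS.get(call.ingress, True):  # unknown trunks count as international
        return "allow"                      # domestic ingress: rule does not apply
    cli = normalise_cli(call.cli)
    if cli is None or not cli.startswith(UK_CC):
        return "allow"                      # no UK number presented: outside this rule
    if call.ingress in verified:
        return "allow"                      # UK CLI vouched for by a verified partner
    return "block"                          # UK CLI from an unverified foreign route

# Constructed sample calls. UK numbers use Ofcom's reserved drama ranges;
# the +31 number is made up.
SAMPLE = [
    Call("uk-carrier-a", "01632 960001"),      # ordinary domestic call
    Call("intl-gw-1", "+44 1632 960002"),      # UK number arriving from abroad
    Call("intl-gw-1", "0044 7700 900003"),     # same rule hit; could be a UK customer
                                               # of a foreign-hosted VoIP provider
    Call("intl-gw-partner", "+441632960004"),  # foreign-hosted provider on the allowlist
    Call("intl-gw-1", "+31 20 555 0100"),      # genuinely foreign CLI
    Call("intl-gw-1", ""),                     # withheld CLI
]

def run_sample():
    return [screen(c) for c in SAMPLE]

if __name__ == "__main__":
    for call, decision in zip(SAMPLE, run_sample()):
        print(f"{decision:5}  {call.ingress:16} {call.cli!r}")
```

Calls two and three are indistinguishable to this rule, which is the overblocking risk described above; the allowlist used by call four is one way an operator could carve out verified providers.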
UPDATE 5:06pm
We’ve had a comment from broadband ISP TalkTalk, which confirms that they’re the first provider to implement the aforementioned change.
Mark Johnson, Head of Customer Security at TalkTalk, said:
“This is a major step towards protecting UK consumers from foreign fraud and scams. TalkTalk implemented technology to block suspicious international calls masked by a UK number in 2019 and we immediately saw a 65% decrease in the number of complaints about scam calls.
In early 2020 we began discussions with Ofcom for this to become a requirement in the industry, so we are delighted to see the regulator encouraging providers to follow our lead and implement more effective blocking solutions. Keeping our customers safe is our number one priority at TalkTalk and we’re proud to be the first communications provider to implement these measures.”
The most obvious thing to have done in the last 20 years but it’s unbelievable it took 20 years to do it. But why do this “block any “suspicious” Voice-over-Internet (VoIP) calls that come from abroad if they pretend to come from numbers in the UK.”
Why not just block all VOIP from outside of Europe? And you can manually enable it on your line if you want to. Every time it will be a scammer.
“Why not just block all VOIP from outside of Europe?”
So you’d want to ban legitimate Skype, Microsoft Teams etc calls from overseas?
“Why not just block all VOIP from outside of Europe? And you can manually enable it on your line if you want to. Every time it will be a scammer.”
Precisely because such statements are completely wrong. Why do you think all non EU/UK calls will be from scammers? How about holidaymakers trying to contact families, UK outsourced call centres, all sorts of international SIP trunking / VoIP setups for normal calling and the list goes on… and on..
*block
Unfortunately it is not that simple. For example Sipgate have servers abroad, so if I make a call from my home phone in the UK and that ends up routed via Sipgate services outside of the UK, when the call comes back into the UK PSTN network, it will immediately look suspicious. This is true of many VoIP suppliers, calls get routed via the Internet and can leave the UK then arrive back in the UK from almost anywhere, and so will be a UK caller ID that appears to have arrived from a foreign destination.
If I had the option I’d happily bar all incoming calls from non-uk numbers, no matter if they were VoIP or fixed, CLI of a UK number or not.
I have nobody abroad I want to talk to, and if companies want to call me I guess they will have to use their UK staff. I can’t think of many scenarios I *want* to talk to foreign call centres that call me, it’s generally for their benefit not mine.
My thoughts are exactly the same as Rich’s. And the claim of what about outside UK call centres. How many times do they call you legitimately? It is a never for me. My two Banks no longer want to call landlines now and want to only deal with you through your mobile.
The only inbound calls I get are from relatives, GPs/Dentists/DWP when out of work and scammers. If I was allowed an option to block incoming calls from abroad I would be happy. But I have a Truecall call blocker that I needed to pay £100 and £20 a year subscription to do it.
Stir/Shaken offers Europe a chance to learn and implement from the US networks. I think a variation of that model will be implemented with “validation” services becoming a new product in the Wholesale market.
Unless fines are handed out we’ll see some UK smaller carriers continue to pass calls on (into the PSTN) because it makes them some money. It’s (in theory) the last days (Ok maybe not days but 2-3yrs) of unchecked calls so they will just milk that final opportunity.
It’s ridiculous how many scam calls and e-mails you get in this country.
This relates to VoIP but again this morning received a Hermes scam on my mobile using the +44 7305 range originally allocated to Vodafone (now dispersed due to number mobility) despite all the assumed mobile authentication. CLI is clearly useless and VoIP can only get worse as a good percentage of people (9m?) transfer from PSTN or VoBB (fixed location VoIP) to other voice options.
Surely it is technically possible to verify using the same verification for the outgoing routing of calls to identify the current owning network of the number and display or filter if the originating provider/country of origin on an incoming call is different. In addition customer controlled blanket filters that inhibit calls say from outside the UK, outside Europe with specific allow lists. e.g. I go on holiday to Greece, enable roaming and calls to and from Greece.
My view is that initiatives need to be technology independent whether GSM, VoLTE, VoIP, VoBB and better “Truecall” etc is required on PSTN whilst it remains.
“Surely it is technically possible to verify using the same verification for the outgoing routing of calls to identify the current owning network of the number and display or filter if the originating provider/country of origin on an incoming call is different.”
Nope. We’re a carrier and have interconnects with 3 other carriers (let’s call them A B and C). We get an inbound call from carrier Z. It could arrive via A B or C, and outbound we could send via A B or C. There is nothing useful here to validate with. We can validate the customer’s CLI (as we have direct connections to them) but that’s it.
Thanks I’ll bow to your expertise but I was not referring to what is there in the current international signalling and CLI standards but rather what could be and that we need a number of innovative steps taken to minimise the issue.
As an example my understanding is that if you have an outgoing call from your network to say +44 7305297500 you have to determine the outgoing routing either direct to say Vodafone, Sky or possibly to BT IP exchange or equivalent. You will determine the CLI to apply which will include the Network Number segment of the CLI.
As a customer I would like “the systems” to check the Network Number on the CLI and if it is invalid against +44 or coming in from an inappropriate network (say abroad) to be blocked. Now that may catch the guy in a Motorhome touring Europe etc but my view is that I as a customer should determine whether I want to receive a +44 call that is not originating from its home provider servers (VoIP or VoLTE), those missing a CLI altogether or re-written to 08979 but allow specific numbers through on an exception list.
This should go into the too hard box.
This should NOT go into the too hard box
I think we need a system of authentication and white listing. An analogy would be HTTP/HTTPS, where HTTP is now untrusted and a massive red flag.
For instance, let’s say all calls within the UK from authenticated providers (who can be legally obligated to do this under the laws here) are permitted, and everything else would be dropped by default. Now let’s say HSBC wants to call their customers from India, which is entirely legitimate. HSBC can be authenticated and whitelisted, effectively digitally signing the call as a legitimate HSBC call.
Some random Indian scammer pretending to be HSBC wouldn’t pass the checks, so the call would be automatically rejected.
Obviously the exact implementation would be far more complicated, but for someone like me I should have the option of blocking any call not originating from the UK, except for a small handful of organisations where it would legitimately originate elsewhere.
Good. 100% of them come from India. The Indian cyberpolice don’t give two hoots in fact I think they’re probably complicit in it.
Instantly ban Indian VOIP numbers presenting as real UK numbers.
Not quite true. Indian police are and have been taking an aggressive stance on scammers.
Also, VoIP in India is fairly regulated and strict. Most use VPNs to use US/Canadian services like “Text Now”, Twilio etc. Worth watching some of the scam baiter videos to get a deeper insight.
Blocking VoIP that comes from India wouldn’t have the greatest impact, if any at all which is why blocking all non-UK transits from presenting a UK number would help massively but then also capture legitimate traffic too.
I have read stories that the same call centres in India that offer support for your bank and mobile company are the exact same centres/buildings also hiring staff to pretend to be Microsoft and BT saying you have a virus. It just shows you how much banks/phone providers could care less about data protection if they know they are paying criminals.
The proposal to block all calls coming in to the UK from abroad that have a UK CLI sends the shivers down my spine.
I am using FreeVoipDeal for all my outbound calls, at a fraction of the price what I would pay if they went out on my Plusnet landline. The called party can see my genuine UK landline number, so they can see who’s calling and ring back if desired. On signing up with FreeVoipDeal, the CLI gets verified through an automated return call to the number you supply. So, no chance to spoof a number.
Now, FreeVoipDeal SIP servers are located abroad (Netherlands, Switzerland etc.), so if these measures are implemented, I fear that I will no longer be able to make VoIP calls to UK numbers. Even switching to Sipgate won’t help – their servers are in Germany.
If one believed in conspiracy theories, then one would think that blocking scams is just being used as an excuse to cut cheap VoIP providers out and get people to use UK based Telcos (and pay through the nose).
VoIP spam is not a new problem, RFC5039 was published in January 2008 and discusses different approaches to tackling the problem. Have those who are calling for these draconian measures done their homework and researched alternatives?
There is nothing stopping someone using AWS ie(eu-west-2) set up server as an outpoint VPN. There you are it looks like you’re now in UK. Then connect to a VoIP provider, to that VoIP provider you seem to them making connection to them within UK.
Signing the SIP call setup is the only way to verify authenticity of its origin.
Knowing what to do is the easy part.
The issue is the geopolitical management of the trust mechanism to verify it and the administration and costs to operate it.
Much like SSL certificates in browsers were originally envisaged that you pay a fee to undergo a vetting process (know your customer, identity check) to be issued a certificate for a year for your website. The issuing Certificate Authority was meant to act as a trusted middleman.
The problem with the web browser model is that all CAs were created equal and have equal trust. Which is a problem when a nation state can force a CA inside their jurisdiction to issue an arbitrary certificate to fake an identity. This was done for Gmail.com during the Middle East unrest, Google has since taken action to protect Chrome.
However there needs to be a trust anchor per country, one that falls inside the jurisdiction of the appropriate telecoms regulation entity for that country.
I believe the once upon a time functional NominetUK may have once been considered an authority up to such a job. Indeed they have an ENUM initiative from almost 20y ago that might be helpful to update to modern times, that could use the existing DNS systems to map E.164 telephone numbers to domain names.
I assume having a reverse registry is a small step, they have identity management processes already, most transactions and management done online, call centre, etc…
Given we have DNSSEC now operational to secure data distributed via DNS.
Given it may be a small step for a SIP handset to support all that is needed on the device, the verification and lookup process are relatively lightweight and use protocols already implemented on device.
The only thing that is missing would be some kind of downvote button. That is the ability of a call receiver to mark that call just received as SPAM with an interested overwatch system.
Which would then lead into multiple trust bureaus popping up that attempt to manage the grey area, trustworthiness of calls originating from other countries.
The receiver can describe their own personal policy.
In this day and age it may be most people will have a simple policy to only trust identity verification from the body responsible for it within their own respective country issued to an entity within their own respective country.
The problem as always is there is a vested interest in getting as many billable call minutes as possible. That is how telecoms money is made. So don’t expect telecoms operators to solve this concern.
Looks as if BT/Plusnet have implemented something already:
Calls from my foreign hosted VoIP account now show up as INTERNATIONAL 01268xxxxxx, rather than 01268xxxxxx.
On my mobile (1p/EE), the number still shows correctly in national number format.
I just had one now, claiming to be from BT OpenReach and that ‘they have noticed problems on my ADSL line’.
They seem to be calling from withheld numbers now. Is this a workaround?
1. instead of spying on our own citizens, gchq prioritises tracing scam call centres.
2. sign agreement with india that unless the sas have freedom to raid scam call centres, NO indian call centres will be allowed to do outsourcing from uk companies.
3. sas breach, bang, and bag the scammers.
4. if india does not cooperate, we stop all commercial relations and cut internet and telecoms connections to them completely. we also repatriate our indian guests.
5. either way, we profit