Fixing Call Spoofing

Over the past few years I’ve received fewer spam phone calls on my cellphone than in the past, but I’ve noticed an uptick recently. It’s an irritant for me, but a severe problem for others – most of those calls are scams rather than ads, and vulnerable people do fall for them. Do Not Call registries only help to a certain extent, particularly as it is hard to enforce the rules against illicit calls when the call is made via VoIP and is coming from another country.

A potential solution to this could look something like SSL for websites. SSL (Secure Sockets Layer) is used when you access a website via “https” rather than “http”. Most modern browsers show an indicator next to the URL that lets you know whether or not the website is “secure” (at least in the sense that there’s some verification of who owns the site, as well as an encrypted connection between your browser and the web server that is difficult for a third party to read).

Implementing a certificate system on phones would require a bit of coordination between various parties: the providers of cellphone software (i.e. Google and Apple), potentially the manufacturers of the phones, as well as the telcos themselves. It could be done though, in the same way that there now are global standards for how phones operate.

The way it would work would be relatively simple. When a telco rents/sells somebody a phone number, they would also issue a digitally signed certificate that validates the number (more specifically, there would need to be some form of trusted signing chain, just like with SSL).

For cellphones, the new certificate would be installed on the device. For a call center, it would be attached to the call software. For landlines, the phone service provider would likely have to attach the certificate to the call at their end; alternatively, this could be installed in a VoIP modem (few people still use plain old telephone service in North America).

When somebody makes a call, the certificate would be inserted as metadata, just as the caller identity is now. This might require a modification to standards.

When the phone at the other end rings, a “lock” icon would then appear to indicate whether or not the person or entity at the other end actually has a valid right to use that particular phone number.

Possibly, phone companies could even allow people to automatically block any spoofed incoming call that does not have a valid certificate.
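
The issuance, call metadata and lock check described above, shown in Go as an added example that is not part of the original post. The `Link` type, the function names, the use of Ed25519 signatures, the `from>to` message format, the "ExampleTel" name and the phone numbers are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Link is one signed statement in the chain root -> telco -> number -> call.
type Link struct {
	Subject string            // telco name, phone number, or "from>to" for the call
	Key     ed25519.PublicKey // subject's public key (nil on the call link)
	Sig     []byte            // made by the key one level up
}

func (l Link) body() []byte { return append([]byte(l.Subject+"|"), l.Key...) }

// Issue creates a link for subject/key signed with the issuer's private key.
func Issue(issuer ed25519.PrivateKey, subject string, key ed25519.PublicKey) Link {
	return Link{subject, key, ed25519.Sign(issuer, Link{subject, key, nil}.body())}
}

// Locked is the receiver's check behind the "lock" icon: every link must be
// signed by the key above it, and the number link must match the caller ID.
func Locked(root ed25519.PublicKey, from, to string, chain [3]Link) bool {
	key := root
	for _, l := range chain {
		if len(key) != ed25519.PublicKeySize || !ed25519.Verify(key, l.body(), l.Sig) {
			return false
		}
		key = l.Key
	}
	return chain[1].Subject == from && chain[2].Subject == from+">"+to
}

// Demo uses constructed keys and numbers and returns the two lock verdicts.
func Demo() (genuine, spoofed bool) {
	rootPub, rootKey, _ := ed25519.GenerateKey(nil)
	telcoPub, telcoKey, _ := ed25519.GenerateKey(nil)
	alicePub, aliceKey, _ := ed25519.GenerateKey(nil)
	malPub, malKey, _ := ed25519.GenerateKey(nil)
	from, to := "+12025550100", "+12025550199"
	telco := Issue(rootKey, "ExampleTel", telcoPub)
	good := [3]Link{telco, Issue(telcoKey, from, alicePub), Issue(aliceKey, from+">"+to, nil)}
	// The spoofer shows Alice's number but can only self-sign the number link.
	bad := [3]Link{telco, Issue(malKey, from, malPub), Issue(malKey, from+">"+to, nil)}
	return Locked(rootPub, from, to, good), Locked(rootPub, from, to, bad)
}

func main() { fmt.Println(Demo()) }
```

The call link here covers only the two numbers; signing a timestamp or nonce as well would keep captured metadata from being replayed on a later call.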

All of the above will not entirely eliminate call spoofing or scams (just as SSL doesn’t prevent numerous web-related issues), but it would almost certainly cut the rate down.

Thoughts?