AT&T and T-Mobile team up to fight scam robocalls

Two major U.S. carriers, AT&T and T-Mobile, announced this morning a plan to team up to protect their respective customer bases from the scourge of scam robocalls. The two companies will today begin to roll out new cross-network call authentication technology based on the SHAKEN/STIR standards — a sort of universal caller ID system designed to stop illegal caller ID spoofing.

Robocalls have become a national epidemic. In 2018, U.S. mobile users received nearly 48 million robocalls — or more than 150 calls per adult, the carriers noted.

A huge part of the problem is that these calls now often come in with a spoofed phone number, making it hard for consumers to screen out unwanted calls on their own. That’s led to a rise in robocall blocking and screening apps. Even technology companies have gotten involved, with Google introducing a new A.I. call screener in Android and Apple rolling out Siri-powered spam call detection with iOS 13.

To help fight the call spoofing problem, the industry put together a set of standards called SHAKEN/STIR (Secure Telephony Identity Revisited / Secure Handling of Asserted information using toKENs), which effectively signs calls as “legitimate” as they travel through the interconnected phone networks.

However, the industry has been slow to roll out the system, which prompted the FCC to finally step in.

In November 2018, FCC Chairman Ajit Pai wrote to U.S. mobile operators, asking them to outline their plans around the implementation of the SHAKEN/STIR standards. The regulator also said that it would step in to mandate the implementation if the carriers didn’t meet an end-of-2019 deadline to get their call authentication systems in place.

Today’s news from AT&T and T-Mobile explains how the two will work together to authenticate calls across their networks. By implementing SHAKEN/STIR, calls will have their Caller ID signed as legitimate by the originating carrier, then validated by other carriers before they reach the consumer. Spoofed calls would fail this authentication process, and not be marked as “verified.”

As more carriers participate in this sort of authentication, more calls can be authenticated.

However, this system alone won’t actually block the spam calls — it just gives the recipient more information. In addition, devices will have to support the technology, as well, in order to display the new “verification” information.

T-Mobile earlier this year was first to launch a caller verification system on the Samsung Galaxy Note9, and today it still only works with select Android handsets from Samsung and LG. AT&T, meanwhile, announced in March it was working with Comcast to exchange authenticated calls between two separate networks — a milestone in terms of cooperation between two carriers. T-Mobile and Comcast announced their own agreement in April.

 

 

FTC, Justice Dept. take coordinated action against robocallers

Federal authorities have announced their latest crackdown on illegal robocallers — taking close to a hundred actions against several companies and individuals blamed for the recent barrage of spam calls.

In the so-called “Operation Call It Quits,” the Federal Trade Commission brought four cases — two filed on its behalf by the Justice Department — and three settlements in cases said to be responsible for making more than a billion illegal robocalls.

Several state and local authorities also brought actions as part of the operation, officials said.

Each year, billions of automatically dialed or spoofed phone calls trick millions into picking up the phone. An annoyance at the least, at worst the calls trick unsuspecting victims into turning over cash or buying fake or misleading products. So far, the FTC has fined companies more than $200 million but only collected less than 0.01% of the fines because of the agency’s limited enforcement powers.

In this new wave of action, the FTC said it will send a strong signal to the robocalling industry.

Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said Americans are “fed up” with the billions of robocalls received every year. “Today’s joint effort shows that combatting this scourge remains a top priority for law enforcement agencies around the nation,” he said.

It’s the second time the FTC has acted in as many months. In May, the agency also took action against four companies accused of making “billions” of robocalls.

The FTC said its latest action brings the number of robocall violators up to 145.

Several of the cases involved shuttering operations that offer consumers “bogus” credit card interest rate reduction services, which the FTC said specifically targeted seniors. Other cases involved the use of illegal robocalls to promote money-making schemes.

Other cases included actions against Lifewatch, a company pitching medical alert systems, which the FTC contended uses spoofed caller ID information to trick victims into picking up the phone. The company settled for $25.3 million. Meanwhile, Redwood Scientific settled for $18.2 million, suspended due to the inability of defendant Danielle Cadiz to pay, for “deceptively” marketing dentistry products, according to the FTC’s complaint.

The robocalling epidemic has caught the attention of the Federal Communications Commission, which regulates the telecoms and internet industries. Last month, its commissioners proposed a new rule that would make it easier for carriers to block robocalls.

Robocaller firm Stratics Networks exposed millions of call recordings

If you’ve ever had a voicemail appear out of nowhere, there’s a good chance Stratics Networks was involved.

The Toronto-based company is the self-proclaimed inventor of “ringless voicemails,” providing its customers a way of auto-dialing a list of phone numbers and dropping voicemails without leaving a missed call. The system uses a backdoor voicemail number typically reserved by the carrier to leave a voicemail directly in a person’s mailbox. The company once claimed it can process up to 10,000 ringless voicemails per minute — if you pay for it.

But the company left its back-end storage server open without a password, exposing thousands of outgoing and incoming recordings.

Security researcher John Wethington found the exposed server and asked TechCrunch to contact Stratics to secure the data. The server, hosted on Amazon Web Services, contained at least 100,000 recordings from more than 4,000 folders, each representing a single customer campaign.

According to BinaryEdge data, the exposed server was first detected on April 5, but may have been exposed for longer.

“This data was open to anyone with a browser and required no special access or privileges,” Wethington told TechCrunch. “I genuinely hope we were the first to identify it and responsibly disclose it because if that data is in unethical or criminal hands it’s going to be abused.”

“Organizations must consider the privacy ethics and not just the regulations when offering services,” he said. “The potential for abuse and privacy violations is every corporation’s and executive’s responsibility.”

Customers use the company’s offering to leave voicemails without needing someone to call each person — from debt collectors to doctor’s offices reminding patients about upcoming appointments. Not only does the company allow customers to record outgoing voicemails to ensure a voicemail actually dropped, it also records incoming calls when someone picks up.

It was those recordings that were exposed, said Wethington. TechCrunch reviewed several folders of recordings.

In one case, we found several counties in Florida used Stratics to inform citizens that their election postal ballots were set to expire. One folder contained more than 5,200 audio recordings on callers responding to voicemail drops sent by Broward County and Hillsborough County. Of the several recordings we heard, many provided sensitive information over the phone — including their names, addresses, dates of birth and, in some cases, their voter ID numbers.

Other folders in the exposed data contained dozens of incoming call recordings from those who had been sent a voicemail drop. One of those was a law firm, which call center workers identified as Key Tax Group. Of the calls we reviewed, none knew why they were left an unsolicited voicemail but were all asked by the call center worker if they needed help with their taxes. At no point were the callers told that the calls were being recorded, despite laws in several states — like California and Maryland — mandating everyone on the same call agrees that the call can be recorded. Each recording had the unsuspecting caller’s phone number in the filename. When contacted by TechCrunch, several of the victims of the cold-call scam confirmed they lived in states with two-party laws.

And, one other company, which the call center worker identified as Michigan Comfort, received more than a hundred calls as recently as this month from people who had been dropped an unsolicited voicemail. Following much the same pattern as the law firm, those callers were asked if they were interested in “a duct inspection or a furnace rebate.”

“You shouldn’t call people out of the blue and neither should your company,” said one angry victim in a recording.

Although Stratics’ website says it “does not tolerate spam in any form,” the company puts the onus of compliance on its customers. “You are 100% liable for compliance when making calls originating under your account,” says its website.

Shortly after we contacted the company Thursday about the data exposure, the leaking server was secured.

“We take compliance and data security very seriously, and we are currently investigating to determine to what extent, if any, information has been exposed to unauthorized access,” said Chris Collins, a spokesperson for Stratics. “We have currently engaged an outside legal firm to guide us in our investigation. We are also engaging a third party cyber security firm to perform a full internal security audit.”

TechCrunch sent Stratics several questions about spam and call recording. Collins said Stratics would “block” users found in violation of its policies, and that its customers bore the responsibility to follow all local, state and federal call recording laws.

Following our disclosure, the company had pulled its “discover” section from the site. When asked, Collins said this was “to avoid our website from being overloaded” in response to this article.

We also asked how long the data was exposed, if the company will notify customers and regulators per state data breach notification laws or if anyone else had accessed the storage server.

Stratics declined to comment further.

How to stop robocalls spamming your phone

No matter what your politics, beliefs, or even your sports team, we can all agree on one thing: robocalls are the scourge of modern times.

These unsolicited auto-dialed spam calls bug you dozens of times a week — sometimes more — demanding you “pay the IRS” or pretending to be “Apple technical support.” Even the now-infamous Chinese embassy scam, recently warned about by the FBI, has gained notoriety. These robocallers spoof their phone number to peddle scams and tricks — but the calls are real. Some 26 billion calls in 2018 were robocalls — up by close to half on the previous year. And yet there’s little the government agency in charge — the Federal Communications Commission — can do to deter robocallers, even though it’s illegal. The FCC has fined robocallers more than $200 million in recent years but collected just $6,790 because the agency lacks the authority to enforce the fines.

So, tough luck — it’s up to you to battle the robocallers — but it doesn’t have to be a losing battle. These are the best solutions to help keep the spammers at bay.

YOUR CARRIER IS YOUR FIRST CALL

Any winds of change will come from the big four cell giants: AT&T, Sprint, T-Mobile, and Verizon (which owns TechCrunch).

Spoofing happens because the carriers don’t verify that a phone number is real before a call crosses their networks. While the networks are figuring out how to fix the problem — more on that later — each carrier has an offering to help prevent spam calls.

Here is what they have:

AT&T’s Call Protect app, which requires AT&T postpaid service, provides fraud warnings, and spam call screening and blocking. Call Protect is free for iOS and Android. AT&T also offers Call Protect Plus for $3.99 a month which offers enhanced caller ID services and reverse number lookups.

Sprint lets customers block or restrict calls through its Premium Caller ID service. It costs $2.99 per month and can be added to your Sprint account. You can then download the app for iOS. A Sprint spokesperson told TechCrunch that Android users should have an app preinstalled on their devices.

T-Mobile doesn’t offer an app, but provides a call screening to alert customers to potentially scammy or robocalled incoming calls. (Image: Farknot_Architect/Getty Images)

T-Mobile already lets you know when an incoming call is fishy by displaying “scam likely” as the caller ID. Better yet, you can ask T-Mobile to block those calls before your phone even rings using Scam Block. Customers can get it for free by dialing #632# from their device.

Verizon’s Call Filter is an app that works on both iOS and Android — though most Android devices sold through the carrier already have the app preinstalled. The free version detects and filters spam calls, while its $2.99 a month version gives you a few additional features like its proprietary “risk meter” to help you know more about the caller.

There are a few caveats you should consider:

  • These apps and services won’t be a death blow to spam calls, but they’re meant to help more than they hurt. Your mileage may vary.
  • Many of the premium app features — such as call blocking — are already options on your mobile device. (You can read more about that later.) You may not need to pay even more money on top of your already expensive cellular bill if you don’t need those features.
  • You may get false positives. These apps and services won’t affect your ability to make outbound or emergency calls, but there’s a risk that by using a screening app or service you may miss important phone calls.

WHAT YOU CAN DO TO HELP

You don’t have to just rely on your carrier. There’s a lot you can do to help yourself.

There are some semi-obvious things like signing up for free to the National Do Not Call Register, but robocallers are not marketers and do not follow the same rules. You should forget about changing your phone number — it won’t help. Within days of setting up my work phone — nobody had my number — it was barraged with spam calls. The robocallers aren’t dialing you from a preexisting list; they’re dialing phones at random using computer-generated numbers. Often the spammers will reel off a list of numbers based off your own area code to make the number look more local and convincing. Sometimes the spoofing is done so badly that there are extra digits in the phone numbers.

Another option for the most annoying of robocalls is to use a third-party app, one that screens and manages your calls on your device.

There are, however, privacy tradeoffs with third-party apps. Firstly, you’re giving information about who calls you — and sometimes who you call — to another company that isn’t your cell carrier. That additional exposure puts your data at risk — we’ve all seen cases of cell data leaking. But the small monthly cost of the apps is worth it if it means the apps don’t make money off your data, like serving you ads. Some apps will ask you for access to your phone contacts — be extremely mindful of this.

The three apps we’ve selected balance privacy, cost and their features.

  • Nomorobo has a constantly updated database of more than 800,000 phone numbers which lets the app proactively block against spammy incoming calls while still allowing legal robocalls through, like school closures and emergency alerts. It doesn’t ask for access to your contacts unlike other apps, and can also protect against spam texts. It’s $1.99 per month but comes with a 14-day free trial. Available for iOS and Android.
  • Hiya is an ad-free spam and robocall blocker that powers Samsung’s Smart Call service. Hiya pulls in caller profile information to tell you who’s calling. The app doesn’t automatically ask for access to your contacts but it’s an option for some of the enhanced features, though its privacy policy says it may upload them to its servers. The app has a premium feature set at $2.99 per month after a seven-day trial. Available for iOS and Android.
  • RoboKiller is another spam call blocker with a twist: it has the option to answer spam calls with prerecorded audio that aims to waste the bot’s time. Better yet, you can listen back to the recording for your own peace of mind. The app has more than 1.1 million numbers in its database. RoboKiller’s full feature set can be found on iOS but is slowly rolling out to Android users. The app starts at $0.99 per month. Available for iOS and Android.

You may find one app better than another. It’s worth experimenting with each app one at a time, which you can do with their free trials.

WHAT YOUR PHONE CAN DO FOR YOU

There are some more drastic but necessary options at your disposal.

Both iOS and Android devices have the ability to block callers. On one hand it helps against repeat offenders, but on the other it’s like a constant game of Whac-a-Mole. Using your phone’s built-in feature to block numbers prevents audio calls, video calls and text messages from coming through. But you have to block each number as it comes in.

How to block spam calls on an iPhone (left) and filter spam calls on Android (right).

Some Android versions are different, but for most versions you can go to Settings > Caller ID & Spam and switch on the feature. You should be aware that incoming and outgoing call data will be sent to Google. You can also block individual numbers by going to Phone > Recents and tapping on each spam number to Block and Report call as spam, which helps improve Google spam busting efforts.

iPhones don’t come with an in-built spam filter, but you can block calls nonetheless. Go to Phone > Recents and tap on the information button next to each call record. Press Block this caller and that number will not be able to contact you again.

You can also use each device’s Do Not Disturb feature, a more drastic technique that blocks calls and notifications from bugging you when you’re busy. This feature for both iOS and Android blocks calls by default unless you whitelist each number.

How to enable Do Not Disturb on an iPhone (left) and Android (right).

In Android, swipe down from the notifications area and hit the Do Not Disturb icon, a bubble with a line through it. To change its settings, long tap on the button. From here, go to Exceptions > Calls. If you want to only allow calls from your contacts, select From contacts only or From starred contacts only for a more granular list. Your phone will only ring if a contact in your phone book calls you.

It’s almost the same in iOS. You can swipe up from your notifications area and hit the Do Not Disturb icon, shaped as a moon. To configure your notifications, go to Settings > Do Not Disturb and scroll down to Phone. From here you can set it so you only Allow Calls From your contacts or your favorites.

WHAT THE REGULATORS SHOULD DO

Robocalls aren’t going away unless they’re stamped out at the source. That requires an industry-wide effort — and the U.S. just isn’t quite there yet.

You might be surprised to learn that robocalls aren’t nearly as frequent or as common in Europe. In the U.K., the carriers and the communications regulator Ofcom worked together in recent years to pool their technical and data sharing resources to find ways to prevent misuse on the cell networks.

Collectively, more than a billion calls have been stopped in the past year. Vodafone, one of the largest networks in Europe, said the carrier prevents around two million automated calls from reaching customers each day alone.

“In the U.K., the problem has been reduced by every major operator implementing techniques to reject nuisance calls,” said Vodafone’s Laura Hind in an email to TechCrunch. “These are generally based on evidence from customer complaints and network heuristics.”

Though collaboration and sharing spam numbers is important, technology is vital to crushing the spammers. Because most calls nowadays rely in some way on voice-over-the-internet, it’s easier than ever to prevent spoofed calls. Ofcom, with help from privacy regulator the Information Commissioner’s Office, plans to bring in technical solutions this year to bring into effect caller authentication to weed out spoofed spam calls.

The reality is that there are solutions to fix the robocall and spammer problem. The downside is that it’s up to the cell carriers to act.

Federal regulators are as sick of the problem as everyone else, ramping up the pressure on the big four to take the situation more seriously. Earlier this year, the Federal Communications Commission chairman Ajit Pai threatened “regulatory intervention” if carriers don’t roll out a system that properly identifies real callers.

One authentication system would make call spoofing nearly impossible. Known as Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using Tokens (SHAKEN), the system relies on every phone number having a digital signature which, when checked against the cell networks, will prove you are a real caller. Once the system rolls out, every outbound call will send a cryptographically signed message to the carrier which only it can open, proving the identity of the caller. The carrier then approves the call and patches it through to the recipient. This happens near-instantly.
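The sign-then-validate flow this guide and the earlier AT&T/T-Mobile report describe, as an added example (not code from TechCrunch or any carrier), using the PASSporT token format from RFC 8225 and RFC 8588 to show why a spoofed caller ID fails validation. Assumptions: the key pair is generated locally in place of a carrier certificate, the `x5u` URL is a placeholder, certificate-chain validation is omitted, and the 60-second freshness window and the 555 phone numbers are constructed values.

```javascript
const nodeCrypto = require('node:crypto');

// base64url-encode a JSON object / decode it back (JWS compact serialization).
const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const decode = (str) => JSON.parse(Buffer.from(str, 'base64url').toString('utf8'));
const ES256 = { dsaEncoding: 'ieee-p1363' }; // JWS signatures are raw r||s, not DER

// Originating carrier: attest to the caller ID by signing a PASSporT.
function signPassport(privateKey, { origTn, destTn, attest, iat }) {
  // x5u is a placeholder; a real token points at the carrier's certificate.
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport',
                   x5u: 'https://cert.example.invalid/carrier-a.pem' };
  const payload = { attest, dest: { tn: [destTn] }, iat,
                    orig: { tn: origTn }, origid: nodeCrypto.randomUUID() };
  const signingInput = `${encode(header)}.${encode(payload)}`;
  const sig = nodeCrypto.sign('sha256', Buffer.from(signingInput),
                              { key: privateKey, ...ES256 });
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Terminating carrier: validate the token against the call it arrived with.
// `call` holds the numbers taken from the signalling; `now` is epoch seconds.
function verifyPassport(token, publicKey, call, now, maxAgeSec = 60) {
  const fail = (reason) => ({ verified: false, reason });
  const parts = token.split('.');
  if (parts.length !== 3) return fail('malformed token');
  let header, payload;
  try { header = decode(parts[0]); payload = decode(parts[1]); }
  catch { return fail('malformed token'); }
  if (header?.alg !== 'ES256' || header?.ppt !== 'shaken') return fail('unsupported header');
  const sigOk = nodeCrypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key: publicKey, ...ES256 }, Buffer.from(parts[2], 'base64url'));
  if (!sigOk) return fail('bad signature');
  // A valid signature is not enough: the claims must match this call, now.
  if (typeof payload?.iat !== 'number' || Math.abs(now - payload.iat) > maxAgeSec) {
    return fail('stale token');
  }
  if (payload.orig?.tn !== call.fromTn) return fail('caller ID mismatch');
  const destTns = Array.isArray(payload.dest?.tn) ? payload.dest.tn : [];
  if (!destTns.includes(call.toTn)) return fail('destination mismatch');
  return { verified: true, attest: payload.attest };
}

// Constructed scenario: one genuine call and three ways of abusing its token.
function runDemo() {
  const { privateKey, publicKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const now = 1700000000;
  const real = '12025550123', callee = '12125550199', spoofed = '12125550100';
  // attest 'A' = the carrier vouches for both the customer and the number.
  const token = signPassport(privateKey,
    { origTn: real, destTn: callee, attest: 'A', iat: now });

  // Forgery: rewrite the signed caller ID but keep the old signature.
  const [h, p, s] = token.split('.');
  const forged = `${h}.${encode({ ...decode(p), orig: { tn: spoofed } })}.${s}`;

  return {
    genuine: verifyPassport(token, publicKey, { fromTn: real, toTn: callee }, now + 2),
    forged: verifyPassport(forged, publicKey, { fromTn: spoofed, toTn: callee }, now + 2),
    reusedOnSpoofedCall: verifyPassport(token, publicKey, { fromTn: spoofed, toTn: callee }, now + 2),
    replayedLater: verifyPassport(token, publicKey, { fromTn: real, toTn: callee }, now + 3600),
  };
}

console.log(runDemo());
```

Only the genuine call comes back verified; the other three are rejected for a bad signature, a caller ID mismatch and a stale token respectively, which is the information a handset would use to decide whether to show a “verified” label.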

The carriers have so far promised to implement the protocol, though the system isn’t expected to go into effect across the board for months — if not another year. So far only AT&T and Comcast have tested the protocol — with success. But there is still a way to go.

Until then, don’t let the spammers win.
