OODA Loop
The time has come for the United States to mount a major effort to address the finding in last week’s OODA Loop: a new analysis from the FTC showed that bogus bank fraud warnings were the most common form of text message scam reported to the agency and that many of the most common text scams impersonate well-known businesses.
It is far too easy for criminals to use caller ID to pretend they represent well-known businesses, and they use this technique to steal tens of billions from US citizens annually. Fraudsters–supported by organized crime–thrive by using a veil of deception to pretend they are somebody they are not. It is time to rip the veil away. What should the US do in response to the growing threat of spoofing?
Singapore Leads the Way in the Fight Against Text-based Spoofing
“Over 2,000 companies have voluntarily participated in the government’s whitelist…”
Singapore is leading the way to provide authentication for text messages. Starting last year, in Singapore, a real text from Chase Bank says, “Chase Bank,” because Chase Bank is on the whitelist maintained by the government. A text from a scammer says “LIKELY-SCAM”. By the end of July 2023, Singapore plans to block non-registered Sender IDs, so spoofed text messages will not be delivered to end-users. Singapore says they saw a 64% drop in scams via text within six months of the system’s introduction. Australia likes what Singapore has done so much that they announced in May that they will implement a similar system.
Singapore is also requiring banks to remove hyperlinks from email or SMS messages sent to consumers. That way, a consumer knows it’s a scam if there is a hyperlink.
The business community in Singapore supports the government’s efforts. Over 2,000 companies have voluntarily participated in the whitelist, and the business press calls the system “spoof-proof.”
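As an added illustration (not code from the OODA Loop post or from Singapore's actual system), the screening logic below models the sender-ID registry described above: registered alphanumeric IDs are delivered under the verified organisation's name, unregistered ones are relabelled "LIKELY-SCAM" until an assumed cutover date and blocked after it, and a registered bank's message is treated as suspect if it carries a hyperlink. The registry entries, cutover date and sample messages are constructed for the example.

```python
"""Toy model of a government SMS Sender ID registry (added example)."""
from dataclasses import dataclass
from datetime import date
import re

# Constructed whitelist: alphanumeric Sender IDs tied to a verified organisation.
REGISTRY = {
    "CHASEBANK": {"org": "Chase Bank", "is_bank": True},
    "SINGPOST": {"org": "Singapore Post", "is_bank": False},
}

# Assumed cutover: after this date unregistered Sender IDs are dropped, not relabelled.
BLOCK_FROM = date(2023, 7, 31)
URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)


@dataclass
class Verdict:
    action: str        # "deliver", "relabel" or "block"
    display_as: str    # sender name the handset should show
    reasons: list


def screen_sms(sender_id: str, body: str, today: date) -> Verdict:
    """Apply the registry policy to one inbound message."""
    sid = sender_id.strip().upper()
    # Ordinary phone numbers are outside the alphanumeric registry; pass them through.
    if sid.isdigit() or sid.startswith("+"):
        return Verdict("deliver", sender_id, [])
    entry = REGISTRY.get(sid)
    if entry is None:
        if today >= BLOCK_FROM:
            return Verdict("block", "", ["unregistered sender ID after cutover"])
        return Verdict("relabel", "LIKELY-SCAM", ["unregistered sender ID"])
    # Registered banks are not supposed to send links, so a link is itself a scam signal.
    if entry["is_bank"] and URL_RE.search(body):
        return Verdict("relabel", "LIKELY-SCAM", ["hyperlink in bank message"])
    return Verdict("deliver", entry["org"], [])


if __name__ == "__main__":
    # Constructed sample traffic, screened before and after the cutover.
    samples = [("ChaseBank", "Your statement is ready.", date(2023, 3, 1)),
               ("CHASE-BNK", "Verify now: www.example.com/x", date(2023, 3, 1)),
               ("CHASE-BNK", "Verify now: www.example.com/x", date(2023, 8, 1))]
    for sid, body, day in samples:
        print(sid, "->", screen_sms(sid, body, day))
```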
[Figure: an illustrative spoofed tech-support call]
Caller: “Hello, I’m calling Microsoft because a pop-up says my computer has been hacked”
Caller ID: “Microsoft, Washington State”
Actual location: A scam operation in Mumbai, India
UK Efforts
The British government on 3 May announced plans to ban certain cold calls. For example, the UK plans to ban cold calls on all financial products to help protect people against fake investments. The British government has also announced plans to explore user registration for text services, similar to what Singapore has done.
US Efforts
“…she gave the caller her two-factor identification code, which the thief then used to steal her life’s savings.”
To its credit, the FCC is moving toward verification of phone caller ID (draft rules were released for comment in May 2023), but the US is not yet moving to provide verification of the sender of text messages. The American Banking Association, however, is lobbying the FCC to get moving on text authentication.
Verified caller ID would prevent losses such as those recently suffered by a woman in Guerneville, California. According to CBS News, she received a text from “Chase Bank.” Because she trusted the caller ID, she gave the caller her two-factor identification code, which the thief then used to steal her life’s savings. Chase Bank is blaming her and refusing to reimburse her.
“…penalties…should be increased–at least doubled–to raise the operating costs for scammers who pretend they are representing reputable companies.”
Her experience prompted me to talk to some contacts at the Federal Communications Commission (FCC). Their advice and perspectives informed this post:
The 2009 Truth in Caller Act needs to be revised to keep up with the times. As written, the Act allows spoofing, as long as the spoofing is not done for fraudulent purposes. But it is very difficult for regulators to determine intent, so the Act is rarely enforced. A better approach would be to ban anyone from displaying caller ID information that usurps another person’s identity, business identity, or location, regardless of intent.
For example, it should be illegal for a person who is not employed by Chase Bank to display “Chase Bank” in caller ID for a phone call or text message. A person should not be able to display “Microsoft” or “Washington State” unless they are really from Microsoft or Washington State. It should be illegal to display an area code in caller ID that is different from the one assigned to your phone. This ban should apply regardless of intent.
Some people or organizations need to be anonymous, so they should be allowed to display “anonymous” or “unknown caller” or a different phone number (like the office phone number for a dentist) if they wish. But they cannot take on the identity of another person or company or organization. Of course, there should be exceptions for legitimate law enforcement investigations.
In addition, the 2009 Act includes penalties of $10,000 for each violation (not to exceed a total of $1,000,000 for any single act). These penalties have eroded with inflation so they should be increased–at least doubled–to raise the operating costs for scammers who pretend they are representing reputable companies.
“The technology and protocols already exist to do this–it’s just a matter of mustering the will to implement.”
A strengthened version of the 2009 Act would provide at least a deterrent effect and would provide regulators and law enforcement with an additional tool for catching the bad guys. With these changes, the FCC would have more powerful authorities to shut down or penalize organized crime rings that are caught spoofing. Any spoofing would be grounds for blocking calls from such organizations, without the need to prove the intent of the spoofing.
Telecoms could also play a “secure by design” role: If all text messages had a way to report a scam via a single click, the information would go to the telecom – who would use the information to improve their “blacklist” of suspected scammers. To take it a step further, telecom companies could be required to share their blacklists with each other. Security and deterrence should be designed into the system – again, by law through an update of the Truth in Caller Act.
We have to step up our game against the Spoofers. We need to work harder to provide authentication for good guys who want to be known as good guys. Fortune 5000 companies want to be known, and they don’t want people to be able to pretend to represent them. And then we need to make it harder for the bad guys to pretend to be good guys.
If someone wants to be anonymous on the internet, that’s fine: be anonymous. But scammers should not be able to pretend they are from Chase Bank when they are really in a call center operation in Mumbai. The technology and protocols already exist to do this–it’s just a matter of mustering the will to implement.