Tech-invite
Overview21222324252627282931323334353637384‑5x

Top   in Index   Prev   Next

TR 22.898
Study on User Control over Spoofed Calls

Use "3GPP‑Page" to get the Word version, and "ETSI‑search" to get the PDF version
V14.0.0 (Wzip)  2015/03  16 p.
Rapporteur:
Mr. Schumacher, GregSPRINT Corporation

Content for  TR 22.898  Word version:  14.0.0

Here   Top

0  IntroductionWord‑p. 5

Spoofing or malicious modification of caller information to hide the real caller identity provided by such capabilities as Calling Line Identification and Caller Name (Caller ID) is growing into a significant problem in many countries. The complaints to authorities and PLMN operators regarding these spoofed calls range from nuisance calls, violations of various phone solicitation rules (such as the US Federal Trade Commission's Telemarketing Sales Rules) to being used as a platform for significant fraud, identity theft and social engineering. Various malicious uses of caller information spoofing include these categories: swatting, vishing, and TDOS.
There are several SDOs dealing with creating the ability to detect caller information spoofing within call setup signalling including IETF's Stir working group, 3GPP's SA3 and ATIS's PTSC CSEC. However their focus is to define automated mechanisms to identify whether the caller information is authentic and the caller is authorized to use the presented caller information. What the user and network is able to control when spoofed calls are identified or mis-identified is not addressed in these activities.
Up

1  ScopeWord‑p. 6

The present document studies new service capabilities and enhancements to existing service capabilities needed to allow the called user to control:
  • How spoofed calls are reported to the called user.
  • The treatment given to the spoofed call and calling user.
  • Provide the called user the ability to review the results of spoofed call detection.
  • Allow the called user to provide feedback to the network of incorrect detection decisions (false positive and false negative).
New service network capabilities and enhancements to existing network capabilities needed to support network operator policies regarding treatment of spoofed calls are also covered including:
  • Support for law enforcement and network operator fraud investigations into originators of spoofed calls.
  • Setting default or limiting spoofed call controls the user is able to access.
The present document also studies the interaction between spoofed call control capabilities available to users using MTSI voice services.
Up

2  References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1]
TR 21.905: "Vocabulary for 3GPP Specifications".
[2]
TS 22.173: "Multimedia Telephony Service and supplementary services; Stage 1"
Up

3  Definitions

For the purposes of the present document, the terms and definitions given in TR 21.905 and the following apply.
A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
Caller identity:
At least the originating phone number, and optionally the caller's name (CNAME) included in call signalling used to identify the caller for call screening purposes. In some cases this may be the Calling Line Identification or Public User Identity. For the purposes of this study, the caller identity may be set to an identity other than the caller's Calling Line Identification or Public User Identity. Presentation of the caller identity to the called user may be the originating phone number or the caller's name if available, or both.
Robo-call system:
An automated call system which usually plays a series of pre-recorded messages to the called user after which may transfer the call to a call agent, often used in outbound call centers for telemarketing purposes. For the purposes of this study, only the modification or obscuring the Robo-call system's caller identity for the purposes to commit fraud or violate regional regulations is considered.
Spoofed call:
A call where caller identity creation, modification or removal in call signalling results in an unauthorized or illegal use of this identity in the call., This typically occurs where the caller intends to defraud the called user or otherwise illegally obscure the real caller identity.
Up

4  Use CasesWord‑p. 7

4.1  User reporting a spoofed call

4.1.1  Description

This use case describes how the called user is able to report a spoofed call not detected by the network.

4.1.2  Pre-conditions

Network X is a PLMN which employs automated spoofed call detection.
Peter is a subscriber of Network X.
Percival is a subscriber of Network 9.
Network 9 is a network which does not validate any subscriber's authenticity.

4.1.3  Service Flows

  1. Percival, as part of an illegal solicitation organization initiates a call to Peter changing his caller identity to an identity Percival is not authorized to use.
  2. Network 9 delivers the call attempt with the spoofed caller identity to Network X.
  3. The spoofed call detection in Network X is unable to identify the call as a spoofed call.
  4. Network X presents the caller identity provided by Percival to Peter along with an indication that Network X can neither confirm nor repudiate the caller identity.
  5. Peter does not recognize the caller identity and becomes suspicious that Network X is unable to verify the authentication of and the authorization to use the caller identity.
  6. Peter indicates to Network X that the call is believed to be spoofed, and does not answer the call.
  7. Percival's provided caller identity information is investigated by Network X's fraud unit and determined to be part of a criminal activity.
  8. Network X's fraud unit adds the spoofed caller identity to the spoofed call blacklist to block future call attempts with the same caller identity characteristics.
Up

4.1.4  Post-conditions

Peter is able to report a spoofed call (either before the call is answered, during the call or after the call is completed) which goes undetected by the spoofed call detection. This allows the Network X operator to investigate the spoofed caller identity and take actions on enhancing the spoofed call detection and support further fraud and criminal investigations.

4.1.5  Potential Impacts or Interactions with Existing Services/Features

This use case describes a service contains elements which are similar to existing services such as Malicious Communication IDentification (MCID). Comparison with existing service definitions is discussed later in this specification.

4.1.6  Potential RequirementsWord‑p. 8

  1. The user shall be able to notify the network, either before the call is answered, during the call, or after the call is completed, that an incoming call or call attempt is believed to have a spoofed caller identity.
  2. The network operator shall be able to take further action based on this indication of an undetected spoofed call or call attempt.

4.2  User reporting a call incorrectly determined to be a spoofed call

5.2.1  Description

This use case describes how a user indicates to the network that specific calls which the network has determined to be spoofed calls, contain an authentic caller identity, and exceptions are required for the specific caller identity for calls to that user.

4.2.2  Pre-conditions

Network X is a PLMN which employs automated spoofed call detection.
Network X provides its users with the ability to review the history of selected incoming call and call attempts determined by the network to be spoofed calls
Peter is a subscriber of Network X.
Sandra is Peter's daughter and is in another country for college studies and needs additional funds from her parents.

4.2.3  Service Flows

  1. Sandra calls Peter from a phone in the country she is studying in.
  2. The call is identified by Network X as a spoofed call and blocked.
  3. Network X records the call attempt in Peter's spoofed call history.
  4. Peter finds out that Sandra has been trying to reach him, and accesses his spoofed call history provided by Network X.
  5. Peter discovers that Sandra's calls are being blocked.
  6. Peter indicates to Network X that calls from the country that Sandra is in should not be blocked as spoofed calls and should be delivered to Peter in the future.
Up

4.2.4  Post-conditions

Sandra is finally able to call Peter to ask for additional funds for her studies.

4.2.5  Potential Impacts or Interactions with Existing Services/Features

This use case describes a service containing elements which are similar to existing services such as blacklists. Comparison with existing service definitions is discussed later in this specification.

4.2.6  Potential Requirements

  1. The user shall be able to notify the network that calls that had been determined to be spoofed and possibly blocked by the network are either not spoofed calls or an exception is needed for the particular user.
  2. The network operator shall be able to take further action based on this user notification that a spoofed call or call attempt detected to be spoofed is not considered spoofed by the user or an exception for the particular user is required.

4.3  User accessing spoofed call history informationWord‑p. 9

4.3.1  Description

This use case describes the capabilities to view the history of spoofed calls to the user which will be needed to have available when spoofed calls are provided a treatment such that the user isn't aware of the call attempt when it arrives in the terminating network. The treatment can include call blocking, redirecting the call to record a message in a voicemail spam folder or an announcement regarding illegal call spoofing.

4.3.2  Pre-conditions

Network X is a PLMN which employs automated spoofed call detection.
Network X provides its users with the ability to review the history of selected incoming call and call attempts identified by the network as spoofed calls.
Peter is a subscriber of Network X.

4.3.3  Service Flows

  1. Network X sends Peter a notice that there has been some recent spoofed call activity and the history is listed for Peter to review.
  2. Network X lists the calls and call attempts identified as spoofed for the past 30 days.
  3. Peter accesses the list and reviews the incoming spoofed call attempts.
  4. Several spoofed call attempts Peter doesn't recognize and believes they are spoofed call attempts. Peter deletes these from the list so he doesn't have to review them again in the future.
  5. Peter identifies one call which he does not consider to be a spoofed call. Peter indicates to the network that this call was incorrectly determined to be a spoofed call. Peter then deletes this call from the list so he doesn't have to review it again. In the future
Up

4.3.4  Post-conditions

Peter is able to review his network selected spoofed call history list to identify any incoming calls and incoming call attempts incorrectly determined to be spoofed calls.

4.3.5  Potential Impacts or Interactions with Existing Services/Features

None identified.

4.3.6  Potential Requirements

  1. The user shall be able to review the selected history list of spoofed calls and call attempts to the user and determined by the network to be spoofed calls.
  2. The network shall be able to select the history list of spoofed calls and call attempts to present to users for review.
  3. Within the selected history list of spoofed calls and call attempts, the user shall be able to manage the list entries depending on network operator policy.

4.4  Presenting the trust level of the caller's claimed identityWord‑p. 10

4.4.1  Description

When the terminating network supports calling number or caller identity verification, there is a need for the terminating network to receive and present this trust level to the called user. This trust level is provided to support the users choice of appropriate call treatment to apply such as answer the call, direct to voicemail, or direct to a network provided spoofed call information collection service.

4.4.2  Pre-conditions

Network A is a PLMN which employs automated spoofed call detection.
Network A has the ability to indicate to Alice at call alerting the automated spoofed call detection service's trust of the claim by the caller as to their identity in the form of the calling number.
Alice is a subscriber of Network X.

4.4.3  Service Flows

  1. A family member calls Alice.
  2. Network A's automated spoofed call detection verifies that the family member's calling number is authentic and they are authorized to use the calling number.
  3. Network A presents the call to Alice along with an indication that there is a high level of trust in the caller's identity.
  4. Alice views the indication and based on the trust indication, decides to answer the call.
  5. Later a robo-call system places a call to Alice using a random phone number as the originating number.
  6. Network A's automated spoofed call detection detects that the calling number is spoofed, that the robo-call system is not authorized to use the number.
  7. Network A presents the call to Alice along with an indication that there is a high level of mistrust in the caller's identity.
  8. Alice views the indication and based on the mistrust indication, decides to apply the Network A's service to redirect the call to Network A's spoofed call information collection service.
  9. Still later, Alice's son traveling on another continent calls. The originating network does not support caller identity verification and does not provide the appropriate verification information with the call.
  10. Network A's automated spoofed call detection is unable to verify whether the calling number is authentic and the caller is authorized to use the calling number.
  11. Network A presents the call to Alice along with an indication that the network was unable to determine the trust level of the caller's identity.
  12. Alice views the indication and even though the network is not able to establish a trust level, recognizes the calling number as her son's, decides to answer the call.
Up

4.4.4  Post-conditions

The terminating network presents its determination of the trust level of the caller's claimed identity in the form of calling number at the time the call is presented to the user.
The called user takes the network trust level into consideration when deciding what call treatment to apply to the call.

4.4.5  Potential Impacts or Interactions with Existing Services/FeaturesWord‑p. 11

Potentially additional information (trust level) would be presented to the called user at call alerting from the terminating network.
Potential additional call treatment options can be made available to the user to direct spoofed calls to a spoofed call information collection function.

4.4.6  Potential Requirements

  1. The terminating network and UE shall provide the ability to present a trust level regarding the originating caller's claimed identity to the user along with the call delivery.
  2. The terminating network and UE shall be able to provide to the user, incoming call treatment which includes the choice of identifying spoofed calls for which call information needs to be collected for further investigation.

4.5  Using caller identity trust level in incoming call filtering

4.5.1  Description

When terminating networks provide users personal call filtering mechanism such as white list/black list call blocking and support calling number or caller identity verification, there is a need to be able to incorporate the terminating network identified trust level of the claimed identity in the filtering criteria.

4.5.2  Pre-conditions

Network A is a PLMN which employs automated spoofed call detection.
Network A has the ability to indicate to Alice at call alerting the automated spoofed call detection service's trust of the claim by the caller as to their identity in the form of the calling number.
Alice is a subscriber of Network A.
Alice subscribes to Network A's personal white list/black list service.

4.5.3  Service Flows

  1. Alice creates a personal white list/black list rule to block all calls where the caller identity is determined to be untrusted by the terminating network.
  2. A family member calls Alice.
  3. Network A's automated spoofed call detection service verifies that the family member's calling number is authentic and they are authorized to use the calling number.
  4. Network A examines the rules in Alice's personal white list/black list service and finds that Alice wants to allow the call from the family member.
  5. Later a robo-calling system calls Alice with a random phone number as the calling identity that it is not authorized to use.
  6. Network A's automated spoofed call detection service verifies that the robo-calling system's random calling number is not authentic and it is not authorized to use the selected number.
    Network A examines the rules in Alice's personal white list/black list service and finds that Alice wants calls with untrusted calling numbers to be blocked.
Up

4.5.4  Post-conditionsWord‑p. 12

Alice personal white list/black list service has rules which allow the caller identity trust level to be included as a condition.
The Network A's personal white list/black list utilizes the determined caller identity trust level when included in personal white list/black list rule conditions in acting on the rules.

4.5.5  Potential Impacts or Interactions with Existing Services/Features

Potentially supplemental information about the caller's identity would be presented to the called user at call alerting from the terminating network.
Presentation of caller's identity supplemental information will be determined by any caller privacy settings and network operator privacy policies.

4.5.6  Potential Requirements

  1. The terminating network shall allow the calling identity trust level to be included as a condition to any incoming call filtering services.
  2. The terminating network shall utilize the calling identity trust level determined in the terminating network, when included as a condition, when applying any call filtering services to a user's incoming calls.

5  Considerations

5.1  Interactions with existing MMTEL features

5.1.1  Introduction

Many of the MMTEL features defined in TS 22.173 will likely have interactions with possible services giving user control or interact with reporting and managing spoofed calls. This section presents some of the interaction considerations which may need to be addressed for any user control or management of spoofed calls and apply mainly to the call termination aspects of the MMTEL services.
The following clauses only describe the MMTEL features in TS 22.173 where possible interactions have been identified The actual interactions will depend on the specific user service definition providing user control and management of receiving spoofed calls.
Up

5.1.2  White / blacklists

If other MMTEL services use whitelist or blacklist capabilities, they may need to be integrated with possible spoofed call whitelists or blacklists. The spoofed call whitelist or blacklist may be a user's personal list or list(s) maintained by the network applicable to all users.
There may be a need to distinguish the user whitelist or blacklist entries which have been added by spoofed call detection or user reporting of spoofed calls.

5.1.3  Originating Identification Presentation (OIP)

OIP may need to be enhanced to report additional information regarding the results of any terminating network detection of spoofed calls or any matching with whitelists or blacklists.

5.1.4  Originating Identification Restriction (OIR)Word‑p. 13

Since OIR restricts the presentation of Originating Identification, but not the transport to the terminating network, any spoofed call detection can still be applied and the results potentially presented to the called user.
However there are some privacy related considerations which are likely to be required when OIR is set for a call including:
  • Any regional privacy regulatory determination whether OIR also applies to spoofed call detection results
  • Not disclosing the Originating Identification to the user when added to any whitelist or blacklist as part of any list management by the user
  • Not disclosing Originating Identification to the user as part of any spoofed call history or log reporting.
Up

5.1.5  Malicious Communication Identification (MCID)

There are similarities in the function of MCID and some aspects of user control of spoofed calls in that both can be used to report a malicious or spoofed call. MCID would only need to record the results of spoofed call detection by the terminating network. However the MCID feature does not include the rest of the possible user control of spoofed calls such as call history, white/blacklists.
Also in some regions, there is a distinction needed between reporting malicious calls from spoofed calls. MCID may be used to report threatening or harassing calls which could have authorized use of the Originating Identification (i.e. are not spoofed calls). Whereas indicating a false positive spoofed call detection result may be used only to report violations of regional spoofed call regulations. The procedures for dealing with malicious calls and spoofed calls by network operators and public safety agencies are likely to be different as well, requiring a service distinction be made.
Up

5.1.6  Anonymous Communication Rejection (ACR)

As it is possible that the terminating network may define automated treatment for terminating calls identified as spoofed calls and may provide the user with service settings on which treatment to apply, the interaction between spoofed call treatment and application of ACR may be needed.

5.1.7  Communication DIVersion (CDIV)

It is assumed that any security elements in call signalling which are used as part of spoofed call detection will be delivered to the CDIV destination. The criteria for detecting spoofed call may differ between the invoker of the CDIV service and the CDIV destination, so the spoofed call detection may need to be re-evaluated for the CDIV target.
As part of the user control of handling spoofed calls, the definition of an additional CDIV service to forward on spoofed call detection (e.g. spoofed call, possible spoofed call) may prove beneficial.
Up

5.1.8  Communicaton Barring (CB)

For Incoming Call Baring (ICB) only interaction with any incoming call treatment defined by user control of spoofed call detection may be needed.

5.1.9  Explicit Communication Transfer (ECT)

It is assumed that any security elements in call signalling which are used as part of spoofed call detection will be delivered to the ECT destination (transfer target). The criteria for detecting spoofed call may differ between the transferring user and the ECT destination, so the spoofed call detection may need to be re-evaluated for the ECT destination
If the transferring user identity (either alone or along with the transferee) as defined in clause 8.2.15.2.1.2 in TS 22.173 is presented to the transfer target, whether to apply spoofed call detection and how to report the results to the user may be required.
Up

5.1.10  Flexible Alerting (FA)Word‑p. 14

There may need to be a definition of interaction between FA and user control of spoofed calls when one of the FA group members indicates or marks a call as a spoofed call or when a caller identity is present only on a subset of the FA group members' personal blacklists or whitelists, or appears both on a FA group member's personal blacklist and on another FA group member's personal whitelist.

5.2  Device capability considerations

There are several aspects of user control of spoofed call detection which are enabled or limited by the called user's device. This is mainly concerning the ability of the device to receive and present caller identity and the results of spoofed call detection plus the ability of the device to access various features of a potential user control of spoofed call detection service such as managing white lists/black lists and displaying spoofed call histories.
The range of devices for this discussion can be classed as follows:
  • Devices with an ability for presenting a limited caller identity (e.g. caller name or number, not both) and limited or non-existent ability to handle user control of spoofed call features such as short black list/white lists or only displaying recent call histories.
  • Smartphones with the potential to present extended caller identity as well as the results of any network spoofed call detection as well as user control of spoofed call features more extensively such as longer black lists/white lists or spoofed call histories.
As spoofed call exploits of different elements of a caller identity, become more complex and sophisticated it may be that more details of both the caller identity and what aspects of the identity are spoofed may need to be presented to the called user relying on the capabilities of a smartphone.The consideration is to determine what classes of devices have the necessary capabilities to adequately support user control of spoofed call detection.
Up

5.3  Adoption levels of spoofed call detection by network operators

Any user control of spoofed call detection service is likely to need to consider different adoption levels of spoofed call detection capabilities such as the mechanisms being developed by the IETF Stir WG. These types of spoofed call detection mechanisms require that the originating network operator certify that the caller is authorized to use the delivered caller identity. This certification is delivered along with existing call information to the terminating network. If the originating network has not deployed this certification mechanism, then the terminating network is unable to definitively determine whether the call is a spoofed call or not.
It is expected that in early phases of adoption of spoofed call detection mechanisms small number of network operators will have deployed spoofed call detection described above and hence there will be a high percentage of incoming calls that are not certified by the originating network operator and the spoofed call determination at the terminating network will be uncertain or unknown.
As network operators deploy and support this kind of spoofed call detection, then the percentage of calls that can be determined to be spoofed calls or not will increase significantly.
The impact of this on user control of spoofed call detection service is the need to consider how to handle potentially large amounts of calls where the spoofed call detection results are uncertain or unknown and handle the transition to high percentages of spoofed call determinations.
Up

6  Potential Requirements

6.1  Potential network requirements

The user shall be able to notify the network containing the spoofed call detection capability, either before the call is answered, during the call, or after the call is completed, that an incoming call or call attempt is believed to be a false positive or false negative spoofed call detection result.
The network operator shall be able to take further action based on this false positive or false negative indication of an undetected spoofed call or call attempt including updating the caller identification on any white lists/black lists
The user shall be able to review and manage the selected history list of detected spoofed calls and call attempts to the user depending on operator policy.
The network containing the spoofed call detection capability and UE shall provide the ability to present a trust level regarding the originating caller's claimed identity to the user along with the call delivery.
The network containing the spoofed call detection capability and UE shall be able to provide to the user, incoming call treatment which includes the choice of identifying spoofed calls for which call information needs to be collected for further investigation.
The network containing the spoofed call detection capability shall allow the calling identity trust level to be included as a condition to any incoming call filtering services.
The network containing the spoofed call detection capability shall utilize the detected calling identity trust level, when included as a condition, when applying any call filtering services to a user's incoming calls.
Up

6.2  Potential UE requirementsWord‑p. 15

The user shall be able to notify the network containing the spoofed call detection capability, either before the call is answered, during the call, or after the call is completed, that an incoming call or call attempt is believed to be a false positive or false negative spoofed call detection result
The user shall be able to review and manage the selected history list of detected spoofed calls and call attempts to the user depending on operator policy.
The network containing the spoofed call detection capability and UE shall provide the ability to present a trust level regarding the originating caller's claimed identity to the user along with the call delivery.
The network containing the spoofed call detection capability and UE shall be able to provide to the user, incoming call treatment which includes the choice of identifying spoofed calls for which call information needs to be collected for further investigation.
Up

7  Conclusion and Recommendations

This study demonstrates that when spoofed call detection mechanisms are available and deployed such as the approach developed by the IETF Stir WG work, there will be a need for user control of spoofed call detection. This need arises both from several aspects of spoofed call detection:
  • User reporting false positive and false negative spoofed call detection results
  • Differing user needs regarding the sophistication level of control of spoofed call detection as well as differing UE MMI capabilities
  • Increasing penetration of support for spoofed call detection mechanisms by network operators
  • Opportunities to allow users to personalize how spoofed call detection interacts with MMTEL capabilities such as treatments for calls detected as spoofed calls
In conclusion this study recommends that when a spoofed call detection mechanism is standardized by 3GPP, that a service providing user control of spoofed call detection should also be considered for standardization considering the following points:
  • Definition of what aspects of user interaction with spoofed call detection mechanisms should be standardized
  • Specification of the interaction between this potential new service and MMTEL services
  • Consider both what classes of devices that should be supported by this potential new service as well as several scenarios of network adoption levels of spoofed call detection deployments
Up

$  Change historyWord‑p. 16


Up   Top