Tech-invite3GPPspaceIETF RFCsSIP

Content for  TR 33.831  Word version:  12.0.0

Top   Top   None   None   Next
0…   4…


0  Introductionp. 4

The Study on Security on spoofed call detection and prevention (FS_SPOOF) is linked to the Rel-11 Specification of Protection against Unsolicited Communication for IMS (SPUCI) work concluded in TR 33.838 (un-trusted networks), which at its turn builds on the Rel-9 Study of Mechanisms for Protection against Unsolicited Communication for IMS (PUCI) in TR 33.937.
There are a variety of methods and technologies that can be used to make spoofed calls. The most common ways can be through leased voice line/PRI or using VoIP technology. Spoofed call is unfortunately an existing method in telecom fraud. It tricks the called party into thinking the call was coming from a different, sometimes authoritative organization than the caller's. In some regions, commonly spoofed IDs are those from authoritative organizations, emergency IDs, bank IDs and police IDs. In other regions, threats typically include e.g. voicemail spoofing (privacy threats) and premium services spoofing (commercial threats). Spoofed calls may indeed be terminated in a 3GPP mobile network - an increasing probability and threat. There are several impacts by the spoofing calls. For example, the existence of spoofed calls lowers the trust level of telecom services, in that people may trust all networks less and less. It enhances the fraud effect greatly by tricking people, it causes great loss to the users, and threatens to create bad reputation to also mobile networks and its services.
  • Spoofing call is possible in local, long distance and international calls with low cost, although the cost and effort to implement it varies with network, and with country
  • It is hard to detect spoofing calls in current mobile network; It is almost impossible to detect spoofing calls from gateways, especially the spoofed call ID is subscribers of different networks
In order to detect the spoofing call and find measures to deal with this heavy problem of spoofed call, the best common methods and possible practices for this kind of problem need to be described.
The objective is to come up with recommendations on means to identify spoofed calls in CS domain where the call could have originated from outside the CS domain. This study has the following objectives:
  • Outline valid threat scenarios for spoofing calls coming to 2G and 3G CS domains.
  • Analyze and evaluate if any tools in 3GPP can be used to counteract this problem.
  • Study and identify possible required technology mechanism to detect the spoofed calls in the first step and also study prevention as second step if detection is achievable.

1  Scopep. 6

The present document studies the means to identify calls with spoofed Calling Line Identification terminating in the CS domain where the call could have originated from either inside or outside the CS domain. Calling Line Identification (CLI or CLID), also called Caller Identification (CID), evaluates and transmits a caller's number while Calling Line Identity Presentation (CLIP) enables displaying the caller's number during call setup or ringing. Usual applications for CLIP are:
to display the original number of the caller;
to display a caller's presentation number, e.g. a doctor calling a patient out of hours who doesn't want to disclose his private number but showing instead the number of his office;
to display a number unrelated to the calling line, e.g. call centers displaying numbers related to their customers (depending on national regulations).
But CLI can also be misused to display a misleading number in the display that is in no way related to the originator of the call. This behaviour is called CLI spoofing or spoofed call. CLI spoofing ranges from harmless hoax to criminal activities like for example Voice Phishing (vishing) by displaying the forged number of a bank in order to steal the callee's credentials. And although CLI may be unreliable, people use it to decide whether to accept a call or not.
This study item studies the detection of a spoofed call as the first step, and prevention as a second step if detection is achievable. In particular, the goals of this document are:
  • Outline valid threat scenarios for spoofed calls coming to 2G and 3G CS domains;
  • Analyze and evaluate if any tools in 3GPP can be used to counteract spoofed call detection and prevention;
  • Study and identify any other suitable techniques or mechanisms for spoofed call detection and prevention.

2  Referencesp. 6

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
TR 21.905: "Vocabulary for 3GPP Specifications".
TR 33.838: "Study on Protection against Unsolicited Communication for IMS (PUCI)".
TR 33.937: "Study of mechanisms for Protection against Unsolicited Communication for IMS (PUCI)".
TS 29.163: "Interworking between the IP Multimedia (IM) Core Network (CN) subsystem and Circuit Switched (CS) networks".
TS 23.228: "IP Multimedia Subsystem (IMS); Stage 2".
TS 33.210: "3G security; Network Domain Security (NDS); IP network layer security".
TS 23.081: "Line Identification supplementary services; Stage 2".
Caller ID spoofing,
TS 22.081: "Line Identification supplementary services - Stage 1"
TS 29.011: "Signalling interworking for supplementary services"
ITU Q.701: "Functional description of the message transfer part (MTP) of SignallingSystem No. 7"
ITU Q.704: "Signalling network functions and messages"
ITU Q.723: "Telephone user part formats and codes"
ITU Q.931: "ISDN user-network interface layer 3 specification for basic call control ITU-T"
ITU Q.951: "Digital subscriber signalling system No.1 Stage 3 description for supplementary services using DSS1"
TS 22.228: "Service requirements for the Internet Protocol (IP) multimedia core network subsystem (IMS); Stage 1".
TS 29.010: "Signalling procedures and the Mobile Application Part (MAP)"
TS 23.078: "Customised Applications for Mobile network Enhanced Logic (CAMEL) Phase 4; Stage 2"

3  Definitions and abbreviationsp. 7

3.1  Definitionsp. 7

For the purposes of the present document, the terms and definitions given in TR 21.905 and the following apply.
A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
Spoofed call:
It is the practice of causing the telephone network to display a number on the recipient's display that is not that of the actual originating station.

3.2  Abbreviationsp. 7

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply.
An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
Calling Line Identity Presentation
Calling Line Identification
Initial Address Message
Caller Identification
Primary Rate Interface
Line Identity
Screening Indicator
Presentation Indicator
Private Branch eXchange
Primary Rate Interface

Up   Top   ToC