Skip to main content

The Re-Invention of Phone Calls: Building an Environment of Trust and Accountability

red mobile phone spam header

An Interview with Jon Peterson, Fellow and Vice President of Research and Consulting, TransUnion

Q: After years of robocalls and call scams, will consumers ever be able to trust the person on the other end of the phone is who they say they are?

Today, when you get a call and see a green check mark and name associated with it, you can finally feel as though it’s something you can trust — that your carrier is telling you the call isn’t being spoofed.

Hopefully, we'll get to a place where you won't get any calls you shouldn't trust. As we work more on developing solutions like Branded Call Display and Rich Call Data, I think there will be additional indications of trust. For instance, when Bank of America calls, you’ll now start to see its logo and everything associated with that rendered to the consumer. And this will be crucial, we think, to solving the problem of how you get consumers to pick up the phone again.

Watch the full video series of Jon Peterson's interview here.

Q: What’s the truth behind call labeling? A lot of businesses feel their calls are being mistakenly tagged as spam.

Because there are so many analytics providers and different people and organizations advising carriers on how they should treat a call, standards for scoring robocalls or determining the threshold at which a call should be blocked or rendered to a user without ‘spam risk’ or similar attached to it is something we're still kind of playing by ear. And it would probably be valuable if the industry could coalesce around a consensus of what those scores should look like so we can avoid creating confusion for consumers.

To my eternal chagrin, SIP has not been universally deployed in the US. There's still a lot of legacy traffic and content out there. And as a consequence, we need either a full IP transition that will get every carrier and gateway provider that's participating in the PSTN onto SIP. Or, we need some kind of a provisional technology or other flavor of out-of-band solution so call passports (and the assurance they provide) will still make it to the terminating providers, even if there's legacy content somewhere in the middle.

That’s why products like our TruContactTM Caller ID Authentication are such a strong vector for enterprises to provide assurance to consumers. This way they can know they're being called by the proper entity for that calling number and logo — which is how we can convince consumers to pick up the phone again.

Q. What are the network vulnerabilities behind robocalls and call scams?

You’d think a problem as annoying and pervasive in the network as robocalling must have many causes. Certainly the traditional trust models of the public switched telephone network (PSTN) are part of the issue. Unlike the internet, the PSTN was always a closed network where carriers basically trusted each other. In more diverse environments where you have a lot of different carriers, they may have conflicting incentives in terms of what traffic they want to admit to the PSTN that will ultimately reach consumers.

I hate to point a finger at myself, but to some degree, I must. Back in the late nineties, those of us who figured out the first ways to bridge the internet with the PSTN did so in a way that enabled call spoofing. I often tell the story about how when SIP was designed, it was pretty much a concept borrowed from the ‘header’ field of emails. And you’ve likely noticed, you get a lot of emails you might not necessarily want or trust.

One of the root causes of robocalling is the ease of call spoofing and the difficulty in figuring out who’s responsible for a call you’ve received. This is what STIR/SHAKEN is hoping to clamp down on — hard. Now we can take these largely IP-originated calls that say, “This is my calling number, you should trust me” and ask — should we really?

Today, we can look at it as a forensic activity where we can assess if there was an abusive call and determine the entity that originated it — and whether someone should reach out to get more information about the call. But due to sophisticated analytics we've been able to build from seeing so much STIR/SHAKEN traffic in production, to determine who's calling who and who should actually be signing the calls. Ultimately, we want to get to the point where calls that shouldn't reach consumers never even get placed.

Q. There’s been a lot of industry focus around know your customer (KYC). What does it mean for an operator to truly ‘know your customer,’ and what are the pros and cons?

Who doesn't want to know their customers?  I think the issue is knowing your customer means a lot of different things to different people. And there's a sense in which of course every carrier knows their customers. Their customers pay them, and they have business relationships and billing addresses.

However, I think there's a level of knowledge that goes a bit deeper than that. And this is more of the interplay between KYC and what analytics, machine learning and things like that could really accomplish for call validation.

There are a lot of different ways to get to know customers. TransUnion knows quite a bit about customers from a variety of businesses with which we participate. I wouldn't go as far as saying we know more about customers than their carriers do, but it’s beneficial to know things like their call patterns, who they call regularly, how many calls they place and how many of those calls are successful. To me, knowing your customer means something much greater than simply having a database of phone numbers.

It must involve a much deeper understanding of the behaviors and calling patterns of these enterprises needed to make necessary predictions — ones that will help consumers decide whether to pick up the phone. Unfortunately, because of the way SHAKEN has been implemented in the US thus far, it's possible to give an A attestation to a call you maybe shouldn't. That fact, along with KYC systems that are strongly decoupled from the call authentication phase, raises the possibility we could actually make the problem worse through what we've implemented. And that's my nightmare — what keeps me up at night.

I believe, to make this better, we need to look at KYC as a much more holistic set of behavioral analytics that are both deterministic and probabilistic, and involves knowing many different factors about enterprises and their relationships to consumers. 

About a quarter of respondents targeted by an unemployment fraud scheme also reported being targeted by a different benefits fraud scheme, suggesting many fraudsters may be taking a “shotgun-style” approach to scams. A compromised identity can be leveraged to apply for benefits across multiple programs in a short time span, providing bad actors with a variety of opportunities to exploit fragmented information systems for maximum gain.

Learn more about Caller ID Authentication.

Do you have questions? Our team is ready to help.