Background

Apologies for the slight audio quality issue. I made the mistake of maxing the gain on my microphone. Its audible, though a little annoying. I’ll not do that again.

We experience it everyday, incoming calls labelled ‘scam likely’, even more annoyingly voicemails left from those scams calls. For some customers, SMS is not as bad as voice, not every day, but multiple times per week.

It’s not only my carrier, every neighbor and colleague I know is frustrated by the pollution of the PSTN across all carriers in the US.  And we’re not the ones being targeted.

My mother-in-law and sister-in-law are targets and have fallen for scams, so receive many more scam calls than average. I’ve explained what is happening, yet they seem unable to be appropriately suspicious.

Recently, my wife had to cancel her mother’s credit card as she used it in a scam, some nonsense about Bruce Willis recovering, with a fake video as evidence. The story is maddening to say the least. Do we have to ban the elderly from the PSTN, until they take defensive internet use courses?

A national resource, the PSTN, is being destroyed because service providers are pointing fingers at each other, or just shrugging their shoulders.

Alex showed recently robocalls are at lowest level since last July, down for the 4th straight month, and 16% lower than this year’s peak. But that’s  still 2.5 billion scams and telemarketing calls/month.

Politicians are trying to do what’s right for their voters. We’re all pissed with the PSTN and the lack of progress in removing the pollution.  In Texas, SB 140 (Senate Bill 140) broadens state telemarketing regulations, treating SMS like calling. The Ecommerce Innovation Alliance (always be concerned about dodgy industry bodies with nebulous names, they are front groups) files a lawsuit to block SB 140.

The FCC is officially seeking comments on Stir/Shaken, DA 25-763. BUT there’s too many lawyers making money on the STIR/SHAKEN mess. The noise outweighs citizen-focused action.

How do we reclaim the PSTN? One problem is that its is going to take an act of congress, but the PSTN and every American deserves such action. Alex and I discussion the situation.

Opening Discussion

We kicked off the discussion with pleasantries, and I shared with Alex how I recently discovered I have Lyme disease, an amebic infection from a tick bite.

I hike regularly, so it’s not a surprise. But the symptoms are subtle, random swelling, brain fog, slightly impaired motor function. I had it all labeled as “getting old”. I was wrong. At least there’s a simple path to wellness with a one month course of antibiotics that look big enough for a horse.

But if you have a number of occasional minor things and hike, don’t ignore them, get a screening just in case. Its easily cured. I feel an impact after just three doses of the antibiotic (likely placebo effect).

Back to the focus on this session, Alex explained how things are not getting better with robocalling. At SIPNOC Alex presented on what’s happened with unwanted calls. I like this definition as its customer centric, the customer pays for the PSTN and should be the focus. From 2021 to 2023 the volume decreased from successful enforcement actions, e.g. the car warranty scam, student loans scam.

Through 2023 the volume oscillated around an average, enforcement actions causing a drop, and crooks filling the gap as they found work-arounds. Since 2024 the volume has steadily increased, driven by for example loan scams. And remember YouMail is known by the scammers, they try to avoid their honeypots. YouMail customers provide a great sampling resource on robocalling traffic.

Since 2024 a Continuous rise in robocalling

Enforcement actions are expensive and take time, robocalls are increasingly positioned as telemarketing calls, do they have consent? Scammers learn how to game the system, for example STIR/SHAKEN loopholes, prepaid SIMs, third party signing, TDM routes, hiding in traffic. It’s a whack-a-mole game, where the motivation is on the side that makes hundreds of millions a year. Hence all the scam likely and voice messages we receive from “Alison at the approvals department”.

The NYC SIM box find opened many people’s eyes to the scale of operations. 300 co-located SIM servers and 100,000 SIM cards. Some of the questions I was asked include:

• Why would MobileX sell so many SIM cards to one person? We do not know that, there could be hundreds of fake identities buying them online with US KYC (Know Your Customer) data. It’s all available on the dark web and many chat groups.
• Why would Verizon Wireless not generate an alarm for 100k phones in one location, all generating outbound traffic? Good question, SIM boxes are decades old, and this should generate an alarm when in operation on any carriers network. However, everybody’s making money, the MVNO, the MNO, the agent, the criminal. Last year we discussed methods with Wadaro on how this could be solved using their SIM app.
• Why would Verizon FiOS not detect the traffic? A VPN can mask the data, and Verizon Fixed / Wireless are effectively separate companies,
• Did the crook manufacturer the SIM servers? No, SIM servers are available over the internet, attend any messaging conference and they are available under the table. The technology is widely available under software control to make network blocking more difficult, e.g. IMEI cycling (International Mobile Equipment Identity).

Important Improvements

Alex makes the point about KYC (Know Your Customer) on prepaid, for example identity verification with a driving license or passport. There are resellers that are looser on KYC, because they sell more SIMs that way.

Prepaid KYC must be mandated. If every 1 on those 100k SIMs required purchasing a fake identity, assuming $2 per identity, that’s and extra $200k but its not really the cost, rather making things more difficult for the crooks to set things up.

The work-around in Europe was to use business prepaid SIMs registration, as discussed in the Definitive Truth in A2P SMS. Enforcement action is the only way to close off that channel so only traceable genuine businesses sign up for prepaid SIMs.

I referred to Europe and my personal experiences in proving my identity for a prepaid SIM using my passport, and the checks the agent did to ensure the identity was valid. Alex raises the point on the need to monitor what the new prepaid SIMs are doing, Youmail has a tool.

Economics of prepaid is aimed at supporting lower income people. But there are ways to make SIMs less disposable for people who use them as their main phone. say a 1 year term for that number at $1/month for one year. For the crooks buying 100k SIMs, that’s an upfront cost of $1.2M. The exact economics and restrictions need to be worked out.

However, there needs to be a crime for enforcement to act upon, with KYC, using a fake identity is fraud. I think using a SIM in a SIM box should be a crime, the toll it paces on all citizens with robocalling is unacceptable. The more ways for robocallers to break the law, the more opportunities for them to get caught, for example putting false information in the robocall mitigation database.

I shared my frustration with my mother-in-law believing a fake AI generated videos. Alex highlighted it’s a matter of time as people get more exposure to the AI generated content. From an enterprise context, training does not work, Vishr.com shows pen testing works. We remember when we l let the “bad guys” in. Should I set-up my mother-in-law?

Alex shared how he trained his family to take a breadth. Do not immediately respond, it can wait, remove the false sense of urgency. We covered this in the Social Engineering with Matt Holland and Enrico Faccioli. I find myself referring back to their session quite often these days. We discuss some of the latest developments in protections, e.g. Apple’s Call Screen.

Alex draws a great analogy with Tesla’s dumb summon versus smart summon. Call screening need to be actively smart using data from many sources including the network.

I asked the question, can we get to no more non-signed calls.   There always seems to be an exception. Alex says a first step is out of band STIR/SHAKEN. Which is a band-aid. The core question is how to we get to all IP?

A limiting factor is smaller carriers prefer TDM as they earn more money. The FCC needs to sort out that compensation issue. But beyond that, e911 is wired up to TDM. FCC needs to set a deadline of 24-36 months and force the change to all-IP for the PSTN. This may need an act of Congress to avoid all the inevitable litigation, the PSTN is polluted, urgent and decisive action is required. Else it will be one decade later and we’re still talking about the move to all IP.

We moved on to mandating robocallers to leave a voice message to change their economics. Other changes are on the cost for a phone number, a source of potential spam (SMS and voice). There needs to be a change in pricing and longevity. Say a minimum of one year. I’ve had my mobile phone number for 26 years. Imagine a government tax of $1 per month, which us used for fund enforcement.

I raised the point that there’s enough signals around me and my number, I should never be labelled spam likely. Alex also brings up the challenges we see with branded calling.

The Decline of the PSTN?

Our discussion moved onto the decline of the PSTN, given the move to in-app messaging and calling. It’s hard not to be pessimistic given the pollution of the PSTN, and the slow adoption of RCS.

TikTok, Snapchat., Instagram, WhatsApp are messaging channels with significant share where their customer base aligns with the brand’s. See Labubu Doll on TikTok, https://www.tiktok.com/tag/labubu?lang=en. WhatsApp is cheaper than SMS in some markets, https://www.linkedin.com/posts/marcus-kallavus_sms-is-getting-a-lot-more-expensive-in-latvia-activity-7378704106951086080-x0wH. Fragmentation is increasing, The PSTN is no longer the common denominator in communications, it’s the web.

Messaging has become complex, regional, and ever more aligned with the web. All the phones kids are using are IP devices, not only mobile devices, with the bulk of their time is spent on WiFi/Web, they rarely use the PSTN.

I see a similar pattern with voice over PSTN. Polluted with robocalling we’re using tools other than the PSTN to arrange times to chat and use platforms like snapchat, Facetime, Zoom, Teams, etc. I think we’ve entered a phase with the PSTN is increasingly substituted as common communications denominator by the web. Yet the web equally has its challenges.