
Welcome to Commsrisk, where Eric Priezkalns, MEF Director of Anti-Fraud and Integrity, casts a critical eye over the week’s news in telco anti-fraud. This week, he takes a closer look at identity and news on the latest efforts to verify your digital fingerprints.

Criminals are more likely to steal your money with a phone than a gun these days. That makes it easy to pump out stories about scams on a regular basis. It is so easy that even the mainstream media has started writing about them. The problem with reacting to a crimewave is that it means nobody paid attention to the factors that enabled crime before criminals started duplicating and refining each other’s methods. When criminals gain a foothold, they use their profits to reinvest in crime, making it harder to stop them in future. Fraud is essentially an evolutionary competition. If we only seek to learn about fraud from actual frauds then we never aspire to be anything but the fraudster’s prey.

Slapdash security surrounding personal data laid the initial groundwork for the crimewave. Businesses pushed you to perform more transactions remotely, and they placed more emphasis on your convenience than on validating your identity. At least they made some effort to check who you are. They continued to act like they could never be impersonated. They would call you, or send you a message, and you were expected to believe that your bank, or a delivery firm, or a government agency was on the other end of the line.

It was a mistake to train ordinary people to have faith that somebody far away would never lie about who they were. The seriousness of that mistake is appreciated now, albeit much later than it should have been. The consequences were so predictable that I began reorienting the content of this website towards consumer scams years ago, despite the low readership figures that articles about the topic used to generate. I gather my thoughts by writing about developments that interest me; it is a fortunate coincidence that they also interest discerning readers like you.

However, you do not come to Commsrisk to read about the past. You come here to be three steps ahead of your peers. This week’s bulletin is dedicated to some small but important news items that indicate the solution to impersonation fraud is in the pipeline. These news stories appear infinitesimally tiny and extraordinarily dull when compared to splashy headlines about all the people who lost money to scammers this week. But the stories recounted below are also potentially huge, because the significance of an innovation only becomes apparent a while after the innovation occurs.

ISO Publishes Standard on Verifiable Digital Identifiers for Legal Entities

Various parties are creating data repositories so telcos can verify if a call or message displaying a legal name or brand actually comes from an entity registered to use that name or brand. This means telcos can block a communication if the content suggests it comes from business X, but other details do not match the information about business X which has been stored in the repository.

The difficulty with these repositories is that the world will end up with lots of different and incompatible repositories unless a body like the Mobile Ecosystem Forum creates a global federation to tie them all together. And that will be difficult because there are hundreds of players who will try to make money by establishing and running new repositories, whilst only a few can be trusted to manage repositories on a nonprofit basis and to impartially administer them everywhere, so that no country’s business interests receive favorable treatment.

Others are filling the void by offering lots of intelligence, both artificial and otherwise, to try to distinguish authentic communications from the work of imposters. Their methods will be useful up to a point, but only because we lack more reliable alternatives. If AI can be used to detect fraud, then fraudsters will also use it to make fraud harder to detect.

What is really required is a piece of data which acts like a digital signature, and which cannot be corrupted, nor duplicated, and which can only be appended to a communication by the entity which demonstrably owns it. The signature also needs to be designed so somebody on the far end of the communication can verify the signature is genuine. In other words, we need a verifiable legal entity identifier (vLEI), as explained last year by three leading experts on a Commsrisk TV episode entitled “Turning Bank ID into Caller ID”.

One little news story which is actually a big news story is that the International Organization for Standardization (ISO) has published a new standard which explicitly covers vLEIs. The root of trust for vLEIs is the Global Legal Entity Identifier Foundation (GLEIF), an offshoot of the Financial Stability Board of the G20 countries. GLEIF was established in 2014 with a goal that sounds simple: create a common global identifier for each party to a financial transaction so everybody knows who they are dealing with.

You now appreciate why that objective is difficult to achieve in practice, and also why it has become more necessary than ever before. In other words, GLEIF represents the other big sector that wants to prevent scammers using phones to steal from bank accounts. And they have a realistic chance of implementing a global framework where big businesses get their identities independently audited, and then apply digital signatures to calls and messages so they cannot be impersonated.

Per GLEIF’s press release about the new ISO standard:

This standard outlines how vLEIs utilize Authentic Chained Data Container (ACDC) technology and the Key Event Receipt Infrastructure (KERI) protocol to securely trace credentials… it describes how vLEIs can verify the identities of individuals representing organizations in official or functional roles, marking a significant advancement toward universally trusted digital verification of organizations and their authorized representatives.

To put it another way, the standard shows how a distributed but global architecture can be used to uniquely identify each party to a transaction. This is complemented by a process where third party auditors have verified that a unique identifier is only ever issued to the legal entity that deserves to use the identifier.

All of this leaves the communications industry with a strategic choice, though not everybody knows enough to appreciate that the choice already exists. We can collectively devote a decade or two to jabbering about ‘collaboration’ whilst actually promoting lots of competing near-sighted, dead-end national and/or proprietary data repositories and technologies that each promise to tackle the challenge of authenticating corporate phone users, although none have much chance of becoming globally dominant. Or we can work with the banking sector on pursuing the most rapid implementation of a credible global solution that already has the implicit backing of the G20 governments. Based on past experience, I expect we will pursue the latter only after much time is wasted on the former.

ISO 17442-3:2024, the new Part 3 that adds vLEIs to the existing standard on legal entity identifiers, can be purchased from ISO.

Draft IETF Standard Would Tie STIR/SHAKEN Signatures to Verifiable Third Party Authenticators of a Legal Identity

If you read the story above, you may soon experience a queasy semi-dyslexic sensation upon noticing the following news involves a rearrangement of such words as “verifiable” and “signature”. The news is completely separate although it bears a resemblance to the press release about vLEIs being standardized because the same evolutionary pressures can influence how separate solutions develop.

Please manage your discomfort whilst acknowledging that lots of people who talk about collaboration do not know enough other people to know who they should be collaborating with. Worse than this is the realization that some of the people talking about collaboration may not be important enough to influence the overall direction of travel. So hold on tight, because this ride starts with a digression into Darwinian natural selection.

Have you ever wondered why so many animals have two eyes next to each other? It is a terrible layout from a defensive perspective; the back of the head is an enormous blind spot. However, predators care more about what lies ahead than what lies behind. Cats, sharks, owls and human beings are not closely related to each other, but they all separately evolved binocular vision so they can efficiently evaluate the distance between them and their prey. So a completely separate evolutionary chain can result in the same design when trying to accomplish the same essential goal. The principles that apply to competition in nature can also sometimes be exhibited when observing the competition of ideas.

Regular readers will know my thoughts about STIR/SHAKEN, the US combination of governance and technology standards that forces telcos in a few countries to attach digital signatures to calls. Trying to stop scam calls with STIR/SHAKEN has proven as effective as trying to stop a wildfire with a wet fart. This outcome was predicted in Commsrisk although advocates of STIR/SHAKEN still try to pretend their method has succeeded, despite all their optimistic predictions coming to nothing. There are so many things wrong with STIR/SHAKEN that it would be tedious to recount them all, but one of the most important deficiencies of STIR/SHAKEN is that it is described as a method to ‘authenticate’ the origin of calls in the complete absence of any authentication being demanded by anything written into the various standards that define STIR/SHAKEN.

Describing a STIR/SHAKEN signature as a form of authentication is like saying a forger can authenticate a painting by applying Picasso’s name to the bottom-right corner. The application of paint to a canvas does not make the painting authentic. The application of a STIR/SHAKEN signature to a call does not make the call authentic. This egregious flaw should have been obvious to everybody from the outset.

The existence of the flaw was made indisputable by the US Federal Communications Commission (FCC) needing to punish a telco that applied the highest grade of STIR/SHAKEN signature to spoofed and deepfaked phone calls that intentionally misled voters. It is of some interest that one of the architects of STIR/SHAKEN is now addressing this fundamental flaw.

The significance of the fix is huge, though it is my experience that when people fix a massive screw-up they do not like to draw attention to the fix because it also draws attention to the massive screw-up. They prefer instead to present the fix like it was a natural progression of their past success. Enter Chris Wendt, formerly of Comcast and now of Somos. Wendt was one of the co-authors of STIR/SHAKEN, and he is now the co-author of a draft Internet Engineering Task Force standard called VESPER. The draft standard for VESPER begins:

This document extends the STIR architecture by defining a secure telephone identity token and PASSporT with a type of “vesper” and specifies the use of Selective Disclosure JWT (SD-JWT) for representing persona related claim information intended to be associated with verifiable information such as the assignment of a telephone number or the output of a Know Your Customer (KYC) or Know Your Business (KYB) type of vetting process or Rich Call Data (RCD) or claims of consent provided to the telephone number holder.

For those who do not speak techno-ese, the draft is proposing the creation of a web token, encoded so that holders of a key can extract information including a third party auditor’s determination that the entity claiming to originate the communication really is who they say they are. In other words, it wants to do something new that STIR/SHAKEN should have done from the outset. The need for this development is made plain within the draft standard.

Recently, the illegitimate use of telephone numbers by unauthorized parties and the associated fraudulent activity associated with those communications has generally eroded trust in communications systems. Further, basic reliance on the trust of the signer alone to at the time of the communications without (sic) has proven to require time and people consuming work to perform after-the-fact investigation and enforcement activities.

In other words, people who attach STIR/SHAKEN signatures to calls do not always tell the truth. Discovering that some people who run businesses are liars ‘has proven’ to be a fundamental flaw with STIR/SHAKEN. It needs rectification by enabling authentication to occur before the application of the technology that claims to show something is authenticated, instead of trying to play catch-up with the liars afterwards.

Other industries, like the financial industry, have adopted well-known successful practices of Know Your Customer (KYC) or Know Your Business (KYB), otherwise referred to as the application of vetting practices of an entity.

You can see where this is going. Some people who know some stuff about internet technologies persuaded a US government agency to implement a way of signaling that a call had been authenticated before anybody had bothered to stipulate what telcos should be doing to check that the entity making the call is trustworthy. Years earlier, a group of people who know about banking worked out how to check and uniquely identify every business that provides financial services. The banking people were not internet people, so they worked out how to authenticate an entity before they started thinking about how to use the internet to remotely signal the fact that an entity has been authenticated. So like sharks and owls, two completely different evolutionary branches have independently been progressing towards a common design to address a common challenge. That design, in outline, is:

  1. Give third-party auditors a framework so they can independently verify that an organization is the organization that it says it is.
  2. Translate the decision of the third-party auditor into cryptographically secure data that can be understood by anybody who has access to it and who wants to verify the identity of the organization they are transacting with.
  3. Make timely access to that data available through the internet.
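The three steps above, the signature properties set out earlier in the vLEI section (data that only the owning entity can append and that anybody on the far end can verify), and the VESPER draft’s idea of a PASSporT carrying selectively disclosable persona claims all describe one chain of trust. The following Go program is an added illustration written for this republication; it is not code from the VESPER draft, from ISO 17442-3, from GLEIF or from Commsrisk, and the field names, token layout and trust list are its own simplifications. A third-party auditor signs an attestation that a legal entity controls a number (step 1 and 2), the originating carrier signs a token that carries that attestation plus the salted digests of disclosable claims in the manner of SD-JWT (step 2), and the receiving side verifies every link (step 3). The point the page makes is visible in the verifier: a carrier signature over a self-asserted “vetted” claim is rejected, because only a signature from an auditor the verifier already trusts counts as authentication.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// Attestation is the vetting decision a third-party auditor signs (step 1):
// "this legal entity controls this number". Field names are this example's own.
type Attestation struct {
	Auditor  string `json:"auditor"`   // identifier of the vetting provider
	Entity   string `json:"entity"`    // legal name established by KYB vetting
	TN       string `json:"tn"`        // telephone number assigned to the entity
	VettedAt int64  `json:"vetted_at"` // unix time of the decision
}

// Attest turns the decision into verifiable data (step 2): an Ed25519
// signature by the auditor over the attestation's JSON encoding.
func Attest(a Attestation, auditorPriv ed25519.PrivateKey) string {
	msg, _ := json.Marshal(a)
	return b64.EncodeToString(ed25519.Sign(auditorPriv, msg))
}

// Disclosure is an SD-JWT-style persona claim: only its salted digest is
// signed into the token, so the holder can reveal or withhold it per call.
type Disclosure struct{ Salt, Name, Value string }

func (d Disclosure) Digest() string {
	raw, _ := json.Marshal([]string{d.Salt, d.Name, d.Value})
	sum := sha256.Sum256(raw)
	return b64.EncodeToString(sum[:])
}

// Payload is a simplified PASSporT body: the calling number, the auditor's
// attestation with its signature, and the digests of disclosable claims.
type Payload struct {
	Orig       string      `json:"orig"`
	Vetting    Attestation `json:"vetting"`
	VettingSig string      `json:"vetting_sig"`
	SD         []string    `json:"_sd"`
}

// SignToken produces "payload.signature", signed by the originating carrier.
func SignToken(p Payload, carrierPriv ed25519.PrivateKey) string {
	body, _ := json.Marshal(p)
	enc := b64.EncodeToString(body)
	return enc + "." + b64.EncodeToString(ed25519.Sign(carrierPriv, []byte(enc)))
}

// Verify checks every link (step 3, receiving side): carrier signature, an
// attestation from a trusted auditor for the presented number, and each
// presented disclosure. It returns only the claims that passed all checks.
func Verify(token string, disclosed []Disclosure, carrierPub ed25519.PublicKey, trusted map[string]ed25519.PublicKey) (map[string]string, error) {
	parts := strings.SplitN(token, ".", 2)
	sig, err := b64.DecodeString(parts[len(parts)-1])
	if len(parts) != 2 || err != nil || !ed25519.Verify(carrierPub, []byte(parts[0]), sig) {
		return nil, errors.New("carrier signature invalid")
	}
	var p Payload
	body, _ := b64.DecodeString(parts[0])
	if err := json.Unmarshal(body, &p); err != nil {
		return nil, err
	}
	// The carrier's signature alone proves nothing about who the caller is:
	// the persona counts only when a trusted auditor's signature covers it.
	auditorPub, ok := trusted[p.Vetting.Auditor]
	msg, _ := json.Marshal(p.Vetting)
	asig, err := b64.DecodeString(p.VettingSig)
	if !ok || err != nil || !ed25519.Verify(auditorPub, msg, asig) || p.Vetting.TN != p.Orig {
		return nil, errors.New("no valid attestation from a trusted auditor for this number")
	}
	bound := map[string]bool{}
	for _, h := range p.SD {
		bound[h] = true
	}
	out := map[string]string{"orig": p.Orig, "entity": p.Vetting.Entity}
	for _, d := range disclosed {
		if !bound[d.Digest()] {
			return nil, fmt.Errorf("disclosure %q is not bound to the token", d.Name)
		}
		out[d.Name] = d.Value
	}
	return out, nil
}

func main() {
	// Constructed demo keys and values; none of this is real telephone data.
	auditorPub, auditorPriv, _ := ed25519.GenerateKey(rand.Reader)
	carrierPub, carrierPriv, _ := ed25519.GenerateKey(rand.Reader)
	att := Attestation{Auditor: "auditor-1", Entity: "Example Bank plc", TN: "+15550100100", VettedAt: 1700000000}
	brand := Disclosure{Salt: "constructed-salt-use-random-bytes", Name: "brand", Value: "Example Bank"}
	tok := SignToken(Payload{Orig: att.TN, Vetting: att, VettingSig: Attest(att, auditorPriv), SD: []string{brand.Digest()}}, carrierPriv)
	fmt.Println(Verify(tok, []Disclosure{brand}, carrierPub, map[string]ed25519.PublicKey{"auditor-1": auditorPub}))
}
```

The trust list passed to Verify is the part that competes with the "one government database" idea criticised later in the article: it can hold many auditors' keys, and revoking or adding an auditor changes nothing in the token format. The real VESPER draft and the vLEI ecosystem use richer structures (SD-JWT proper, ACDC credentials and KERI key state), so treat this as the shape of the chain rather than a wire-compatible implementation.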

Telcos employ more technologists than experts in preventing corruption, and so they neglected the first step in this three-step design, leaving a void that undermined the remainder of their plan. This void has been somewhat filled with ill-considered panic-measures, such as the US Robocall Mitigation Database (RMD). The lack of thought given to the crucial first step in this design has encouraged many naive folks to believe the eventual solution will involve somebody in government knowing who everybody is. Or worse, they expect one business to be paid by government to maintain a database of who everybody is. Readers of Commsrisk will be wise enough to appreciate why neither government, nor a government-backed monopoly, is the answer. A multiplicity of auditors exist in other domains, such as the auditing of financial accounts, because auditors also need the pressure of competition to discourage them from sliding into complacency and corruption.

It would be unfair to expect a technologist to be familiar with topics that fall well outside of their domain, such as the history of corporate governance. But that is also why big problems need to be tackled using a multi-disciplinary approach at the design stage, rather than trusting technologists to devise answers, only to then watch them learn from expensive forms of trial-and-error. Perhaps some communications businesses are now being drawn into this multi-disciplinary approach, whether they welcome what is happening or not.

Technologists may not change that much — technological specialization requires a high degree of focus — but they might find themselves working for new people with different perspectives. I currently do not think much of the old telco cliques that have only recently discovered that fraud afflicts phone users as well as phone companies. They should be ashamed of themselves for being so inward-looking for so long, with the result that the comms sector is riven with crime, to the detriment of the rest of society.

However, not everybody in business is narrow. I expect Chris Wendt’s bosses at Somos are very conscious of ‘other industries, like the financial industry’, and the potential to make money by eliminating some kinds of losses those industries currently endure. Smart businesses that know about networks will have two big eyes on the prize that comes with the prevention of financial scams.


This post originally appeared on Commsrisk.com and is republished here with kind permission. All opinions expressed are solely those of the Author.

Eric Priezkalns

MEF Director of Anti-Fraud and Integrity

MEF