Who’s Calling? Who’s Texting? Assessing Sender ID Validation (Part 1)

titlepending FBO ID --- Image by © Bernd Vogel/Corbis

This was first published in D!gitalist on September 30, 2019.

Part 1 of the 3-part “Fighting Robocalls” series presenting a comprehensive assessment of sender ID validation in mobile messaging

Remember when you knew people’s — friends, family, even businesses — phone numbers by heart? Maybe you even remember your first phone number.

Before there were smartphones and even feature phones, we had to remember or write down different phone numbers. When someone called us, we typically answered the phone – even after calling line identification, or Caller ID, started to become prevalent.

Fast-forward some years later, and we usually know who we are texting with, as we recognize their phone number or short code if it is a business. Today, we typically assign that number to a contact name, so when we call or text, we are communicating with that person or business by name. All subsequent texts from that number appear on our smartphones by the name we have assigned.

For the most part, we are able to identify, with a high level of credibility, the source of an incoming text or call. But over the past few years, our communications devices – whether landline or mobile, voice, or text – are under attack by robocalls. This is especially true in the voice world. It’s gotten so bad that legitimate businesses are suffering because people don’t answer their phone calls anymore.

Worse, many robocalls utilize sender-spoofing – meaning the recipient sees a phone number that is different from the actual calling station. In many cases, the fraudulent caller will spoof the area, region, or city of the recipient to try to make it look as if the recipient is receiving a local call.

The voice world is fighting back. In the United States, where robocalls may be most common, the Federal Communications Commission (FCC) has mandated that all carriers (both landline and mobile) implement SHAKEN/STIR (Signature-based Handling of Asserted Information Using toKENs (SHAKEN) and the Secure Telephone Identity Revisited (STIR)) standards. The FCC explains SHAKEN/STIR as follows:

“… calls traveling through interconnected phone networks would have their caller ID ‘signed’ as legitimate by originating carriers and validated by other carriers before reaching consumers. SHAKEN/STIR digitally validates the handoff of phone calls passing through the complex web of networks, allowing the phone company of the consumer receiving the call to verify that a call is from the person making it.”

Even some business voice providers are fighting back. Twilio recently introduced Verified by Twilio, a solution designed to enable businesses to “help more than 200 million consumers know exactly who is calling them and why to help them determine what calls are real and needed versus those that are unwanted.”

The voice world is still inundated with robocalls, but there are signs that this trend may start to reverse, should SHAKEN/STIR and other concepts gain traction.

Who’s texting me?

In the texting world, we don’t have the full level of authentication for sender IDs found in the voice world, but there are renewed pushes by trade organizations, countries, and even service providers to provide some validity of sender IDs – especially for legitimate businesses.

In SMS, the phone number of a sender can really be anything. But subscribers are assigned an MSISDN (Mobile Station International Subscriber Directory Number) along with an IMSI (International Mobile Subscriber Identity). The MSISDN is essentially the subscriber’s phone number. Text messages use MSISDN to map to other identifiers (including the IMSI) to locate the mobile subscriber and to forward calls and text to their devices.

Short codes

When businesses connect to messaging aggregators and even directly to mobile operators, they can be assigned any number. This is why we have short codes. Short codes were designed to provide an easy-to-use method for businesses to have an identifier so they can text subscribers (e.g. consumers).

In many countries, various trade organizations and mobile operator organizations have created entities that assign and manage short codes for businesses to use. In the United States, the Common Short Code Registry was established by the CTIA with iconectiv administering the registry. For Canada, txt.ca is the CWTA registry for Canadian short codes. For the UK, it is short-codes.com, administered by the Short Code Management Group, a consortium of the top mobile operators in the UK. Nearly 50 countries now have some sort of short-code program for SMS (which also extends to MMS).

You might think that makes everything well and good – and for senders that acquire and use short codes, that is typically true. Most are maintained by consortiums of mobile operators or trade associations – especially for those countries that operate a registry. They do have lease fees involved, and in some countries, the associated campaigns or use cases are vetted and approved by the mobile operators.

In the next blog in this series, we’ll examine alphanumeric sender IDs for SMS.