ECC WorkProgram Database

NaN2_03

Last update: 08-11-2024

ECC Report

ECC Report on the definition of missing, invalid, or fraudulent CLI

NaN2_02
NPS_06
NPS_04

CLI spoofing has been increasing during the last years with a very negative impact not only for end-users but also for operators. ECC Report 338 on CLI spoofing adopted 7th June 2022 contains in the conclusion, under the form of 6 points, possible actions for CEPT administrations to take to help mitigate or stop CLI spoofing. The proposed report implements the conclusions contained in the first and last bullet points of number 2 of the ECC Report 338.

There are several places where terms like missing, invalid or fraudulent CLI are used, but these terms are not clearly defined. When the CLI is considered as missing, invalid or fraudulent, operators may decide to block the calls, to remove the CLI from any further routing or to change the CLI, applying higher wholesale interconnection rates. This could have implications on multiple aspects.

Therefore, without a common understanding of these terms, disputes may arise between operators on the handling of calls with a CLI that is considered by one of the operators involved in the conveyance of the call as falling within these categories. It is therefore important to establish a common understanding of what qualifies as a missing, invalid or a fraudulent CLI, in order to encourage a common approach.

Some use cases where this would be beneficial follow. For instance, a common practice is to change the CLI in order to mask the origin of the call, in particular changing the CLI for traffic originating from a number from the national numbering plan of a country that does not apply the delegated regulation (EU) 2021/654 setting the Eurorates to a CLI from the national numbering plan of a country that is part of the Eurorates zone, with the objective being to make the terminating operator believe that the traffic originates from a number pertaining to the national numbering plan of a Eurorates country, in order to take advantage of the cheaper termination fees that apply in the Eurorates zone. In this way, fraudulent arbitrage income can be generated.

Also, negative impacts may also be pointed out for end-users, since when the CLI is missing, spoofed to show an invalid number (e.g. from an unassigned range) or it fraudulently shows a CLI belonging to another end-user (e.g. a trusted bank), it would pose dangers for the end-user. Call-back would not be possible on invalid numbers or when the CLI is missing, or fraudulent use of third parties’ CLI would not identify the real caller and possibly expose the receiving party to fraud.

For those reasons, there is a need to define clear verifiable guidelines in a report of what is and what is not to be considered as missing, invalid or fraudulent CLI, in order to mitigate CLI spoofing and encourage a more harmonised approach in handling of such calls.

S: 22-11-2022
T: 21-05-2024

Work item approved at WG NaN#25 (22-24 November 2022).

In Progress

NaN2_04

Last update: 08-11-2024

ECC Recommendation

ECC Recommendation on SMS Sender ID

The ECC Recommendation will contain policy rules on how to handle the SMS SenderID in order to maintain trust in the SenderID

The WG NaN has already developed detailed policies on how to handle the CLI in voice communications in order to maintain trust in the CLI.

SMS SenderID is the equivalent identifier as CLI for voice calls but for SMS. SMS is used for person-to-person (P2P) communications, but also more and more for application-to-person (A2P) communications. In this last category, we can distinguish between premium rate SMS, where the receiver of the SMS pays for the premium rate service and business messaging as one-time passwords, alerts for appointments which are not charged for the receiver. While the premium rate SMS- service is in decline, business messaging including the use of SMS as an extra security layer are getting more and more popular (2-factor authorisation as defined in Payment Services Directive - PSD2).

The work item will be limited to A2P- communications.

While for voice communication the CLI is always a telephone number, for SMS it is possible to use alphanumeric characters in SenderIDs. It is not common that CEPT Administrations regulate their use. This creates additional risks as people are more likely to be mis leaded in case of spoofing by an alphanumeric identifier (e.g. well-known brands) than a numeric one. From a technical point of view it is easy to modify the SenderID in a number or alphanumeric characters. SenderID spoofing for SMS is seen by many administrations more and more as a problem with a very negative impact for end-users, since often it is used for frauds. Moreover, in case of provisioning of business messaging via SMS typically a long chain of subjects is involved and this increases the complexity in identifying the real sender of the messaging.

Although the scope of the ECC Report 338 on CLI spoofing adopted 7^th June 2022 and the following ECC Recommendation in preparation is limited to voice communications, some principles (e.g. with A/B handshaking and the respect of international Recommendation E.157 for international communications) described can be used in this new Recommendation.

This ECC Recommendation aims to increase the trust in SenderID proposing rules and good polices on how to handle SMS SenderID. Special attention will be given to maximise the commercial benefit for the stakeholders of SMS while minimising the risk of fraud and or abuse where SenderID plays a role. It will draw on the good practices currently applied in several countries.

The ambition of the ECC Recommendation is to move as far as possible towards a common approach in the CEPT countries.

S: 21-06-2023
T: 10-06-2025

Work item approved at WG NaN#26, Budapest, 20-22 June 2023

In Progress

NPS_07

Last update: 25-05-2021

ECC Report

CEPT cooperation process for withholding payments and/or blocking access to numbers or services in cases of cross-border fraud or misuse

One of the most effective long-term approaches to tackling fraud and misuse is greater cooperation and information sharing between regulators. This can help us to better understand the changing nature of fraud mechanisms and to develop ex-ante and ex-post measures to protect the interests of citizens and consumers. With this aim, it is proposed to define a process for cooperation in the investigation of cross-border cases of fraud and misuse. The process would assist any regulatory intervention in the withholding of payments and/or blocking of access to numbers or services where fraud or misuse has occurred.

As a starting point, we plan to review the BEREC cooperation process, as set out in report BoR (13)37. The BEREC cooperation process was developed to assist regulatory authorities in the effective application of powers provided by Article 28(2) of the Universal Service Directive (USD) to require the withholding of payments and/or blocking of access to numbers or services in cases of fraud or misuse. It is a cooperation and information sharing tool used to complement national processes in combating fraud and misuse. We would consider the strengths and weaknesses of the BEREC cooperation process in developing the CEPT process.

References:
ECC Report 275 (2018) The role of E.164 numbers in international fraud and misuse of electronic communications services
BEREC Report BoR (13)37 Article 28(2) USD Universal Service Directive: A harmonised BEREC cooperation process, March 2013

S: 31-05-2018
T:

On Hold

NaN2_03 Last update: 08-11-2024	ECC Report	ECC Report on the definition of missing, invalid, or fraudulent CLI	NaN2_02 NPS_06 NPS_04	CLI spoofing has been increasing during the last years with a very negative impact not only for end-users but also for operators. ECC Report 338 on CLI spoofing adopted 7th June 2022 contains in the conclusion, under the form of 6 points, possible actions for CEPT administrations to take to help mitigate or stop CLI spoofing. The proposed report implements the conclusions contained in the first and last bullet points of number 2 of the ECC Report 338. There are several places where terms like missing, invalid or fraudulent CLI are used, but these terms are not clearly defined. When the CLI is considered as missing, invalid or fraudulent, operators may decide to block the calls, to remove the CLI from any further routing or to change the CLI, applying higher wholesale interconnection rates. This could have implications on multiple aspects. Therefore, without a common understanding of these terms, disputes may arise between operators on the handling of calls with a CLI that is considered by one of the operators involved in the conveyance of the call as falling within these categories. It is therefore important to establish a common understanding of what qualifies as a missing, invalid or a fraudulent CLI, in order to encourage a common approach. Some use cases where this would be beneficial follow. For instance, a common practice is to change the CLI in order to mask the origin of the call, in particular changing the CLI for traffic originating from a number from the national numbering plan of a country that does not apply the delegated regulation (EU) 2021/654 setting the Eurorates to a CLI from the national numbering plan of a country that is part of the Eurorates zone, with the objective being to make the terminating operator believe that the traffic originates from a number pertaining to the national numbering plan of a Eurorates country, in order to take advantage of the cheaper termination fees that apply in the Eurorates zone. In this way, fraudulent arbitrage income can be generated. Also, negative impacts may also be pointed out for end-users, since when the CLI is missing, spoofed to show an invalid number (e.g. from an unassigned range) or it fraudulently shows a CLI belonging to another end-user (e.g. a trusted bank), it would pose dangers for the end-user. Call-back would not be possible on invalid numbers or when the CLI is missing, or fraudulent use of third parties’ CLI would not identify the real caller and possibly expose the receiving party to fraud. For those reasons, there is a need to define clear verifiable guidelines in a report of what is and what is not to be considered as missing, invalid or fraudulent CLI, in order to mitigate CLI spoofing and encourage a more harmonised approach in handling of such calls.	S: 22-11-2022 T: 21-05-2024	Work item approved at WG NaN#25 (22-24 November 2022).	In Progress
NaN2_04 Last update: 08-11-2024	ECC Recommendation	ECC Recommendation on SMS Sender ID		The ECC Recommendation will contain policy rules on how to handle the SMS SenderID in order to maintain trust in the SenderID The WG NaN has already developed detailed policies on how to handle the CLI in voice communications in order to maintain trust in the CLI. SMS SenderID is the equivalent identifier as CLI for voice calls but for SMS. SMS is used for person-to-person (P2P) communications, but also more and more for application-to-person (A2P) communications. In this last category, we can distinguish between premium rate SMS, where the receiver of the SMS pays for the premium rate service and business messaging as one-time passwords, alerts for appointments which are not charged for the receiver. While the premium rate SMS- service is in decline, business messaging including the use of SMS as an extra security layer are getting more and more popular (2-factor authorisation as defined in Payment Services Directive - PSD2). The work item will be limited to A2P- communications. While for voice communication the CLI is always a telephone number, for SMS it is possible to use alphanumeric characters in SenderIDs. It is not common that CEPT Administrations regulate their use. This creates additional risks as people are more likely to be mis leaded in case of spoofing by an alphanumeric identifier (e.g. well-known brands) than a numeric one. From a technical point of view it is easy to modify the SenderID in a number or alphanumeric characters. SenderID spoofing for SMS is seen by many administrations more and more as a problem with a very negative impact for end-users, since often it is used for frauds. Moreover, in case of provisioning of business messaging via SMS typically a long chain of subjects is involved and this increases the complexity in identifying the real sender of the messaging. Although the scope of the ECC Report 338 on CLI spoofing adopted 7^th June 2022 and the following ECC Recommendation in preparation is limited to voice communications, some principles (e.g. with A/B handshaking and the respect of international Recommendation E.157 for international communications) described can be used in this new Recommendation. This ECC Recommendation aims to increase the trust in SenderID proposing rules and good polices on how to handle SMS SenderID. Special attention will be given to maximise the commercial benefit for the stakeholders of SMS while minimising the risk of fraud and or abuse where SenderID plays a role. It will draw on the good practices currently applied in several countries. The ambition of the ECC Recommendation is to move as far as possible towards a common approach in the CEPT countries.	S: 21-06-2023 T: 10-06-2025	Work item approved at WG NaN#26, Budapest, 20-22 June 2023	In Progress
NPS_07 Last update: 25-05-2021	ECC Report	CEPT cooperation process for withholding payments and/or blocking access to numbers or services in cases of cross-border fraud or misuse		One of the most effective long-term approaches to tackling fraud and misuse is greater cooperation and information sharing between regulators. This can help us to better understand the changing nature of fraud mechanisms and to develop ex-ante and ex-post measures to protect the interests of citizens and consumers. With this aim, it is proposed to define a process for cooperation in the investigation of cross-border cases of fraud and misuse. The process would assist any regulatory intervention in the withholding of payments and/or blocking of access to numbers or services where fraud or misuse has occurred. As a starting point, we plan to review the BEREC cooperation process, as set out in report BoR (13)37. The BEREC cooperation process was developed to assist regulatory authorities in the effective application of powers provided by Article 28(2) of the Universal Service Directive (USD) to require the withholding of payments and/or blocking of access to numbers or services in cases of fraud or misuse. It is a cooperation and information sharing tool used to complement national processes in combating fraud and misuse. We would consider the strengths and weaknesses of the BEREC cooperation process in developing the CEPT process. References: ECC Report 275 (2018) The role of E.164 numbers in international fraud and misuse of electronic communications services BEREC Report BoR (13)37 Article 28(2) USD Universal Service Directive: A harmonised BEREC cooperation process, March 2013	S: 31-05-2018 T:		On Hold