logo

GSMA Call Check

Network Based Telecoms Communication Protection

GSMA Call Check has been developed specifically to fight and overcome one of the most significant voice telephony fraud problems impacting consumers and operators alike: CLI spoofing

CLI spoofing assists fraudsters to conduct a wide range of activities; for instance, to disguise their identity as a means to facilitate scamming activities towards consumers, or simply to misrepresent traffic to gain commercial advantage.

Learn More

Zero Trust

To prevent scam calls from reaching consumers, GSMA Call Check aligns with recent “zero trust” regulatory initiatives that mandate the blocking of international calls displaying a spoofed national CLI, but crucially with the ability also to support the safe passage of valid traffic scenarios (e.g., roaming subscribers) that are identified as legitimate exceptions in such policies.

The Security Network

GSMA Call Check addresses this by introducing an additional communication flow (a security network) that runs in parallel to and indeed faster than the regular telephony network. In essence it is a highly secure, peer-to-peer, collaborative operator network, operating automatically in realtime, and delivered by GSMA as a secure and encrypted hosted service.

GSMA Call Check lets the receiving telco network know “ahead of call start” that a call is coming, and then automatically performs a comprehensive but fast-acting series of checks to identify calls which are using spoofed numbers, so that operators have an opportunity to block them, and thereby prevent scammers from reaching consumers via the voice network.

Nodes and a Registration Server

When operators subscribe to the service, they are allocated a dedicated node within the Call Check network. Within the network, node servers communicate with each other based on the configuration managed via the registration server.

All peer-to-peer communications via the network feature end-to-end encryption, whereby the data required during processing operations is encrypted both at-rest and in-transit. In line with GDPR, data is minimized and held only as long as necessary to fulfill the network’s purpose.

Interaction with the Network

Operators communicate with their network node via API. Therefore, the implementation of GSMA Call Check is extremely light and quick, and for the operator the task of configuring these APIs represents the extent of the technical onboarding.

Use Cases

GSMA Call Check supports a wide range of use cases in the context of enhancing security and fraud resilience of telecom communications and they generally sit within the following two main areas of focus

I. Consumer Protection

  • CLI spoofing detection (e.g., for prevention of scam calls).
  • Roaming status checks (and similar CEPT/ECC (23)03 “legitimate exception” scenarios).

II. Commercial Frauds

  • Commercial frauds (e.g., for commercial gain), including IRSF, OBR fraud, assigned number checks, bypass fraud.

CLI Spoofing Detection

In this use case, nodes inform on call setup the nodes of expected receiving operators about an incoming call attempt in a given country. The node receiving the incoming call check from his owning operator (when the call attempt arrives via the telecoms network) will verify the call attempt while all other nodes, which were notified as well, forget about this notification instantly.

Roaming Status Checks

Roaming status checks (and similar legitimate exceptions documented in ECC (23)03) are vital to ensure that calls from outbound roamers do not get falsely blocked.

GSMA Call Check directly empowers inter-operator collaboration in a given country, so that each national operator has the ability to instantly verify that an incoming international call with a national A-number belongs to a roamer on any national network, not just their own.

With GSMA Call Check this is done without disclosing commercially-sensitive roaming information to other operators, or centrally storing roaming numbers.

Other Use Cases

Plenty of other use cases exist and are already on the agenda such as

  • IRSF Prevention, in which the service is fully pre-integrated with the GSMA IRSF prevention service.
  • OBR Frauds, in which the CLI spoofing use case indicates if an Anumber has changed mid-call flow. To get this use case working, the only ones required to adopt GSMA Call Check are the OBR participants.
  • Assigned Number Check, in which MNOs in countries with small populations often have ranges of several million possible numbers, most of which may be unallocated and therefore vulnerable to misappropriation by fraudsters for spoofing. GSMA Call Check enables operators to load and maintain their assigned numbers into their node, and provide to interconnect partners the response that the B-number is assigned.
  • Bypass Fraud Protection, which will work on all calls that are initiated by a customer of an MNO who is connected to the call check network and owns a node and where the receiving MNO is connected to the GSMA Call Check Network as well. In this case all incoming calls will be placed on the receiving node until they are resolved, which happens via the incoming international gateway. Therefore, if calls enter the national network via a hacked PBX or Sim Box, a check against the node will identify that the calls should have entered via the international gateway.
  • Resolving Number Portability, which can be handled by the call check network via one of the following two options:
    1. Node owners provide their numbers to their node and before the call starts. These nodes will provide feedback to the node validating the current holder of the number.
    2. A special “country” node could be provided for number portability providers via which they can provide their service similar to option 1).
  • RCD (Rich Call Data) and/or similar “on-top” services, in which consumer trust in numbers can, potentially, be further boosted by the presence of device-level information, such as RCD or similar data types.
  • vLEI (Verifiable Legal Entity Identifier) and/or similar digital ID services, in which consumers could further be reassured towards number validity by the presence of advanced labeling protocols, such as vLEI, carrying cryptographic validation of an enterprise’s identity.
  • Number Owner Labelling, in which enterprises have an interest that their customers see and know who is calling and the other way round, in order to verify who called. This can be implemented in GSMA Call Check, by adding an additional MNO in network node allowing enterprises to communicate with this node via API while they set up calls to clients and receive calls from clients.
  • General Data Exchange between operators, in which the future-proofed design of GSMA Call Check enables the further incorporation of theoretically limitless range of services, involving the general exchange of data between operators, in a fashion that is highly secure and privacy compliant.

Technical Prerequisites

Operation requires the connection via API or SIP as API alternative. A slim Web client verifies the own node is working.

Penetration testing and Security Audit

GSMA Call Check has been rigorously pen tested by two separate and independent leading authorities, in order to ensure the highest levels of system security and data privacy.

Oculeus is an official service provider for GSMA Call Check.