Westpac Scam Notice

From Westpac today. Note the sophistication regarding spoofing the caller IDs. The technique will probably propagate to other financial institutions, and other businesses with particular ‘twists’.

We’ve recently received reports of scammers impersonating us, including spoofing our trusted phone numbers.

These often start with receiving an SMS, with a sender name of “Westpac”, advising a Fraud or Security Officer will call. When a call is received, the number on screen may display as one of our advertised numbers.

Legitimate calls from the Bank will never ask you to make a transaction (e.g. to a safe account or transfer to another financial institution), share Online Banking Security Codes, or request remote access to your computer/device.

What is Spoofing?
Caller ID spoofing is the unauthorised use of a phone number to mislead you about the origin of the call/SMS.

Simply put, it is when the Caller ID shows a phone number or name different to the initiating phone number.

Scammers use this technique in the hope that you will answer their call or action an SMS, as Australians become more wary about answering calls from unusual or unknown numbers.

What should I look out for?
Scammers may use a sender name of “Westpac” or spoof our common phone numbers to try and convince you this is a trusted call or message.

Your phone will automatically group spoofed SMS messages alongside any existing legitimate messages you may have received from Westpac.

Unfortunately, there is little you can do to prevent a scammer calling or messaging you from a spoofed number.

How can you protect yourself?
Stay alert to scam calls and SMS messages.

If you receive any messages regarding your account or transaction activity, do not click on any links provided via SMS - always sign in securely to check your account by typing westpac.com.au into your browser or using the App.

Never share your Online Banking Security Codes with anyone, including callers claiming to be Westpac.

15 Likes

Why is this still possible, Mr Government? Something for Choice to raise?

However I dare say that some people will be tricked even without spoofing.

If responding at all to the possible scam, always obtain the correct phone number for the bank from a trusted source and call back, and call back on a different phone.

What should I look out for?

And obviously crap about banks (or other companies) that you don’t even bank with (deal with).

To that extent, a healthy market that is not dominated by a small number of large companies is good or, alternatively, using one of the smaller players. But I guess Westpac is not going to advise you not to use Westpac. :wink:

Scammers like to be efficient. So an oligopoly suits them.

2 Likes

I am not qualified to say one way or the other but I have not seen anyone, expert or just claiming to be, who can say technically speaking how the problem of number spoofing can be solved. Many say “but surely there is a way” but they don’t say what it is.

2 Likes

As most spoofed numbers are generated overseas, stopping OS callers from being allowed to use Australian numbers is one way. I have made previous posts about this. While Australia allows our numbers to be used by non-Australian users (those without a direct Australian presence), the ability to control the large amount of spoofing is hindered.

A number that is being used by OS callers can be identified as such. The ability to block them exists; we just don’t use the systems available, as it is not illegal here to use Australian numbers even when no Australian presence exists.

4 Likes

Can a roaming mobile in a foreign land with a genuine +614xx xxx xxx number be differentiated from the same number that was spoofed? Landline numbers might be easier.

4 Likes

Can you point to somewhere that tells us how those things would be done?

1 Like

Unfortunately it appears it currently doesn’t exist and requires technical development. See the above link (Stepchange):

A longer-term goal is the introduction of CLI ‘authentication’ practices. We are engaged with the US Federal Communications Committee (FCC)’s work to develop technical solutions to CLI ‘spoofing’, which will be delivered through the Internet Engineering Task Force (IETF) and International Telecommunications Union, and have established a related Memorandum of Understanding with other national regulatory authorities. This type of solution will require the development of CLI authorisation through a certification scheme.

3 Likes

The system is based on only those with addresses or a real Australian presence or need being issued phone numbers. So the first step is to stop allowing the sale of Australian number blocks to VOIP providers unless the numbers are only allocated to genuine Australian-linked people or businesses. Currently anyone can buy Australian blocks of numbers (currently in allocation or out of allocation).

A number that is coming through an OS exchange/VOIP provider is and has always been able to be identified. Many streaming businesses use similar tech to identify VPN connections to their services to block OS access to their catalogs.

“Australia Caller ID spoofing laws

Caller ID spoofing is completely legal in Australia unless it’s part of a scam. Number spoofing scams fall under laws governing unwanted communications. Scammers caught in the act can be subject to fines and/or criminal prosecution.

To report number spoofing scams in Australia, contact the following resources:

In the US many providers are now employing anti spoofing tools to block the calls before they reach users because the US authorities are fining the providers (particularly VOIP providers) who allow spoofed calls through.

“3. Some carriers now employ number spoofing and spam blockers across their networks

Focusing on that third point, many large, first-party mobile carriers have started to deploy spam blocking technologies at the network level. As calls come into the network, they’re scrutinized and filtered. So instead of having to wait for calls to hit your phone before being blocked, many get blocked before you know it.

This is particularly true in the US, where network-level spam blocking is now a marketing tool to draw in customers. All major US mobile carriers (Verizon, T-Mobile, AT&T) now offer free spam blocking to customers. Notably, they tend not to offer these services to MVNOs that ride on their networks, and most MVNOs do not offer free spam blocking.”

Only now is ACMA making rules to combat spam calls, before it was largely unregulated.

“The Australian Communications and Media Authority (ACMA) is stepping up its fight against mobile number fraud with a new industry standard that requires telcos to add an additional identity verification when transferring customers’ phone numbers from one telco to another”.

This ability is not new, the implementation here is new.

3 Likes

The number is allocated and as such should be able to be linked to a genuine Australian “presence”. While in this case it isn’t perfect, it will still be passed via a legitimate provider in Australia as it will form part of the cost sharing for providing the roaming service. If it isn’t a legit service roaming would be blocked.

4 Likes

Spoofing doesn’t require selling of phone numbers or allocation to real businesses or individuals. Such has no impact on ability to spoof a number - it would be good if it did. Any number can be spoofed (real or yet to be assigned). Often real phone numbers are spoofed and there are many reports of this occurring. It is recognised by ACMA…

Calling Line Identification (CLI) overstamping and spoofing | ACMA.

3 Likes

First step is banning the number selling to non-Australian-linked users of numbers; it isn’t the whole requirement, nor could it be. Once there is strong confidence that the numbers being issued are not owned by foreign players with no connection to Australia, then the next series of steps is to identify if the number is originating from outside Australia and, if it is, whether it is a legitimate use of the number. These are all possible; it is just that no rules that really required telcos to take steps had been in place. Now there are standards being developed to ensure compliance. Why has it happened? Because spoofing was legal (if for a scam it isn’t), and so no one bothered to identify spoofed numbers. If one got used for a scam, sure, that was illegal; a telco however didn’t need to assess before they allowed a spoofed number through. It was all reactionary to spoofed call spam in the past and often too late to catch the issue.

3 Likes

I am not seeing any working solution in what you have said. The efforts of the ACMA are a joke that have achieved very little.

When in opposition the new government said they would deal with the problem. I suppose we ought to give them time but I won’t be holding my breath.

2 Likes

LOL. I’ll have a stab at it.

In the world of IP addresses, this is called ingress filtering. The idea is that, for example, your ISP knows what IP address block contains the IP address that they have (for this moment in time) assigned to you. If you start generating traffic containing a source IP address outside that block (or indeed not the exact IP address that has been assigned to you) then the packet should be dropped, filtered out at the point of ingress.

So what does this involve? It involves a set of mutually trusting parties (all Australian ISPs) who are the gatekeepers for all traffic originating from a bunch of untrustworthy reprobates (that’s us) - and of course it involves those ISPs actually doing ingress filtering.

There are sometimes technical reasons why an untrusted party might legitimately not want ingress filtering to occur. In that scenario the relevant gatekeeper might grant the privilege of an exemption from ingress filtering to one of their customers who has proven to be trustworthy (i.e. not just some $2 shelf company customer who signed up 5 minutes ago) - but that privilege would surely be revoked in the event of demonstrated abuse.

Now … here comes the hand wavey part … apply the same principle to phone numbers.

I believe so … because the only way the genuine Aussie who is overseas can do roaming is that the foreign carrier communicates with the Aussie carrier who issued the SIM in order to authenticate the user. (However there may be a difference between what is theoretically possible and what functionality actually exists.)

Mobile phone connections are authenticated (and encrypted). The SIM contains a secret key that can only be verified by the issuing carrier.

Identifying foreign numbers is not as such necessary. It just means that the set of trusted parties (as per my discussion above) is much much larger if you can’t solve the “foreign” problem.

Another approach is to erase the +614xxx as it comes in from overseas regardless of whether it is genuine. So all calls that originate overseas are shown as “overseas” even if they are genuine Aussies overseas who are using roaming. That would be a win as far as I am concerned but travellers might disagree.

I think that is an approach that is different from what I am talking about. I think CLI authentication might involve allowing anyone to send any old crap, as now, but it would be possible to distinguish authentic CLI values from spoofed CLI values.

So there are two different approaches … stop at source v. detect.

4 Likes
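An added example, not from the thread or from any carrier or regulator, modelling the two approaches the post above contrasts, "stop at source" (CLI ingress filtering at the originating carrier, by analogy with IP source-address ingress filtering) and "detect" (the terminating carrier checking a signed CLI attestation, in the spirit of the CLI authentication and certification idea in the ACMA passage quoted earlier). Everything in it is an assumption made for illustration: the carrier names, trunks, number allocations and keys are constructed, and a shared-secret HMAC stands in for the certificate-based signatures a real certification scheme would use.

```python
"""Toy model of the two approaches contrasted in the post above: "stop at
source" (CLI ingress filtering at the originating carrier, the phone analogue
of IP source-address ingress filtering) and "detect" (the terminating carrier
verifying a signed CLI attestation). Carriers, trunks, numbers and keys are
constructed for this example; nothing here is a real deployed scheme."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

def normalise(number: str) -> str:
    """Canonicalise to E.164 (assumption: only 0... and +61 forms occur)."""
    digits = "".join(ch for ch in number if ch.isdigit() or ch == "+")
    if digits.startswith("+"):
        return digits
    if digits.startswith("0"):
        return "+61" + digits[1:]
    raise ValueError(f"unrecognised number format: {number!r}")

# ---- Approach 1: stop at source (CLI ingress filtering) -------------------
@dataclass
class Trunk:
    customer: str
    allocated: set = field(default_factory=set)  # CLIs the carrier allocated
    exempt: bool = False  # vetted customer allowed to present other numbers

def ingress_filter(trunk: Trunk, presented_cli: str):
    """Accept only if the CLI is inside the customer's allocation or the
    customer holds an explicit, auditable exemption. Returns (accept, reason)."""
    cli = normalise(presented_cli)
    if cli in trunk.allocated:
        return True, "cli within customer allocation"
    if trunk.exempt:
        return True, "exempt customer presenting a non-allocated number"
    return False, f"cli {cli} not allocated to {trunk.customer}"

# ---- Approach 2: detect (signed CLI attestation) --------------------------
# Assumption: the terminating carrier can look up a key for every carrier it
# trusts; a shared-secret HMAC stands in for the certificate-based signatures
# a real certification scheme would use.
CARRIER_KEYS = {
    "carrier-a": b"constructed-secret-for-carrier-a",
    "carrier-b": b"constructed-secret-for-carrier-b",
}
MAX_AGE_SECONDS = 60

def attest(carrier: str, cli: str, dest: str, now: float) -> dict:
    """Originating carrier signs (origin, cli, dest, time) once ingress filtering
    accepted the call; the attestation travels with the call."""
    claims = {"orig": carrier, "cli": normalise(cli), "dest": normalise(dest), "ts": int(now)}
    payload = json.dumps(claims, sort_keys=True)
    sig = hmac.new(CARRIER_KEYS[carrier], payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def verify(attestation: Optional[dict], cli_seen: str, dest_seen: str, now: float) -> str:
    """Terminating carrier's verdict: 'verified', 'unsigned', 'unknown-carrier',
    'bad-signature', 'mismatch' or 'stale'. A spoofed CLI still arrives, but it
    can no longer pass as authentic."""
    if attestation is None:
        return "unsigned"
    try:
        claims = json.loads(attestation["payload"])
        key = CARRIER_KEYS.get(claims["orig"])
    except (KeyError, TypeError, ValueError):
        return "bad-signature"
    if key is None:
        return "unknown-carrier"
    expected = hmac.new(key, attestation["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(attestation.get("sig", ""))):
        return "bad-signature"
    if claims["cli"] != normalise(cli_seen) or claims["dest"] != normalise(dest_seen):
        return "mismatch"  # genuine attestation replayed onto a different call
    if abs(now - claims["ts"]) > MAX_AGE_SECONDS:
        return "stale"
    return "verified"

BANK_CLI = "02 5550 1234"  # constructed "advertised bank number"
VICTIM = "0491 570 006"    # constructed destination

def scenario(now: float = 1_700_000_000.0) -> dict:
    """Push a bank call and a scammer's spoofed call through both approaches."""
    bank = Trunk("bank-contact-centre", {normalise(BANK_CLI)}, exempt=True)
    scammer = Trunk("cheap-voip-reseller", {normalise("02 5550 9876")})
    r = {}
    # Bank: CLI within its allocation, attested by carrier-a, verified on arrival.
    ok, _ = ingress_filter(bank, BANK_CLI)
    r["bank"] = verify(attest("carrier-a", BANK_CLI, VICTIM, now), BANK_CLI, VICTIM, now) if ok else "dropped"
    # Scammer behind a filtering carrier: the spoofed call never leaves carrier-b.
    r["scammer_filtered"] = "leaked" if ingress_filter(scammer, BANK_CLI)[0] else "dropped at ingress"
    # Scammer behind a non-filtering carrier: arrives unsigned ...
    r["scammer_unfiltered"] = verify(None, BANK_CLI, VICTIM, now)
    # ... or with a forged attestation naming carrier-a but signed with carrier-b's key ...
    forged = attest("carrier-b", BANK_CLI, VICTIM, now)
    forged["payload"] = forged["payload"].replace("carrier-b", "carrier-a")
    r["scammer_forged"] = verify(forged, BANK_CLI, VICTIM, now)
    # ... or replaying a genuine bank attestation an hour later.
    r["scammer_replay"] = verify(attest("carrier-a", BANK_CLI, VICTIM, now), BANK_CLI, VICTIM, now + 3600)
    return r

if __name__ == "__main__":
    for case, verdict in scenario().items():
        print(f"{case:20s} -> {verdict}")
```

The two halves show why the post's "stop at source v. detect" distinction matters: ingress filtering only helps if the scammer's own carrier does it, whereas the attestation check lets the terminating carrier tell an authentic bank CLI from a spoofed one even when the originating carrier did nothing, provided every trusted carrier has a key the terminating side can check. The exempt trunk is the "presentation number" case raised later in the thread (an insurer presenting one advertised number): permitted, but only for a vetted customer and with the decision logged.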

It is identified OS traffic; just like IP addresses have places where they originate from, telephone calls (mostly VOIP) these days have the means to identify the origin so the connection can be created and maintained.

A call can be blocked by identifying the origin and blocking those that do not have the necessary markers to satisfy that they are Australian or have been allocated to an Australian linked person or business.

Your provider supports your number and how to manage your connection within their network and transferring your connection via other Telco networks. They do so using your unique identifiers including SIM details. How else does someone ring Telstra numbers from a Voda one or vice versa. This is all that needs to be used to largely stop spam.

But as I noted above Australian laws allow the spoofing (unless used for spamming which is only identified after the spamming), Australian laws allow the purchase and use of numbers that have no Australian connection/link, only after a call has been identified as a spam call is the call considered an illegal call. So telcos do not block spoofed numbers based on where they originate from (which they can do), they block the call after it is identified as spam. When is a call identified as spam? When the receiver of the call complains and not before that. Then the telco advises that they can’t do anything as the call has ended.

So as I noted above, it is necessary to obtain proof of Australian linkage before a phone number is made available to someone requesting a number. Making numbers available without that linkage allows anyone in the World to have and use Australian numbers….oh so easy then to use the spoofed number in a scam call.

The issue again here is that spoofed numbers are legal as long as it isn’t used for illegal purposes. Say your insurer wants a single number as the number they use for display purposes, they can legally spoof the calling number when they contact their customers.

What the ACMA are trying to do is stop spoofed spam or scam calls by identifying the number as one a spammer/scammer is using and blocking that call. It is a hamstrung approach when the number could be a legitimate number most of the time, used by a VOIP service that gets used by several users. If we limited phone number allocation to a known Australian link, this would make it much harder for a VOIP provider or user to have access to spoofed numbers that aren’t linked properly.

Again, in Germany allocation is based on providing adequate proof of residence or linkage. So a German Company could have a number that is used in Italy as an example but appears as a Germany based number for the purposes of a customer or employee ringing and paying for a call as if it was within Germany.

2 Likes

This will make no difference for spoofing. Spoofed numbers aren’t bought…they are numbers the criminals put into their dialling software to create the data package attached to the call and shown as the caller ID. As outlined above, they can use real phone numbers of innocent consumers/businesses or use any number they choose even if the number isn’t assigned. Even Westpac has indicated that the criminals are getting clever and using their real numbers for spoofing.

If you are talking about numbers assigned to a particular consumer, this is also irrelevant as indicated above; any number can be spoofed irrespective of whether it has been assigned or not.

For any system to work, only assigned numbers would be those authorised to be accepted onto the Australian telecom network, and a certification process needs to be adopted to ensure that the sender is the one the number has been assigned to (possibly CLI authorisation through a certification scheme). This may be a stop gap if certification isn’t universally adopted and/or maintained by every telco system worldwide and that it can’t be bypassed.

2 Likes

So getting back to the example at hand since the scammers are using an Oz number of an Oz company they are doing it for illegal purposes, especially when the contact directs the customer to do things to their own detriment. So the state of legislation is not relevant to the case - it is already an illegal act. The issue is there is as yet no practical way to stop them.

Look at what the ACMA have done in their three point Scam Technology Project where they give themselves a tick for every point:

  • Held meetings! There’s progress for you! That is not developing new tech.
  • Assisted with public information on how to not get scammed. That isn’t new tech either.
  • Had a trial two years ago that stopped some scam calls. That may have been new tech but it wasn’t much use or else why did they discontinue it?

1 Like

As long as the International standards allow for CLID to be set, changed, blocked, by the caller side, and as long as businesses find this feature of great benefit, I cannot see much will be done from a communications protocol side.
Really just up to comms providers to do what they can to assist their paying customers with rules based filtering.

1 Like

No, stopping numbers being sold to non-Australian-linked users is what is required to ensure only legit users are given numbers; then, with that in place, telcos can exclude numbers that are spoofed from outside Australia. If a legit business purchases an Australian number they will be filtered via their telco. Spoofing by scammers will be severely hampered.

Sure they can spoof a number, but telco checks would ensure that most spoofed numbers would be filtered out. But right now, as we allow our numbers to be sold to non-linked users, almost no telco bothers to filter non-Australian spoofed numbers because there is no check on who uses a number, as spoofing from foreign users is allowed without really any restrictions, except when the number is used to scam (and at that instance the call has been made because no prior filtering was carried out). ACMA made regulations that made telcos check more diligently; however telcos were hampered by the law that allows OS users to spoof any number, as they can buy numbers without needing to have any link to Australia. It isn’t about the actual buying of a number but the fact we don’t care about OS spoofing, as we allow the non-linked OS use of Australian numbers. So whether the number is purchased or not there are no checks on linkage, so why, at the moment, would a telco really care if the number is spoofed from OS?

It doesn’t matter whether they use a “real” Australian number or a rubbish Australian number to spoof, the origin check would discard most of the phone calls generated offshore that are using spoofed numbers.

Germany has fairly strict rules about allocation of their numbers and VOIP providers are required to get proof of residency and have the number allocated by the Federal Network Agency to the VOIP user. The example of requirements below is from 8X8 who are a VOIP provider

“Proof of address

8x8 is unable to accept utility bills as proof of address. The proofs need to be from official sources to prove that the end-user has a legal presence at the location within Germany. Documents issued by a local authority (a government agency) such as proof of residence from the municipality or proof of business registration from the trade registry are acceptable.

Here are examples of what is accepted:

For individuals:

  • A valid, German government-issued ID Card (18 or older) that shows the address
  • Meldebescheinigung (A valid Registration Certificate)

For businesses:

  • Handelsregisterauszug (Commercial Register)
  • Bescheinigung der Gewerbeanzeige (Business Registration)”

If proof of residency is not provided the user will not be allocated a number.

From fox business about determining origin

““In the digital age, it’s immediate,” says private investigator Gary Tuttle of Assured Investigations in Atlanta. “As soon as the call is placed, it can be tracked and traced to where it is being originated.”

An FBI agent who spoke on condition of anonymity agrees: “If someone is calling from a landline, the carrier will know immediately. They can’t hide it from the phone company. It may come up on your phone as unavailable, but the phone company knows exactly where it’s coming from,” she says.”

1 Like

But that assumes those who spoof buy Australian numbers. They don’t. They spoof any number.

How is this done, as from information online it can’t be done?

It used to be able to be done with the pre-NBN phone system, but with internet phone technology it can’t currently be done. Hopefully in the future, if bulletproof authentication systems can be developed and installed universally, they might have a chance - but as the article you posted indicated, it still requires development (and testing). If it had been developed, many countries would have adopted such systems.

The key issue is that the origin of a call can’t be authenticated, nor can it be certified that a caller is legitimately attached to the number. When they solve these across the world, if bulletproof, there might be a chance of stalling the spoofing of numbers.

And in relation to Germany, they suffer the fake and spoofed phone numbers like other countries. There are multiple websites that explain how to generate fake/spoofed German phone numbers and some even recommended it for local Germans to use to hide ones identity. Controlling and issuing numbers is one thing (noting Australia does likewise requiring personal information for setting up new phones numbers - this is done to try and reduce throw-away-phones used for criminal purposes), controlling their legitimate use so they can’t be spoofed is another.

1 Like

I have yet to have a spam call that uses anything but spoofed Australian numbers. Some might get calls from what appears to be an OS number, I would think these are relatively rare.

1 Like