By Lucian Gheorghe, CTO at TMT Analysis.
As part of my job at TMT Analysis I often talk with customers about problems they are experiencing. One problem that has been coming up more and more frequently is the issue of ‘Flash Calls’.
What Are Flash Calls?
In a nutshell, a Flash Call uses a missed call instead of an SMS to deliver a one-time password (OTP). The sender calls the subscriber and hangs up so quickly that the subscriber can’t answer.
The Caller ID of the call forms the one-time password. If the subscriber uses an Android phone and gives the receiving app permission to manage phone calls, the app reads the Caller ID and authenticates the user. On iOS, user input is required.
Recent research by Juniper predicts the number of calls used for flash authentication will be near 130 billion globally by 2026.
How Does Flash Calling Work?
This procedure is different from traditional 2FA methods. Most traditional methods require users to enter a code from a text message. However, this procedure uses digits from the incoming call number as the passcode through an entirely automated process.
Technically, there are 3 ways of doing Flash Calls:
- Spoof the A-number (Caller ID) into a one-time password (typically a 4-5 digit pin).
- Spoof the A-number (Caller ID) into a number that looks valid. The OTP is then either the last 4-5 digits or a combination (for example, digits 1, 3, 7 and 2 of the Caller ID form the OTP).
- Use a valid, assigned Caller ID from a range owned by the company offering the product. The OTP is then formed as in the previous point.
Obviously, the main parties in this scenario are the End user and the Enterprise using Flash Calls to authenticate the End User. But they are not the customers and prospects I mentioned earlier; they are the users of a service that involves multiple parties with different interests. The customers and prospects I have spoken with include:
- CPaaS providers – They offer Flash Call service to the Enterprises. As some operators are increasing the A2P SMS fees, CPaaS players started offering this service as an alternative to avoid these fees. Unlike SMS or a call with an IVR (Interactive Voice Response) dictating an OTP, a missed call doesn’t have a direct cost, so it is a great alternative for CPaaS providers to make money as the Flash Calls are 100% gross margin for them.
- Voice transit carriers – They pass the calls to the mobile operators. They don’t like Flash Calls as the transit carriers incur real costs for routing, investing in capacity to support quality of service requirements, etc. Voice transit carriers get revenue by charging a per minute fee for completed calls. Since Flash Calls do not register as a completed call, these carriers receive no compensation for the use of their network facilities.
- Mobile Network Operators (MNOs) – They are the most affected by the introduction of Flash Call services by their customers, since they are losing money they would have received from the handling of A2P SMS. Their Revenue Assurance and Fraud Groups have been building awareness of the Flash Call phenomenon, and are trying to work with their Firewall vendors or companies like TMT Analysis to find solutions to identify Flash Calls so they can be charged.
- Signaling firewall vendors – They are being pushed by the MNOs to find solutions for stopping Flash Calls.
So, How Can TMT Help?
- Some Flash Calls can be identified and then stopped by using the TMT Analysis TeleShield product. With TeleShield, Voice transit carriers, MNOs or firewall vendors can do a real-time check of the Caller ID, and if it’s a spoofed OTP, the call can be dropped.
- In a similar way, if the Caller ID is spoofed to look like a real number, the number may not be in an allocated range. A TMT Analysis LIVE or Enhanced TeleShield query can be performed to find out if there’s a subscriber behind that number. But there’s a caveat to this – random real subscriber numbers can be used as Caller ID and there’s no way to identify and stop them.
- If the call comes from a valid range of numbers that the CPaaS player owns and operates, the transit carrier, MNO or firewall vendor needs to know those ranges in order to be able to stop these Flash Calls.
The Future Of Flash Calling
My personal opinion is Flash Calls won’t be stopped and MNOs shouldn’t try to stop them, but rather the focus should be on identifying ways to monetise these calls.
As initiatives to authenticate the Caller ID are advancing, such as STIR/SHAKEN in the US and Canada, some of the spoofed Caller IDs may go away in the near term. But it will take quite a lot of time to do that everywhere. If MNOs want to stop losing revenue with Flash Calls, there needs to be a joint effort which I see like this:
- With TMT’s big telco data analytics capabilities, we can help MNOs measure average levels of legitimate missed calls on incoming trunks and identify obvious Flash Calls.
- MNOs should change their wholesale voice contracts to charge for Flash Calls that are detected, and also allow a percentage of missed calls and consider everything above that percentage as Flash Calls.
- TMT can identify Flash Calls on spoofed Caller IDs that belong to unallocated ranges or to numbers that don’t belong to real subscribers so that MNOs can charge them accordingly.
- Using Artificial Intelligence (AI) driven data analytics, TMT Analysis can identify and correctly flag Flash Calls from valid, allocated ranges of Flash Calls providers.
- The remaining missed calls per voice trunk then can be calculated and anything above normal thresholds can be charged as Flash Calls.
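The Caller ID checks and the per-trunk missed-call allowance described in the two lists above can be combined into one pass over call records. The sketch below is an added example, not TMT Analysis code; the prefixes, the 10% allowance, the record layout and the sample records are all constructed assumptions.

```python
from collections import defaultdict

# Constructed reference data (assumptions, not real numbering-plan data).
ALLOCATED_PREFIXES = ("4477", "4478")     # ranges with real subscribers
FLASH_PROVIDER_PREFIXES = ("447800",)     # range known to belong to a flash-call provider
ALLOWED_MISSED_PERCENT = 10               # missed calls tolerated per trunk by contract

def classify_caller_id(a_number):
    """Return why the A-number alone marks a flash call, or None if it looks ordinary."""
    digits = a_number.lstrip("+")
    if len(digits) in (4, 5):
        return "caller-id-is-otp"          # the Caller ID is the PIN itself
    if digits.startswith(FLASH_PROVIDER_PREFIXES):
        return "flash-provider-range"      # valid range, but owned by a known provider
    if not digits.startswith(ALLOCATED_PREFIXES):
        return "unallocated-range"         # looks like a number, no subscriber behind it
    return None

def bill_flash_calls(cdrs):
    """cdrs: iterable of (trunk, a_number, answered). Returns {trunk: {reason: count}}."""
    total = defaultdict(int)
    residual_missed = defaultdict(int)
    report = defaultdict(lambda: defaultdict(int))
    for trunk, a_number, answered in cdrs:
        total[trunk] += 1
        if answered:
            continue                       # only missed calls can be flash calls
        reason = classify_caller_id(a_number)
        if reason:
            report[trunk][reason] += 1
        else:
            residual_missed[trunk] += 1    # plausible real subscriber, judged statistically
    for trunk, missed in residual_missed.items():
        allowed = total[trunk] * ALLOWED_MISSED_PERCENT // 100
        if missed > allowed:
            report[trunk]["above-threshold"] = missed - allowed
    return {trunk: dict(reasons) for trunk, reasons in report.items()}

# Constructed sample CDRs: trunk T1 carries flash traffic, trunk T2 is ordinary.
SAMPLE_CDRS = (
    [("T1", "447700900%03d" % i, True) for i in range(12)]
    + [("T1", "48213", False), ("T1", "999000111222", False)]
    + [("T1", "447800123456", False)] * 2
    + [("T1", "447700900%03d" % (100 + i), False) for i in range(4)]
    + [("T2", "447811000%03d" % i, True) for i in range(9)]
    + [("T2", "447811000999", False)]
)

if __name__ == "__main__":
    print(bill_flash_calls(SAMPLE_CDRS))
```

Missed calls from numbers that look like real subscribers cannot be flagged individually, so they only show up in the `above-threshold` count once a trunk exceeds its allowance.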
In conclusion, I think Flash Calls are here to stay, although I don’t think they will have as much traction as A2P SMS. As it can be considered “cherry-picking” for now, it is a valid service that some Enterprises and end-users like.