I Know You Called featuring Douglas Tait

Released on FEBRUARY 16, 2024

The 1994 R.E.M. hit Star 69 referenced the access number for the “last-call return” feature of telephones in North America. The chorus repeats the phrase, “I know you called” 5 times before revealing the caller hung up but was discovered using the *69 feature.

That feature, however, pre-dates the current telephony system that primarily uses VoIP (Voice over Internet Protocol) which allows the “spoofing” of phone numbers. In short, today, it’s hard to know who actually called. But by utilizing data passed through the SIP (Session Initiation Protocol) header, Oracle is able to identify calls with the potential of malicious activity. Douglas Tait joins to explain why this is important and how the technology can impact contact centers.

We discuss:

  • Threats in the voice channel
  • Examples of cybersecurity failures and social engineering
  • The important role of SIP headers and metadata
  • The role of AI in emerging threats
  • Protective measures companies can take
  • Balancing “zero-trust” with customer experience

Connect with Doug on LinkedIn

Music courtesy of Big Red Horse


Rob Dwyer (00:00.93)
Hey everyone, Doug Tait is with me today. He is next in queue. Hi Doug, how are you?

Douglas Tait (00:08.302)
Okay, Rob, how are you doing?

Rob Dwyer (00:10.082)
I am fantastic. So Doug, we probably need to establish who you are. Right now, you're the director of Telecom Global Markets at Oracle. And I would say that's a pretty nebulous title. So let's talk a little bit about what you do today.

Douglas Tait (00:34.682)
It is maybe on purpose. So, not really to define what I really want to do in life, but I am in a marketing group. My responsibilities are to stab one foot in engineering and the other foot in sales and produce the proper sales material for Oracle when it comes to communication. So we are focused strictly on communications, communications products. And usually the salesmen are telling me, oh, we need this and the engineering say,

Rob Dwyer (00:37.454)
Ha ha ha!

Douglas Tait (01:03.202)
Well, we need to publish this. So it's a matter of me telling the world what Oracle does when it comes to communications.

Rob Dwyer (01:10.326)
Now, unlike, I shouldn't paint with this broad brush. I'm just going to say you've been in the technology sphere for about as long as I've been alive. So much so that at one point, you were doing something very different but pretty cool for the FAA. Can you tell us about that?

Douglas Tait (01:23.986)
Ha ha.

Douglas Tait (01:34.63)
Oh my, a long time ago. Wow, you dug out my history. I was designing radar systems for the FAA. This is something, one of those engineering products was just a lot of fun, basically tracking. More interesting work I did for the DOD was, I had it as related in the Air Force, was to track planes, potentially, for looking for incoming missiles. So that was far more interesting work.

FAA started with radar systems and then I kind of graduated into the DoD doing long range radar, the radar systems that could see pretty much the whole Atlantic Ocean well into Europe and we could track and detect incoming missiles. And so it was a pretty interesting work there as well.

Rob Dwyer (02:24.962)
Very interesting, and tracking or recognizing incoming dangers is actually a really great segue to what we're going to talk about today. We are going to talk about the threat of attacks on organizations coming through the voice channel or originating in the voice channel. And I think we can look at some.

Douglas Tait (02:35.318)
That is, that did very good.

Rob Dwyer (02:53.226)
some pretty high profile incidents, cybersecurity incidents. But those cybersecurity incidents, for instance, late last year MGM and to a lesser extent, Caesars got attacked. MGM I think eventually said they lost like a hundred million dollars over this. I don't think anyone's crying for the casinos losing money. But.

At the same time, if you were there, right, we are not rooting for the hackers. That's absolutely correct. And if you were there, right, staying in one of those properties, all of a sudden you were experiencing a lot of problems as, as a customer of MGM. Maybe you couldn't get into your room. There were issues on the, on the casino floor with other amenities there at the casino and that attack started through a phone call.

Douglas Tait (03:22.732)
But we're not rooting for the hackers.

Rob Dwyer (03:51.594)
That's how it started. It actually started with a third party, with Okta who managed security, but it's not uncommon. And those social engineering, for those that are not familiar with it, right? That kind of attack is typically called social engineering where I try to get credentials to something I'm not supposed to have access to so that I can get in and do some damage. That is still a threat today.

in 2024 as far as we've come with the technology, correct?

Douglas Tait (04:28.562)
That's correct. And unfortunately, I think we'll probably see something else, another big attack before the year's through. And it's kind of a shame. One of the things, you know, yet we could feasibly detect these things. There is enough information out there. It's just a matter of connecting the dots and providing the tools and utilities or I would say the defense mechanism, so the defense armory.

for these organizations. And I'm glad you kind of narrowed it down on voice and social engineering because I think that's one of these key vulnerable areas. I think these hackers have, they're tapping into the human nature of kindness and gentleness to get at these private or confidential resources and bring systems to their knees. Which is quite a shame because now all of a sudden your elements of trust go out the window. We have zero trust.

that incoming call and now swings the pendulum the other way. Now they have to be like thoroughly vet the incoming calls. But I think it comes back. It does show that when it comes to security perimeter, we don't have a full protection in one vulnerable area. Here was voice calls. It's very simple voice calls.

Rob Dwyer (05:46.618)
Yeah, and you bring up something specific for contact centers. The agent job is to help people. And I've actually experienced this. When you are presented with a customer that you need to authenticate through, let's say, a PIN or a password, and they don't remember what they set up three years ago that they've never had to use, but now they need it.

Rob Dwyer (06:17.71)
from an agent perspective, right? You want to help them, but you also have a responsibility to protect their information and you don't know who you're talking to. And so that is that tug on the human aspect that presents a problem, but part of the problem is the fact that that...

call that might come in from a threat actor, not the actual customer. Not everyone is recognizing that there are ways to deflect those calls. So let's talk about the industry in general. What is the industry doing to protect the network, to make it secure?

Douglas Tait (07:12.686)
Voice network, in my opinion, not very much or not enough. I think we see this with our carriers. You have a carrier, my phone will ring, say, oh, suspected incoming spam, and hey, that's at least something that we see. As far as, I think there's far more they can do. Before I even.

go further down that answer, I think a lot of this comes culturally speaking, in that we came from a world of telecommunications, where it's very much closed off and owned by a monopoly, but they were very careful to make sure that it protected our privacy, it protected our confidentiality. And now that we would go to voice over IP and we enter the wild, wild west of the internet, I think it left these vulnerabilities wide open that we were protected through.

through an AT&T or a Ma Bell. So now that these vulnerabilities are there. But I find interesting, we switched over to voice over IP. In fact, almost all networks started doing it around 2005, 2001, 2002, we really started to see moving into the industry, the cost benefits were huge. The whole, everything's now voice over IP. And that left it wide open for your terrorists to come in and provide these threats.

But the funny part is I look at how it's all developed and it's all based on the SIP protocol and you have SIP headers and SIP information. The arriving on every incoming call is a good deal of information about where that call came from, what was the device, what country, what context. There's a lot of context. And I think a lot of that information has been ignored. Or it's, you know.

I think we came from a culture where we just trusted everyone, so why bother looking at that? That's where we can find out, that's where I think the pearl is here or the silver bullet, fight back the enemy, is to at least grab that information and do a check online or check fast to find out what is the source, where is it coming, what's going on, what type of message, and what type of device. And that's where I think we're missing the boat. That's where I think...

Douglas Tait (09:30.922)
these calls are coming through, we could at least provide a warning. Like, like we see with, uh, you know, AT&T does with me saying, incoming spam call. Well, you can at least provide a warning to a contact center or to a business like, Hey, this one, it looks suspicious. Or, Hey, you better, you better do that extra check. You know, we need to give instructions. We can even be so smart to say, Hey, there's one that looks suspicious. Ask them what the last four digits of their social security number is, or ask them what the account number is.

provide that level of check. So I see where we kind of missed the boat here, but we did it, I understand, because of the cultures we came from. But this is one area where Oracle's taking a deep look at it. Hey, it's data. That SIP header is data. We are great at data. We are great at data processing. Can we go ahead and do a check on that information before they even answer the call and do it done in time and verify it?

And then provide any levels of protection that the customer wants. So raise the yellow flag or block the call or send it to the security office, whatever. Give them more options. I'm fairly convinced that we could have helped the MGM. We could have been in there catching these things early on. And so I think this kind of software, this kind of solution has to be in place.

Rob Dwyer (10:41.815)
Yeah, I want to.

Rob Dwyer (10:55.938)
Yeah, I want to dig in a little bit to the SIP header. So I think most people are familiar, even if they don't know the acronym or the.

the official name of the ANI, the Automatic Number Identification. That's your caller ID, if you will. That's whatever phone you're using, when you can see who's calling, the reason that you can see that is because there's one piece of data called an Automatic Number Identification that's passed through that you can display on the phone. Why is that not good enough? And why do I need to be looking at other things

come through as metadata with that call.

Douglas Tait (11:45.026)
The metadata, number one, I could manipulate that header and pass on the wrong information, in which case, now we're at a level of fraud, you know, we've always let those tap your line, grab the SIP header, change it, now I'm the man in the middle and changing it. So just looking at that one ANI may not be sufficient, you may wanna look at the source of where it came from, what country or what.

how many hops went through the internet or so forth or what other originating call, the type of call, even the device, a lot of that stuff is buried in the header. What we've discovered is a lot of that information about that incoming call is known. Like for instance, you know whether it's a burner phone or not. So we can determine that.

You take the number, you take the header, you go in and you can ask various database dips from carriers or vendors. Hey, is this a predefined burner phone? Or you can find out if it originated from China or from a foreign country or how many hops went through. So I think there's a... That's where we look at, I must say, the metadata that's on the SIP header becomes very important and it's been overlooked.

as far as what we can do with it. So that's one area we've looked at quite dramatically. It said, hey, we can do over 2,000 tests up in our cloud on that one piece of metadata to determine if it's at all questionable and what we can do with it. And that's just one area that we look at. I think the other, before we leave that subject, I think it's interesting.

I came from the world of SS7, you know, signaling system seven, where you had to have special equipment just to read the header. I mean, moving forward in the world of voice over IP and SIP or Session Initiation Protocol, there was determined by the IETF to make these things ASCII, so it's all readable. So you'll need special equipment. That's the amazing part is when I receive a SIP call on my phone here, which almost all MART carriers are all doing it, voice over IP, I can...

Douglas Tait (14:08.194)
dissect that header right here and have the information. So it's very readable or legible, which is good for me to try to protect myself, but also good for the hacker because it's really easy to go to manipulate. But that's just one key area around the SIP, which I think that's one reason why we do see some hacking going on here, but it's also one area where we can really lock it down and protect ourselves.

Rob Dwyer (14:34.318)
I mean, if I am a contact center.

Should I expect my CCaaS provider, my contact center as a service for those people that aren't in the business, right? My cloud-based telecom provider, shouldn't I expect them to be doing that stuff for me or no?

Douglas Tait (15:01.178)
Yeah, but you know, it's going to be, I'll look at our price amount, it's going to be an upcharge, right? Hey, do you want that premium gold platinum protection, or do you want that gold or silver? And of course, then you know, they're more overhead. You know, like I said, we can do 2000 checks on it, or we just do 1000 checks. And what's the difference? Oh, we hit more database, we have more engineering that goes into it. So.

Rob Dwyer (15:03.727)
Ha ha!

Douglas Tait (15:30.318)
I would like to think so, but I know we're not, because it's a wide open area right now, and so vulnerable, and to put something in place is pretty costly. That's one, what's not, just to do an individual solution for a on-premise piece of gear would be far too expensive to try to do all the checks. But if you do a common interface or common solution that several different companies could tap into.

then it reduces the cost. You have a point of diminishing returns where now, hey, I can have that one set of algorithms and I can offer that level of service depending on what they need. Yeah, I think the answer to your question is maybe we'll get there one day. But I think it's going to be at cost. You want that platinum level protection? Well, $5 we can provide it. But I think also it's not final or static.

kind of follow on to your question there. It's like, great, I buy that platinum level. Will our hackers get around it? And I think the answer is yes, and that the ones who are smart, they're using analytics now, or they're going to the dark web, or they're grabbing information, or, and they're even probably going off and using some AI. You know, so I can, let me try to get around this somehow. And so I see we have to kind of fight those hackers on our end. Hey, the platinum and now the platinum plus.

you know, perhaps for something like it's nothing it's not all a service where you have many callers coming in at once, I need to do a modeling and add that modeling capability and look for anomalies in that network. So it's almost like we keep another big advantage of cloud-based process. And we keep on adding these processes into the cloud, you know, and do it once for everyone, as opposed to keep on adding revisions out to the field.

So this is what the strength of the cloud that it brings there. But yeah, I know that's a long roundabout answer, but I think we're going to see the add, oh yeah, we'll have the gold, silver, platinum, and then platinum plus that you keep adding to the sponsorship. But these things will, you get what you pay for, it'll add that added benefit of protection.

Rob Dwyer (17:49.814)
You brought up AI. And I think 2023 was kind of the year of AI in the public perception. AI has been doing all kinds of things for a long time. But certainly, the public is now far more aware of some of the capabilities. Can you talk about how that becomes part of the threat?

Douglas Tait (17:50.912)
Thank you.

Douglas Tait (18:01.162)
Thank you.

Rob Dwyer (18:17.838)
that companies are now going to be guarding against or should be guarding against.

Douglas Tait (18:26.802)
I think the, for now, AI, just like if you were the user, I use it almost like a consultant, like having you in the room. What do you think about this? And get some ideas. Well, here, the hacker can use the AI or use other means of getting a profile of a company or getting a profile of the employees.

knowing that profile and just either they up level their sophistication when it comes to social engineering such that they can even make themselves look like a legitimate business You know and come in fact, I got hacked this past year. Uh, I lost uh 250 dollars not much, you know, it wasn't as big as MGM but But the fact that they a business came forward. It looked like a legitimate business that I bought into and

and they actually carried on for two years before they walked away with my money, they were actually doing a legitimate business. They're filing my claims for me through the state. And then all of a sudden the state came back to me after two years and said, hey, you haven't filed a claim this year. And I'm going, wait a second, I've been paying this organization. And then I looked it up online, it's like, oh, I've been hoodwinked. So I see the hacker can now start building out a facade.

of legitimacy, you know, with AI, which you normally can't just take too much effort. But if I have other things automated, and then I can also get profiles of the company and then look like, hey, this is a great match for us to partner with and do business with, you know, and present those kind of facades and things that we normally don't even think of, you know, and the voice recognition and they can go down these paths and they have a whole bunch more tools at their disposal.

You know, I always enjoyed the Larry Ellison quote that says, Hey, they're going to get smarter. And it's not a matter of fighting back their hacks and with their, their computers, it's a matter of our computers fighting their computers, our programs fighting their programs, our AI fighting their AI. You know, so I think as they get smarter, we definitely have to be smarter at the same time. I agree with you. Hey, 2023 was a year of AI.

Douglas Tait (20:48.614)
I think 2024 will be the year that hackers start using AI to up their game.

Rob Dwyer (20:58.062)
So it sounds really scary to think that. I mean, when you see some of the things that are out there and the way some of these deep fake videos, voice emulation, all of the things that can be done with AI today, and as a company thinking about, I need to protect our data. I need to protect my customers' data.

Douglas Tait (21:03.575)
Ha ha ha.

Rob Dwyer (21:27.354)
I mean, what are some of the big things that companies can do today that maybe they're not doing to protect themselves?

Douglas Tait (21:40.82)
Um, there's

I would say a set of principles or a set of rules that you can certainly establish and do it manually. Number one, inspection. Here, we could potentially, you could inspect every single call coming in. And the way it's currently done is, it looks like usually the CSP, the carrier's doing the inspection for you, or the service provider, or the MSP is doing the inspection for you.

and then we trust that, but then they take it to the next level of authentication. Usually we see this as a manual process. Hey, give me your last four of your social, authenticated. What's your date of birth? And then analyze it, because that's where I think this is where we fall down. We can take that phone number, we can take that date of birth, we can take that social, and then you analyze it and make sure it all lines up. And then of course, the last step is enforcement.

And so I see that inspection, that authentication, the analyze, the enforcement, you have to do this, no matter what, whether you do it manually or whether you do it automatically. What we're proposing, what we're doing at Oracle is we're able to check and provide that level of inspection and authentication and even analyze it and go down to that level of enforcement and do it all automated, turnkey.

And then that level of, here's where I alluded to it before, but that level of analysis, how deep you want to go. Do you want to model your whole network? Well, we can do that too. Start providing analytics or AI on the back end of that. And even with enforcement, we can then give the command or the customer can say, well, based on what we see coming back from Oracle, I can block the call. I can then reroute it to a security office or to a recording or to a different agent.

Douglas Tait (23:39.462)
So there's things that we can do that aren't being done. And all this, this is one area we're looking deep. And the area we're going deep on is that back end up in the cloud. Great. I can take that metadata. We'll ship it up to Oracle. I look at it like it's very much like a CDR that you get in carrier space. It's a call detail. It's the metadata on the front. Hey, Oracle, check out this number. We will do that $2,000 check.

against everything in our data item, our databases. We have several databases, not our own, but also external, we have third party. But then it's that next check above that, can I perform a little analytics on that information that I have? You know, what's the frequency of the call? How many calls are we getting from that same location? Because maybe it's a telephony denial of service. Or what else can we do? And then even go further and then start applying AI to that and do a little modeling on our own.

So that's the cool part of the strength of the cloud. And this is one area where I know we're pushing the envelope. How much intelligence can we put at the back end in that cloud? Just from receiving that little bit of information on the front end. So we don't see, I don't see anyone else doing this in the industry. I think the closest we see coming is maybe the, you have companies like PinDrop that are doing a sine wave recognition, very expensive.

Now I look at the wave and try to analyze that. And we know, hey, they're starting to get around that with deep fake, especially around voice. But at least it's identifying that. And since that's very expensive, we could be the first check, because we're not as expensive as that. We say, hey, this thing's very suspect. We think maybe you should do a pin drop, do a deep packet inspection on that sine wave, and try to make it seem that it requires further checking. So.

Yeah, sorry, long windy here. This is an exciting subject matter for me. But you get back to the industry is not doing enough. And yet, we can be doing more. I'm very pleased on what Oracle is taking the space. Because you can't do this without a cloud. You need to have that big infrastructure in the sky that can then keep adding to these models, keep adding to the analytics, and keep adding. And do it so the customer doesn't get affected on the front end.

Rob Dwyer (25:40.794)
It's all right.

Douglas Tait (26:07.794)
And we can do these checks up front. So I think that's the right model as far as, and pass that little bit information to the cloud, and let the cloud do its work.

Rob Dwyer (26:19.662)
So there are contact centers that are still using on-prem solutions. Am I out of luck if I'm running on-prem as opposed to a CCaaS solution?

Douglas Tait (26:36.866)
For the automated process, yeah, you only go so far. How much equipment do you want to buy and purchase? Again, we're getting back to whether it's a licensing model or a subscription model, right? So how much more licenses, how much hardware, or how much software do I need to purchase? Or can I just go to the cloud and say, subscription-based, here's more messaging I want to send you. So it becomes, I think, more of an economic question.

what you can afford or can't afford. But more fundamental to your question is like, well, what's that world look like on the front end? Well, now we have to implement zero trust. Yeah, it kind of throws me back to 9/11, right? Where before you could virtually almost walk right onto the plane, now you almost get have to be patted down. Go through all sorts of sensors, you have waited an extra hour in line to get through the TSA. Because there's zero trust. Well, now we're into that point, too.

I'm calling into my contact center, oh, let me pat you down. Give me account number, give me your date of birth, give me your mother's maiden name. Okay, now they have that information, let me check legitimacy of the call. These are all areas that can be trumped and fooled on. And so maybe you have to add another level of protection on the data side here, as I'm starting to go in. I just see that a zero trust becomes an effect of

of all of a sudden my company's become hard to work with. I call my Fidelity, or I call my E-Trade, and now I have to go through, jump through all these hoops and do double authentication and do all sorts of things. It's just gonna get deeper and deeper and deeper, which is just harder to do.

Rob Dwyer (28:20.138)
Yeah, I'm glad you brought up zero trust, because when you think about customer experience, those two things really butt heads. When I want to accomplish something that should be relatively simple, but I have to jump through a million hoops to get there, that's just frustrating, right? And while, yes, I can feel very secure,

and know that we're protecting everything if I'm using a zero trust policy doesn't make people happy. Because most of us aren't, as consumers, thinking about the security side. We tend not to think about the worst case scenario. We're thinking about the application as it relates to me and what I want to do right now. And so the more that we can implement...

Douglas Tait (29:15.118)
That's right.

Rob Dwyer (29:18.518)
types of solutions that I as a consumer don't feel any pain from, but are still protecting me, the better we're going to move toward a customer experience that is pleasant and desirable while still protecting information.

Douglas Tait (29:41.014)
That is the, that's the trick. I think it's a trick, because we can get to zero trust. Now, do we like going through TSA? You know? No, we don't. You know, we like to travel. You know, and here we have a contact center. Do I want to get patted down every time I talk to this agent? Or do I want to have a compelling user experience? I want my customers to come back. I always say, I'd like it, you know, there's a few call centers, contact centers, every time I have a problem.

Douglas Tait (30:10.422)
They walk away to give me a coupon or something like, oh, I got a discount. That was a great experience. I want to walk away with my customers feeling that, but knowing that Zero Trust has been implemented and knowing I passed the check and that the pat down wasn't as painful. And I'll point back, hey, we can automate with that pat down. We can automate this upfront. You can take away a lot of that pain. And there's some...

Rob Dwyer (30:29.274)
Right, right.

Douglas Tait (30:39.414)
Benefit to that, huge benefit, you know, cost-wise, because if I'm doing the automatic pat-down, that frees up the agent to take more calls. You know, and if, and also I can get, I can look at my own demographics of who's making the calls. I can now start doing other analytics based on that automatic pat-down upfront, the automatic analysis. And so it goes beyond just, hey, not only are we implementing zero trust, but I can start doing things for my business that makes sense for my contacts.

So yeah, I think it's tricky, you know, and unless the people who own the contact centers, the managers, they had to walk this fine line. How do I make this compelling, yet make it trustworthy for my customers? And then, you know, this is, I think it's only gonna get worse in 2024 and 2025, you know, as we go down this path, because the zero trust gets harder to do, and yet you wanna make it as compelling as possible.

Rob Dwyer (31:39.77)
There was a time when I flew a lot that I became a trusted traveler with TSA. I got to get into a special line. I didn't have to take my laptop out. I didn't have to take off the belt, right? It was because they trusted me because they had vetted some things up front.

Rob Dwyer (32:08.474)
I had a more pleasant experience. Today, I don't travel as much. I don't pay for that. And every time I go to the airport, I have to go, I wear clothes to hide things on my body, but I gotta get in this scanner and put my hands above my head. And I don't even wanna know what they're seeing when they do that full body scan, right? So if you think of it like that,

right, this is a way that we can identify a trusted call almost like a trusted traveler. And for the people that we go, well, we don't necessarily trust you as much, we have a red flag, then we need to send you through the other line and do some more of those checks, which makes sense. But I think not enough companies and contact centers in particular are thinking about

Rob Dwyer (33:06.906)
the next generation of threats and how we can leverage our technology to push those threats, keep them at bay as much as possible so that the humans can focus on doing the job, which is to help people, to be nice.

Douglas Tait (33:27.694)
That's right. Yeah, and I think the industry's kind of missed the boat in that, hey, this free information at the beginning of the header could be used for this kind of benefit. That's one area where we're saying, hey, we don't want to make that. We can take this to the cloud, you know, and really, really pull ahead. And we really see this as one of the differentiators in the product and, of course, working with the rest of the security industry to make this thing.

Douglas Tait (33:57.174)
make it as painless as possible and actually an enjoyable experience for the consumer. So yeah.

Rob Dwyer (34:04.494)
Well, Doug, thank you so much for joining me. And if you want to know more about what Oracle's doing, if you want to geek out about contact center technology and kind of the backbone end of things, feel free to get in touch with Doug. We'll put his contact information in the show notes so that you can get in touch with him. Doug Tait, thanks so much for being next in queue.

Douglas Tait (34:36.322)
Thank you. I really enjoyed it, Rob. Let's hope the solutions to deploy where you stop these hackers. And it would be nice. A wonderful world where women have to even be talking about it. Hey, we shut it all down. It's a fully trusted world. We'll get there. But thank you.

Rob Dwyer (34:56.418)
That will be a wonderful world.

Douglas Tait (34:59.653)
That's right.