ITU-T Series-E: Overall Network Operation, Telephone Service & Fraud
The numbering and operations backbone of the PSTN — the primary attack surface for CLI spoofing, IRSF, Wangiri, and SS7-based identity fraud.
Official Scope
Study Group: SG2 — Operational Aspects of Service Provision and Telecommunications Management
Active Status: Ongoing
Covers overall network operation, the international telephone service, numbering plans (E.164), operational quality of service, and fraud mitigation frameworks. The E-series defines the numbering system that underpins every phone call and SMS worldwide.
Tactical Security Significance
- Relevance: 🟢 High — Fraud Mitigation, Numbering Integrity, CLI Authentication
- Key Security Concepts: CLI Spoofing, IRSF, Wangiri Fraud, STIR/SHAKEN Alignment, Numbering Resource Misuse
- Attack Surface: E.164 number space and CLI delivery mechanisms — enabling caller identity impersonation, premium-rate fraud, and SIM-based account takeover
Key Recommendations
| ITU Rec | Title | Security Domain | Cross-Reference |
|---|---|---|---|
| E.156 | Guidelines for reporting misuse of numbering resources | Fraud Reporting & IRSF | GSMA FS.11 |
| E.157 | International Calling Line Identification (CLI) | CLI Spoofing Prevention | STIR/SHAKEN (RFC 8226) |
| E.164 | The international public telecommunication numbering plan | Numbering Integrity | GSMA PRD BA.12 |
| E.190 | Principles for allocation of international numbering resources | Identity Integrity | NANPA / RIPE NCC |
| E.212 | International identification plan for public networks | IMSI / MSISDN Separation | 3GPP TS 23.003 |
| E.408 | Telecommunication network security requirements | Network Hardening Baseline | X.805 |
Security Mapping
CLI Spoofing and STIR/SHAKEN Alignment
E.157 defines requirements for delivering accurate Calling Line Identification across international interconnects. Fraudsters forge the CLI to impersonate banks, government agencies, or emergency services. ITU-T E.157 combined with IETF STIR/SHAKEN (RFC 8226) provides the attestation framework for verifying call authenticity.
- Attack: A spoofed CLI leads victims to trust calls from fraudsters impersonating well-known number ranges (+44 20 xxxx — UK government; +1 202 456 — White House)
- Mitigation: Operators should implement E.157-compliant CLI verification at interconnect ingress; STIR/SHAKEN certificates provide cryptographic proof of originating carrier
Wangiri (One-Ring Fraud)
Fraudsters generate automated single-ring calls from high-cost international numbers. Victims call back, generating IRSF revenue. E.164 number analysis and E.156 reporting mechanisms enable blocking of known Wangiri ranges.
- Attack: An automated dialer targets millions of numbers; even a 0.1% callback rate generates significant IRSF revenue
- Mitigation: Real-time blocking of known Wangiri prefixes; E.156 misuse reporting creates cross-operator blocklists
IMSI vs MSISDN Separation — SIM Swap Detection
E.212 (IMSI — International Mobile Subscriber Identity) and E.164 (MSISDN — the phone number) are separate identifiers. SIM-swap fraud exploits the gap between them: after a fraudulent SIM swap, the same E.164 number (MSISDN) maps to a new E.212 (IMSI) — enabling account takeover via OTP bypass.
- Detection: Monitor for IMSI changes against a known E.164 MSISDN; sudden IMSI change followed by SMS-based OTP requests is a strong SIM-swap signal
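The detection rule above, sketched as an added example that is not part of the original page or of any ITU-T text. The event tuple layout, the `attach` and `otp_sms` event kinds, the 24-hour correlation window and all sample numbers (a reserved UK drama range and test MCC 001) are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

E164 = re.compile(r"^\+[1-9]\d{1,14}$")  # E.164 MSISDN: at most 15 digits after '+'
IMSI = re.compile(r"^\d{6,15}$")         # E.212 IMSI: at most 15 digits

# Constructed events: (ISO time, kind, MSISDN, IMSI). The tuple layout and the
# kinds "attach" / "otp_sms" are assumptions for this example, not a real feed.
EVENTS = [
    ("2024-05-01T09:00:00", "attach", "+447700900001", "001010000000001"),
    ("2024-05-01T09:05:00", "otp_sms", "+447700900001", None),
    ("2024-05-02T10:00:00", "attach", "+447700900002", "001010000000002"),
    ("2024-05-03T14:00:00", "attach", "+447700900001", "001010000000099"),  # IMSI change
    ("2024-05-03T14:20:00", "otp_sms", "+447700900001", None),              # OTP 20 min later
    ("2024-05-04T10:00:00", "attach", "+447700900002", "001010000000077"),  # IMSI change
    ("2024-05-06T10:00:00", "otp_sms", "+447700900002", None),              # OTP 48 h later
]

def detect_sim_swap(events, window=timedelta(hours=24)):
    """Flag SMS OTP requests that follow an IMSI change on the same MSISDN within `window`."""
    last_imsi, last_change, alerts = {}, {}, []
    for ts, kind, msisdn, imsi in sorted(events, key=lambda e: e[0]):
        if not E164.match(msisdn):
            continue  # ignore records whose number is not valid E.164
        when = datetime.fromisoformat(ts)
        if kind == "attach" and imsi and IMSI.match(imsi):
            old = last_imsi.get(msisdn)
            if old is not None and old != imsi:
                last_change[msisdn] = (when, old, imsi)  # same MSISDN, new IMSI
            last_imsi[msisdn] = imsi
        elif kind == "otp_sms" and msisdn in last_change:
            changed, old, new = last_change[msisdn]
            if when - changed <= window:
                alerts.append({"msisdn": msisdn, "old_imsi": old, "new_imsi": new,
                               "minutes_after_change": int((when - changed).total_seconds() // 60)})
    return alerts

if __name__ == "__main__":
    for alert in detect_sim_swap(EVENTS):
        print(alert)
```

An alert here is a signal to hold or step up the OTP delivery, not proof of fraud: legitimate SIM replacements produce the same IMSI change.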
Operational Audit
- E.156 Misuse Reporting Checklist: Validate operator procedures for reporting numbering resource misuse to ITU-T.
Note: This series is part of the master Series Tracker.