Telnyx Knows Nothing
Posted . ~7min read.
Disclaimer: The views expressed in this post are solely my personal views and opinions. These do not necessarily represent the views and opinions of any company or project that I am (or have been) associated with.
Telnyx, a US based company offering communication products, recently received a $4.5 million fine proposal from the FCC. The proposed fine relates to “government imposter robocalls made on its Telnyx’s network.”
"Cracking down on illegal robocalls will be a top priority at the FCC," said FCC Chairman Brendan Carr. "That is why I am pleased that our first Commission-level action is a bipartisan vote in favor of this nearly $4.5 million proposed fine. This fine flows from an apparently illegal robocalling scheme and continues the FCC's longstanding work to stop bad actors."
Background / Highlights from the Notice of Liability
The FCC document alleges that Telnyx failed to take “affirmative, effective” measures to prevent their network from originating illegal voice traffic.
The FCC alleges:
- On February 6th, 2024, Telnyx signed up two new customers, “Christian Mitchell” and “Henry Walker”
- Both names used a “mariocop123.com” email address.
- Both names provided an address in Canada.
- Christian Mitchell signed up from an IP in Scotland
- Henry Walked signed up from an IP in London
- The address provided was a Sheraton Hotel in Canada
- No phone number provided for either name
- Payment made in Bitcoin
- The two accounts made over 1500 calls on Feb 6 - 7
What Type of Calls Were Made?
Starting on February 6th and into the morning of February 7th, FCC staff members and some of their family members started receiving calls on their personal and work numbers. The calls were automated, and stated:
Hello [first name of recipient] you are receiving an automated call from the Federal Communications Commission notifying you the Fraud Prevention Team would like to speak with you. If you are available to speak now please press one. If you prefer to schedule a call back please press two.
One of the persons called claimed that when they connected with a person, they were asked to pay the “FCC” $1,000.00 in Google gift cards or face jail time for their crimes.
Ok, What Else?
Normally, I’d not blog about something like this. Sure, I like to discuss robocalls, swatting, and other abuses of VoIP… and I’ve openly criticized TextNow for horrible practices that result in the use of Telephony to scam incredible amounts of money.
What makes this incident even more concerning is Telnyx CEO’s recent posting on LinkedIn. Now David Casem, the CEO, has edited the text (and many of his comments) which is frustrating. The current text reads:
If you havent heard, Telnyx was wrongfully hit with a proposed $4.5MM fine by the Federal Communications Commission
— David Casem
He then links to what he refers to as a “good analysis from a neutral third party” and further states that Telnyx “won’t be rolling over on this one.”
Tony Lewis, CEO/Co-Founder of Clearly IP, commented:
My bigger question is why is a new customer allowed to make calls before KYC is done. We all know we are not allowed to let a customer make calls until KYC [Know Your Customer] is done. KYC cant be done while the customer is allowed to make calls. While I agree the fine does not meet the "crime" the new customer should not have been able to make any calls until KYC was done.
This is how I saw David Casem’s post – I am connected to Tony (and a disclaimer… Clearly IP is a sponsor of APIBAN. You can be too… ).
David Casem responded (since edited) saying:
... What exactly is KYC?...
— David Casem
Only… at the time I replied, he stated just “What is KYC?,” which I thought was a pretty horrible reply from a CEO whose company is facing a multi-million dollar fine from the FCC.
To be honest, I thought any posting from the CEO was odd as generally a decent lawyer would encourage one to “remain silent” and certainly not make social media posts regarding their alleged activities.
Anyway, I commented:
David Casem "what is KYC?"
I certainly hope that's not the key foundation of your defense.
the parties used non-us ips to register non_us addresses, paid you in bitcoin, unverified name/addresses, no phone number, and made over 1000 calls.
I hardly think any reasonable person would think that you did any real attempt at verification here. With the tremendous amount of robocalls, swatting, hoax bomb threats, etc. allowing people like this to so quickly and easily make calls is irresponsible and dangerous.
To say David Casem disagreed would be an understatement. He replied that, among other things…
- Non-US IPs / Addresses are common
- Bitcoin is “100 Fold” less fraud than credit card
- They limit concurrent calls
- Anyone can go to Target or Walmart and buy a SIM and make calls anyway
I’d link and quote, but since David Casem continually edits the post, it’s kind of irrelevant.
Know Your Customer
The FCC, in the “crack down” on robocalls, made rules requiring that carriers know their upstream providers, customers, and basically the TL;DR being that when Alice complains about a call, one should be able to identify who is responsible for that call.
By “knowing your customer” you bear responsibility for being able to identify who you are allowing to make calls. If you can’t identify who made the call, you shouldn’t allow it to be made. If you allow the call anyway, you can (and should) be financially responsible for some hefty fines.
You, as a carrier, are expected to take effective measures to prevent new customers (as well as existing ones) from making illegal calls. You, as a carrier, are expected to know your customer.
Did Telnyx Do Any Reasonable Verification?
In my opinion? No. Absolutely not.
I don’t know how a reasonable person would feel that Telnyx took any (let alone minimal) steps to verify the accounts making the calls.
Taken one at a time, David Casem’s arguments seem like they can hold water. But this is only if you absolutely ignore key points.
- The IP addresses used did not match the country of the address.
- The address (a Sheraton Hotel) had no affiliation with either name or the domain
- The domain was registered that same month and used a privacy service to hide its owner / address
- No phone numbers collected
- No license/ID collected
- No credit card to match address / only bitcoin payment provided
I can’t see any due diligence taken from Telnyx to see if these accounts were real people. Worse, I see so many red flags here that I cannot see how a reasonable person would feel that the information belonged to a real person.
On bitcoin… I think taking bitcoin for international payments is awesome. It avoids a tremendous amount of fees and is basically a zero risk for the person taking the money. This is probably why David Casem made a comment about less fraud… You simply cannot do chargebacks on bitcoin. It has nothing to do with protecting the PSTN from fraud… it’s all about making sure the company (in this case Telnyx) doesn’t get chargeback fees, international fees, etc.
Looking at signup here… I believe (without question or hesitation) that ANY reasonable person would believe these accounts, based only the information provided, would most likely be concerned that the accounts could not be verified.
In other words, I cannot understand how anyone would reasonably believe that they knew these customers to be real, identifiable, and trusted to send calls to numbers on the PSTN.
Letting these accounts make 1500+ calls was irresponsible and dangerous.
The fact that the robocallers targeted FCC workers probably suggests a vendetta/score to settle, however the scammers were enabled by the very company they targeted.
My advice to David Casem would be to consult a good legal expert, not discuss this on social media, start taking strong action to verify their customer’s identity, and perhaps take down their public comments.