So, when was the last time you received one of those robocalls? We’d hazard a guess that it wasn’t too long ago. And typically, the caller’s number seems legit, so, naturally, you answer the call and realize they’re not who you thought.
It’s an annoying situation, isn’t it? Then you’ll be interested in STIR/SHAKEN. This new technology framework aims to combat this problem while also ensuring that you get legitimate calls.
It’s estimated that between 3 and 5 billion robocalls are made every month. What’s even more worrying is that over 40% of these calls are believed to be fraud-related.
In these calls, criminals typically use caller ID spoofing to mask their identity. So, in simple terms, it appears as if the call comes from a legitimate organization or someone the recipient knows.
This, in turn, increases the likelihood of the recipient answering the call. Sometimes the deception can even go further than this, where criminals impersonate legitimate organizations like the IRS to steal money.
But how does STIR/SHAKEN solve this problem? Let’s take a look.
What is STIR/SHAKEN?
STIR/SHAKEN is a technology framework that aims to reduce fraudulent robocalls and number spoofing. Let’s take a closer look at these two acronyms:
Secure Telephony Identity Revisited (STIR) is a series of RFC standards documents developed by a Working Group of the Internet Engineering Task Force (IETF).
In short, it works by adding a digital certificate to the Session Initiation Protocol (SIP) information used to initiate and route calls in VoIP systems. We’ll explain how it works in more detail later.
Signature-based Handling of Asserted information using toKENs (SHAKEN) defines how telephone service companies should implement the STIR protocol.
How STIR/SHAKEN Works
At its core, STIR/SHAKEN uses digital certificates based on public-key cryptography techniques to verify that the calling number of a telephone call is accurate and has not been spoofed.
The process to do this is:
1. When a call is initiated, the originating telephone service provider receives a SIP INVITE.
2. The originating telephone service provider then checks the call source and the calling number permissions to determine how to verify the validity of the calling number. It does this through one of three levels of attestation:
- Full Attestation (A). Here, the service provider can authenticate the calling party and confirm that they’re authorized to use the number.
- Partial Attestation (B). Here, the service provider can authenticate the calling number but cannot verify that the call source is authorized to use the number.
- Gateway Attestation (C). Here, the service provider cannot authenticate the identity or the right to use the line. It just acts as a gateway for the call to take place.
3. The originating telephone service provider then uses an authentication service to create a SIP Identity header which contains the following information:
- Calling number
- Called number
- Current timestamp
- Attestation level
- Origination identifier
4. The SIP INVITE and SIP Identity header are then sent to the terminating telephone service provider. The Identity token could also be sent across the internet for non-SIP call segments using Out-of-Band SHAKEN.
5. The SIP INVITE and SIP Identity header are then passed on to a verification service.
6. The verification service obtains the digital certificate of the originating telephone service provider from the public certificate repository and uses it to start a multi-step verification process. If these verification steps are successful, it means that the number has not been spoofed.
7. After verification, the verification service returns the results to the terminating telephone service provider, either through its softswitch or SBC.
8. The call to the recipient is then completed.
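The claim checks a verification service runs in steps 5 and 6, as an added example (not code from the original article). It assumes the Identity header carries a PASSporT token as defined in RFC 8224/8225 with the SHAKEN claims listed in step 3; the phone numbers, certificate URL, origination identifier and signature bytes are constructed placeholders, the 60-second freshness window is an assumed policy value, and the ECDSA signature check against the originating provider's certificate is left out because it needs a crypto library.

```python
import base64
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def parse_identity(header_value: str):
    """Split an Identity header value into (token header, claims, header params)."""
    token, *raw_params = header_value.split(";")
    params = dict(p.strip().split("=", 1) for p in raw_params)
    head_b64, claims_b64, _signature = token.strip().split(".")
    return json.loads(b64url_decode(head_b64)), json.loads(b64url_decode(claims_b64)), params

def check_claims(header_value, from_tn, to_tn, now, max_age=60):
    """Compare the signed claims with the SIP INVITE; an empty list means they agree."""
    head, claims, params = parse_identity(header_value)
    problems = []
    if head.get("alg") != "ES256" or head.get("ppt") != "shaken":
        problems.append("unexpected alg/ppt")
    if head.get("x5u") != params.get("info", "").strip("<>"):
        problems.append("x5u does not match info parameter")
    if claims.get("orig", {}).get("tn") != from_tn:
        problems.append("calling number mismatch")
    if to_tn not in claims.get("dest", {}).get("tn", []):
        problems.append("called number mismatch")
    if abs(now - claims.get("iat", 0)) > max_age:
        problems.append("stale timestamp")
    if claims.get("attest") not in ("A", "B", "C"):
        problems.append("invalid attestation level")
    if not claims.get("origid"):
        problems.append("missing origination identifier")
    return problems

# Constructed sample, not a real call: every value below is a placeholder.
def sample_identity(iat):
    head = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
            "x5u": "https://cert.example.org/sp.pem"}
    claims = {"attest": "A", "dest": {"tn": ["12025550199"]}, "iat": iat,
              "orig": {"tn": "12025550123"}, "origid": "123e4567-e89b-12d3-a456-426614174000"}
    token = ".".join(b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (head, claims))
    return token + ".c2lnbmF0dXJl;info=<https://cert.example.org/sp.pem>;alg=ES256;ppt=shaken"

if __name__ == "__main__":
    now = 1700000000
    print(check_claims(sample_identity(now - 5), "12025550123", "12025550199", now))
```

A token whose claims pass these checks still proves nothing until its signature validates against the certificate fetched from the `x5u` URL and that certificate chains to a trusted STIR/SHAKEN authority.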
Why is STIR/SHAKEN Important?
Robocalls have been on the rise in the United States. In February 2021, there were about 159.1 million robocalls placed per day, as reported by CNN. As you can see, the numbers of these calls are simply staggering and the risk of fraud is real.
So, the goal of STIR/SHAKEN is to prevent criminals from scamming consumers and businesses by reducing illegal number spoofing while, at the same time, ensuring that legitimate calls reach recipients.
Ultimately, these protocols aim to restore trust in voice and telephone communications.
STIR/SHAKEN will be implemented in both the United States and Canada under two pieces of legislation. In the US, the TRACED Act, or the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, came into operation in late 2019.
This legislation created an interagency task force to address the problem with robocalls and push telephone service providers to implement the necessary call authentication systems. As such, the implementation of certain robocall enforcement rules and mechanisms started in March 2020.
In a similar move, the Canadian Radio-television and Telecommunications Commission (CRTC) introduced Compliance and Enforcement and Telecom Decision CRTC 2018-32 in 2018. This decision mandates that all Canadian telephone service providers must implement authentication and verification of caller ID information for Voice over IP calls. It cites STIR/SHAKEN as the chosen verification and authentication method for caller ID verification and information.
As the situation stands currently, telephone service providers need to implement the STIR/SHAKEN caller ID authentication framework by no later than June 30, 2021, in both Canada and the US.
Recently, the FCC in the US issued a Second Report and Order regarding the implementation of STIR/SHAKEN. While the implementation date remains June 30, 2021, the FCC also acknowledged several issues and gave special consideration to certain types of providers and call scenarios in this order.
As a result, it granted specific extensions to the standard implementation date of June 30, 2021. These are:
- A two-year extension until June 30, 2023, to small voice service providers.
- An extension to voice service providers for the non-IP portions of their networks. However, these providers should upgrade the non-IP parts of their networks to IP and implement the framework. If this is not possible, these providers should work to develop a non-IP authentication solution.
- A one-year extension to services scheduled for section 214 discontinuance.
- An extension for providers that can’t obtain STIR/SHAKEN certificates. The program’s Governance Authority issues certificates to providers that file an FCC Form 499-A, have an Operating Company Number (OCN), and can obtain direct access to telephone numbers.
All the providers who rely on an extension and won’t fully implement STIR/SHAKEN by the deadline need to implement and document a robocall mitigation program to reduce unlawful robocalls.
STIR/SHAKEN promises to end the scourge of unlawful robocalling. By signing calls with digital signatures, it can prevent scamming and number spoofing while ensuring that legitimate calls reach you. As a result, it will restore your trust in voice communications.