illegal Robocalls

The number of unwanted and illegal robocalls in the US continues to rise. According to YouMail, Americans were hit by just under 46 billion robocalls in 2020, with about 40% of those calls thought to be fraud-related. And as annoying as these calls are for people who receive them, they’re even more detrimental for businesses that are trying to reach people with pertinent information. Many of these robocalls use caller ID spoofing to make recipients think they might know the caller. Caller ID spoofing hurts legitimate businesses by making call recipients less likely to pick up any calls.

While historically, telephony was highly regulated, technical innovations such as computerized dialers and inexpensive IP-based calling on the Public Telephone Network has turned robocalling into an everyday nuance. As a result, the US agency in charge of protecting consumers from communication scams, the Federal Communications Commission (FCC), has directed carriers to implement robust call authentication by adopting STIR/SHAKEN standards targeting by June 30, 2021. 

What is STIR/SHAKEN?

STIR/SHAKEN are acronyms for the Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using toKENs (SHAKEN) standards. They’re technical frameworks that measure trust in the displayed caller name and number by authenticating the calling number. Together they work in a way similar to attesting to the identity of the caller with a digital certificate. In the STIR/SHAKEN framework, a secure telephony identity (STI) governance authority issues digital certificates to carriers, or others who own or are assigned dedicated telephone numbers. The private key associated with a digital certificate is then used to sign a VoIP call, thereby indicating that the calling party number is who they claim to be. 

Attestation provides the mechanism for carriers to communicate about a calling phone number’s legitimacy. There are three attestation levels that can be assigned by an STI authentication service, which represent how confident a service provider is in that the number’s owner is truly the one placing the call. A service provider is defined as a business that offers digital telecommunications services based on Voice over Internet Protocol (VoIP) that are provisioned via the Internet.

Full attestation (A) — the service provider has authenticated its relationship with the customer making the call and the customer is authorized to use the calling number.

Partial attestation (B) — the service provider has authenticated its relationship with the customer making the call, but cannot verify that the customer is authorized to use the calling number.

Gateway attestation (C) — the service provider has authenticated that it has placed the call on its network, but has no relationship with the originator of the call (for example, a call received from an international gateway).

When someone receives an authenticated call, they may be notified with a verification keyword or symbol on the incoming call display. If a call cannot be verified (attestation C or no attestation), it may be blocked or the consumer may be warned on their caller ID screen of a potential scam call. The purpose of notifications is to allow people who receive calls to decide whether they wish to answer, ignore, or block a number. 

If you’re a business, these changes should help you feel more empowered and increase the chances of your calls being answered by recipients. Businesses that implement STIR/SHAKEN themselves (typically within a private cloud environment) will be held accountable with near-instant traceback by regulatory groups and law enforcement if STIR/SHAKEN is abused. This includes faking attestation levels. 

Leave a Reply