Robocalls, fraudsters and scammers have destroyed our collective confidence in the phone as a trusted communications channel. As a result, fewer calls are answered, and important calls are missed — with great impact on legitimate business callers. After all, the chances seem greater that the call will be a scammer and not a fraud alert call from your bank.
The Industry’s Solution
To address consumer concerns around unwanted calls, the telecommunications industry created new rules, endorsed by the Federal Communications Commission (FCC), requiring major carriers to adopt stronger call authentication protocols with the aim of preventing the completion of illegally spoofed calls. The industry aims to accomplish this via a pair of frameworks called secure telephony identity revisited (STIR) and secure handling of asserted information using tokens (SHAKEN). STIR/SHAKEN is complex and primarily focused on providing consumer benefit, but businesses need to understand how it works and address the realities and misconceptions around the solution as it pertains to their own consumer connections.
My company is a coauthor of STIR standards, a key contributor to the SHAKEN network and the exclusive operator of the ATIS robocalling testbed for STIR/SHAKEN implementations. We are also a secure telephone identity certification authority and are authorized to issue the digital certificates used by communication service providers to authenticate and verify telephone calls.
How It Works
Today’s telecommunications networks are complex and technologically diverse, and calls may navigate multiple pathways before reaching their intended targets. When an originating carrier allows a call to connect to its network, it documents several key factors about that call, such as:
• Is the originator a customer?
• Did the carrier assign the phone number being used by the caller?
• Did the carrier originate the call, or did it come from a gateway?
In STIR/SHAKEN, the answers to these questions determine how originating carriers attest to the validity of a call and assign an attestation level. The attestation level is passed on to the terminating carrier receiving the call. The terminating carrier can then reference this attestation level to determine if the call legitimately connected into the phone network and inform subscribers accordingly.
But how can the terminating carrier know that the attestation level is correct and has not been hacked during call routing? That’s where a digital signature comes in. The originating carrier can digitally sign its attestation using a STIR/SHAKEN authentication service, and the terminating carrier can confirm the attestation level using a STIR/SHAKEN verification service.
For consumers, this could mean a strongly verified call could receive a “valid call” symbol next to the phone number display. For legitimate business callers, this means that consumers who have stopped answering calls will, hopefully, begin to answer again.
There has been a lot of confusion around how STIR/SHAKEN will roll out, and further clarification is needed to understand what it does and does not (yet) offer businesses seeking improved outbound customer connections and enhanced inbound call authentication insights.
Myth 1: STIR/SHAKEN can be leveraged by businesses to assess calls from consumers.
For the foreseeable future, the FCC and telecommunications industry are focused on reducing spoofed robocalls to consumers. The STIR/SHAKEN specification is designed to support showing a call trust indicator on a consumer’s handset, and no specification has been developed for STIR/SHAKEN information to be passed from a carrier to their enterprise customers. That may change in the years ahead, but for now, businesses should be aware of the immediate impact of STIR/SHAKEN on outbound calls — while considering how they will leverage the framework’s call insights for inbound interactions in the future.
Myth 2: Thanks to STIR/SHAKEN verification, businesses can expect customers to begin answering their calls again.
While this may happen eventually, things could get worse before they get better. As STIR/SHAKEN is rolled out across carriers, legitimate business callers could be flagged as having low-attestation levels on customer devices. This will be more likely with calls that originate from, or transit through, carriers that do not yet fully support STIR/SHAKEN. These calls will automatically receive low grades even though there are real, likely trustworthy, callers on the other end.
At some point in the future, a new STIR/SHAKEN feature is expected to become available that will enable carriers to delegate authority for telephone numbers assigned to enterprises. This will allow businesses to more effectively participate in the STIR/SHAKEN ecosystem.
Myth 3: Once available to businesses, STIR/SHAKEN call information will help flag fraudulent inbound calls.
It’s important to clarify here that call authentication — like that supported by STIR/SHAKEN — simply establishes how a call connects into the phone network. A higher level of authentication is required to verify who is on the other line. This is known as caller authentication and is what most businesses rely on as part of their fraud-fighting efforts. Caller authentication is not a functionality of STIR/SHAKEN.
Virtualized calls can pose the greatest account takeover threat because fraudsters can be anonymous and call from millions of devices around the world. Under STIR/SHAKEN, these calls may still be given high trust levels, even though many criminals will make these calls.
A low attestation level also does not necessarily mean one should flag a call, as many of these calls will be from legitimate callers.
Reality: STIR/SHAKEN is a step in the right direction.
The STIR/SHAKEN framework is not a cure-all for the telecommunications industry. It should provide some relief to consumers plagued by unwanted robocalls and scammers, and it is currently the best and most viable option to address phone number spoofing and enforce higher levels of authentication on a broad scale, but its benefits to businesses will take time to develop.
Voice calls remain an important communications channel for businesses supporting complex, urgent or sensitive communications to and from consumers. At its core, industrywide adoption of STIR/SHAKEN protocols can make communications safer and help restore trust in the phone call, which will support good business and customer relations in the long run