
An Intuitive Overview of the STIR/SHAKEN Framework


Introduction

Technology has transformed the way industries operate. Marketing is one of the primary areas through which a business builds a broader customer base, and in recent years the marketing sphere has adopted technical approaches to improve business efficiency.

Robocalls and telemarketing are among the most common marketing strategies in the industry today. However, the approach has been misused and has drawn criticism from customers. Telemarketing and robocalls have become a plague on society, and everyone has come across such calls at odd intervals. As per recent reports, an estimated 15 billion-plus robocalls were observed in five months in the US in 2018. The statistics give an insight into the rising number of such calls and the marketing strategies behind them, which have resulted in growing consumer complaints. Service providers and third-party applications offer call blocking. Beyond unwanted marketing, caller identity spoofing is used to scam unsuspecting customers, along with threats and offers of easy loans, rewards, or free travel, to name a few. To address these concerns, the STIR/SHAKEN solutions give consumers more control over the type of calls and text messages they receive. This article explains the terminology and the framework behind the STIR/SHAKEN standards.

Exploring the STIR/SHAKEN Framework

Secure Telephony Identity Revisited (STIR) is the authentication standard developed by the IETF that verifies that a call comes from a real caller ID rather than a spoofed caller ID. Signature-Based Handling of Asserted Information using toKENs (SHAKEN), on the other hand, is the framework document developed by the ATIS/SIP Forum IP-NNI task force. Its primary purpose is to define how telephone service providers implement the STIR technology to avoid spoofed numbers.

STIR/SHAKEN uses cryptography to authenticate and verify callers. The originating carrier needs to authenticate each call with a cryptographic digital signature and an attestation of the caller's identity. There are three types of attestation, described below.

Attestation Levels

The STI-AS creates the digital signature. The purpose of attestation is for a carrier to state how confident it is that the caller ID can be trusted. The level of confidence is denoted by the type of attestation: Full (A), Partial (B), or Gateway (C).

Full (A)

With full attestation, the carrier digitally signs the call and vouches for its authenticity. The call meets the following criteria:

  • The carrier is responsible for the source of the call on the IP-based voice network.

  • The carrier has a direct relationship with the customer and has checked the customer's authenticity and identity.

  • The provider has established the correct association of the telephone number that is used for the call.

Partial (B)

Partial attestation relates to the following criteria:

  • The carrier is responsible for the source of the call on the IP-based voice network.

  • The carrier has established a direct relationship with the calling party and can identify the customer.

  • The carrier cannot verify the telephone number used for the call. Hence, there is uncertainty over the call, and the carrier can't vouch for the call's authenticity.

Gateway (C)

The primary purpose of Gateway attestation is to allow trace back. The provider is responsible for entry into the IP network of calls that originate on another network, i.e., an international network, that does not have the STIR/SHAKEN standards. The call is digitally signed when the following criteria apply:

  • The carrier is the point at which the call enters its VoIP network.

  • The carrier could not determine its relationship with the calling party.

Following the attestation process, the telephone service provider can create a SIP Identity header. The vital information it carries includes:

  • Calling Number

  • Called Number

  • Timestamp

  • Attestation Level

  • Origination Identifier

  • Location

  • Digital Signature

Finally, the terminating provider must ensure that verification is conducted thoroughly and that only trusted calls are allowed to pass to the called party unaltered. Other calls are either passed with a warning message telling the called party that the call could be spam, or blocked entirely if the provider deems them illegal. Note that STIR/SHAKEN works with Internet Protocol networks only.
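The signing and verification steps described above, as an added example that is not part of the original article: an originating provider signs the Identity header token and a terminating provider checks it before trusting the caller ID. The claim names follow the SHAKEN PASSporT token format; the key pair, telephone numbers, certificate URL, 60-second freshness window, and function names are assumptions made for this sketch, and the public key is handed in directly instead of being fetched from the certificate repository.

```javascript
const nodeCrypto = require('node:crypto');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// STI-AS side: sign the claims that travel in the SIP Identity header.
// Claim keys are kept in lexicographic order, as the token format requires.
function signPassport(privateKey, c) {
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport', x5u: c.x5u };
  const payload = { attest: c.attest, dest: { tn: [c.dest] }, iat: c.iat,
                    orig: { tn: c.orig }, origid: c.origid };
  const input = `${enc(header)}.${enc(payload)}`;
  const sig = nodeCrypto.sign('sha256', Buffer.from(input),
                              { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}

// STI-VS side: verify the signature, then compare the signed claims with the SIP request.
// Assumption: publicKey was already taken from a certificate whose chain was validated.
function verifyPassport(token, publicKey, { from, to, now, maxAgeSec = 60 }) {
  const fail = (reason) => ({ ok: false, reason });
  const parts = token.split('.');
  if (parts.length !== 3) return fail('malformed');
  let header, payload;
  try { header = dec(parts[0]); payload = dec(parts[1]); } catch { return fail('malformed'); }
  if (header?.alg !== 'ES256' || header?.ppt !== 'shaken') return fail('unsupported');
  const sigOk = nodeCrypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  if (!sigOk) return fail('bad-signature');
  if (!(Math.abs(now - payload?.iat) <= maxAgeSec)) return fail('stale');
  if (payload.orig?.tn !== from || !payload.dest?.tn?.includes(to)) return fail('number-mismatch');
  if (!['A', 'B', 'C'].includes(payload.attest)) return fail('bad-attestation');
  return { ok: true, attest: payload.attest, origid: payload.origid };
}

// Constructed sample call: throwaway key pair, numbers, and certificate URL.
const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const sampleToken = signPassport(privateKey, {
  orig: '12025550100', dest: '12025550199', attest: 'A', iat: 1700000000,
  origid: '123e4567-e89b-12d3-a456-426614174000', x5u: 'https://cr.example.com/sp.pem' });
const call = { from: '12025550100', to: '12025550199', now: 1700000005 };

console.log(verifyPassport(sampleToken, publicKey, call));                             // accepted
console.log(verifyPassport(sampleToken, publicKey, { ...call, from: '12025550123' })); // From differs
console.log(verifyPassport(sampleToken, publicKey, { ...call, now: 1700000600 }));     // token too old
```

A terminating provider would feed the returned attestation level, or the failure reason, into its decision to deliver, label, or block the call.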






FIGURE: STIR/SHAKEN ARCHITECTURE


  • STI: SECURE TELEPHONE IDENTITY

  • STI-GA: GOVERNANCE AUTHORITY

  • STI-PA: POLICY ADMINISTRATOR

  • STI-CA: CERTIFICATION AUTHORITY

  • SKS: SECURE KEY STORE

  • SP-KMS: SERVICE PROVIDER KEY MANAGEMENT SERVER

  • STI-CR: CERTIFICATE REPOSITORY

  • STI-AS: AUTHENTICATION SERVICE

  • STI-VS: VERIFICATION SERVICE

The primary components of a STIR/SHAKEN implementation are:

STI-AS: Provides the REST API used for signing requests. It has access to the private keys located in the SKS.

STI-VS: Provides the REST API used for verifying requests. It retrieves the public keys from the internet using the URL in the verification request.

SKS: Holds the private keys that the STI-AS uses for signing requests. The private keys must be kept secure, as they are available only to the carrier that signs the call request.

STI-CR: The certificate repository is the web server responsible for hosting the certificates. It is accessible to service providers on the public internet. A service provider with private keys in an SKS needs an STI-CR in which to publish its certificates.

SP-KMS: The management server automates certificate and key management.

Authenticator: The authenticator in the carrier network works with the authentication and signing services to create and verify digital signatures.

SHAKEN Framework



The key components are:

Governance Policy

  • STI-GA: Governance Authority

  • STI-PA: Policy Administrator

  • STI-CA: Certification Authority

Key Management

  • SP-KMS: Service Provider Key Management Server

  • STI-CR: Certificate Repository

  • SKS: Secure Key Store

Call Management

  • STI-AS: Authentication Service

  • STI-VS: Verification Service


Role of Regulatory Bodies for STIR/SHAKEN Adoptability

  • Federal Communications Commission (FCC) for American Consumers

The FCC is the regulatory body responsible for industry-wide adoption of the standards, which help consumers eliminate the threat of illegal and scam activity carried out through unwanted calls and spoofed caller identity. As per recent reports, the commission ordered all originating and terminating telephone service providers to adopt STIR/SHAKEN in the IP portions of their networks. The framework is implemented as per the TRACED Act, which signifies the need to promote caller ID authentication relying not only on IP technology but also on other aspects of the act. According to the FCC, robocall scams are expected to exceed $3 billion annually. Additionally, STIR/SHAKEN adoption can lead to cost savings when paired with call analytics. The STIR/SHAKEN approach can also improve public safety, as spoofed callers disrupt healthcare and emergency communication systems.

Furthermore, such an approach will restore consumer trust in caller ID information for crucial communication requirements. In recent years, the FCC has aggressively pushed a multi-part strategy to tackle spoofed calls, with millions of dollars in fines for violations of caller ID rules and regulations. The rules are extended to foreign calls and text messages, enabling providers to block illegal calls even before they reach consumers' phones. The FCC has also turned to the technology industry to provide tracking functionality for finding the origins of spoofed calls and messages.


  • Canadian Radio-Television and Telecommunications Commission (CRTC)

The CRTC was introduced in the year 2018. The commission made it mandatory that by 2019, all Canadian telecommunication service providers implement authentication and verification frameworks for caller ID information on IP-based voice calls. The CRTC has opted for the STIR/SHAKEN framework as the primary approach for adopting verification-based methods for caller information.

STIR/SHAKEN Testing

Currently, the official testbed for STIR/SHAKEN testing is the ATIS Robocalling Testbed. It is a substantial governing body that Neustar Trust Lab hosts. It is currently used by several industries, namely telecommunications, manufacturers, and software suppliers, with remote testing solutions developed for the SHAKEN framework. The virtual test facility checks the effectiveness of the caller authentication standards jointly developed by the IETF and ATIS. Participants perform the tests using the applicable ATIS standards. The facility provides the required technical support, including the necessary connectivity information and the relevant network configurations. The SHAKEN software functionalities are supported for several test scenarios, and the test environment enables the validation of caller authentication standards. The testing platform also supports a detailed call tracing procedure focused on troubleshooting during the testing sessions; the trace is available in real time and shared across various levels.

Telecommunication service providers with an operating company number (OCN) maintained by the National Exchange Carrier Association are eligible to take part in the testing without any charges. Other participants can also take part in the testing if they have solutions relevant to the SHAKEN framework.

Essential STIR/SHAKEN Concepts

  • Call-ID spoofing

Call-ID spoofing is the practice in which callers with malicious intent alter the original caller ID. With the increasing use of VoIP technologies, spoofing has become common in recent times. When spoofing is performed, the caller ID seems familiar in order to trick consumers into answering the call. For example, a malicious robocall may appear to come from the familiar number of a known institution or company and may contain the local service provider's ID. It is crucial to understand that spoofing is illegal, whereas changing the caller ID for legitimate reasons is acceptable. For example, a marketing company or a call center that offers a service on behalf of a company calls with that company's ID. STIR/SHAKEN is the solution for combating spoofing, with authentication of the caller ID at the call source and proper validation of the ID at the termination point.

  • Real-Time Analytics with STIR/SHAKEN

The significant contribution of real-time analytics is in finding the pattern behind the constantly changing calling behavior of malicious callers. Real-time analytics considers data from multiple sources, such as live calling behavior and STIR/SHAKEN inputs. The analytical engines produce a score for each calling number. The scores are essential for tracking a malicious caller's changing behavior, as a score can change from good to worse within a short time frame. Telecom service providers make use of real-time analytics when terminating calls. The reputation score is assessed at the point when the number is called, and decisions are taken based on the score: a good score allows the call to be sent without any changes, and the call reaches the intended person directly.

On the other hand, if the score is low, the call is handled according to the score attained. If a bad call still has an acceptable score, it might be forwarded with a warning message marking it as spam, or sent directly to voicemail along with the warning. This approach makes the consumer aware of the type of call so that they can take precautions as necessary.

  • Calling Party and Called Party

The person or an organization making a phone call is known as the calling party, whereas the person or the organization at the receiving side of the call is termed as the called party.

  • Origination and Termination Calling

Call origination refers to the source of the call, where it begins. Call termination is the endpoint of the call, where it is likely to be received. The technologies for performing both origination and termination are required for a call flow.

  • SIP

SIP is the acronym for Session Initiation Protocol. This protocol is responsible for starting a phone call session in telecom and keeping it running throughout the call between the users.

  • SIP Invite

The SIP Invite is a method used in SIP. The Invite's primary role is to define the action that the calling party is asking the called party to perform. The request is essential for every SIP call that is conducted. The Invite comprises header fields with the crucial information needed for the call to pass through the network to the called party.


  • SIP Identity Header

The Identity header is the SIP header field that carries the identity of the calling party.


STIR/SHAKEN Exemptions

Five exemptions are considered for implementing STIR/SHAKEN:


  • Small Telecom Companies

Telecom providers with 100,000 or fewer subscribers are exempted from implementing the STIR/SHAKEN methods until June 30, 2023.

  • Difficulty in obtaining SPC Tokens

Providers facing difficulty obtaining the SPC tokens required for call authentication are exempted from STIR/SHAKEN implementation for an indefinite time. It is agreed that a provider will have no further exemption once it has obtained the token. In scenarios where the provider doesn't have the token, its calls are authenticated by the next carrier. This situation usually results in a lower attestation level than the originating service provider would give.

  • Services Subject to Discontinuance

A telecom provider's service that is subject to discontinuance by June 30, 2021, is given an extension until June 30, 2022, to implement STIR/SHAKEN. Implementation is not relevant if the service is discontinued entirely before the extension period.

  • Non-IP Portions of Networks

Where a provider's network lacks an IP portion, there is an indefinite exemption from the STIR/SHAKEN implementation. However, such providers need to fulfill additional requirements.

  • Case-Based Exemption

On a case-by-case basis, the providers can file a petition with the FCC for an extension or exemption from implementing STIR/SHAKEN methods.

Conclusion

The digital market continues to expand, and businesses thrive on the availability of a strong and loyal customer base. With the availability of multiple technologies, however, illegal calls and spoofing continue to grow with every passing year. Firm action from regulatory bodies and approaches like the STIR/SHAKEN methods can help protect users from spam and unwanted robocalls. Cases of average users falling for monetary scams are prevalent in our lives and most likely affect the less tech-savvy individuals. These standards were a necessity in building a trusted environment for communication. Therefore, the STIR/SHAKEN methods have ensured the highest authentication level before the call is delivered to the end user. The provision for informing a customer about the possibility of a spam call has further strengthened the calls' authenticity to keep consumers safe and protected. It can rightfully be concluded that STIR/SHAKEN implementation is essential in the long run, and constant updates of these methods will further ensure that the scope for spoofing activities is eliminated to provide a spam-free society.