The Impacts of STIR/SHAKEN Attestation

           

 

Have you ever received a phone call from a strange number? Do you want to implement a technology framework to reduce phone number spoofing and block fraudulent robocalls? The favorite technique of scammers is to spoof numbers to make the fraudulent calls look like it is coming from a local number. If someone answers such a call, you will probably get to hear the sound of a robot. The major thing about such calls is that they will usually trick you into parting with some money. According to a report published by the caller ID company Hiya, around 85 billion robocalls were recorded globally in 2018.

It has given rise to the need for creating anti-spam call apps. Scam calls aren’t only annoying but can also cost you a lot. Most people are getting scammed by such calls, and people have lost around $429 million in America in 2018. Unfortunately, these numbers are continuously increasing. However, spoofing phone numbers are just a way to trick people by gaining their confidence and playing with their fears.

You must have heard about the STIR/SHAKEN attestation by now. STIR is abbreviated as Secure Telephony Identity Revisited, and SHAKEN refers to Secure Handling of Asserted information using toKENs. This technology has left many companies wondering about the impacts and benefits that it can bring to their business operations. Following the trend and hype, some giant companies have also started taking active measures to prepare fundamental STIR/SHAKEN implementation program to minimize the burden on their clients.

STIR/SHAKEN attestation relies on different verifiable digital certificates that are provided by trusted authentication service providers. The certificate can help people identifying the legitimacy of a calling party’s number. However, the degree of authentication may vary widely depending upon the circumstances of each call. 

However, there are three various levels of attestation. In the process, each attestation level indicates different degrees of reliability about the source of the call.

Three Levels of Attestation

Your phone carrier or company will know whether you are spoofing the number or not. Spoofing means when a person tries to make the phone number appear like a local number. However, the companies will still not know if the person is allowed to spoof the number or not. Besides, there isn’t a way to send the information securely to the carrier, delivering the call to a receiver whom someone is calling. The upshot here is that when you see the number of an incoming call, you will not have a way of analyzing if the number being displayed on the caller ID is spoofed or legitimate.

Here, STIR/SHAKEN attestation comes into play. It provides a secure way to phone companies about communicating the caller’s number to a particular recipient while the call is being placed. This capability helps to build the caller’s reputation to identify scammers to block bogus calls straight away.

Here are the three major levels of attestation. These levels of attestation summarize three major categories of the calling phone number; whether the caller is a reliable customer of the carrier which is originating the call, whether the caller’s phone number is assigned by the originating carrier, and whether the call is originated on the network of originating carrier. 

Full Attestation

It means that the service provider has authenticated the calling party. Hence, the calling party is authorized to use that specific calling number. For instance, a call that is made by a subscriber who is registered with the soft switch of the originating telephone service provider would receive full attestation.

It is an A-level attestation that conveys strong trustworthiness. The originating carrier is actually saying that “ the caller is my customer and gave him this telephone. The call is also originated on my network.”

Partial Attestation

Partial attestation should not be confused with full attestation as there is a huge difference. Though the service provider has already authenticated the origination of the caller/customer, it cannot verify the source of the call. In other words, it will not be possible to identify if the source is authorized to use the calling number or not. For instance, a call from a telephone number that is being used as an enterprise’s private branch exchange utilizing an unknown extension will be partially attested.

In simpler words, the originating carrier is actually communicating that “The caller is my customer and the call is originated through my carrier; however, I don’t know who has assigned this number to the caller’s calling device.”

Gateway Attestation

It is when the service provider has authenticated the source of the received call but cannot authenticate the call source. For example, when someone receives a call from an international gateway that doesn’t have any further information for authentication, it will receive the only gateway attestation.

Why is the industry implementing STIR/SHAKEN Attestation?

Keeping in mind the continuously declining confidence of consumers in the telephone network, companies started deploying STIR/SHAKEN attestation to help combat fraudsters, scammers, and other illegal callers. Besides, some service providers have lobbied lawmakers to get STIR/SHAKEN attestation into the legal framework of the operation. It will allow the voice service providers to identify and block calls that don’t comply with STIR/SHAKEN attestation regulations.

By Law, US voice service providers must implement the STIR/SHAKEN attestation process by June 30, 2021. Thus, FCC is required to develop new regulations to create:

A safe harbor for different voice service providers to implement and follow STIR/SHAKEN’s framework to block spoofing. It will take into account those service providers who follow the attestation regulations but inadvertently or unintentionally misidentify the authentication level of a call.

Recourse the callers whose calls are usually misidentified, as it will allow callers to have their calls authenticated in a correct way.

Most importantly, the major groups of voice service providers have already started lobbying the FCC for the safe harbor and recourse that will allow voice service providers to block scam calls, including some legal calls as well.

How STIR/SHAKEN Tracks Down a Scammer?

Whenever a voice service provider’s carrier rolls out STIR/SHAKEN, the change that customers will experience is a message on the caller ID screens. The message will warn the receiver of the call about a potential scam or spoofed call. However, when the scammer places a robocall, there are a lot of things going on behind the scenes. Here is the process of how STIR/SHAKEN attestation keeps everyone informed about the call’s trustworthiness.

1.    1. The scammer starts up the robocalling equipment and starts placing the calls.

2.    2. The carrier of scammers will log the entry point of a robocall along with the physical        location and the device used.

3.     3. The carrier will also start the attestation process and will assign an “attestation level”        based on the information that the carrier has about the caller.

4.    4. After that, the carrier will encrypt the information and send it to the carrier of the call      receiver through the network and the call itself.

         

    

5.    5. The carrier determines the caller’s reputation by using the assigned attestation level,         previous complaints about calls from the same network entry point.

         

 

6.    6. The call recipient avoids picking up a phone call from a probable scammer.    

7.    7. If the recipient answers a scam robocall, they can report the robocaller to their carrier      and the authorities.

8.    8. The recipient’s carrier, and the authorities, can trace the call back to its origin using          the entry point logged by the first carrier, allowing for prosecution.   

             

The Impacts of STIR/SHAKEN Attestation

SHAKEN begins with the data that the originating voice service providing company knows about a particular call. For instance, residential landlines and mobile phones to transmit phone numbers whenever a call is originated. However, for various business, the carrier will also assign a unique key to the call, which is called “Orig-id or the origination identifier.” This key will be helpful in identifying the businesses that are placing the call. No matter what the case is, the carrier will create a digital signature via information that is available to transmit the call. The information related to the caller’s ID is also included in the digital signature. These digital signatures will be verified by the phone company completing the call. This is done to confirm that the information hasn’t modified by any third-party.

By doing so, the spoofed calls will be linked to the source for blocking the call. SHAKEN’s contribution in this whole process is to take what information do the originating phone company has about the caller and classify that information succinctly.

Thus, one of the biggest challenges here is deciding which information is important and which is not. Using too little information would simply mean that some crucial details would be lost in the process. On the other hand, too much information will result in clutter and make it too difficult that which data is important and which is not. For instance, you don’t necessarily have the information about the caller who is using a landline or a mobile phone to know whether they are spoofing the number or not.

For example, in order to determine if the call is being placed through an illegally spoofing number while using the landline or mobile number. One can only identify whether the call was spam or not only after the call has been placed.

There is a key difference between emails and phone calls that are highlighted by this limitation. It helps in explaining that the spam filter has been used for years now, and SHAKEN attestation is just emerging to identify illegitimate phone calls.

Spam filters were useful in scanning emails before delivering them to the recipient to compare if there is any content that can be termed as a scam. However, these filters aren’t good enough to hold the spam emails down to a tolerable level.

It can be done with a voice phone call as it is impossible to disclose the context of a call before connecting. Here SHAKEN attestation comes into play. It does the next big thing, as it assists in making the tracking process a bit easy to know whether the calling person is authentic or not. The reputation of a caller is determined through different levels of attestation that the caller receives from the carrier. Besides, reputation is determined by connecting the originating identity to the caller so that the less-reputable caller can be identified easily over time by tracking the number of complaints that the callers will make.

Suppose the carriers know very well that the call is originating from its own network and the caller can use the number in any way he/she wants, and the carrier hasn’t received any complaints about the caller, then the caller will be more trustworthy, and the carrier will know that he is not a scammer. SHAKEN makes it possible to label the calls as spam if there is enough information about the seller.

Criticism of STIR/SHAKEN

The major criticism about STIR/SHAKEN is that it cannot clearly identify if the call is a scam or not based on whether the number is legitimate or not. There is a probability that a call with “full attestation” can be a scam.

Fraudsters can easily gain access to the numbers that are fully verified for a short time period and eventually vanish before anyone realizes that someone is using the phone number.

For this very reason, SHAKEN has been designed to make the process of cal traceback simpler. Traceback is what it sounds like. It is actually a process that starts with the person who is receiving the call and then tracing the call back through the carrier by which the person or the organization is making the call.

The United States Telecom Association is leading the industry at this time to trace back and identify from where the illegal call was made. The process of traceback majorly consists of scanning the records of call details to correlate the incoming call into carrier A with the outgoing call from carrier B. After that, the process is repeated for as many carriers as possible and necessary to track the details of the person and business who have placed the call.

Though the process is semiautomated, it is still a multistep and complicated process. The traceback process is simplified through SHAKEN, turning it into just a one-step process regardless of the number of carriers involved in the call.

Digital signatures that are used to authenticate the attestation level and Orig-id if a call also identify the problem area along with the information from where the call has been placed. This method simplifies the process of tracing scam and illegal calls while enabling the authorities to investigate a plethora of complaints without needing any extra amount of time. For example, in the US, the enforcement is handled by the FCC, the Federal Trade Commission (FTC), the FBA, and local as well as state law enforcement. These agencies will be held responsible for introducing an easier way to coordinate the efforts through a simpler call traceback tool. To solicit some illegal robocalls, it is possible to deploy a less legitimate carrier that could bring reliable results. After all, the carrier will still get paid for the services it provides to the caller.

A simpler traceback process will make it a bit easier to spot various patterns. For instance, if one carrier will be hosting a lot of robocalls from illegal sources, it would be much easier to traceback. As the mainstream carriers will not have much interest in hosting robocalls, the SHAKEN attestation removes the small temptation which some fly-by-night carriers will not have to make money by simply soliciting the callers. The digital signature of SHAKEN provides some solid piece of evidence about the source of the call to determine if it is illegal or not. It makes the prosecution way easier.

The FTC has already announced that the agency has filed more than 145 cases till June 2020. All these cases were filed against the robocall operations from illegal sources. Of course, all these 145 cases predate SHAKEN. Though the number is not large, the FCC did go up against some clever players. The one man who was caught, Adrian Abramovich, made more than 100 million robocalls. The government also fined him a huge amount of around US $120 million.

Though SHAKEN will not stop the robocalls directly, it will play a pivotal role in identifying, locating, and prosecuting illegal callers. With the passage of time, the impact of STIR/SHAKEN will make a huge difference. It will not happen over time, and the number of illegal robocalls and their effectiveness will decrease greatly.

The user experience will be totally different from that of email spam. Experts will more likely predict that the email will rank among all the spam. The anti-spam measures were deployed industry-wide, and the situation is likely to improve with time. The impact of email scam is reduced significantly; you can also find a bit of its impact. However, SHAKEN will offer similar assault on illegal and unwanted robocalling.

Wrapping Up!

As the unscrupulous and criminal robo-callers often spoof the calling number to deceive people, the need to implement STIR/SHAKEN attestation is increasing. From simply changing the calling number to using someone else’s number to deceive someone, the number of scams is elevating. The Federal Communication Commission has been continuously encouraging the telecom industry to devise ways to control and stop robocalls and spoofed calls. By now, various measures have been taken to control the scams; still, a lot of telecommunication companies have not deployed STIR or SHAKEN attestation.