Nowadays, there will hardly be anyone who doesn’t own a cellular phone. You might have received an unwanted call from someone who tries to scam you in different ways. Such calls can be distressing for everyone where fraudsters spoof their caller ID in an attempt to defraud or dupe consumers. The majority of the cell phone numbers don’t even answer the phone call unless they are sure who is calling. This is a good way to protect themselves from unwanted and fraudulent calls. However, this practice is having a drastic impact on the reputation of legitimate businesses. Such businesses are often unable to contact potential customers by phone to relay some essential and sensitive information.
The top priority of the Federal
Communication Commission (FCC) regarding consumer protection is stopping
illegal robocalls. For this reason, the authorities have several actions
underway. The FCC has directed different carriers to implement robust call
authentication to address caller ID spoofing specifically. In this regard, STIR
or SHAKEN standards were introduced several years ago. But if you are new to
this technology, you might not know what this means for carriers?
STIR and SHAKEN are the set
standards and the most viable ways to provide the recipient with information
about the caller to provide a measure of trust. These technologies are used to
fetch information about the caller and present it to the customers in the
displayed caller name and number after authenticating the calling number. STIR
is abbreviated as Secure Telephony Identity Revisited and is a set of technical
standards developed by the Internet Engineering Task Force (IETF). This method
is adopted to certify the identity of the incoming or origination calls. On the
other hand, SHAKEN (Signature-based Handling of Asserted Information using
tokens) is actually a framework developed by the Alliance of Telecommunications
Industry Solutions (ATIS). It majorly focuses on the implementation of STIR to
various IP-based service provider networks.
We have scoured a list of
frequently asked questions that might have popped up in your mind a few times
while digging a bit deeper into STIR/SHAKEN technologies.
Q: Are robocalls somehow different from spoofed calls?
Robocalls refer to the programmatic
origination of phone calls. It is usually done in high volume to deliver either
a recorded message to the recipient or get you in touch with a live person on
the line. Some businesses are using legal robocalls to get out important
messages quickly, for instance, for weather alerts and school closures.
On the other hand, call spoofing is
the process when the call originator has changed the calling number. The person
does this with the intent of hiding or controlling the number that is shown on
the call display. A perfect example of the legal use of spoofing is to present
the primary callback numbers for various customer support or call centres or to
keep a specific private calling number. Besides, a doctor contacts a person
from a private phone number to inquire about his/her health. However, you may
come across different parties who spoof numbers nowadays whenever they wish to
trick users into receiving unwanted calls or avoid detection. Currently,
illegal calls are often a combination of spoofing and automated dialing to
defraud consumers.
Q: Why did call spoofing turn into such a big problem?
At first, the telephone network was
closed only for internationally licensed carriers. If a person doesn’t have
authorized access to the signalling network that underly, he/she will not be
able to process the call.
The Session Initiation Protocol
(SIP) was particularly designed to implement Voice over IP (VoIP) on phone
calls over the Internet. There were some unanticipated consequences where the
SS7 network was connected to the Internet by gateways that ultimately
compromised security. There was not a specific mechanism to verify the
originating numbers at a particular gateway.
Such gateways generally accept the
calling the number provided on the Internet and propagate it into the PSTN.
However, it has become easy and cheap to spoof calls and deliver untraceable
phone calls virtually with so many VoIP networks interconnected with various
PSTN.
Q: How can caller ID authentication
help consumers?
The caller ID authentication
technology helps subscribers trust callers who don’t hide their identity. It
reduces the effectiveness of a spoofed call that is made for fraudulent
activities. People can identify a scam or spoofed robocalls because it erodes
the caller’s ability to spoof the caller ID illegally. Some Americans are
usually tricked into picking up the calls of scammers when they should not.
Besides, caller ID authentication
technology allows law enforcement and consumers alike to more readily identify
illegal robocall sources. It also reduces the impact and frequency of
fraudulent calls. The STIR/SHAKEN framework is a set of technical standards
that allow for the verification and authentication of caller ID information for
calls that are carried over Internet Protocol networks. With the continuation
of implementation and its progress, it will give more confidence to the users
that caller ID information provided by the carrier is accurate. Additionally,
it will allow voice service providers the facility to provide helpful and
authentic information to their consumers. Thus, consumers will know which calls
they should answer and which calls they should avoid.
Q: What is “call authentication?”
The process of “call authentication”
is all about authenticating the identity of a caller by analyzing different
facts and connecting dots between the contact centre or enterprise and its
originating carriers or telco providers. Call authentication ensures that the
calls are identified as valid or trusted from the point of origination to the
point of termination. Once the identity of the caller has validated by the
originating service provider, your information will be associated with your out
pulsed telephone number. The next step leads towards the terminating device
(the telephone of the person to whom you are calling) to validate the identity
and phone number information that is passed from the originating service
provider to display the call as a Verified Call. The call will be displayed as
not-verified if the identity and phone number of the caller cannot be validated
by available data.
Q: How will “Verified” calls be
displayed?
The procedure of how some of the
specificities around the display of verified calls will be visually depicted
are in progress. However, the requirements to trace back the caller’s identity
are mandated by the renowned TRACED Act. Various service providers are looking
for ways and working to make sure that they meet these requirements to avoid
probable interruptions to the calls blocked and overall services.
It is crucial to take possible
steps now to ensure your identity or branded calling presence is the same as
associated with the use of your phone numbers’ authorization and verification.
The process provides “Know Your Customer” proofs that are needed to validate
the identity on behalf of or by service providers after passing the STIR/SHAKEN
signed calls all the way to the point of termination. This step will prevent
the improper blocking of the calls while enabling the highest levels of
STIR/SHAKEN attestation and visual depiction of the verified status (if and
when possible).
Q: Whose responsibility is
STIR/SHAKEN?
You are not responsible for
handling the ideation and logistics behind implementing STIR/SHAKEN. It is the
responsibility of your telco service provider. Thus, you should keep pace with
the progression of your service provider toward STIR/SHAKEN implementation.
Thus, you will be assured that your calls will be given the most significant opportunity
to the authenticated successfully.
With a lot of work going on behind
the scenes with STIR/SHAKEN, it is crucial for you to give your opinion. For
service providers, it is essential to weigh in the policies that will impact
their businesses and their users’ security. Also, be wary of solutions with
‘guarantees’ on STIR/SHAKEN. Special attention should be given to the ones with
promises for ‘attestation’ or ‘enterprise signing’. However, nothing has been
finalized yet. So at this point, no one can predict the outcomes with 100%
certainty.
Q: What is the reason that STIR/SHAKEN are considered the best way to
address caller ID spoofing?
STIR/SHAKEN technology combines the
security that ensures the safety of e-commerce on the Internet with telephone
security. It provides a proper way of knowing whether a caller can use a given
telephone number according to the law or not. Among the top ways to attest the
identity of a caller on the Internet is with a digital certificate.
In both the STIR and SHAKEN
framework, the digital certificates are issued first to the carriers or others
who are assigned to dedicate the telephone numbers. Hence, a private key is
associated with a digital certificate that is used to sign a VoIP call. Thus,
it indicates that the calling party’s telephone number has been attested
properly. So, if the recipient gets a call from a number that carriers cannot
verify, these are the ones that the caller has spoofed.
Q: What if a carrier has traditional TDM trunks and wants to implement
STIR/SHAKEN? Is it possible to do without SIP trunk?
There are many ways that carriers
with traditional TDM trucks can use to successfully implement STIR/SHAKEN.
There should be a STIR/SHAKEN-aware gateway that the carrier can put in front
of legacy infrastructure. It will enable calls to by referring them to be valid
for the destination. However, if there are intermediaries or endpoints in the
legacy TDM infrastructure to access the Internet, out of band infrastructure
can be implemented for STIR/SHAKEN. On behalf of the carriers, an upstream
carrier with a gateway can sign calls potentially on behalf of the carrier with
those traditional TDM trunks as well.
Q: In most cases, people get telemarketing calls from local numbers. As
the origination party has the local calling numbers, the number would be
authenticated successfully. How can STIR/SHAKEN address this situation?
About 98% of complaints that
carriers get are about telemarketing calls that they receive from local
telephone numbers. This phenomenon is referred to as “neighbor spoofing,” which
is a technique used to give the impact that the call is being made from a local
number. While most neighbor spoofing gets back to the caller ID spoofing, some
illegal robocalls, which are a bit more sophisticated, get legitimate numbers
in local NXXs/NPA for this purpose. In this case, STIR/SHAKEN adds a new layer
of authentication and accountability to the process. However, there is no efficient
way to trace back who is the calling entity behind all the calls.
By using STIR/SHAKEN, the neighbor
spoofed calls can be traced a bit more quickly to the carrier that is signing
the call and further isolated within the network of carriers. Some service
providers use more punitive policy and legal measures for the people who issue
such illegal robocalls like the ones being used in “neighbor spoofing.”
Q: Why should people use the option of flag calls instead of blocking
them?
Industry associations and
businesses have brought this issue to the table. They were in the view that by
blocking calls, the users are actually giving the impact of the business to
other consumers that the call is mistakenly marked as spam or doesn’t go
through. The most common example in this regard is of pharmacies and
highlighting how the calls were being marked as spam by different solutions
when they were only trying to send out some important prescription information.
Businesses and consumers both do not want to get such important calls blocked
or spammed automatically. A large number of enterprises came to know that
almost everyone has experienced some of the calls being mistakenly marked as
spam or blocked.
It can be attributed partly to the
call analytics program that takes into account crowdsourcing and volume metrics
to determine whether the call should be blocked or marked as spam or not. As
anyone will have the ability to mark the telephone number as “bad” or “unwanted
calls” from their personal mobile devices, the authority of data sources
becomes limited. Thus, it is always a better idea to inform consumers about the
person who is calling and empowering them to decide whether they want to pick
that call up or not. Consumers will have access to different tools to set their
policies to respond to the communication that is being held with someone. They
can consider the reliable information that STIR/SHAKEN will provide to make the
decision.
Q: Someone receives a spam call from a telephone number that is similar
to the ones being used in England. Will the STIR/SHAKEN standards work with
international originated callers?
The calls that are being originated
from any other country will have an ingress or entry point into the country of
the recipient. Suppose a US resident is getting the call from a phone number
that is identified as that of England. In such a situation, the carrier
responsible for bringing the call into the US can sign or attest it. SHAKEN has
the authority to sign these calls as the “gateway level of attestation.” The
information provided will be useful as an input to call analytics programs to
help advise/warn consumers about responding to the call.
Q: How are other countries playing their part in STIR/SHAKEN?
There is a particular process that
can be found in the US regarding Call Authentication Trust Anchor Working Group
(CATA) to define the trust for STIR/SHAKEN. It is endorsed by FCC. Countries
need to go through a similar regulatory process to participate in STIR/SHAKEN.
In Canada, STIR/SHAKEN has been put into effect from 2019 as per CRTC’s
recommendations. Canada is also working through a similar process to
efficiently define the trust anchor. Besides, many regulators in Europe are
putting efforts to track the progress of STIR/SHAKEN adoption and other US
measures and are at different stages of introducing initiatives in their
country.
Q: In what ways can enterprises use
STIR / SHAKEN for call authentication?
As many of you might already know, SHAKEN
is a carrier-centric framework that sets out a standard method to implement
STIR authentication to the Internet Protocol-based Network-to-Network Interface
(IP-NNI). Entreprises having their VoIP infrastructure are expected to have the
option to set up the process of call authentication by using a new STIR/SHAKEN
feature. Carriers can delegate the authority against various telephone numbers
to enterprises to effectively participate in the STIR/SHAKEN ecosystem.
The Verdict
It is not a secret that spammed
robocalls and spoofing numbers have destroyed the trust of people in telephone
calls. The trust of the common man is destroyed to the point that a lot of
people have stopped answering calls from unknown phone numbers. This practice
of not answering calls from telephone numbers that they are not familiar with
is certainly understandable from the consumers’ point of view. However, it is
costly for businesses and organizations that need to conduct various business
and marketing activities over the phone and face difficulty while connecting to
the customers. STIR/SHAKEN is the ultimate source to get back the trust of
consumers and combating a potential threat to public safety.
Post a Comment