When it comes to making our phone networks safer, one of the most important areas that we need to tackle is robocallers and scammers. There are many people out there who spend their time hiding behind spoofed numbers in order to trick people into giving them their time and money. These scams are not only upsetting and illegal, they also threaten the reputations of profits of those companies who are doing legitimate work. As part of the fight against robocallers and scammers, the Federal Communications Commission (FCC) now requires major carriers to adhere to STIR/SHAKEN protocols.
The need for the protocols to be put in place to protect us is highlighted by the data that has been collected around spoof robocalls made in the US. In the last year alone there have been 4-5 billion robocalls made each month, and 40% of those are fraudulent.
Before we take a look at some of the common misconceptions and myths around the use of STIR/SHAKEN, let’s outline how the protocols work to protect everyone.
STIR - secure, telephony identity revisited is the technology that lies behind the protocols. Through the use of STIR a digital signature is created that provides information about the caller. When a call is made, a SIP invite is created and passed to the originating provider. This SIP is put through an authentication service which creates a SIP header. The header contains information about the caller, and, most importantly, the attestation level that is assigned (more about this later). After this, the information is then compared to the certificate held in the repository before the two are compared and the call is passed to the called party. SHAKEN - secure handling of asserted information using tokens - ensures that the calls that are completed are authentic and not robocalls or calls from spoofed numbers. This all comes together to ensure safer networks for all.
Attestation Levels
STIR/SHAKEN assigns each call an attestation ‘level’ or ‘grade’ that tells the called party to what extent the call should be approved.
The levels are as follows:
A - full attestation is assigned when both the caller and the number are known.
B- partial attestation is assigned when the caller is known, but the number is not.
C- gateway attestation is assigned when neither the caller or the number is known.
The attestation level or grading does not result in the blocking of a call, but it gives an indication of how likely it is that the call is fraudulent and shows whether it is approved and therefore safe for the network. This is not a foolproof system, and there are some problems that will be encountered along the way. Issues with multiple networks, non-VoIP providers and other issues are likely to arise as companies start to implement the protocols. As a result, there has been a lot of discussion around STIR/SHAKEN and there has also been a lot of confusion as businesses try to work out what it means for them. There is a lot of positivity about the possibility of being able to detect and block calls that are designed to disrupt and disturb the running of your business. However, as with all new ideas and implementations, there is a lot of information that has not yet been made clear. There will be a learning process for all businesses as they discover how STIR/SHAKEN will work in their context. As we all get to grips with the operation of STIR/SHAKEN there is a lot of misinformation out there that is leading to misconceptions and myths. Here we take a look at some of the common misconceptions and myths that currently surround STIR/SHAKEN and look at the truth and reality behind them.
STIR/SHAKEN means that all customers will start answering calls again.
Whilst seeing a higher level of successfully connected calls is hoped to be one of the outcomes of STIR/SHAKEN, this is not something that businesses should expect to happen straight away. There is still a lot to do in order to make sure that the system works effectively and also to restore confidence in those who are frustrated by fraudulent calls. In reality, things could get somewhat worse before they get better when it comes to this issue. As STIR/SHAKEN rolls out, businesses could find that callers could be flagged as having low attestation levels even though they are callers that should be given approval. This is likely to happen where the calls originate from carriers from whom STIR/SHAKEN support is not yet fully implemented or supported. Such calls are likely to receive gateway status when it comes to assigning attestation levels, and this may take some time to iron out. There are issues that exist around multiple carriers, calls originating from landlines and calls made from smaller carriers. However, the fact that STIR/SHAKEN is a step in the right direction when it comes to creating safer and more trusted networks that are harder to infiltrate is beyond doubt. In time, as more businesses and individuals understand how to implement STIR/SHAKEN, attestation assignation will be more accurate and the likelihood of legitimate callers being rejected will fall dramatically. As STIR/SHAKEN proves successful in the U.S., it will become desirable to companies around the world, and this is probably going to be one of the biggest factors when it comes to seeing more customers answering your calls because, as we know, there are fraudsters who work in collaboration around the world and they have some very sophisticated ways and means. Everyone wants a safer and more trustworthy network to work from because when it comes to personal and sensitive information being discussed, customers want to know that they are working with businesses who care about protecting them and their data. There is no reason why we won’t see a quick adherence to the protocols. It may just be the case that we need to exercise some patience as the flaws and intricacies are discovered and ironed out.
STIR/SHAKEN will help to identify fraudulent inbound calls.
It is really important for us all to understand that whilst STIR/SHAKEN is a powerful operation, it works only to establish how a call connects into the phone network. It does not provide information about who is on the other end of the line - that is a process that requires a much higher level of authentication. Caller authentication is relied upon by many businesses and can help them to identify fraudulent callers, but this is not something that STIR/SHAKEN itself provides you with the power to execute. When it comes to virtualized calls, there will still be an issue for businesses to tackle. Where people - or usually groups of people - are working to call anonymously from millions of devices stationed around the world there is a high level of threat. Such operations can pose the greatest threat when it comes to account takeover and this is something that worries businesses on a daily basis. Under STIR/SHAKEN these virtualized calls could still be given a high attestation grading and so could pass into the system unless there are other safeguards in place to prevent them from entering and causing damage. As the use of STIR/SHAKEN becomes more widespread and businesses have systems in place that allow for effortless application, its power will grow and it will become more refined. Of course, we must also take into account that those behind spoof robocalls are often highly motivated and also increasingly sophisticated and they will attempt to circumnavigate the STIR/SHAKEN protocols. As such, it is important that companies can rely on the support of those at the cutting edge of understanding when it comes to STIR/SHAKEN so that legitimate businesses can stay ahead of the game when it comes to ensuring the safety and trust of their customers.
STIR/SHAKEN is being adopted worldwide
STIR/SHAKEN is a relatively new system, and is still only just being rolled out in the US. For this reason you cannot expect there to be full support around the world just yet. There is a push to get the protocol adopted globally, but at the moment that is not the case. It is worth remembering that STIR/SHAKEN is only deployed on IP-based services and not on more traditional ones. There is also the fact that whilst large carriers like Verizon and T-Mobile have a lot to gain from implementing STIR/SHAKEN, and can afford to do so, smaller carriers will not have the finances to follow in the footsteps of the market leaders. There is probably less for large businesses to worry about, but there is a great threat to individuals that still exists. Where there are vulnerable people living in disconnected areas of the world and using local carriers and not an IP service, there could be risk of them being isolated as they try to call friends and family members on a larger network and their call receives level C attestation. Clearly there is still a long way to go with this issue, but as the protocol is rolled out and people are educated about it, it should become easier to ensure that it is more accurate when we all use it.
STIR/SHAKEN can be leveraged by businesses to assess calls from customers.
The main concern that impelled the FCC and telecommunications industry to develop STIR/SHAKEN was the reduction of spoofed robocalls to consumers. These are the calls that can be the easiest to make sound authentic and they are the ones that catch many people off-guard and rob them of their money and their time. The people behind these calls are the ones who the STIR/SHAKEN protocol is there to discourage so that we can all have more trust in our networks, and so that customers will answer the calls of the businesses who need to connect with them. STIR/SHAKEN is designed to support call trust indication and no STIR/SHAKEN specification has been developed that allows this to be passed from a carrier to their enterprise customers. There has to be this level of trust if this protocol is to be embraced and used in the way that it is intended. Many companies deal with private and sensitive information, and customers need to know that this information is secure. There may be changes in the future, but, for now, this is how the issue stands.
STIR/SHAKEN will always get it right
This is probably one of the most widely held misconceptions out there. Telecommunication and the networks it relies upon are complex. There are times when STIR/SHAKEN may give trusted callers C grade attestation, and spoof callers A grade attestation - it will not be able to get it right the first time all of the time. Businesses will not be able to rely on STIR/SHAKEN alone to block robocallers. Most calls pass between providers, and this ‘hopping’ is the issue when it comes to authentication of caller intent: there are many steps on the journey from origination caller to the recipient. For example, a call might originate in a rural landline. It then gets passed to a VoIP provider, that VoIP provider then connects the call to a tower owned by the mobile carrier, who then passes the call to the phone at the other end. When you consider that STIR/SHAKEN, as mentioned before, is not likely to be implemented on every step of that journey, you can see how problems can be caused.
STIR/SHAKEN can be used to combat fraudulent SMS and MMS messages.
At the moment, this is not something that the protocol is able to do. The vast majority of business operations are still conducted by telephone and so the need for is seen to be greatest in this area. Data shows that spoofed calls are more effective in meeting their fraudulent goals as they seem to be more official and more believable than an anonymous text message. The information that is contained in the SIP header could, at some point in the future, be applied to SMS and MMS messages, but that is not something that is likely to happen very quickly.
STIR/SHAKEN will not be sustainable
This is one of the things that you may have heard those in the industry say. Whilst many understand that STIR/SHAKEN is very much a gateway to safer operation and a higher level of trust from customers, there are some people who think that it will be difficult for businesses to deal with its implementation and upkeep. This opinion comes from the fear of how much time and effort and money it is perceived to take to get STIR/SHAKEN implemented. Whilst this is a very real fear, it is not one that needs to exist as there are products and services that will not only help with the initial set-up, but also the support that businesses are looking for. There is always worry when something new is introduced, but that worry is often found in those who do not fully understand the thing they are being negative about. STIR/SHAKEN is a good thing for the telecommunications industry and it will be something that is sustainable and useful for us all. The power that it has is still in its infancy and there is every reason to expect that it will develop further and become even more powerful. Once businesses connect with those whose passion it is to understand the protocols, then there will be nothing left for them to fear and only trust and increased performance and profits for them to enjoy.
In its essence, STIR/SHAKEN is actually very simple, even if the processes behind it are somewhat complex and complicated. There is a lot to be gained from STIR/SHAKEN and it clearly has the ability to do something to combat the robocalls that are blighting the telecommunication industry. However, there are some issues that are yet to be ironed out, and these will only really come to light once it is fully implemented across the globe. Hopefully the myths that we have debunked here will help you to stay fully informed about STIR/SHAKEN and will allow you to implement it in your context.
0 Comments