Shaken and Stirred: How the telecom industry is dealing with robocalls
“While there is no silver bullet in the endless fight against scammers, STIR/SHAKEN will turbo-charge many of the tools we use in our fight against robocalls: from consumer apps and network-level blocking, to enforcement investigations and shutting down the gateways used by international robocall campaigns.” Jessica Rosenworcel, acting Chairwoman, FCC (1)
Call spoofing is a menace to phone users across the globe. The intention behind these calls varies from simply maximizing the chances that the receiver will pick up the call to being part of a grander fraud scheme to steal identities, financial details, and more.
Fraudulent robocalls will cost customers US $40 billion in 2022, up from US $31 billion in 2021, according to a study by Juniper Research (2).
The alarm is officially raised. In March 2020, the US-based Federal Communications Commission (FCC) directed the telecommunications industry to actively and innovatively seek ways to combat robocalling.
One of the prominent standards to start with is STIR/SHAKEN. Short for “Secure Telephone Identity Revisited” (STIR) and “Signature-based Handling of Asserted information using toKENs” (SHAKEN), the framework provides mechanisms that avert caller ID spoofing. By verifying caller IDs, the framework helps receivers identify that a robocall is, in fact, a robocall versus a legitimate call (3). The deadline for communication service providers to fully implement STIR/SHAKEN was June 2021.
Curious about the acronym STIR/SHAKEN? Indeed, it is inspired by secret agent 007, James Bond, who famously prefers his Martinis shaken and not stirred. Since the STIR framework was developed earlier, SHAKEN had to be the obvious choice. Jim McEachern, a senior technology consultant with the ATIS, wittily remarks, “We tortured the English language until we came up with an acronym” (7).
How can standards help?
The STIR/SHAKEN framework uses digital certificates based on common public-key cryptography techniques to ensure that the calling number of a telephone call is secure.
Those providers that fail to implement STIR/SHAKEN and register themselves in the robocall mitigation database won’t be able to provide domestic voice traffic services (4).
The protocols themselves reinforce the telco network’s ability to prevent caller ID spoofing. STIR is the actual technology that fights illegal spoofing using digital certificates that cross-check the accuracy and validity of a calling number. SHAKEN guides telcos on how to properly implement STIR technology within their networks.
The STIR/SHAKEN workflow
- The originating telephone service provider receives a SIP INVITE.
- The call source and the calling number are checked by the originating telephone service provider to determine how to attest to the validity of the calling number.
  - Full Attestation (A) — The service provider has authenticated the calling party, and they are authorized to use the calling number.
  - Partial Attestation (B) — The service provider has authenticated the call origination but cannot verify that the call source is authorized to use the calling number.
  - Gateway Attestation (C) — The service provider has authenticated from where it received the call but cannot authenticate the call source.
- The originating service provider creates a ‘SIP identity header.’ This notes details like the dialer’s number, the number being dialed, timestamp, attestation type, origination identifier, etc.
- These two information buckets or digital certificates – the SIP INVITE and the SIP Identity header – are sent to the destination service provider, which passes them to the verification service.
- The digital certificates are verified against the public certificate repository through a complex process; successful verification establishes that the dialing number is not spoofed or illegal.
- The call is approved for the destination service provider, and the call completes its journey, reaching the final party.
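The signing and verification steps above, as an added example that is not part of the original article: a PASSporT token as it would travel in the SIP Identity header, signed by the originating side and checked by the terminating side. The claim names follow RFC 8225 and RFC 8588; the key pair, phone numbers, origid, certificate URL and the 60-second freshness window are constructed for the example, and fetching and chain-validating the provider certificate is left out.

```javascript
// Added example: constructed key and call data, not a real STI certificate.
const crypto = require('crypto');
const b64u = (x) => Buffer.from(x).toString('base64url');
const unb64 = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Authentication service (originating provider): build and sign the PASSporT
// that is carried in the SIP Identity header.
function signPassport(privateKey, { orig, dest, attest, origid, iat }) {
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport',
                   x5u: 'https://cert.example.invalid/sti.pem' }; // placeholder URL
  const payload = { attest, dest: { tn: [dest] }, iat, orig: { tn: orig }, origid };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  const sig = crypto.sign('sha256', Buffer.from(input),
                          { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

// Verification service (terminating provider): signature first, then freshness,
// then that the signed numbers are the ones the INVITE actually carries.
function verifyPassport(token, publicKey, invite, now, maxAgeSec = 60) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try { header = unb64(parts[0]); claims = unb64(parts[1]); }
  catch { return { ok: false, reason: 'malformed' }; }
  if (header?.alg !== 'ES256' || header.ppt !== 'shaken')
    return { ok: false, reason: 'unsupported-header' };
  const sigOk = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  if (!sigOk) return { ok: false, reason: 'bad-signature' };
  if (!(Math.abs(now - claims?.iat) <= maxAgeSec)) return { ok: false, reason: 'stale' };
  if (claims.orig?.tn !== invite.from || !claims.dest?.tn?.includes(invite.to))
    return { ok: false, reason: 'number-mismatch' };
  if (!['A', 'B', 'C'].includes(claims.attest)) return { ok: false, reason: 'bad-attest' };
  return { ok: true, attest: claims.attest };
}

// Constructed call: one provider key pair, one signed token, three outcomes.
function demo() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const iat = 1700000000; // constructed timestamp
  const invite = { from: '12025550100', to: '12025550199' }; // constructed numbers
  const token = signPassport(privateKey, { orig: invite.from, dest: invite.to,
    attest: 'A', origid: '00000000-0000-4000-8000-000000000001', iat });
  return {
    good: verifyPassport(token, publicKey, invite, iat + 5),
    spoofed: verifyPassport(token, publicKey, { ...invite, from: '12025550123' }, iat + 5),
    replayed: verifyPassport(token, publicKey, invite, iat + 3600),
  };
}
console.log(demo());
```

The spoofed and replayed cases carry a valid signature; they are rejected because the signed numbers or timestamp no longer match the call being set up, which is why the claim checks matter as much as the signature check.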
Shaking up a stir across the globe
STIR is a globally accepted standard that can be implemented in any country. On the other hand, SHAKEN is specific to the United States (6).
America has been enthusiastic about its adoption of STIR/SHAKEN. Verizon, an American telco and one of the largest in the world, implemented the FCC’s industry mandate by March 2019. It has fully upgraded its wireless network to STIR/SHAKEN (5). This move has allowed Verizon to protect more than 78 million customers from over 13 billion spoofed calls!
By 2021, many other top US mobile carriers followed suit in adopting STIR/SHAKEN, such as AT&T, T-Mobile, and US Cellular (1).
On the heels of the US, other countries are evaluating the STIR/SHAKEN standards and their effectiveness in combating illegal call spoofing according to their unique needs.
Take the case of Ofcom, the UK’s communications regulator, which plans to fully retire copper lines and move from the PSTN to VoIP by January 2025 as a step towards implementing STIR/SHAKEN. But since the UK does not have a national database of assigned telephone numbers, NICC, a UK-based tech forum, has suggested a three-phased approach for the transition. Other examples are Canada and France.
Teething troubles with STIR/SHAKEN
While STIR/SHAKEN can be lauded for its advantages, it also has shortcomings.
This is why even though the deadline for implementing STIR/SHAKEN is behind us, completely getting rid of spoofed calls remains an uphill task.
- No compulsion for smaller providers – Small providers with fewer than 100,000 subscribers are exempt from the FCC mandate; they qualify for a two-year extension. Certain other extensions have also been made for non-IP portions of provider networks, making them the preferred route for scammers now (6).
- Copper landline wires – Landline phone networks have also not been able to deploy STIR/SHAKEN as copper landlines are unable to support this technology (1).
- Not applicable to SMS – STIR/SHAKEN applies only to phone calls and not to SMS services. Scammers can still bombard millions of unwitting users with illegally spoofed messages over SMS (9).
- A costly avenue – Implementing STIR/SHAKEN is a costly affair.
More to be done!
Telecom may be far from achieving spoof-free networks, but implementing STIR/SHAKEN standards is a step in the right direction.
Scammers are quick to adapt to obstacles and are constantly seeking clever ways to bypass stronger security protocols. Nations and legitimate providers must work together to create interoperable standards that weed out the menace of illegal and malicious robocalling.
Regulators like the FCC must study the effectiveness of STIR/SHAKEN standards, address concerns periodically, and find the right tech partners to make implementation seamless and cost-friendly.