If you’re like the rest of us, your phone rings periodically throughout the day with calls from numbers that look suspiciously close to your own, or sometimes from your own number. Don’t worry, you’re not seeing things: these are robocalling fraudsters trying their darndest to get you to pick up. You’ve most likely blocked many of these numbers, installed apps like Hiya, YouMail, Nomorobo or RoboKiller, and considered throwing your phone against the wall. We get it, we’ve all been there. However, change is on the horizon, and it’s coming in the form of SHAKEN/STIR.
How did we get here?
Robocalls didn’t just appear one day. They are a byproduct of the evolution of telephony that scammers have weaponized to defraud vulnerable populations. When our parents grew up, telephony was highly regulated and people answered the phone because they trusted the caller. Technical innovations such as computerized dialers and inexpensive IP-based calling into the public switched telephone network, combined with an aging and vulnerable population, are key factors in the explosion of robocalls. People who grew up trusting phone calls, and who still answer expecting a trustworthy person on the other end, have been identified by fraudsters as an exceptionally vulnerable audience. The underlying weakness is that the caller ID delivered across the network is not authenticated: whoever originates a call can set the calling number to anything. Legitimate businesses do this routinely (a call center presenting its main number) and fraudsters exploit it, and imperfect robocall detection methods cannot tell the two apart.
Legislation alone can’t solve, and hasn’t solved, the fraudulent robocall problem. The Truth in Caller ID Act of 2009 prohibits transmitting inaccurate calling number information with the intent to defraud, cause harm or wrongfully obtain anything of value, with penalties in excess of $10,000 per violation. This hasn’t put a dent in the problem and is frankly difficult to enforce, since a spoofed number gives investigators nothing to trace. Congress amended the Act (in RAY BAUM’S Act of 2018) and the FCC adopted implementing rules in 2019 that extend it to text messages and to caller ID spoofing by callers outside the US.
Bringing Call Authentication To the Telephony Network
SHAKEN (Signature-based Handling of Asserted information using toKENs) and STIR (Secure Telephone Identity Revisited) are designed to bring call authentication to the telephony network so that the terminating side can verify who originated a call and whether they were entitled to use the calling number. STIR is the IETF protocol work (RFC 8224 for the SIP Identity header, RFC 8225 for the signed token, RFC 8226 for the certificates); SHAKEN is the ATIS/SIP Forum framework (ATIS-1000074) that specifies how North American carriers deploy it. SHAKEN/STIR will have a marked effect on decreasing the volume of unwanted and illegal robocalls, which in turn improves the likelihood that wanted and important calls get through and are answered. The technology uses JSON Web Tokens (JWT) signed with keys bound to X.509 certificates; if you’re a web developer, think of TLS certificates: the originating provider signs the call parameters, and the terminating provider checks the signature and the certificate chain to determine whether the caller was authorized to use the number they placed the call from.
SHAKEN/STIR end-to-end
When a call is placed, the originating service provider, let’s say Verizon in this case, receives the call parameters (the from and to telephone numbers) and passes them to its signing service, the STI Authentication Service (STI-AS), which signs them (for background on public key cryptography, see this blog). The call is now signed with Verizon’s private key, and that means Verizon is standing behind the origination of this call and its parameters. The signed call traverses the telephony network to the terminating service provider, let’s say AT&T. AT&T’s verification service (STI-VS) fetches Verizon’s certificate from the URL carried in the signed token, checks that it chains to a certificate authority it trusts, and uses the public key in it to verify the signature over the call parameters. SHAKEN/STIR introduces a new trust anchor into the world of certificate issuance: the Secure Telephone Identity Policy Administrator (STI-PA). The STI-PA approves the certificate authorities (STI-CAs) allowed to issue SHAKEN certificates, publishes the list of their root certificates that verifiers trust, and issues a Service Provider Code (SPC) token to each authorized service provider; the provider generates its own signing key pair and presents the SPC token to an STI-CA to obtain a certificate for the public key. The private key never leaves the provider; the STI-PA and STI-CA only vouch for the public half. Once AT&T has validated Verizon’s certificate and the signature, it can assert to the called party that the owner of the phone number is the one placing the call through a visual display, such as a green checkmark on Comcast Xfinity VoIP phones or “Caller Verified” as seen on Android.
SIP and Identity Headers
Standard SIP headers used for passing calls through the telephony network will, in a SHAKEN/STIR world, carry an additional Identity header (RFC 8224). Its value is a signed token called a PASSporT (RFC 8225): a JSON Web Token in compact form, three base64url-encoded parts separated by dots, followed by the info, alg and ppt header parameters. It looks something like this (the Identity header is shown on a single line because that is how it appears in the SIP message):
INVITE sip:14151234567@twilio.com:5060 SIP/2.0
Via: SIP/2.0/UDP example.com:5060
From: "Alice" <sip:14155555555@5.6.7.8:5060>;tag=123456789
To: "Bob" <sip:14155550101@1.2.3.4:5060>
Call-ID: 1-12345@5.6.7.8
CSeq: 1 INVITE
Max-Forwards: 70
Identity: eyJhbGciOiAiRVMyNTYiLCJwcHQiOiAic2hha2VuIiwidHlwIjogInBhc3Nwb3J0IiwieDV1IjogImh0dHBzOi8vY2VydGlmaWNhdGVzLnR3aWxpby5jb20vdGVzdGNlcnQuY3J0In0=.eyJhdHRlc3QiOiAiQSIsImRlc3QiOiB7InRuIjogWyIxNDE1NTU1MDEwMSJdfSwiaWF0IjogMTU0ODg1OTk4Miwib3JpZyI6IHsidG4iOiAiMTQxNTU1NTU1NTUifSwib3JpZ2lkIjogImExN2FmY2I1LTI5NjUtNDgzNy1hOWU2LTBlNmIzZjUyMTI1NCJ9.S_vqkgCk88ee9rtk89P6a6ru0ncDfSrdb1GyK_mJj-10hsLW-dMF7eCjDYARLR7EZSZwiu0fd4H_QD_9Z5U2bg;info=<https://certificates.twilio.com/testcert.crt>;alg=ES256;ppt=shaken
The first part of the Identity header is the JWT header (the PASSporT header), which denotes what kind of token this is:
eyJhbGciOiAiRVMyNTYiLCJwcHQiOiAic2hha2VuIiwidHlwIjogInBhc3Nwb3J0IiwieDV1IjogImh0dHBzOi8vY2VydGlmaWNhdGVzLnR3aWxpby5jb20vdGVzdGNlcnQuY3J0In0=
Base64url-decoded, it is:
{
  "alg": "ES256",  → JWS signing algorithm: ECDSA with P-256 and SHA-256, the only algorithm SHAKEN permits
  "ppt": "shaken",  → PASSporT extension in use; "shaken" adds the attest and origid claims
  "typ": "passport",  → token type
  "x5u": "https://certificates.twilio.com/testcert.crt"  → URL of the signing provider’s certificate (must be HTTPS)
}
(The trailing “=” on this test token is base64 padding. JWS (RFC 7515) specifies base64url without padding, so a strict verifier will strip or reject it.)
The second part is the payload, the claims about the origination and termination numbers, which is what is in effect being signed:
eyJhdHRlc3QiOiAiQSIsImRlc3QiOiB7InRuIjogWyIxNDE1NTU1MDEwMSJdfSwiaWF0IjogMTU0ODg1OTk4Miwib3JpZyI6IHsidG4iOiAiMTQxNTU1NTU1NTUifSwib3JpZ2lkIjogImExN2FmY2I1LTI5NjUtNDgzNy1hOWU2LTBlNmIzZjUyMTI1NCJ9
Decoded:
{
  "attest": "A",  → Attestation level (see below)
  "dest": {
    "tn": [
      "14155550101"  → Destination phone number(s)
    ]
  },
  "iat": 1548859982,  → Issued-at time in Unix seconds; verifiers reject tokens more than about a minute old to prevent replay
  "orig": {
    "tn": "14155555555"  → Origination phone number
  },
  "origid": "a17afcb5-2965-4837-a9e6-0e6b3f521254"  → Origination identifier, which the originating provider ties to its customer (see Traceback below)
}
The attestation level is a flag set by the originating service provider to denote how confident it is that the party placing the call is entitled to the calling number. In this case the attestation level is A, which means the customer is known to the provider and has the right to use the origination number. The three levels are defined in the SHAKEN specification (ATIS-1000074; the attest and origid claims are registered as the PASSporT “shaken” extension in RFC 8588):
- 'A' represents 'Full Attestation': Twilio knows the identity of the caller and knows the caller has the right to use the phone number as the calling number
- 'B' represents 'Partial Attestation': Twilio knows the identity of the caller but does not know whether the caller has the right to use the phone number as the calling number
- 'C' represents 'Gateway Attestation': given when neither A nor B can be satisfied, typically for calls that enter the network through a gateway the provider cannot vouch for, such as international inbound traffic
Note that the signature proves only that the named provider signed these parameters; the attestation level is that provider’s own claim. A valid signature on a C-attested call tells the terminating side who to hold accountable, not that the calling number is genuine, which is why carriers display “verified” only for calls they both verify and consider fully attested.
The third part of the JWT is the cryptographic signature: ES256 over the first two parts joined by a dot, encoded as the raw 64-byte r||s value that JWS uses:
S_vqkgCk88ee9rtk89P6a6ru0ncDfSrdb1GyK_mJj-10hsLW-dMF7eCjDYARLR7EZSZwiu0fd4H_QD_9Z5U2bg
The remainder of the Identity header is not part of the JWT; it is a set of SIP header parameters that repeat the certificate URL, algorithm and PASSporT type so a verifier can locate the certificate without first decoding the token:
;info=<https://certificates.twilio.com/testcert.crt>;alg=ES256;ppt=shaken
A verifier must check that info matches the x5u in the token header and that alg is ES256 before trusting either, since an attacker who controls the header can otherwise point it at a certificate of their own choosing.
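The verification side of the Identity header, as an added example that is not code from the original post: it parses the INVITE shown above (embedded here as a constructed sample with the Identity header reassembled onto one line), decodes the PASSporT and applies the checks a terminating provider’s STI-VS performs before it trusts the attestation: algorithm and PASSporT type, x5u against the info parameter, iat freshness against replay, orig and dest against the From and To numbers, a well-formed attestation and origid, and finally the signature. The signature check is delegated to a verify_sig callable the caller supplies (in a real deployment it fetches the certificate at x5u, validates its chain to an STI-CA root published by the STI-PA and runs ES256 over header.claims). The 60-second freshness window is RFC 8224’s default; the function names and the order of checks are this example’s own.

```python
import base64
import json
import re

# The INVITE from this post, embedded as constructed sample input so the example
# runs offline; the Identity header is one line here, as it is on the wire.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:14151234567@twilio.com:5060 SIP/2.0",
    "Via: SIP/2.0/UDP example.com:5060",
    'From: "Alice" <sip:14155555555@5.6.7.8:5060>;tag=123456789',
    'To: "Bob" <sip:14155550101@1.2.3.4:5060>',
    "Call-ID: 1-12345@5.6.7.8",
    "CSeq: 1 INVITE",
    "Max-Forwards: 70",
    "Identity: "
    "eyJhbGciOiAiRVMyNTYiLCJwcHQiOiAic2hha2VuIiwidHlwIjogInBhc3Nwb3J0IiwieDV1Ijog"
    "Imh0dHBzOi8vY2VydGlmaWNhdGVzLnR3aWxpby5jb20vdGVzdGNlcnQuY3J0In0=."
    "eyJhdHRlc3QiOiAiQSIsImRlc3QiOiB7InRuIjogWyIxNDE1NTU1MDEwMSJdfSwiaWF0IjogMTU0"
    "ODg1OTk4Miwib3JpZyI6IHsidG4iOiAiMTQxNTU1NTU1NTUifSwib3JpZ2lkIjogImExN2FmY2I1"
    "LTI5NjUtNDgzNy1hOWU2LTBlNmIzZjUyMTI1NCJ9."
    "S_vqkgCk88ee9rtk89P6a6ru0ncDfSrdb1GyK_mJj-10hsLW-dMF7eCjDYARLR7EZSZwiu0fd4H_QD_9Z5U2bg"
    ";info=<https://certificates.twilio.com/testcert.crt>;alg=ES256;ppt=shaken",
])

def b64url_decode(s):
    # JWS is unpadded base64url; the "=" on the sample's header part is tolerated here
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def parse_headers(invite):
    """SIP headers after the request line, as lower-cased name -> value."""
    headers = {}
    for line in invite.split("\r\n")[1:]:
        if not line:
            break                      # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def tn_from_uri(value):
    """Digits of the number in a From/To header such as '"Alice" <sip:14155555555@host>'."""
    m = re.search(r"sip:\+?(\d+)@", value)
    return m.group(1) if m else None

def parse_identity(value):
    """Split 'header.claims.sig;info=<url>;alg=ES256;ppt=shaken' into its pieces."""
    jwt, *raw = [p.strip() for p in value.split(";")]
    params = dict(p.split("=", 1) for p in raw if "=" in p)
    if "info" in params:
        params["info"] = params["info"].strip("<>")   # RFC 8224 wraps the URL in <>
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("PASSporT is not a three-part JWS")
    return {"header": json.loads(b64url_decode(parts[0])),
            "claims": json.loads(b64url_decode(parts[1])),
            "params": params,
            "signing_input": (parts[0] + "." + parts[1]).encode(),
            "signature": b64url_decode(parts[2])}

def verify_invite(invite, now, verify_sig, max_age=60):
    """STI-VS checks (RFC 8224 s.6.2, ATIS-1000074) for one INVITE.
    verify_sig(x5u, signing_input, signature) -> bool is supplied by the caller and
    does the certificate fetch, chain validation to an STI-CA root and ES256 check.
    Returns (verified, attest, reasons); attest is meaningful only when verified."""
    reasons = []
    hdrs = parse_headers(invite)
    if "identity" not in hdrs:
        return False, None, ["no Identity header: call is unsigned"]
    try:
        ident = parse_identity(hdrs["identity"])
    except (ValueError, KeyError) as exc:   # bad base64, bad JSON, missing parts
        return False, None, [f"malformed Identity header: {exc}"]
    h, c, p = ident["header"], ident["claims"], ident["params"]
    if h.get("alg") != "ES256" or p.get("alg") != "ES256":
        reasons.append("alg must be ES256 (never accept 'none' or an HMAC alg)")
    if h.get("typ") != "passport" or h.get("ppt") != "shaken" or p.get("ppt") != "shaken":
        reasons.append("not a SHAKEN PASSporT")
    x5u = h.get("x5u", "")
    if not x5u.startswith("https://") or p.get("info") != x5u:
        reasons.append("x5u missing, not https, or does not match the info parameter")
    if len(ident["signature"]) != 64:
        reasons.append("ES256 signature must be 64 bytes (r||s)")
    iat = c.get("iat")
    if not isinstance(iat, int) or not (now - max_age <= iat <= now + max_age):
        reasons.append("iat outside the freshness window (replayed or clock skew)")
    if c.get("orig", {}).get("tn") != tn_from_uri(hdrs.get("from", "")):
        reasons.append("orig.tn does not match the From number")
    if tn_from_uri(hdrs.get("to", "")) not in c.get("dest", {}).get("tn", []):
        reasons.append("To number is not in dest.tn")
    attest = c.get("attest")
    if attest not in ("A", "B", "C"):
        reasons.append("attest must be A, B or C")
    if not c.get("origid"):
        reasons.append("origid missing: call cannot be traced back")
    # run the expensive signature check only once the cheap structural checks pass
    if not reasons and not verify_sig(x5u, ident["signing_input"], ident["signature"]):
        reasons.append("signature does not verify against the certificate at x5u")
    return not reasons, attest, reasons
```

Running the sample through verify_invite with a verify_sig that accepts and a clock close to the token’s iat returns verified with attestation A; presenting the same INVITE an hour later fails on iat, and rewriting the From number while leaving the token alone fails on orig.tn, which is the spoofing case SHAKEN exists to catch.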
Shaken Traceback and Law Enforcement
"x5u": "https://certificates.twilio.com/testcert.crt" → certificate URL, identifying the signing provider
"origid": "a17afcb5-2965-4837-a9e6-0e6b3f521254" → origination identifier
The certificate URL identifies the provider that originated the call and is assuming responsibility for it: the certificate was issued to that provider through the STI-PA and STI-CA process, so a third party cannot forge it. The origination ID is an opaque identifier the originating provider ties to the specific customer, trunk or gateway that initiated the call; it means nothing to the terminating side, but it lets the originating provider look up exactly which client sent a call when a traceback request arrives. Together they create a chain of accountability from the platform that placed the call back to the client that requested it. Being able to determine who is placing fraudulent calls makes it possible to enforce the existing laws and curb the flood of robocalls.
What do you have to do right now?
Expect to see SHAKEN/STIR roll out in 2020, starting with the mobile operators. If you buy phone numbers from other providers, you can verify your ownership of those numbers on Twilio in the Console at https://www.twilio.com/console/phone-numbers/verified or with the REST API documented at https://www.twilio.com/docs/voice/api/outgoing-caller-ids
As part of this work we have joined a number of industry organizations, including becoming a board member of the Alliance for Telecommunications Industry Solutions (ATIS) and, more recently, USTelecom. On the policy and legislative front, Twilio attended the FCC Robocall Summit and the USTelecom Robocall Summit, demoed Twilio to Congress, and supported the TRACED Act and the Stopping Bad Robocalls Act.
Want hands-on information on how to verify caller IDs at scale? Stay tuned for more on that in the weeks to come!
Len Shneyder is a 15+ year email and digital messaging veteran and the VP of Industry Relations at Twilio SendGrid. He can be reached at lshneyder [at] twilio.com.