Robocalls and spam have reached an inflection point. Until recently, consumers were practically defenseless against calls from scammers. Caller ID spoofing, whereby a caller dupes a caller ID display to disguise their identity, is not illegal. And contrary to common belief, the National Do Not Call Registry only helps reduce the number of legal calls that people get from legal marketing firms. Bad actors exploit caller ID spoofing, most often in the form of neighbor spoofing, which displays incoming calls as though they’re coming from a local number. The net effect? Consumers have a general mistrust of the phone calls they receive, asking themselves, “Is this call actually coming from a real person?”
Why are robocalls on the rise?
Phone spam exploded thanks to two things. First, Voice over Internet Protocol (VoIP) makes international calls, using services like Skype or Google Voice, free or close to it. On top of that, open-source software lets a single computer connected to the internet make thousands of calls an hour. VoIP providers can set a unique Caller ID number for each call that passes through their gateway, even if all the calls are coming from one party. Second, spoofing a phone number is now easier than ever.
Thankfully, the call for consumer protection against robocalls was recently answered. First, 2019 saw the U.S. Federal Communications Commission (FCC) propose a rule allowing phone companies to block robocalls before consumers receive them. Second, the nation’s first federal anti-robocall law was passed, the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act, which requires all telecom carriers to add an authentication system to ensure an incoming call is real.
What is SHAKEN/STIR?
Secure Handling of Asserted information using toKENs (SHAKEN) and Secure Telephone Identity Revisited (STIR) are telecom industry protocols that enable service providers to indicate when fraud is occurring. STIR refers to telephone identity standards that the phone industry follows, while SHAKEN refers to a token-based signature system (more on that below). SHAKEN/STIR implementation only started in 2019, which is perhaps why it’s no surprise that, in the U.S. alone, 58 billion robocalls were placed in 2019.
How does SHAKEN/STIR work?
When a call is placed, the originating call provider, let’s say Verizon in this case, receives the call parameters (the from and to telephone numbers) and then uses a signing service to sign the call (for more information on Public Key Encryption check out this blog). The call is now signed with Verizon’s private key, meaning Verizon is standing behind the origin of this call and its parameters. The receiving network, AT&T in this example, fetches Verizon’s public key and verifies, through a certificate authority, that the call and associated parameters are valid. SHAKEN/STIR introduces the Secure Telephony Identity Policy Administrator (STI-PA). The STI-PA is responsible for selecting the certificate authorities and for providing a Service Provider Code token to service providers so they can acquire private keys for signing calls and public keys for verifying calls. Once AT&T has the public certificate from Verizon, it can verify calls and assert that the owner of the phone number is the one placing the call through a visual display, such as a green checkmark on Comcast Xfinity VoIP phones or with “Caller Verified” as seen on Android.
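The sign-then-verify exchange described above, as an added Go example that is not from the original article or from any carrier's implementation: the originating side signs the from and to numbers, and the terminating side rejects a call whose numbers differ from the signed ones. Assumptions: the token layout, the names `Claims`, `SignCall`, `VerifyCall` and `demoKey`, the 60-second freshness window, and a locally generated key in place of a certificate fetched through a certificate authority; the phone numbers are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims is a simplified, assumed stand-in for the signed call parameters (Iat: Unix seconds).
type Claims struct{ From, To string; Iat int64 }

var demoKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed throwaway key

// SignCall: the originating provider signs the call parameters with its private key.
func SignCall(key *ecdsa.PrivateKey, c Claims) (string, error) {
	body, _ := json.Marshal(c)
	msg := base64.RawURLEncoding.EncodeToString(body)
	h := sha256.Sum256([]byte(msg))
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	return msg + "." + base64.RawURLEncoding.EncodeToString(sig), err
}

// VerifyCall: the terminating provider checks the signature, then the signed numbers.
func VerifyCall(pub *ecdsa.PublicKey, token, from, to string, now int64) error {
	msg, sigB64, _ := strings.Cut(token, ".")
	sig, _ := base64.RawURLEncoding.DecodeString(sigB64)
	h := sha256.Sum256([]byte(msg))
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("bad signature")
	}
	var c Claims
	body, _ := base64.RawURLEncoding.DecodeString(msg)
	if json.Unmarshal(body, &c) != nil || c.From != from || c.To != to {
		return fmt.Errorf("signed numbers do not match this call")
	}
	if now-c.Iat > 60 || c.Iat-now > 60 { // assumed freshness window against replay
		return fmt.Errorf("stale token")
	}
	return nil
}

func main() {
	tok, _ := SignCall(demoKey, Claims{"+12025550101", "+12025550199", 1700000000})
	fmt.Println(VerifyCall(&demoKey.PublicKey, tok, "+12025550142", "+12025550199", 1700000005))
}
```

A valid signature alone is not enough: the verifier also has to bind the signed numbers to the call that actually arrived, which is why the mismatched From number above is rejected.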
What does SHAKEN/STIR mean for business?
Unchecked call spoofing is dually problematic for brands. If customers don’t trust who is calling, they won’t answer. Research shows three of every four calls go unanswered if the recipient doesn’t know who’s calling, and companies waste money and time if their calls are ignored. To ensure your company’s calls are getting through to customers, it’s important to understand what your carriers can offer. T-Mobile, AT&T, and Comcast are all rolling out implementations of SHAKEN/STIR, assuring customers with call authentication that the calls made and received across their networks aren't from a scammer spoofing a number. There’s now even technology that provides caller ID detailing not just exactly who is calling, but also why they’re calling.