SHAKEN/STIR: What It Is
SHAKEN (Signature-based Handling of Asserted information using toKENs)/STIR (Secure Telephone Identity Revisited) is a framework designed to assign a certificate of authenticity to each phone call for use across the telco network. These certificates will act as a digital signature of trust passed from carrier to carrier. Through the implementation of this framework, it will become possible to identify the originating carrier of a call terminating on a consumer’s device. The absence of this technology in the past is what has allowed illegal robocallers to represent themselves as someone they’re not by illegally spoofing or hiding behind a falsely presented telephone number.
In layman’s terms, SHAKEN/STIR is a framework that can be used to verify the point of origination of a call in order to provide the ability to trace back to this origination should illegal activity be discovered in relation to a phone number’s usage.
SHAKEN/STIR: What It Is Not
Now onto what SHAKEN/STIR is not. While it is a tool to help identify bad actors, it is not a tool to eliminate illegal robocalls altogether. It is not a silver bullet, and it cannot help determine whether the intent of an incoming call is legitimate or illegitimate.
What this means is that SHAKEN/STIR will validate that an incoming call is originating from a real phone number, the number is not being illegally spoofed, and the originating calling party is authorized to use the incoming phone number. However, this framework does not have the ability to ‘weigh-in’ on whether or not the content of the call itself is potentially malicious or unwanted.
To put it another way, once SHAKEN/STIR is implemented, an authenticated incoming call arriving at a device (the exact presentation of SHAKEN/STIR authenticated calls is still a work in progress) means that the call originated from a real number that the caller is authorized to use. It gives no indication of whether the user can trust the caller to be someone they want to speak to, or whether they are calling for a legitimate business purpose. Another layer is needed on top of SHAKEN/STIR call authentication in order to deliver this trust, which, in the industry, is referred to as attestation.
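To make the scope described above concrete, here is an added example (not from this article or any carrier's code) of the claim checks a terminating provider can run on a SHAKEN PASSporT, the signed token defined in RFC 8225 and RFC 8588 that carries a call's identity. The token, phone numbers, certificate URL and 60-second freshness window are constructed for illustration, and the ES256 signature check against the certificate named in `x5u` is left out. Every claim concerns the number and who signed for it; none describes the content or intent of the call.

```python
import base64
import json

def b64url_decode(seg):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_passport(token, caller_tn, called_tn, now, max_age=60):
    """Claim checks only (no signature check). Returns failure reasons; [] = pass."""
    try:
        h64, p64, _sig = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
        alg, ppt, x5u = header["alg"], header["ppt"], header["x5u"]
        orig_tn = claims["orig"]["tn"]
        dest_ok = called_tn in list(claims["dest"]["tn"])
        age = abs(now - claims["iat"])
    except (ValueError, KeyError, TypeError):
        return ["malformed PASSporT"]
    reasons = []
    if (alg, ppt) != ("ES256", "shaken"):
        reasons.append("not an ES256 'shaken' PASSporT")
    if not x5u:
        reasons.append("no signing certificate URL (x5u)")
    if claims.get("attest") not in ("A", "B", "C"):
        reasons.append("bad attest level")
    if not claims.get("origid"):
        reasons.append("missing origid")
    if orig_tn != caller_tn:
        reasons.append("orig.tn does not match signalled caller ID")
    if not dest_ok:
        reasons.append("dest.tn does not match called number")
    if age > max_age:  # 60 s window is this example's assumption
        reasons.append("iat outside freshness window")
    return reasons

SAMPLE_IAT = 1700000000  # constructed timestamp

def sample_token():
    # Constructed sample: fictional numbers, placeholder URL and signature.
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.org/sp.pem"}
    claims = {"attest": "A", "dest": {"tn": ["12025550123"]}, "iat": SAMPLE_IAT,
              "orig": {"tn": "12025550100"},
              "origid": "123e4567-e89b-12d3-a456-426614174000"}
    return ".".join([b64url_encode(header), b64url_encode(claims),
                     "constructed-placeholder-signature"])
```
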
SHAKEN/STIR: What It Seeks to Accomplish
For a view on how this will affect the call delivery ecosystem, some of the intended outcomes of SHAKEN/STIR deployment are as follows:
- To address the security of the use of a telephone number for the person or entity who is legitimately associated with it
- To provide a technical framework that supports policy and enforcement goals
- To provide an additional data point to improve the relevance and accuracy of call labeling and identification analytics
As of this July, Vonage, T-Mobile, Verizon, Bandwidth, AT&T, and Comcast have all confirmed that their organizations are in various stages of successful, active deployment. Ongoing testing will continue as SHAKEN/STIR ‘signed’ (originating source validated) traffic continues to be successfully ‘passed’ from service provider to service provider.
FCC Chairman Pai recently released a statement on August 14 addressing the progress made by AT&T and T-Mobile in their efforts toward SHAKEN/STIR implementation. We expect additional announcements from the other Tier 1 carriers to follow; SHAKEN/STIR deployment continues to receive wide support.
Illegal Spoofing vs. Legal Spoofing
As ‘call spoofing’ was identified as the tactic SHAKEN/STIR seeks largely to combat, we wanted to take a moment and provide clarification around illegal spoofing vs. legal spoofing.
Call spoofing is used by a number of legal businesses for legitimate calling purposes as a means to present geographically familiar phone numbers to their consumers. Legal call spoofing will not be interrupted or negatively impacted by SHAKEN/STIR. Organizations using this tool for legitimate business reasons may continue to do so. (In other words, if you are using RCIs, this is outside the purview of SHAKEN/STIR.)
As call spoofing is a tool used by both legal and illegal callers, removing the ability for illegal callers to exploit this tool will reduce a large volume of illegal robocall traffic. However, call spoofing is not the only tool bad actors use, so SHAKEN/STIR will not provide a solution to thwarting all types of illegal call traffic.
Is There Anything I Need to Do?
Implementing the SHAKEN/STIR protocol is the responsibility of carriers and service providers, not the responsibility of an enterprise call originator. As you engage with your originating carrier or telco provider, one thing you can do is ask your service provider what they are doing to ensure your calls will be properly signed, attested, and passed to other terminating carriers once SHAKEN/STIR has been deployed.
As the industry continues to work toward a solution to stop illegal robocalls while allowing legal, wanted calls to get through, Numeracle provides a path to proactively identify a call originator as a trusted, legal caller in order to improve the likelihood of your calls being properly delivered and answered. We are working in parallel with the implementation of SHAKEN/STIR across the carrier network to apply trust to a call originator’s phone numbers to improve accurate call presentation both today and in a world post-SHAKEN/STIR.