The name “STIR/SHAKEN” refers to a set of protocols and procedures designed to fight caller ID spoofing. On March 31st, the Federal Communications Commission (FCC) of the United States voted in favor of the implementation of these rules.
What is spoofing?
Spoofing means faking the identity of a website, a phone number or any other digital identifier (email address, IP address…). The practice is made easy by the lack of authentication in many of the application protocols built on top of the IP layer.
Why spoof a digital ID?
Spoofing can be used to steal sensitive information by pretending to be an authority or a trusted figure (by replicating a bank’s website, for example). But the practice is not always fraudulent: it can also be used to keep a person or a company anonymous.
Regarding telephony, this technique is mainly used by cold callers (telemarketers).
Combined with a tool that automates calls (robocaller), it forms the perfect combination for automated mass prospecting. By using a spoofed phone number, these unscrupulous companies ensure that they will not be called back.
Many U.S. companies outsource these telemarketing tasks to foreign contractors, most often in India. To increase their response rate, these companies hide behind American phone numbers.
The STIR/SHAKEN procedures have been developed to address this problem. The Federal Communications Commission has decided that the STIR/SHAKEN procedures should be implemented by June 2021 in the United States and September 2020 in Canada.
How does STIR/SHAKEN work?
STIR/SHAKEN is based on two sets of rules with a common objective: to build a system of digital certificates issued by certification authorities.
STIR, for Secure Telephony Identity Revisited, proposes a “grade” (A, B or C) indicating the security level of the calling number. This grade will appear alongside the number displayed on the receiving phone. It will be the responsibility of the telecom service provider to assign this grade, by cross-checking pre-established lists of numbers. The STIR system is based on a chain of trust: each operator becomes a certification authority validated by the others. Telephone numbers will then be assigned these grades, or digital certificates, as is already the case for websites whose identity is verified and confirmed by the Certificate Authorities. The difference lies in the rating system: websites are either verified or not verified, whereas phone numbers will receive an indicative grade:
- Grade A, the highest level of verification, designates a number whose identity is fully recognized by the operator: it has been able to identify the legal entity owning the number and the person attached to the telephone extension. To obtain this grade, a company (this clause applies mainly to call centers) will have to make public a number where it can be called back.
- Grade B means partial verification: the operator and the customer are known, but the identity of the person attached to the extension cannot be verified.
- Grade C indicates that the call comes from a known operator, but no information on the identity of the caller could be verified.
SHAKEN, for Signature-based Handling of Asserted information using toKENs, is the alternative for non-VoIP phones that cannot decrypt and display the authentication certificate. SHAKEN is also planned for the early days of STIR, when end-to-end verification will not yet be possible: not all operators will adopt the system at once, but minimal information about the call must still be transmitted.
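As an added illustration (not part of the original article, and not any operator's production code), here is the chain of trust described above reduced to a compact Go model. In real SHAKEN deployments the grade travels with the call as a signed JSON token called a PASSporT (RFC 8225, with the SHAKEN profile in RFC 8588) carried in a SIP Identity header: the originating operator signs it with the key behind its operator certificate, and the terminating operator verifies it before showing anything to the called party. The example uses only the Go standard library. Assumptions for illustration: the certificate check is reduced to a map from the certificate URL (x5u) to a public key, where a real verifier would fetch the certificate and validate its chain up to the policy administrator's root; the phone numbers and certificate URL are constructed values; and a 60-second freshness window on the signing time is assumed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Passport: claims of a SHAKEN PASSporT (RFC 8225/8588), the signed token sent in the SIP Identity header.
type Passport struct {
	Attest string `json:"attest"` // "A", "B" or "C": the grade described in the text
	Dest   struct {
		TN []string `json:"tn"`
	} `json:"dest"`
	Iat  int64 `json:"iat"` // signing time, seconds since the Unix epoch
	Orig struct {
		TN string `json:"tn"`
	} `json:"orig"`
}

var b64 = base64.RawURLEncoding

const MaxAge = 60 * time.Second // freshness window the verifier enforces on iat (assumed value)

// NewClaims builds the claims for one call from origTN to destTN placed at time at.
func NewClaims(attest, origTN, destTN string, at time.Time) (p Passport) {
	p.Attest, p.Iat, p.Orig.TN, p.Dest.TN = attest, at.Unix(), origTN, []string{destTN}
	return p
}

func decodeJSON(segment string, v interface{}) error {
	raw, err := b64.DecodeString(segment)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// SignPassport is the originating operator's step: having decided the grade, it signs the claims with its certificate key.
func SignPassport(key *ecdsa.PrivateKey, x5u string, claims Passport) (string, error) {
	h, _ := json.Marshal(map[string]string{"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u})
	p, _ := json.Marshal(claims)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256: r and s as two fixed 32-byte big-endian values
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyPassport is the terminating operator's step: trusted signer, valid signature, fresh, and matching the From number.
func VerifyPassport(token string, trusted map[string]*ecdsa.PublicKey, fromTN string, now time.Time) (Passport, error) {
	var claims, none Passport
	var h map[string]string
	parts := strings.Split(token, ".")
	if len(parts) != 3 || decodeJSON(parts[0], &h) != nil || h["alg"] != "ES256" || h["ppt"] != "shaken" {
		return none, errors.New("malformed token or unsupported header")
	}
	pub, ok := trusted[h["x5u"]] // chain of trust: only certificates we accept may sign calls
	if !ok {
		return none, errors.New("signer certificate not trusted")
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return none, errors.New("signature missing, malformed or not covering these claims")
	}
	if err := decodeJSON(parts[1], &claims); err != nil {
		return none, err
	}
	if age := now.Sub(time.Unix(claims.Iat, 0)); age < 0 || age > MaxAge {
		return none, errors.New("token stale or future-dated (replay suspected)")
	}
	if claims.Orig.TN != fromTN {
		return none, errors.New("signed number differs from the calling number")
	}
	return claims, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	x5u := "https://certs.operator-a.example/shaken.pem" // constructed certificate URL
	token, _ := SignPassport(key, x5u, NewClaims("B", "12125550123", "12025550143", time.Now()))
	got, err := VerifyPassport(token, map[string]*ecdsa.PublicKey{x5u: &key.PublicKey}, "12125550123", time.Now())
	fmt.Println("grade:", got.Attest, "error:", err)
}
```

Running it signs and verifies one call with grade B. The useful part is what the verifier refuses: a token whose grade was edited after signing, a token signed by a certificate outside the trusted set, a token older than the freshness window, and a token whose signed number differs from the number in the From header. In each of those cases the receiving phone shows no grade at all rather than a wrong one.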
STIR/SHAKEN implementation: a challenge for service providers
The implementation of the STIR/SHAKEN procedures is a challenge for the operators. Assigning these scores is a great responsibility and requires call-handling procedures to be reworked.
The correct operation of the system relies on the ability of the different operators to work together: this chain of trust can only be built if every operator is able to evaluate each number. Once the procedure has been adopted and mastered by a majority of operators, latecomers could see their communications fail: without a certificate transmitted beforehand, a third-party operator will be able to refuse to relay their SIP packets through its server.

In France, voice spam and ping calls are getting the attention of the authorities. These one-second calls from foreign country codes try to “phish” the recipient into calling back, at which point the calling number turns out to be a premium-rate number. The practice is becoming more and more insidious, hiding the premium-rate number behind an ordinary number starting with 01, 02 or 06. It is therefore highly likely that the STIR/SHAKEN procedures will inspire Europe in the near future.