Get ready to be STIRred and SHAKEN
- Fraud prevention
- 31 May 2021
If you read our blog post from a couple of months ago, you’re already familiar with STIR/SHAKEN — Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using toKENs (SHAKEN). They’re technical frameworks that fight call spoofing by authenticating the calling number.
The US Federal Communications Commission (FCC) has directed carriers to implement STIR/SHAKEN by June 30, 2021. Plivo will be ready; we’re already running a successful pilot program.
When we roll out STIR/SHAKEN support for inbound calls, we’ll validate attestation of calls to Plivo DIDs and toll-free numbers in the US, irrespective of whether they’re used for Voice or Zentrunk. For calls through the Voice API, we’ll pass the STIR/SHAKEN verification level as part of webhook requests to various URLs — answer_url, fallback_url, hangup_url, etc. For both Voice and Zentrunk calls, we’ll also show verification levels on the Plivo console and in Call Detail Reports.
Going in the other direction, we’ll sign all Voice and Zentrunk outbound calls to the US — unless a customer violates the rules:
- The calls breach the Plivo Fair Usage Policy.
- The calls are identified as unsolicited robocalls.
- Plivo gets a traceback request from the Industry Traceback Group about calls made by the customer.
- The calls have invalid caller IDs — for instance, if they don’t adhere to E.164 format or have too many digits.
In these scenarios, Plivo may stop signing all calls initiated by the customer. That could lead to lower answer rates, because calls won’t be marked as Verified. Worst case, they could be marked as spam by receiving networks.
Verification levels for outbound calls
In the STIR/SHAKEN framework, a secure telephony identity (STI) governance authority issues digital certificates. STIR/SHAKEN defines three attestation levels that an STI authentication service can assign; each represents how confident the service provider is that the number’s owner is truly the one placing the call.
Plivo will sign outbound calls as Verified (attestation A) for calls that use a Plivo DID as caller ID. The DID used should be rented by the same Plivo account that originates the outbound calls. All other outbound calls, assuming they are signed at all, are signed Not Verified (attestation B or C).
We strongly encourage customers to use Plivo DIDs as caller ID to improve their STIR/SHAKEN verification levels.
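A pre-flight check that applies the outbound rules above before a call is placed; this is an added example, not Plivo code. The function names, the "Invalid Caller ID" label and the sample numbers are assumptions, and "Not Verified" presumes the call is signed at all.

```python
import re

# E.164: "+", then at most 15 digits, first digit non-zero.
E164_RE = re.compile(r"^\+[1-9]\d{1,14}$")
# Assumption: every +1 NANP number counts as "US". NANP also covers Canada
# and several Caribbean countries, so a production check needs an NPA lookup.
NANP_RE = re.compile(r"^\+1[2-9]\d{2}[2-9]\d{6}$")


def normalize(number):
    """Drop visual separators only; a missing '+' is not repaired."""
    return re.sub(r"[\s().-]", "", number)


def predict_stir_status(caller_id, destination, rented_dids):
    """Return (status, reason) expected for an outbound call.

    "Invalid Caller ID" is a label made up for this example; the other
    three statuses are the ones the article defines.
    """
    src, dst = normalize(caller_id), normalize(destination)
    if not E164_RE.match(src):
        return "Invalid Caller ID", "not E.164 or too many digits"
    if not NANP_RE.match(dst):
        return "Not Applicable", "destination is not a US number"
    if src in {normalize(d) for d in rented_dids}:
        return "Verified", "caller ID is a DID rented by this account (A)"
    return "Not Verified", "caller ID is not this account's DID (B or C)"


# Constructed sample data: fictional 555 numbers.
ACCOUNT_DIDS = {"+14155550100"}

if __name__ == "__main__":
    for cid, dst in [("+1 (415) 555-0100", "+12125550123"),
                     ("+14155550199", "+12125550123"),
                     ("4155550100", "+12125550123"),
                     ("+14155550100", "sip:alice@example.com")]:
        print(cid, "->", dst, predict_stir_status(cid, dst, ACCOUNT_DIDS))
```

Running it over a caller-ID inventory before a campaign shows which numbers would go out as Not Verified and which are malformed enough to put signing at risk.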
How verification status maps to STIR attestations
For both outbound and inbound Voice API calls, Plivo will display the verification status of a call as a parameter called Stir Verification, which can have one of three values:
- Verified means the call is from a Verified caller who has authorized access to the customer’s caller ID, and hence should be treated with confidence. Verified is equivalent to attestation level A.
- Not Verified means that, for this call, either the caller is not Verified, or it’s uncertain whether they have access to the caller ID used, or both. Not Verified means the call received attestation level B or C.
- Not Applicable means STIR/SHAKEN doesn’t apply to this call, as would be the case if a call is not addressed to a US number or if it’s a cloud call (WebRTC or SIP).
How to access verification status
Voice and Zentrunk customers have several ways to access STIR verification statuses.
Plivo Voice customers can access verification values on the Voice > Calls page of the console as part of call logs, as part of CDR exports, and via Voice APIs in several ways:
We’ve added a new STIRVerification parameter as part of status update JSON code sent to these callback URLs:
We’ve also added the parameter as part of call_status_callback_url for multiparty call events:
Possible values: “Not Applicable”
Event: Ringing, Answered, or Hangup
Possible values: Value of the Stir_Verification parameter of CallUUID
Voice API Call Object
You can also access STIR verification as part of the response of the Get CDR API call:
Zentrunk customers will be able to see STIR verification values in several ways:
On the Zentrunk > Logs page as part of Call Detail Records (CDR).
Custom SIP header
As part of a new SIP header:
Zentrunk customers can also use the SIP verstat parameter as part of the P-Asserted-ID header:
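An added example, not Plivo's own sample, of reading verstat on the receiving PBX from the header named above (P-Asserted-Identity on the wire, RFC 3325). Because verstat is unsigned header text, it is honoured only when the INVITE came from a trusted trunk address; the header value, IP addresses and function names are constructed, and this page does not state how verstat values map to Verified / Not Verified.

```python
import re

# verstat values defined in 3GPP TS 24.229.
KNOWN_VERSTAT = {"TN-Validation-Passed", "TN-Validation-Failed", "No-TN-Validation"}


def parse_verstat(pai_value):
    """Return (number, verstat) from one P-Asserted-Identity header value.

    verstat is None when absent, duplicated, or the URI has no user part.
    """
    m = re.search(r"<([^>]+)>", pai_value)
    uri = (m.group(1) if m else pai_value).strip()
    scheme, _, rest = uri.partition(":")
    scheme = scheme.lower()
    if scheme in ("sip", "sips"):
        if "@" not in rest:
            return None, None          # host-only URI: no telephone number
        rest = rest.split("@", 1)[0]   # verstat lives in the user part
    elif scheme != "tel":
        return None, None
    number, *params = rest.split(";")
    values = [v for k, _, v in (p.partition("=") for p in params)
              if k.lower() == "verstat"]
    return number, (values[0] if len(values) == 1 else None)


def caller_trust(pai_value, source_ip, trusted_trunk_ips):
    """Classify a call; verstat counts only if the trunk itself is trusted."""
    number, verstat = parse_verstat(pai_value)
    if source_ip not in trusted_trunk_ips:
        return number, "untrusted-source"   # header is unsigned text
    if verstat not in KNOWN_VERSTAT:
        return number, "no-verstat"
    return number, verstat


# Constructed sample values (documentation IP range, fictional 555 number).
SAMPLE_PAI = '"Alice" <sip:+14155550100;verstat=TN-Validation-Passed@203.0.113.10;user=phone>'
TRUNK_IPS = {"203.0.113.10"}

if __name__ == "__main__":
    print(caller_trust(SAMPLE_PAI, "203.0.113.10", TRUNK_IPS))
    print(caller_trust(SAMPLE_PAI, "198.51.100.7", TRUNK_IPS))
```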
Upcoming attestation refinements
Soon, Plivo will start taking into consideration more factors to determine the attestation level for outbound calls, including (but not limited to):
- Results of Know Your Customer (KYC) validation, a feature coming to the Plivo console and API in the near future.
- Customers’ own DIDs sourced from other providers and whitelisted with Plivo. We plan to enable whitelisting through the Plivo console and the API in the near future.
- The confidence Plivo has in customer traffic patterns not constituting fraudulent and unsolicited robocall traffic.
Looking forward to less spoofing
We believe STIR/SHAKEN will have a big impact in preventing caller ID spoofing and containing unsolicited robocalls, and we’re excited to join the fight. Talk to a Plivo expert for help getting started.