STIR/SHAKEN: Everything You Need to Know

The number of unwanted and illegal robocalls in the US continues to rise. According to YouMail, Americans were hit by just under 46 billion robocalls in 2020, with about 40% of those calls thought to be fraud-related. And as annoying as these calls are for people who receive them, they’re even more detrimental for businesses that are trying to reach people with pertinent information. Many of these robocalls use caller ID spoofing to make recipients think they might know the caller. Caller ID spoofing hurts legitimate businesses by making call recipients less likely to pick up any calls.

While telephony was historically highly regulated, technical innovations such as computerized dialers and inexpensive IP-based calling on the Public Telephone Network have turned robocalling into an everyday nuisance. As a result, the US agency in charge of protecting consumers from communication scams, the Federal Communications Commission (FCC), has directed carriers to implement robust call authentication by adopting the STIR/SHAKEN standards by June 30, 2021.

What is STIR/SHAKEN?

STIR/SHAKEN are acronyms for the Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using toKENs (SHAKEN) standards. They’re technical frameworks that measure trust in the displayed caller name and number by authenticating the calling number. Together they work in a way similar to attesting to the identity of the caller with a digital certificate. In the STIR/SHAKEN framework, a secure telephony identity (STI) governance authority issues digital certificates to carriers, or others who own or are assigned dedicated telephone numbers. The private key associated with a digital certificate is then used to sign a VoIP call, thereby asserting that the calling party is who it claims to be.

Attestation provides the mechanism for carriers to communicate about a calling phone number’s legitimacy. There are three attestation levels that can be assigned by an STI authentication service, which represent how confident a service provider is that the number’s owner is truly the one placing the call. A service provider is defined as a business that offers digital telecommunications services based on Voice over Internet Protocol (VoIP) that are provisioned via the Internet.

Full attestation (A) — the service provider has authenticated its relationship with the customer making the call and the customer is authorized to use the calling number.

Partial attestation (B) — the service provider has authenticated its relationship with the customer making the call, but cannot verify that the customer is authorized to use the calling number.

Gateway attestation (C) — the service provider has authenticated that it has placed the call on its network, but has no relationship with the originator of the call (for example, a call received from an international gateway).

When someone receives an authenticated call, they may be notified with a verification keyword or symbol on the incoming call display. If a call cannot be verified (attestation C or no attestation), it may be blocked or the consumer may be warned on their caller ID screen of a potential scam call. The purpose of notifications is to allow people who receive calls to decide whether they wish to answer, ignore, or block a number. 

If you’re a business, these changes should help you feel more empowered and increase the chances of your calls being answered by recipients. Businesses that implement STIR/SHAKEN themselves (typically within a private cloud environment) will be held accountable with near-instant traceback by regulatory groups and law enforcement if STIR/SHAKEN is abused. This includes faking attestation levels. 

If you’re a direct customer of Plivo’s, we will start signing calls with the STIR/SHAKEN protocol on your behalf.

What is Plivo’s plan for STIR/SHAKEN?

Plivo is working on an authentication process to comply with the STIR/SHAKEN protocol, and we expect to have it completed well before the June 30 deadline; we’re already testing calls. This means that we’ll be able to: 

  1. Sign outgoing calls on customers’ behalf and ensure their calls get the right attestation so that call recipients feel confident in answering them.
  2. Validate the attestation levels on all incoming calls received on the Plivo platform and provide customers with the necessary information so that they and their end users can decide whether to answer the calls or not.

To ensure the right level of attestation, in the coming weeks, our customers can submit their business information and the phone numbers they own and use as caller IDs to Plivo so they can be verified. We’ll determine the appropriate level of attestation depending on the results of the verification and thus the level of confidence Plivo has in the caller ID used on an outgoing call. We recommend that all Plivo customers who use a VoIP phone system register these details as soon as we’re able to receive them in the Plivo Console, in order to comply with the June 30th deadline.

Plivo’s compliance operations team is working to make this process as seamless as possible for our customers. We believe that STIR/SHAKEN is crucial in preventing illegal or deceptive behavior like caller ID spoofing, and we’re excited to join the fight against unwanted robocalls. 
