What is STIR/SHAKEN?
Spam and illegal robocalls are a significant problem for communications companies trying to protect the privacy of their customers. In 2019, phone calls were the most common way scammers got in contact with their victims.
The Federal Communications Commission has been working to educate the public about these unwanted calls, but with mixed success.
However, a communications solution was developed to help combat the abuse. It’s called STIR/SHAKEN — a set of standards to assist communication service providers in preventing unwanted and spoofed calls from connecting with their desired endpoint.
So, why is STIR/SHAKEN quickly becoming the go-to solution for service providers looking to improve the customer experience?
What does STIR/SHAKEN mean?
More and more bad actors are using technology to mask or spoof their real phone number to trick people into answering the phone and revealing personal details. The Federal Communications Commission’s (FCC’s) definition describes STIR/SHAKEN as a “framework of interconnected standards.”
STIR stands for Secure Telephone Identity Revisited and SHAKEN stands for Secure Handling of Asserted information using toKENs. Together they’re authentication standards, allowing for verification that calls come from a real caller ID instead of a spoofed or faked caller ID. Call spoofing refers to changing the calling party number (CPN, or the “from” number) on a call so that calls back reach a different location than the actual caller. It is important to note that neither of these activities is illegal. Some companies use the technology to send messages about appointment reminders, school closures, prescription reminders, and so on. The purpose of STIR/SHAKEN is to help mitigate spoofed robocalls and, in turn, build consumers’ trust so they’re confident incoming calls will be legitimate.
How does STIR/SHAKEN work?
STIR/SHAKEN assists service providers in combating robocalls and call spoofing on VoIP networks. It allows the service providers to place a digital signature on calls as they originate on their network, which “attests” to the provider’s confidence the call is being placed from someone with the right to use the number.
This digital signature remains on the call as it travels over other carrier networks until it reaches its destination. Once the destination is reached, the terminating carrier can examine the digital signature to determine who the originating service provider is and their confidence about the caller’s right to send from that CPN.
To put this protocol into perspective, let’s take a look at an example call path using STIR/SHAKEN standards.
A SIP INVITE is sent to the telephone service provider of the calling party.
This telephone service provider authenticates the validity of the calling number. Three levels of “attestation” can be awarded to the calling party:
- Full attestation. The service provider can identify the caller and confirm the caller has permission to use the calling number.
- Partial attestation. The service provider can identify the caller but does not know if they have permission to use the number.
- Gateway attestation. The service provider can neither identify the caller nor tell whether the caller has permission to use the number.
After the attestation process, the telephone service provider will create a SIP identity header. This header contains the following information about the incoming call:
- Calling number
- Called number
- Attestation level
- Origination identifier
- Digital signature
This SIP identity header is transferred with a SIP INVITE to the recipient telephone service provider. The SIP INVITE and SIP identity header are then passed along the call path until they reach the terminating service provider, which finalizes the verification. The verification service obtains the digital certificate of the originating telephone service provider.
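The claim checks a terminating provider can run on the identity header before verifying the signature, as an added example that is not code from the original page. It assumes the header carries a PASSporT token as defined in RFC 8224/8225 with the SHAKEN claims of RFC 8588, which the page does not spell out; the phone numbers, certificate URL, origination identifier and 60-second freshness window are constructed, and verifying the signature against the fetched certificate is left out.

```python
import base64, json

ATTEST = {"A": "full", "B": "partial", "C": "gateway"}
CERT = "https://cert.example.org/sp.pem"  # hypothetical certificate URL

def _b64(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample, not a real call; the third segment is a placeholder,
# not a valid ES256 signature.
SAMPLE = ".".join([
    _b64({"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": CERT}),
    _b64({"attest": "A", "dest": {"tn": ["12155550113"]}, "iat": 1700000000,
          "orig": {"tn": "12155550112"},
          "origid": "123e4567-e89b-12d3-a456-426655440000"}),
    "c2lnbmF0dXJl",
]) + f";info=<{CERT}>;alg=ES256;ppt=shaken"

def b64url_json(part):
    """Decode one base64url token segment (padding restored) into a dict."""
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def parse_identity(value):
    """Split an Identity header value into token header, claims and parameters."""
    token, *params = [p.strip() for p in value.split(";")]
    header_b64, payload_b64, _signature = token.split(".")
    info = dict(p.split("=", 1) for p in params)
    return b64url_json(header_b64), b64url_json(payload_b64), info

def check_claims(value, from_tn, to_tn, now, max_age=60):
    """Return (attestation level, problems) by comparing claims to the INVITE."""
    header, claims, info = parse_identity(value)
    x5u = header.get("x5u", "")
    checks = [
        (header.get("alg") == "ES256" and header.get("ppt") == "shaken",
         "unexpected alg/ppt"),
        (x5u.startswith("https://"), "x5u is not an https URL"),
        (info.get("info", "").strip("<>") == x5u, "info parameter differs from x5u"),
        (claims.get("attest") in ATTEST, "unknown attestation level"),
        (claims.get("orig", {}).get("tn") == from_tn,
         "orig tn does not match calling number"),
        (to_tn in claims.get("dest", {}).get("tn", []),
         "dest tn does not match called number"),
        (abs(now - claims.get("iat", 0)) <= max_age, "iat outside freshness window"),
        (bool(claims.get("origid")), "missing origid"),
    ]
    return ATTEST.get(claims.get("attest")), [msg for ok, msg in checks if not ok]
```

A header that passes these checks still has to have its signature verified against the originating provider's certificate before the attestation level is trusted.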
Important terms to know for STIR/SHAKEN
Internet protocol (IP)
IP refers to the way the Internet works. In telephony communications, IP is used in VoIP systems, where calls and networks are run over the Internet.
Caller ID spoofing
Caller ID spoofing is the practice of deliberately changing the caller ID information transmitted to a call recipient. Fraudulent callers can use this technology to alter the way their number appears on your phone screen when they call. This type of spoofing can deceive recipients into thinking they are speaking to a trustworthy company or third party.
Calling party
The person or organization making a phone call.
Called party
The person on the receiving end of a phone call.
SIP
SIP stands for Session Initiation Protocol. In telephone technology, it's the protocol allowing a phone call ‘session’ to initiate and run between users.
INVITE
INVITE is a method used in SIP technology defining the action the calling party is requesting the called party to take. The request is the basis of all SIP calls. The INVITE request will contain several header fields that provide important information allowing the call to go through.
SIP identity header
In the SIP INVITE, this header identifies the calling party.
Origination or inbound calling
The call origination simply refers to the point where the call begins.
Termination or outbound calling
In the flow of a call, termination is the point when the call is received. You need both origination and termination technology to make and receive calls on a device.
Telephone service provider
As you would expect, a telephone service provider is simply the company that provides phone services. There are three main types:
- Landline telephone providers
- Mobile network operators
- VoIP providers
The FCC has been working for several years to encourage all private telephone service providers to use advanced authentication technology. In the U.S. and Canada, legislation has been put in place to ensure the FCC is successful.
The FCC initiated its campaign for the introduction of STIR/SHAKEN in 2017 in response to the general public’s outcry against the rising number of spoofed robocalls. Since then, several pieces of legislation have been implemented to encourage telephone service providers to use authentication technology.
In the United States, the TRACED Act of 2019 raised the fines the FCC can impose on robocalls. The Act also marked the beginning of a task force encouraging service providers to implement a system like STIR/SHAKEN for the safety of their customers.
In Canada, the CRTC 2018-32 required all service providers to use some method of caller ID verification by March of 2019. The STIR/SHAKEN framework is cited as the preferred method in this order.
The FCC continues to take steps to improve the experience of phone users. In March of 2020, the FCC announced a new set of rules requiring all originating and terminating voice service providers to use STIR/SHAKEN standards in their IP networks by June 30, 2021.
Learn more about STIR/SHAKEN
The STIR/SHAKEN standards framework has the potential to help protect the average user from spam and robocalls.
Spoofed phone calls can be incredibly dangerous. It’s not uncommon for the average user to fall for money or identity fraud scams from spoofed numbers pretending to be the IRS and other trusted government bodies and companies.
These standards ensure incoming calls are authenticated before the call is delivered. This way, people are alerted to suspect calls, or the calls are intercepted before they come through. For the safety and security of private organizations and the general public, STIR/SHAKEN implementation is essential and mandatory for any provider carrying voice traffic.
Are you interested in learning more about STIR/SHAKEN? Get in touch with a member of the Sinch team to see how our solutions can improve the way you protect your customers’ privacy.