STIR/SHAKEN 2020: Answering the Call from Legitimate Companies
To protect themselves from fraudulent callers, most consumers simply don’t answer the phone if they aren’t certain who’s calling. It’s a big (and growing) problem for legitimate businesses, who find themselves unable to contact customers by phone to relay important or sensitive information.
The issue has been, and remains, a top consumer protection priority of the Federal Communications Commission (FCC). The FCC wants to make sure that self-verified, or so-called “signed,” callers can identify themselves to consumers as such. To specifically address unsigned caller ID spoofing, the FCC in 2018 directed carriers to implement robust call authentication by adopting the STIR/SHAKEN standards. Through the end of 2019, all the big carriers, from T-Mobile to AT&T to Comcast and more, spent the intervening months playing nicely in the sandbox, developing and testing interoperability protocols in line with these standards. Looking into 2020, what does all this mean for legitimate businesses and the partners who may call consumers on their behalf?
Trust is the name of the game
The FCC’s efforts are a combination of tech, protocols and enforcement guidelines intended to make picking up the phone an action consumers can trust again. STIR (Secure Telephony Identity Revisited) is a set of technical standards developed by the Internet Engineering Task Force (IETF) to certify the identity of originating calls, and SHAKEN (Signature-based Handling of Asserted information using toKENs) is a framework developed by the Alliance for Telecommunications Industry Solutions (ATIS) that focuses on the implementation of STIR within IP-based service provider networks.
Legit robo and spoofed calls do exist
Along the way in this discourse, certain words got quite dirty and need to be cleaned up. Robocalling is the programmatic origination of calls, usually in high volume, which can deliver either a recorded message or a live person on the line. Legal robocalls are used for quickly getting out important messages such as school closures or weather alerts. Call spoofing is when a call originator changes the calling number in order to hide or control which calling number is shown on the call display. Legal uses of spoofing include presenting a main callback number for call centers or customer support, and keeping an individual number private, for example when a doctor or therapist contacts a patient from their private phone. However, some bad actors use spoofing to avoid detection or to trick users into picking up calls that are not legitimate. Currently, the illegal calls causing a big problem in the U.S. often combine automated dialing with spoofing, with the specific intent to defraud consumers in some way.
STIR/SHAKEN’s perfect cocktail
STIR/SHAKEN brings together the security that keeps e-commerce safe on the Internet with telephone security that provides a way of knowing whether a caller has the right to use a given telephone number. The most proven way to ‘attest’ to an identity on the Internet is with a digital certificate. In the STIR/SHAKEN framework, digital certificates are first issued to carriers, or others who own or are assigned dedicated telephone numbers. The private key associated with a digital certificate is then used to sign a VoIP call, thereby indicating that the calling party number has been properly attested. Calling numbers that cannot be verified by terminating carriers are ones that may have been spoofed.
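As an added illustration (not code from the original article): the signed object in SHAKEN is a PASSporT token (RFC 8225 with the `shaken` extension of RFC 8588) carried in the SIP Identity header, and the code below runs the claim checks a terminating carrier applies to it. The phone numbers, certificate URL, `origid` and the 60-second freshness window are constructed or assumed values, and verifying the ES256 signature against the certificate at `x5u` is a separate step that this example does not perform.

```python
import base64, json

MAX_AGE = 60  # seconds an "iat" stays fresh (assumed local policy)
ATTEST = {"A": "full attestation", "B": "partial attestation",
          "C": "gateway attestation"}

def enc(obj):
    raw = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def dec(seg):
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def check_passport(token, sip_from, sip_to, now):
    """Claim checks only; the ES256 signature is verified separately."""
    try:
        h, p, _sig = token.split(".")
        hdr, cl = dec(h), dec(p)
        alg, ppt, typ, x5u = (hdr[k] for k in ("alg", "ppt", "typ", "x5u"))
        orig, dest = cl["orig"]["tn"], cl["dest"]["tn"]
        attest, iat, origid = cl["attest"], int(cl["iat"]), cl["origid"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed token"
    if (alg, ppt, typ) != ("ES256", "shaken", "passport"):
        return False, "not a SHAKEN PASSporT"
    if not str(x5u).startswith("https://"):
        return False, "x5u must be an https URL"
    if attest not in ATTEST:
        return False, "unknown attestation level"
    if orig != sip_from:  # signed number must equal the number displayed
        return False, "orig.tn differs from the SIP caller number"
    if sip_to not in dest:  # token was issued for a different callee
        return False, "called number not in dest.tn"
    if abs(now - iat) > MAX_AGE:  # old tokens may be replayed
        return False, "stale iat (possible replay)"
    # x5u names the signing carrier's certificate; origid supports traceback
    return True, {"attest": attest, "signer_cert": x5u, "origid": origid}

# Constructed sample: numbers, URL and origid are made up, and the third
# segment is a placeholder rather than a real signature.
NOW = 1577880000
SAMPLE = ".".join([
    enc({"alg": "ES256", "ppt": "shaken", "typ": "passport",
         "x5u": "https://certs.example.net/sp.pem"}),
    enc({"attest": "A", "dest": {"tn": ["12025550142"]}, "iat": NOW - 5,
         "orig": {"tn": "12025550101"},
         "origid": "00000000-0000-4000-8000-000000000001"}),
    "c2lnbmF0dXJl"])
```

A call whose displayed number differs from the signed `orig.tn`, or whose token is older than the freshness window, fails these checks even when the signature itself is valid.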
That local number trick? Its days are numbered
‘Neighbor spoofing’ is used to make it look like a call is from a local number. While most neighbor spoofing results from caller ID spoofing, some more sophisticated illegal robocallers do acquire legitimate numbers for this purpose. What STIR/SHAKEN adds in this case is a new layer of accountability. Currently, there is no effective way to trace back who the calling entity for these calls is. With STIR/SHAKEN, if a call is ‘neighbor spoofed’, it can be more quickly traced to the carrier signing the call and further isolated within that carrier’s network. We anticipate that more punitive legal and policy measures are likely to be introduced for people who issue illegal robocalls like these using neighbor spoofing.
Flagging vs. blocking calls
Along the way, legitimate businesses (like pharmacies trying to send out prescription information and businesses calling their own customers) have been erroneously identified as spam callers. Consumers and businesses do not want important calls like these being blocked. The misidentification can be partly attributed to call analytics programs that look only at volume metrics and crowdsourcing to determine whether a call should be marked as spam or blocked. And because anyone can mark a telephone number as ‘bad’ from their mobile device, not all data sources are authoritative. STIR/SHAKEN will ensure that consumers have the information and agency to decide whether or not to pick up a call.
The bottom line
The rise in call fraud has impacted customer engagement in almost every business vertical. Yet delivering great experiences to customers over the voice channel is still critical. Even in the digital age, phone calls are still an important way for businesses to connect with their customers. In fact, the voice channel is still the second-most widely used communication channel after web self-service for customer engagement.
Ideally, new regulations around call authentication will incentivize companies in every business vertical to develop genuine, productive and mutually respectful relationships with customers from the very beginning of the customer journey. In the future, this may even mean that vendors who call customers on a creditor’s behalf (like liquidation partners) will identify themselves on caller ID screens as an extension of an original creditor’s brand.
In the meantime, STIR/SHAKEN protocols, governance and enforcement are still being tested out. As more bad actors are identified and test cases are worked out by the telecom giants, we’ll surely hear more about how these protocols will need to evolve. Until then, make sure your company, and the partners with whom you do business, are being proactive about how they plan to increase caller transparency and put more control into consumers’ hands.