STIR/SHAKEN and Call Spoofing: What’s all the Fuss About?

netnumber - TNN Blog

Have you ever picked up a phone call from your area code only to find yourself faced with a robocall or spam message? If so, you might be relieved to know that you are just one of many that received some of the 4 billion robocalls that take place per month in the U.S. At the same time, you might be frightened by that eye-opening statistic. In that case, you’ll probably be pleased to hear that this kind of experience is the exact reason why a framework called STIR/SHAKEN exists.

This suite of protocols and procedures plays a big role in today’s communications, but many outside of telecom may not know much about it — or why there’s so much discourse about it right now. As the influence of STIR/SHAKEN continues to grow in the global communications ecosystem, it’s important to take a look at how and why STIR/SHAKEN came to be — and how it’s currently impacting phone calls across the world.

(Alternatively, if you’re a network operator or communications service provider looking to overcome your STIR/SHAKEN dilemmas, you can stop right here and instead read about our related solutions.)

The Spoofing Story

 With so many individuals on the receiving end of misleading spoofed calls (aka when a call’s origin number is deliberately falsified to get the receiver to pick up), it’s no surprise that this phenomenon has achieved epidemic status. Still, what has now become a significant challenge for end users was first spurred by transformations with far more pure intentions.

When caller ID was introduced — eventually becoming widely implemented in the U.S. in the 1990s and around the world soon after — it was known as a be-all-end-all solution for vetting call communications. Still, bad actors are highly skilled at finding ways of corrupting or distorting security measures for their own benefit. At the same time, in an effort to create an even more advanced global communications ecosystem, the development of global phone calling led to more complex ways for calls to be created and terminated. The result was an unintentional loophole for spam callers.

Voice-over-IP (VoIP or internet-based calls) was introduced to deliver a host of benefits for the communications ecosystem, not the least of which was cost efficiency. Still, it opened the door for bad actors to add incorrect information into the VoIP software. Over time, they became more savvy about how to make their information look legitimate so that end users couldn’t effectively screen their incoming calls any longer. Out of this was born a need to more effectively sift out malicious spoofed calls and better protect the end user. Here we see the origin of STIR/SHAKEN protocols.

Continuing the Story of STIR/SHAKEN

STIR (which stands for Secure Telephony Identity Revisited) and SHAKEN (short for Signature-based Handling of Asserted information using toKENs) together form what is now a mandatory set of technologies that help verify a caller's identity. When these protocols are mutually implemented by both the caller’s and the recipient’s phone carrier, it presents a great way to reduce call spoofing success and give phone users a better chance of avoiding those pesky robocalls. Of course, the good intention behind the mandatory STIR/SHAKEN implementation is clear. However, in practice (especially in an increasingly global phone calling landscape), it presents a number of complications that can be hard to reconcile with new standards.

Unfortunately, the way calling is handled in all countries across the world is not standardized. Differences in models and operations can pose issues when implementing STIR/SHAKEN protocols for terminating calls in the U.S. or Canada. In essence: While the story of STIR/SHAKEN is a relative success in North America, on the global stage, it’s a bit of a different story.

Today, while the spirit of STIR/SHAKEN (and the security goals that create desire for these protocols) are shared globally, every local adaptation comes with differences. Since STIR/SHAKEN was designed to operate within a specific country, when its adoption is expanded to attempt to cover inter-country connectivity (a vital aspect of global communications), it gets tricky. It’s easy to say that we all want safer communications with fewer threats from fraudsters. However, what this simple goal snowballs into is more a discussion about inter-country ‘trust’, how to measure it, and how to implement mechanisms that fortify it. That’s a much more complicated idea to navigate — especially when every country comes to the table with its own local flavor. We’re now realizing as an industry that standardizing security and protocol adoption across regions becomes the snag that prevents an ideal, wholly unified anti-fraud framework. If this need isn’t properly addressed, what we may see are islands of properly verified communications within a sea of improperly regulated messages and calls — and that’s certainly not the ideal outcome.

Of course, the realizations that have occurred in the wake of STIR/SHAKEN implementation have led to some much-needed conversation that is helping these efforts progress. Standardization forums have begun to address the challenge of establishing reciprocal trust, but the world is still seeking ways to build this effectively.

Here’s the bottom line: We live in a wholly connected, richly diverse, and interlinked world. The calling ecosystems that stretch across our globe and its borders are no different. When we place blanket limits in the system, it can sometimes unintentionally inhibit the communications that seek to cross those operational and geographical boundaries. In this way, STIR/SHAKEN is both a step forward and a step back — for now. STIR/SHAKEN is a helpful tool in our global arsenal that can reduce the robocalling issue, and more countries are making plans to implement it. Now, what’s needed is a proper plan to ensure everyone can make it to the end goal of protected communications on equal footing. Only with a truly unified approach can we achieve a fully interconnected fabric, and as we look to iterate and improve on STIR/SHAKEN, awareness of global nuance will be a guiding force.

To learn more about how netnumber’s suite of phone number intelligence data helps operators and providers implement STIR/SHAKEN, click here.