In order to achieve their intentions, dishonest robocallers and criminals will take any means to make it look like your friendly neighbor is calling. They do this to mislead their prey or called-party. The purpose of this type of work is to gather valuable information, most of which is dishonest and unethical.

We are writing this article to inform you how to prevent spoofed robocalls with STIR/SHAKEN, which is an advanced certification followed internationally to prove the caller if read.

Understanding Spoofing

The illegal method of changing a calling number to a reliable telephone number is called spoofing. The chances of answering the automatic scam call increase through spoofing. Such deception may be more malicious in some cases. 

For example, a scammer may try to steal tax refunds by pretending to be an IRS agent through spoofing. 

Custom Spoofed Detection Switch

Monitoring Robocalls Switch System

Custom robocalls detection solution

Understanding STIR/SHAKEN

Since 2014, FCC or Federal Communications Commission has been trying to develop a solution by encouraging the telecommunications industry. The solution must prevent spoofing and automatic scan calls. 

The industry responded by developing a new technical standard. They are – 

1. STIR – Secure Telephony Identity Revisited
2. SHAKEN – Secure Handling of Asserted information using toKENs

The standard defines how the STIR technology should be implemented by the telephone service providers so that it can make sure the calling numbers are not tampered with or spoofed.How to prevent spoofed robocalls with STIR/SHAKEN: The process

To measure the validity of phone numbers, a digital certificate based on common public-key cryptography is used by STIR/SHAKEN. To put it simply, a trusted telephone service certification authority gives this digital certificate to other telephone service providers.     

The called-party can verify whether the calling number is accurate and has not been tampered with or spoofed.

The following illustration of the call flow diagram shows the workflow of STIR/SHAKEN –

Source: https://transnexus.com/

1) The originating telephone service provider receives a SIP INVITE  

2)  To verify the validity of the calling number the originating telephone service provider checks two things – the call source and the calling number. 

• Full Attestation (A) — The calling party is authorized to use the calling number after being verified by the service provider. To give an example of this – when a user is registered on the Softswitch of the original telephone service provider.
• Partial Attestation (B) — The service provider has verified the origin of the call, but cannot verify that the originator of the call has the right to use the number. To give an example of this – when a use case is the phone number behind the PBX. 
• Gateway Attestation (C) — The service provider authenticated where the user received the call but was unable to authenticate the source of the call. To give an example of this – when a call is received from an international gateway.

3) A SIP ID header is generated by the originating telephone service provider. The service provider uses the authentication service that can be a software application integrated into a Softswitch or a session border controller (SBC) from a telephone service provider. It can also be a third-party service hosted in the cloud.

The following data are contained in the SIP Identity header –

• Attestation level
• Calling number
• Called number(s)
• Origination identifier
• Current timestamp

4) The terminating telephone service provider receives the SIP INVITE along with the SIP identity header. Additionally, Out-of-Band SHAKEN can be used to send identification tokens over the internet on non-SIP call segments.

5) The verification service has received the SIP INVITE along with the Identity header 

6) The public certificate repository offers a digital certificate to the original telephone service provider. Then, the certificate is delivered for verification service. Once it receives the certificate, it starts the multi-stage verification process. The calling number will not be considered spoofed if it successfully passes all verification steps.

• The SIP Identity header should be decoded with base64 URL
• Compare the details with the SIP INVITE message 
• The SIP Identity header signature is verified by the public key of the certificate 
• A verified certificate for the chain of trust

7) The results of the verification service are received by the SBC or the terminating service provider’s Softswitch. 

8) After everything, the called-party will end the call.

How telecom companies use STIR/SHAKEN

Telecom companies use STIR/SHAKEN is a provider-based caller ID authentication standard. This can be used to verify that the incoming call has not been spoofed and is indeed from the number specified in the caller ID. In the end, this can reduce the number of fraudulent calls.

Telecom companies make their customers confident that the caller ID information they receive is more accurate. Telecom companies use STIR/SHAKEN technology to update their spam detection algorithm with real-time call filtering. This can reduce the chances of a call being blocked mistakenly or identify “good” calls as “potential spam”.

A brief history that will inform you about identifying scam 

For many years, the industry has been trying to curb phone infiltrators. From the announcement in 2019, the largest telecom suppliers like Verizon, TMobile, and AT&T are experimenting to address spoofing problems with tools such as STIR/SHAKEN or applications such as Robokiller.

However, the scam calls didn’t stop coming.  

All network providers including the smaller regional networks have gone through various networks, between callers and recipients. Therefore, F.C.C. (Federal Communications Commission) hoped for uniting these network providers to reduce the spoofing problem. Because it will be much easier to verify scam calls for these network providers.

In June 2021 around 4.4 billion robocalls were made to consumers inside the United States. From the total robocalls, around 573 million were about health and auto warranty-related scams. This data was collected from a call-blocking company named YouMail.

This indicates that – some robocalls are legal indeed. Yes, that is true because most political campaigns and school closing robocalls are legal as industry estimates.

You should also note that – scam calls often come depending on the seasons or events. On Friday, Miami-Dade County Attorney Catherine Fernandez Randall warned people that the charity took the initiative to call, claiming to help the victims and families of Champlain Tanan, which is a partially collapsed house in Surfside, Florida.

Some related questions 

1) What is STIR/SHAKEN?

We have already mentioned before,

• STIR – Secure Telephony Identity Revisited
• SHAKEN – Secure Handling of Asserted information using toKENs  

STIR/SHAKEN is basically a method to verify the original phone number of a phone so that the voice service provider who is receiving the call knows that the originating phone number is correct.

2) Why is STIR/SHAKEN required?

The FCC works with the telecommunications service providers to respond to robocalling, fraudulent calls, and unsolicited telemarketing calls. One strategy used by these people is to forge the originating telephone number to make the call look more likely a number to be the recipient of the call. STIR/SHAKEN suggests to the voice provider that the call is coming from the originating number.

3) When can we expect STIR/SHAKEN to be implemented?

We can expect the implementation of STIR/SHAKEN by June 30, 2021. This is almost certain and announced by the FCC.

4) What is the impact of STIR/SHAKEN on outbound calls?

Since your outbound calls to the 8×8 service use STIR/SHAKEN, the voice service provider will not treat your calls as unauthenticated. Also, the calls won’t be blocked on the receiving end due to a lack of STIR/SHAKEN authentication. 

However, the FCC also approved voice transmission. By default, the service provider will label or block possible robocalls or unwanted traffic based on appropriate analysis. Therefore, it is possible that the voice service provider marks the received call as spam or blocks it, even if the originating call is signed with STIR/SHAKEN. You should contact 8×8 support if you think your outbound calls are mistakenly marked as spam or blocked by the voice service provider.

Final Words 

We hope you understand how to prevent spoofed robocalls with STIR/SHAKEN. Along with this, we are guessing you have learned many things about the STIR/SHAKEN method. There will be many updates for the rules and policies in the future depending on the accessibility of several facts. It also depends on the region and their governmental rules for preventing scam calls or robocalls. The scammers will not sit back and they will look for innovative ways for spoofing. Therefore, the authority should always remain concerned about updating the STIR/SHAKEN accordingly.