You’ve probably experienced Robocall already, even if you are not living in the US. Those Telemarketing calls (they always come in batches…) where a recorded message or a robot representative tried to sell you something other and other again. Most of us have received this kind of call you probably didn’t ask for.
Cold calling Prospection is fine in most of the countries when it is done with measure and respect but malpractice surged in this domain and took enormous proportion especially in the US where as soon as you activate a Sim card you are flooded by those automated calls. It is ruining the end-user experience, reducing trust in telecoms media, and costing a lot to operators when associated with the fraud. So something had to be made to stop this trend. One of the responses from the telco community and the lawmakers is to increase carrier accountability and transparency on Did users. Transparency on who is behind prospecting calls and who is behind the phone numbers used.
The issue is that the calls usually go through a series of carriers before they reach their destinations. If the information about the legitimacy of the caller can be known by the first carrier the information is usually not disclosed to the other carriers in the chain, especially the last one who is supposed to route the call to the end-user. One way to keep everyone in the chain accountable for the legitimacy of the caller and therefore of the call is to create a certificate with the caller info and to transfer it along with the call. This is what the STIR/SHAKEN protocols do and why it is implemented from the 30th of June 2021 in the US to help enforce caller identification laws, control the caller ID and apply penalties in case of fraudulent use.
What is the issue with an unidentified caller ID?
1) Unsolicited and abusive Calls
Recently, Robocalls, ie calls generated by machines with prerecorded audio or smart IVR, has been under the spotlight as the main threat to the general public trust in the telecom industry. Let’s point out that there are a lot of legit reasons to use smart IVR and machines to generate calls. For instance for general public announcement, or get an automated call back from a client support representative at a said time, or create conference calls by calling the parties on their phone… So the issue is not so much about the automatization of the calls but rather the identification of the person calling you. In a large majority of use cases, you can identify the person who is calling you, even if you don’t know the person. Sometimes you see the info directly on your smartphone or you can find it later on the internet. You can then either answer the call or ask not to be called again if you are not interested. And it is fine because the person calling you is part of a legitimate business and displays its real phone number that you can check and block. When the reason for which someone calls you is less legitimate then this person will probably prefer not to be identified.
When they plan to make abusive or unsolicited calls, scammers usually don’t want to be called back by the persons abused, and they usually don’t want either to have the police knocking at their door. If they indeed get a real phone number then Police can ask the operator that provided to block the Did to give the info to find and prosecute such scammers, but that’s the ideal scenario
So to prevent being called back or giving their local address to be granted a phone number, scammers just use Dids which don’t belong to them and that solves all their problems. By spoofing the Did of someone else they become untraceable, and they can reach out to thousands of people every day without consequences nor contro… so far.
2) Did spoofing
So how can someone become untraceable and use a Did which is not theirs to make calls? It is pretty simple to do that. There is quite a lot of telecom software that just asks upon configuration what Did you want to use as a caller ID and they generate calls with this caller ID. Nothing wrong usually with that. When an operator gets a range from the National regulatory agency, they just receive a list of Dids they can use and configure in their client’s equipment. So in theory you could also set up this equipment with a Did which is not yours. As a regulated operator, you do not want to do that but technically it’s not difficult. And indeed Did spoofing and it is against all the regulations in the world.
Besides using a Did which is not yours to use (and perhaps scamming people in the process…), there are other issues with Did spoofing. First, it is making the life of law enforcer much more difficult as the information attached to the Did is not consistent with the real person using the Did. So even though the rightful user of the Did has given all the information required to use this Did, this is just not the right person behind the fraudulent usage. During an investigation, it is a very serious issue both for police forces and rightful users. Second and consequently, Did spoofing is becoming closer and closer to identity theft, as our use of Did is largely connected with automated identification, in banking, in online shopping, in payment… Therefore using someone else number is the first step toward Identity theft and this is not cool.
3) Telco and operator mistrust
Not only it is not cool for the reasons previously mentioned but it is also not cool for legit calls and the entire telecom industry. In the US less than half of the calls are answered as people are largely mistrusting traditional voice calls which is nonetheless a great communication tool. This is a growing trend all over the world and a big concern for telecom operators. Voice calls remains a big communication media and trust in Dids is increasingly important even when used in alternative telecom solution like VOIP apps or identification scenarios. So to both regain the trust in regular voice calls from the general public as well as reducing phone number-based fraud across all the media, operators had to find a way to collect, store, transfer, and validate information about the phone number and its user. To do so STIR/SHAKEN protocols come in handy.
STIR/SHAKEN is a suite of procedures and protocols created to fight Did spoofing.
1) What is STIR and how does it work?
This is the procedure and protocol for SIP/VoIP calls:
STIR for “Secure Telephony Identity Revisited” is a procedure that adds to the SIP header of a Call a digital certificate that gives information about the Caller, the Callee, and the legitimacy of the Caller to use the Did. The Digital certificate, a JSON Web Token is produced by the Caller Did provider by comparing this Did with its own DID database, when the call is initiated.
If the Did is fully recognized (all the digits), which means the Did provider validates that the originating party is registered in its database as a known customer, then the call receives the highest degree of verification or “Full attestation” which is indicated in the SIP header with an “A”. If the Did is partially recognized (several first digits for instance) as part of a Dids list the provider assigned to a client, the call receives a “Partial Attestation”, which is indicated with a “B” in the header. Finally, if the call carrier is only able to validate that the call is coming from a trusted gateway, when a Call is transiting through several providers for instance, then the call receives the “Gateway Attestation” which is shown in the header with the “C” letter.
The Call token is encrypted with a private key and decrypted with a public key by the operator at the called endpoint. This means that all the “legit” operators will have to register to a certificate authority to get this public key. All the calls that are failing the endpoint checks, ie unknown public key, inconsistency in the caller Did present at the endpoint and the caller Did used at the starting point will end up being considered as not validated and may be blocked before reaching the end-user.
2) What is SHAKEN and how does it work?
For non-VoIP calls using SS7 like cell phone calls or analog landline calls (POTS), the SIP header cannot be used, and therefore neither is the STIR protocol. To provide an alternative to STIR with an increased level of security compared to the current situation the SHAKEN or “Signature-based Handling of Asserted information using toKENs” system has been introduced. It is not yet finalized and therefore can’t be fully discussed but this system consists in adding additional information to the caller name presented to the end-user by the last SIP operator able to certify the STIR certificate. So in the chain of operators handling the call, the first SIP operator will generate the STIR certificate and the last SIP operator will have to read the certificate and add either “Verified” or “Non-verified” to the caller name presented to the end-user. Which will help this user to choose to answer or not.
What does it means for voice operators?
The following do not apply for local traffic transit in countries where the STIR/SHAKEN protocol is not applied. But as the number of countries considering this identification framework is growing, let’s put us in the shoes of operators having to comply with this framework. This might also soon apply to foreign operators wishing to send calls to STIR/SHAKEN-ready countries.
1) Be able to generate certificates for your calls
As an operator enabling your customers to use Dids and generate calls, you will be the one starting the process and you will have to be able to generate the STIR certificate. it means that you may have to register to the Certificate authority to which your Dids belong. In the US you have to register to the Secure Telephone Identity Policy Administrator (STI-PA) which approves voice service providers to participate in the STIR/SHAKEN framework. Once you have been validated you will be able to access the certificate repository and generate or read the STIR certificate. The STIR/SHAKEN system is implemented in the US since the 30th June 2021, but it does not mean that all the operators are all ready able to use it neither does it mean that all the countries in the world will soon implement it, but as the fraudulent use of Dids increase more and more countries will implement it in the future so if you are managing Dids in your country you might want to stay updated on local STIR/SHAKEN initiatives.
2) Be able to carry the certificates to your interconnection providers
If you are carrying the calls from one operator to another operator, your job is to carry the certificate along with the call. May you modify the certificate for the call risk to be considered fraudulent and be refused by the endpoint operator. We, therefore, advise you to be able to transfer certificates or at least to be prepared to do so and to ensure that your local partners do the same, especially those originating the calls who must be able to provide the appropriate certification for the calls made.
Many unclear situations and unanswered questions nevertheless remain when it comes to carrying certified calls.
For instance, how do you carry calls between two countries which different certification agencies and therefore different certificate depository? Does it mean that this framework will just not apply on international calls or does it mean you will have to be registered to all the national certification agencies of countries you are sending calls to?
There is a beginning of an answer in the US with the case of foreign operators having US Dids. Indeed the proposal of the US authority is for the US carrier and the foreign operator to work together to validate the legitimacy of the calls and for the US carrier to generate a certificate. It is a customized process is to be built, for each partnership and in each country so it is not a real global solution.
3) Be careful with your STIR/SHAKEN “reputation”
If you are providing Dids to end users, you will be literally signing every call with your public key and therefore an increased responsibility regarding the legitimacy of those calls will fall on you. If you allow Did spoofing or scamming activities as part of your service, you will end up having your key revocated and you won’t be able to send your calls in the network anymore. You don’t want to have your key blacklisted by most of the major national or international operators. It might then lead to you reassessing the opportunity of providing your service to clients with the traffic you are not comfortable with. Also, it might be a very dangerous game to start reshaping certificates of known-bad calls to “A” calls with your brand new provider certificate. Because even if you might have a good short-term gain or even if you are doing that for a small amount of traffic, you risk a key revocation or blacklisting by the endpoint operators which means jeopardizing your entire voice business. Truth be told this is one of the main objectives of this process, it will be hard to not know the quality of the traffic routed. Therefore the choice will be on the carrier and operator side either to authorize fraudulent traffic or stop routing it for good.
Local enforcement of the STIR/SHAKEN framework in the world
The US already started to enforce this mechanism from the 30th of June 2021 for big carriers with an extension of the deadline to the 30th of June 2022 for the smaller carriers. If you are a US carrier and you missed the bus, there are multiple resources to bring you up to speed, especially the US authority website. Canada will follow with a Deadline set for the 30th of November 2022. The UK is looking at implementing it as well after the full PSTN network replacement in 2025. France worked both on a law to strengthen the supervision of telephone marketing and to fight against fraudulent calls (Naegelen law) and on a simplification of its national numbering policy. This has lead to introduce in the legislation a mechanism to certify caller IDs. A dedicated range of Mobile Dids has even been dedicated to starting the implementation of the system even if there are no further details about the implementation framework (Read our article on the subject). So, in conclusion, the trend is going global and it will take some years but additional countries will follow and it is a good opportunity for legitimate carriers and operators to improve the local and global voice quality of service and to participate in increasing public trust in voice service.
Tell us may you see other aspects to consider in the implementation of the STIR/SHAKEN for operators and we will make sure to update this page to help other fellow operators. Also, let us know what is your opinion and your experience on using this framework! We would be very happy to discuss it with you.