STIR/SHAKEN: The Ultimate Guide

Will STIR/SHAKEN stop all robocalls?‍

While STIR/SHAKEN will help identify harmful robocalls, it will not completely eliminate all illegal robocalls for good. It's important to note that not all robocalls are bad. Many legitimate companies communicate all sorts of information via 'robocalls’ especially automated communications such as appointment reminders, delivery notifications, school closures, etc.

While the STIR/SHAKEN framework allows authentication of call originators and their numbers, it is not a silver bullet solution and it cannot determine the illegitimacy or legitimacy of the intent of an incoming call. It can validate that an incoming call is originating from a real phone number, which is not being 'made up' or stolen from a legitimate business, organization, or consumer.

The STIR/SHAKEN framework does not have the ability to weigh in on whether or not the content of the call itself is potentially malicious or unwanted, making call blocking and labeling analytics are still relevant despite the framework.

How does STIR/SHAKEN stop illegally spoofed calls?

The absence of this technology in the past is what allowed bad actors to represent themselves as someone they’re not by illegally "spoofing" or hiding behind a falsely presented telephone number. With the improved ability to trace back to the origination of illegal activity, STIR/SHAKEN will assist government and telecom entities' ability to identify and stop the source of the illegal robocalls.

Whose responsibility is STIR/SHAKEN?

The logistics behind implementing STIR/SHAKEN do not fall to you, but to your telco provider. That said, we recommend you keep pace with your service provider’s progression toward STIR/SHAKEN implementation so you can ensure your calls will be given the greatest opportunity to be successfully 'authenticated.'

With much still in the works behind the scenes with STIR/SHAKEN, it's also very important for you to voice your opinion and weigh in on policies that will impact your business. Also, be wary of solutions with ‘guarantees’ on STIR/SHAKEN, especially those with promises for 'enterprise signing' or 'attestation. It's impossible to predict exact outcomes with 100% certainty as the technology is in the early stage of widespread adoption.

What is the June 2021 STIR/SHAKEN Deadline?

As defined in the TRACED Act, the June 2021 deadline requires any provider of voice service to implement the STIR/SHAKEN authentication framework in their voice IP networks and requires voice service providers to take reasonable measures to implement the effective call authentication framework in the non-IP portions of their networks.

The First Order mandates that it is the responsibility of originating and terminating voice service providers to implement STIR/SHAKEN Standards, or the BASE STIR/SHAKEN, in the IP portions of their networks by June 30th, 2021.

Will my calls get blocked if I do not implement STIR/SHAKEN by the June 2021 Deadline?

Your calls will not be automatically blocked as the result of partial or incomplete STIR/SHAKEN implementation by the carrier network on which your calls terminate. Call blocking and labeling analytics, however, will remain in place and continue to influence call treatment and delivery display on the terminating (device) side. If your calls are currently being labeled as “Scam” or “Fraud,” they will still be able to be blocked as the result of this analytics and reputation-based classification which occurs outside of the STIR/SHAKEN framework.

How is that different than the full STIR/SHAKEN implementation? What is BASE STIR/SHAKEN?

What is expected for the June 2021 deadline, is the implementation of the BASE STIR/SHAKEN, or STIR/SHAKEN Standard, which is targeted at the internet IP-based service providers (non-IP providers will not be implementing) to address Enterprises.

This means a SIP infrastructure is needed to add the certificate to attest the call, assigning a telephone identity that gets attached to the SIP invite which gets transported over the SIP network to the terminating service provider, who does the reverse. The certificate is then validated and signed by the relevant key that has been attested, and they can choose how to terminate the call.

What are the top three points businesses should be aware of and should do by June 2021 to be prepared for STIR/SHAKEN?

In no particular order:

Get an assessment of where your service provider is. You need to be aware of what your service provider is doing, whether they’re the BPO, the CPaaS, or UCaaS, or direct carrier, to prepare for the June 2021 deadline. Have they filed for an extension or are they going to meet the timeline on time?
Inquire how their compliance with the law is going to impact your current contract. Whether that results in an increase in cost or a service-level agreement change, you should be made aware of any contractual impacts on the services that they provide based on STIR/SHAKEN.
Analytics are going to continue to exist to determine if calls are wanted or unwanted, legal or illegal. So you will still have to address your call blocking and labeling issues.

‍

What is Attestation?

When a STIR/SHAKEN call certificate is received, it will include a call’s Attestation Level, as signed by the originating service provider. This establishes the relationship with the caller and their right to use the calling number.

There are 3 Levels of Attestation:

Full or Attestation “A”: the service provider knows the call source or identity of the caller as well as has the right to use that number. Example: The carrier issued the number for a customer so the call originated in their network.

Partial or Attestation “B”: The service provider knows the customer, but not the source of the phone number. Example: When third-party call centers are originating the call, the service provider may not know if they have the right to use that number.

Gateway or Attestation “C”: The service provider places the call into their network, but does not know who the originator of the call is. Example: If a call originates from outside of the country and is coming through an international gateway.

‍

How does this translate to a call’s trustworthiness?

The level of Attestation is not a direct correlation to the trustworthiness of the call. Analytics will still be in place for call validation treatment to ensure that unwanted, scam, or illegal calls will still be labeled accordingly.

Attestation works to help establish the authenticity and identity of inbound callers but is not a substitution for call authentication solutions.

What is the Enterprise Challenge?

One of the key things that goes on the STIR/SHAKEN certificate is the Attestation Level (A, B, or C). The gap occurs in complex scenarios where a call center of BPO is making calls on behalf of multiple clients, or where in some cases there could be two or three parties involved during a call path. The end client could be someone who is not even making the call but has outsourced the call to another call center that could be using a different platform or CPaaS provider. In these scenarios, enterprises or service providers may not be able to validate and get their calls signed, which is the Attestation Gap.

‍

Will A-Level Attestation guarantee that my calls will not be marked as ‘Spam’?

A Level Attestation is coming in through the SIP network and terminates at the device. A Level Attestation is one of many data points that terminating providers take into consideration when displaying a call. Another data point taken into consideration comes from the analytics level, which is a separate layer outside of STIR/SHAKEN attestation, and influences call display on mobile devices. These external analytics are assessing the reputation of your phone number outside of the STIR/SHAKEN framework, this is where Spam or Scam labeling comes from. A Level Attestation does not currently influence the presentation of Spam or Scam labeling as the technologies are not currently integrated.

Can anyone guarantee A-Level Attestation?

An originating service provider can if they have a direct relationship with you, as their client and have issued the numbers to you. In any other situation, in order to facilitate A-Level Attestation, the OSP needs to have a process to have validated the enterprise in question’s identity and validate that the phone numbers being used belong to that identity, from wherever those numbers were procured from (if outside of the OSP).

Is there a way to test? How is it working so far?

Numeracle has a client currently using a wide provider that has implemented the BASE STIR/SHAKEN and we had them call our number to see how those calls were displayed, keeping in mind that our number is on one of the three major carriers. What we found was the calls came through as we would make any other calls without attestation.

It also depends on the terminating service provider and how they’re accepting certificates. Call validation treatment and analytics will continue to play a role in the solution and they are still on the network. How the actual call gets displayed on the device is based on how the CVT is done by the terminating service provider.

Attested calls currently do not show an attestation level, but we expect this will change over a period of time as more begin to implement the standards.

Can less than A-Level Attestation be remediated or appealed or corrected?

At this point, it is unclear what the remediation process will be for calls that are signed with levels B or C. It will require a feedback loop to be put into place and processes that still need to be defined based on the Standards.

Is there a “Registry” or “Database” for callers to get A-Level Attestation?
What is that, is it real, and is Numeracle a part of it?

There are multiple models that are currently being discussed to address Attestation and the Attestation Gap. One of the proposed models is the centralized registry or database model which is similar to a traditional CNAM database. This repository will have all the information related to numbers stored, including who owns the number, who has access to the number, or who is making calls on someone else’s behalf.

Having this database would allow for the retrieval of any of this information, however, this is just one of the proposed models by the Standards Group. There are still questions around how this data is updated, who has access to it, and who controls that access, or what happens if the database gets compromised?

‍

From the carrier perspective, how does Numeracle act as a Local Policy solution for the service provider looking to ensure its clients’ calls can be signed as A-Level Attestation, whether or not the phone numbers were provisioned by the service provider?‍

This can be validated through Numeracle’s ‘Number Profile’ item within its Entity Identity Management platform. When a service provider needs to validate ownership of phone numbers provisioned outside of the service provider, a request is sent to the entity to complete an LOA (Letter of Authorization) via a digital process, which confirms the entity’s authorization for use of the phone number. That LOA is then used to form the baseline of truth for A Attestation to take place based on this authorized use of the phone number.

‍

What happens when a call originator makes a call through a carrier with a number they acquired from another different carrier in regards to:
A) the level of attestation they can get?
And B) if they do get a B level versus an A level, how will that impact what subscribers experience on the terminating side when called?

It depends on the carrier that is being used to originate the call. It comes back to the local policy they implemented and how they are treating that Enterprise as well as that number. If the carrier believes they already know the customer/client/call originator and they have a good KYC policy in place, it could theoretically be attested with A. However a different carrier can take a different approach and always attest calls as B is the number wasn’t acquired from them.
If it gets a B-level attestation, thus far we have not seen any difference between how the terminating carrier treats a B and A level as far as the presentation to the subscriber. As implementation continues, different visual displays such as a verification check may be used for only A-level attested calls.

How does the Numeracle platform prepare me for STIR/SHAKEN?

Numeracle’s Entity Identity Management™ platform allows an organization to manage its Verified Identity status as a legal business calling consumers based on an existing relationship or prior express written consent. This Verified status is governed by a compliance-based Know Your Customer vetting process.

The Platform also enables entities to identify the phone numbers used to engage with clients and subscribers and associate those phone numbers to Verified calling brands via “Number Profiles.” This platform prepares entities for STIR/SHAKEN by creating the authenticated relationship between Verified Identity and phone number usage which is what service providers are required to verify in order to attest to the fact that each brand originating traffic on their network is authorized to use the phone numbers being displayed to the end user.

Will Numeracle’s Entity Identity ManagementTM Platform take care of STIR/SHAKEN certification for me?

While the Platform itself does not ‘attest’ or ‘sign’ calls, it can be used to implement a local policy solution for Service Providers to manage the verification of calling identity + authorization of phone numbers in order to elevate an enterprise brand into the STIR/SHAKEN framework.

What do I need to do external to Numeracle to fully prepare?

Your service provider will need to verify the relationship between your Verified Identity and authorized phone numbers (including optional rich call data, or branded information) to enter them into the STIR/SHAKEN call authentication model.

You can find out from your service provider what kind of model they will be using to sign calls (i.e. Delegate Certificates, Centralized Registry/Database, Distributed Ledger Model), and what stage of development they are in. From there, we can work with them to ensure you’re prepared for the STIR/SHAKEN Deadline.

Should I be budgeting for some STIR/SHAKEN costs to come into play in 2021?

It is going to depend on the service provider you are using and what costs they are going to associate with call signing. One proactive approach would be to have this conversation with your service provider and ask if they’re planning on passing along additional costs to facilitate call signing on their platform/network.

How does Numeracle help you fulfill your traceback requirements as a service provider?

Requests from the traceback group (run by US Telecom) can be verified by the Numeracle platform. The platform validates the identity of the entity and the authorized use of the entity’s phone numbers.