FCC STIR/SHAKEN Policy
Criminals often spoof or manipulate the calling numbers of different outbound telephone calls to deceive the other party. The deception often involves altering calling numbers to make the call appear genuine for the called party to answer. The deception can sometimes be malicious, for instance, when fraudsters impersonate IRS agents intending to steal tax funds from unsuspecting victims. This practice is referred to as spoofing, where unscrupulous robocallers alter the calling numbers of telephone calls.
Since 2014, the telecommunication sector has seen a sudden increase in robocalls and spoofed calling numbers targeted at businesses, as well as individuals. To resolve this concern, the Federal Communications Commission (FCC) introduced new technologies to stop these spoofed numbers and robocalls: STIR and SHAKEN. But what exactly does FCC’s STIR/SHAKEN policy entail? Read on to find out.
What Is STIR/SHAKEN?
STIR is an acronym for Secure Telephone Identity Revisited, while SHAKEN is an acronym for Signature-based Handling of Asserted information using toKENs. STIR/SHAKEN is a framework of interconnected standards that ensures carriers validate calls traveling via interconnected networks before they reach the called parties. Put simply, STIR/SHAKEN are protocols that digitally validate the hand-off of phone calls traveling through a sophisticated web of interconnected networks. This allows phone companies to verify that calls originate from the displayed caller ID to prevent spoofing.
STIR focuses on SIP headers, where the system adds critical information that lets the endpoint positively identify the phone call's origin. This does not directly prevent criminals from spoofing a caller ID, but it tells upstream points whether or not to trust the caller ID. Suppose a business has a VoIP-based PBX and connects to an extensive telephony network via a SIP service provider. When the provider receives a SIP packet, it adds data to the header to show whether the call originates from a known customer and whether the caller ID is known to the system.
The STIR protocol includes three levels of verification: Full Attestation, Partial Attestation, and Gateway Attestation. Full Attestation is represented by an "A," signifying that the provider recognizes the whole phone number as registered to a known subscriber. Partial Attestation is represented by a "B," indicating that the call originates from a known customer, but the whole phone number cannot be validated. Gateway Attestation, represented by a "C," shows that the call can only be validated as originating from a recognized gateway, a connection from other service providers.
Since STIR is based upon SIP and only works with calls routed via VoIP, it does not validate telephony networks that rely on standards like SS7. Besides, STIR does not address authentication failures within the network and does not block calls if the system fails to assign STIR information on each call. To solve such issues, SHAKEN works jointly with STIR to offer a practical mechanism that verifies information from the calling party and that of call origin: Attestation.
STIR/SHAKEN offers service providers tools to authenticate and validate call numbers, enabling businesses and individuals to differentiate between spoofed and legitimate calling parties. Regarding robocallers calling end-users on landlines and mobile phones, STIR may authenticate the call, but the caller ID a user sees may either be appended with “verified” or denoted as “spoofed” or “no verification.”
How STIR/SHAKEN Works
STIR/SHAKEN is a framework that uses digital certificates to ensure the calling numbers of telephone calls are secure. The certificates rely on standard public key cryptography practices, which make it possible to validate calling numbers. Telephone service providers acquire these digital certificates from licensed and trusted certificate authorities, allowing the called party to verify the calling numbers accurately. Here is a summary of how STIR/SHAKEN works:
- The originating telephone service provider receives a SIP INVITE from the calling number.
- The provider confirms the call source, including the calling number, to assign the correct attestation level based on the validity of the calling number. This may be Full Attestation (A), Partial Attestation (B), or Gateway Attestation (C).
- The provider uses the authentication service, whether hosted in the cloud or on a Session Border Controller (SBC), to create a SIP Identity header. The SIP Identity header usually includes the caller number, current timestamp, origination identifier, and attestation level.
- The SIP INVITE, together with the SIP Identity header, is sent to the terminating service provider or might be redirected across the internet or non-SIP call segments and later forwarded to the verification service.
- The verification service retrieves the provider's digital certificate from the public certificate source and launches a multi-step validation process. The SIP Identity header is base64 URL decoded, and the public key is used to verify the SIP Identity header signature along with the certificate chain; a successful verification means the calling number isn't spoofed.
- The verification service returns the outcome to SBC or Softswitch to complete the call.
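The decoding step above can be shown in a few lines. This is an added example, not code from the original page or from any provider: it base64 URL decodes a constructed SIP Identity header and runs the checks a verification service can make before signature verification (attestation level, timestamp freshness, caller number match). Function names, the sample header, the example.org certificate URL and the 60-second freshness window are assumptions; verifying the ES256 signature and certificate chain needs a cryptography library and is not shown.

```python
import base64
import json

ATTEST_LEVELS = {"A": "full", "B": "partial", "C": "gateway"}

def b64url_decode(segment):
    # JWT-style base64url drops '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def parse_identity(header_value):
    """Return (jose_header, claims, signature_bytes) from an Identity header value."""
    token = header_value.split(";", 1)[0].strip()  # drop ;info=...;alg=...;ppt=...
    try:
        head, body, sig = token.split(".")
        return json.loads(b64url_decode(head)), json.loads(b64url_decode(body)), b64url_decode(sig)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed PASSporT") from exc

def check_claims(jose, claims, from_tn, now, max_age=60):
    """Pre-signature checks; returns a list of problems (empty list = pass)."""
    problems = []
    if (jose.get("alg"), jose.get("ppt"), jose.get("typ")) != ("ES256", "shaken", "passport"):
        problems.append("unexpected alg/ppt/typ")
    if claims.get("attest") not in ATTEST_LEVELS:
        problems.append("unknown attestation level")
    if not claims.get("origid"):
        problems.append("missing origination identifier")
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > max_age:
        problems.append("stale or missing iat")
    if claims.get("orig", {}).get("tn") != from_tn:
        problems.append("orig.tn does not match signalled caller number")
    return problems

def build_sample(orig_tn, dest_tn, attest, iat):
    """Constructed sample header; the 64 zero bytes stand in for a real ES256 signature."""
    jose = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
            "x5u": "https://cert.example.org/sp.pem"}
    claims = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
              "orig": {"tn": orig_tn}, "origid": "123e4567-e89b-12d3-a456-426655440000"}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (jose, claims)]
    token = ".".join(parts + [b64url_encode(bytes(64))])
    return f"{token};info=<{jose['x5u']}>;alg=ES256;ppt=shaken"

if __name__ == "__main__":
    hdr = build_sample("12155551212", "12155551213", "A", 1700000000)
    jose, claims, _ = parse_identity(hdr)
    print(ATTEST_LEVELS[claims["attest"]], check_claims(jose, claims, "12155551212", now=1700000030))
```

An empty problem list only means the claims are well formed and consistent with the signalled call; the caller number is not established as genuine until the signature and certificate chain verify.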
The Role of FCC In The STIR/SHAKEN Policy
The Federal Communications Commission (FCC) regulations require all voice call providers to have STIR/SHAKEN integrated into the Internet Protocol (IP) portions of their communication networks. This ensures phone calls are secure and users only receive genuine calls from known callers. Besides, the FCC introduced a Congressional directive and additional policies in 2020, ensuring that providers who cannot implement STIR/SHAKEN immediately still protect their customers against illegal robocalls.
In Q2 of 2021, the FCC required all providers to declare in the Robocall Mitigation Database that they fully adopted STIR/SHAKEN or integrated a robocall mitigation program to prevent illegal robocalls in their networks. Besides, they should also submit their countermeasure steps against illegal robocalls to the database, proving that voice call providers are taking steps to prevent and mitigate robocalls.
Corptek STIR/SHAKEN Solutions
At Corptek, we understand the value of preventing spoofed calls that often lead to fraud and cases of stolen sensitive data. As a leading IT services provider, we remain committed to delivering exceptional IT solutions and services related to FCC STIR/SHAKEN policies. Besides, our solutions are unique and flexible, covering a comprehensive portfolio that includes fraud prevention. For more information, chat with us or contact us to learn more today!