An Overview of STIR/SHAKEN: What it is and Why it is Important
Receiving a phone call from an unfamiliar number—and deciding whether or not to answer that call—has become an increasingly pervasive problem for nearly everyone. Sophisticated robocalls and Caller ID spoofing are now a regular (albeit frustrating) part of consumers’ daily lives.
Of course, not every robocall or caller ID spoof is unlawful. But for the call recipient, robocalls and Caller ID spoofing made with malicious intent can waste their time, put them at risk of exposing their personal information, and even result in monetary loss. It is for precisely these reasons that the FCC has issued clear mandates for how voice service providers in the United States should handle calls, among them a requirement to implement STIR/SHAKEN.
Here, we’ll take an in-depth look at STIR/SHAKEN, including how it works, why it’s important, its key capabilities, and how it contributes to the prevention of illegal robocalls and caller ID spoofing.
What is STIR/SHAKEN?
STIR/SHAKEN is a framework of technical protocols and implementation procedures that the originating service provider uses to authenticate an originating caller's identity (Caller ID). It also enables the terminating service provider to verify the Caller ID. Together, these steps reduce the chance of fraudulent robocalls and illegal Caller ID spoofing, which helps restore the call recipient's trust in the phone.
It’s important to note that STIR and SHAKEN are, by nature, two separate entities—a technology and a policy—that work together to achieve one common goal. Let’s take a look at each in more detail.
Secure Telephony Identity Revisited (STIR), which was developed by the Internet Engineering Task Force (IETF), is a protocol for providing a digital signature with the right calling party credentials. These digital signatures (sometimes called digital certificates) are embedded in the Session Initiation Protocol (SIP) messages used to route calls and carry calling and called party information.
Secure Handling of Asserted Information Using Tokens (SHAKEN) is the applied framework for deploying STIR technology within carrier networks. SHAKEN was developed in conjunction with STIR, and implementing it helps service providers authenticate and verify calls made or received over an IP network.
How Does STIR/SHAKEN work?
At a high level, the STIR/SHAKEN process works by way of key cryptography standards, which enable service providers to authenticate IP phone calls.
At a more detailed level, the STIR/SHAKEN process follows 8 distinct steps:
Step 1: Receiving the SIP Invite and the Need to Assign the Attestation Level
At the onset of a call, the VoIP provider receives a SIP INVITE which includes the origination and the number of the person making the call. The originating provider will use this information to determine the proper attestation level for the caller, for this specific call.
Step 2: The Attestation Level is Assigned
The caller’s originating service provider must assign an attestation level to said caller. In simpler terms, if Melanie initiates a call, her service provider must categorize that call in one of three attestation level buckets:
- Level A, Full Attestation - Melanie’s provider knows who she is and verifies that she is allowed to use the phone number from which she’s calling.
- Level B, Partial Attestation - While the service provider knows who Melanie is, they cannot confirm whether or not she’s authorized to make phone calls from that specific number.
- Level C, Gateway Attestation - Melanie’s service provider cannot authenticate the originator of the call, or the original source.
Step 3: The Originating Service Provider Adds Certificate Information to the SIP Identity Header
The Identity Header in the SIP INVITE is then augmented to include the service provider’s origination identifier, the attestation level, and an encrypted digital certificate of authentication.
Step 4: The Terminating Service Provider Receives the SIP INVITE with Augmented Identity Header Information
Next, the terminating service provider (the recipient's provider) receives and decrypts the certificate information, examines the SIP identity header data, and can see that Melanie’s service provider has provided an attestation level. Importantly, if Melanie’s call passes through one or more intermediate service providers between the call origination and the call termination, the additional SIP Identity Header information is passed along without any changes.
Step 5: The SIP Identity Header Information Is Sent for Verification
To obtain further proof of the validity of the Caller ID, the terminating service provider sends the SIP Identity header information to a STIR/SHAKEN verification service.
Step 6: The Verification Service Validates the Certificate Information
The verification service receives the digital certificate in the SIP Identity header from the terminating provider and uses certificate repositories to verify the call’s certificate information.
Step 7: The Verification Service Returns the SIP Identity Header Information to the Terminating Provider
After verifying the digital certificate, the verification service sends the SIP Identity header back to the recipient's provider, indicating its validity, and the call process keeps moving.
Step 8: The Intended Recipient Receives the Call
Finally, with the STIR/SHAKEN protocol completed and Melanie’s identity authenticated and verified, the intended recipient receives the call.
The highly technical STIR/SHAKEN process might seem excessive, but the defense it offers against bad actors with illegal, malicious intentions is both necessary and advantageous for service providers and consumers alike.
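The terminating-side checks from steps 4 to 7, as an added example that is not part of the original article or any vendor's code: it assumes the Identity header carries a signed PASSporT token as specified in RFC 8224, RFC 8225 and RFC 8588, decodes it, and compares its claims with the calling and called numbers from the INVITE. The function names, phone numbers, URL, digits-only number format and 60-second freshness window are assumptions of this example, and the signature and certificate-chain validation that a verification service performs against the certificate at `x5u` is not included.

```python
import base64, json

def b64url_decode(seg):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_identity(value):
    """Split an Identity header value into PASSporT header, claims and parameters."""
    token, *params = [p.strip() for p in value.split(";")]
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("PASSporT needs three dot-separated segments")
    hdr, claims = (json.loads(b64url_decode(p)) for p in parts[:2])
    return hdr, claims, dict(p.split("=", 1) for p in params if "=" in p)

def check_claims(hdr, claims, from_tn, to_tn, now, max_age=60):
    """Return a list of problems; an empty list means the claims match the INVITE."""
    problems = []
    if (hdr.get("alg"), hdr.get("ppt"), hdr.get("typ")) != ("ES256", "shaken", "passport"):
        problems.append("unexpected PASSporT header")
    if not str(hdr.get("x5u", "")).startswith("https://"):
        problems.append("x5u is not an https URL")
    if claims.get("attest") not in ("A", "B", "C"):
        problems.append("invalid attestation level")
    if not claims.get("origid"):
        problems.append("missing origid")
    if claims.get("orig", {}).get("tn") != from_tn:
        problems.append("orig tn does not match calling number")
    if to_tn not in claims.get("dest", {}).get("tn", []):
        problems.append("dest tn does not match called number")
    if abs(now - claims.get("iat", 0)) > max_age:
        problems.append("iat outside freshness window")
    return problems

def sample_identity(iat, attest="A"):
    # Constructed sample: numbers, URL and origid are made up, and the third
    # segment is a placeholder, not a real ES256 signature.
    hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
           "x5u": "https://certs.example.org/sp.pem"}
    claims = {"attest": attest, "dest": {"tn": ["12155550113"]}, "iat": iat,
              "orig": {"tn": "12155550112"},
              "origid": "123e4567-e89b-12d3-a456-426655440000"}
    token = f"{b64url_encode(hdr)}.{b64url_encode(claims)}.c2lnLXBsYWNlaG9sZGVy"
    return f"{token};info=<https://certs.example.org/sp.pem>;alg=ES256;ppt=shaken"
```

A claim set that passes these checks still proves nothing until the signature over the first two segments has been verified against a certificate that chains to a trusted STI certificate authority.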
Why is STIR/SHAKEN Important?
The significance and value of STIR/SHAKEN cannot be overstated, especially as robocalls and caller ID spoofing continue to grow in sophistication and potential risk. The process is intricate, but it offers businesses an extra layer of protection along with a few other benefits.
- Minimizes potential fraud - STIR/SHAKEN was born out of a need to protect consumers’ personal information and funds, as some of the fraudulent activities include spoofing credit card validation services. Posing as legitimate organizations, bad actors were getting through blocked caller lists and potentially coercing victims into sharing their financial information. In fact, Americans are projected to lose nearly $40 billion to robocall scammers by the end of 2022, a year-over-year increase of 108%.
- Reduces robocalls - STIR/SHAKEN is designed specifically to reduce the number of robocalls made with spoofed Caller ID, thereby decreasing the likelihood of a consumer answering a spam phone call. Spammers and robocalls get in the way of legitimate business productivity, costing time and money because customers choose not to answer phone calls.
- Protects business reputation - Service providers benefit from STIR/SHAKEN, too, since the associated technology and framework enable them to offer safer, more controlled, transparent services to their customers.
Of course, STIR/SHAKEN doesn’t eliminate the robocall / fraud problem altogether, but it is a step in the right direction in terms of reducing illegitimate, potentially harmful robocalls and Caller ID spoofing efforts.
What STIR/SHAKEN Can and Can’t Do
The fight against robocalls and call spoofing is ongoing. There isn’t a ubiquitous, foolproof solution for identifying and eliminating bad actors. While STIR/SHAKEN can reduce the number of robocalls made using spoofed caller IDs, service providers should take further action to protect their consumers.
For instance, while STIR/SHAKEN makes it harder for scammers to steal information from you by validating phone numbers, it cannot legally punish scammers, nor can it offer consumers a guarantee that a specific robocall doesn’t have malicious intent. Because of this, providers should apply other levels of security, including personalized call screening tools and call blocking lists, to gain even more control over how calls are handled.
STIR/SHAKEN is a jumping-off point, but it will not eliminate the chance of malicious calls made by bad actors. Service providers should also offer additional network security and monitoring services that help them authenticate caller identity and reduce the risk of cybercrimes.
As FCC mandates evolve, bad actors will seek new ways to circumvent network security measures in place. Service providers will need to manage evolving threats with a foundation of strong technology solutions and implementation practices.
Mitigate Robocalls with Ribbon’s STIR/SHAKEN Solutions
Protecting consumers from unlawful robocalls and caller ID spoofing requires a proactive strategy and advanced technology. With the right STIR/SHAKEN solution, service providers can move closer to restoring their end customers’ trust in the “validity of caller ID.”
Service providers can choose between two Ribbon STIR/SHAKEN solutions. The first is a hosted STIR/SHAKEN as a Service (S/SaaS), where Ribbon takes care of all the STIR/SHAKEN authentication, signing, verification, and certificate management services. The second is the Ribbon Secure Telephone Identity solution, which the service provider deploys in its own network. This solution encompasses all the components that are integral to, and required for, caller identity authentication, signing, verification and certificate management.
Remedy your robocall situation with STIR/SHAKEN and satisfy your subscribers.