Identity Assurance in Real-Time
The good news is there is a tremendous amount of information available that can be used to determine identity. These include sources such as:
- Known subscriber numbers - identified by the originating network operator
- Do Not Originate Lists – known numbers that will never originate calls
- Un-assigned numbers - from industry databases and from individual network operator databases
- Invalid calling numbers – based on national/international telephone numbering plans, these are numbers that can be screened out in call processing
- Known fraud and spam numbers - from 3rd party databases and from individual network operator databases (blocked numbers)
- STIR/SHAKEN attestation – information provided by the originating network provider signing the identity of the originating caller
The bad news is caller identity does not address caller intent, so it is possible to have legitimate numbers with a valid identity, but still have calls with malicious intent.
In the United States, everyone with a US-issued credit card has likely heard of a FICO score, a measure of consumer credit risk that is a fixture of consumer lending. Imagine a reputation score that measures caller intent; that would be the equivalent of a FICO score. The better the score, the more reputable the call is likely to be.
To use a reputation score as part of identity assurance, accuracy is paramount. If you get the reputation of a caller wrong, the score might be worthless. This applies in both directions: too good and too bad. When the reputation is too good but should be worse, you might not know when to reject calls from that source. When the reputation is too bad but should be better, the terminating end might not know that it wants to accept those calls.
Simply put, trust context is a measure of the match between the call origination information and how the call enters the terminating service provider’s network. To understand trust context you need to know about the originator’s location, where the call enters your network, and what information you have about the originating caller.
For example, is the call coming from:
- A known subscriber on a local network interface? These should always be verified as trusted
- A known subscriber from a peering partner? These might be trusted or they might be spoofed
- An unknown subscriber from an international carrier? This will not be verified and could be spoofed
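The trust-context questions above, combined with the identity sources listed earlier, can be sketched as follows. This is an added Python example, not Ribbon's code or product logic. The number sets, the `Call` fields, the result labels, and the rule that full attestation settles the peering case are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for operator and industry databases.
KNOWN_SUBSCRIBERS = {"+12145550100", "+12145550101"}
DO_NOT_ORIGINATE = {"+18005550199"}
UNASSIGNED = {"+12145550999"}
KNOWN_FRAUD = {"+13125550142"}

E164 = re.compile(r"^\+[1-9]\d{1,14}$")
# Simplified NANP shape (area code and exchange start with 2-9), not a full numbering plan.
NANP = re.compile(r"^\+1[2-9]\d{2}[2-9]\d{6}$")


@dataclass
class Call:
    calling: str                       # calling number in E.164 form
    ingress: str                       # "local", "peer" or "international"
    attestation: Optional[str] = None  # "A"/"B"/"C" from an already verified PASSporT


def screen(number: str) -> Optional[str]:
    """Return a rejection reason if a screening list or the numbering plan rules the number out."""
    if not E164.match(number) or (number.startswith("+1") and not NANP.match(number)):
        return "invalid-number"
    if number in DO_NOT_ORIGINATE:
        return "do-not-originate"
    if number in UNASSIGNED:
        return "unassigned"
    if number in KNOWN_FRAUD:
        return "known-fraud"
    return None


def trust_context(call: Call) -> str:
    reason = screen(call.calling)
    if reason:
        return "reject:" + reason
    known = call.calling in KNOWN_SUBSCRIBERS
    if known and call.ingress == "local":
        return "trusted"
    if known and call.ingress == "peer":
        # Assumption: only full attestation ("A") settles the trusted-or-spoofed question.
        return "trusted" if call.attestation == "A" else "possibly-spoofed"
    # Everything else, including unknown callers on international trunks, stays unverified.
    return "unverified"
```

Screening runs before the ingress check, so a number on the Do Not Originate list is rejected even when it arrives from a peer with full attestation.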
Ribbon Call Trust
As part of Ribbon Call Trust, our session border controllers, gateways, centralized policy server, and our call controllers have additional features to support STIR/SHAKEN. In addition, one new product and two new Ribbon hosted services have been introduced:
- Ribbon Secure Telephone Identity (STI). This is a complete call authentication, signing, and verification solution to prevent caller ID spoofing in real-time that can be deployed in a service provider’s network. It is compliant with ATIS-1000082 and RFC8224/8225/8226.
- Ribbon hosted services for STIR/SHAKEN and Reputation Scoring. Both of these services are enabled by Ribbon Identity Hub, our cloud-native SaaS platform.
  - STIR/SHAKEN as a Service. A complete call authentication, signing, and verification solution to prevent caller ID spoofing in real-time. It is compliant with ATIS-1000082 and RFC8224/8225/8226.
  - Reputation Scoring. Provides multi-dimensional reputation scores and guidance for call treatment in real-time, on a per-call basis, to mitigate telephony fraud, nuisance, and robocalls. Reputation scoring can be provided for call termination in both IP and TDM networks.
  - These hosted services are offered by Ribbon in a standard SaaS model where the service is consumed on a usage basis.