US telcos are employing a cross-network number verification approach to fight phone scam and robocalling, but the solution is far from a silver bullet.
Employing protocols called Shaken (Signature-based Handling of Asserted information using toKENs) and Stir (Secure Telephone Identity Revisited), this new approach aims to authenticate calls and deter illegal caller ID spoofing, in which a call appears to be from a legitimate phone number but is not.
AT&T and T-Mobile US are the latest carriers to announce Shaken/Stir initiatives, disclosing in mid-August that they are now delivering this technology across both their networks.
Shaken/Stir (also called Stir/Shaken) represents a milestone toward protecting consumers from scam and fraud robocalls. Robocalls and spoofing are the top complaints made to the US Federal Communications Commission (FCC) and Federal Trade Commission. YouMail, a developer of robocall-blocking software, said about 47.8 billion robocalls were made in 2018.
The problem is not just that these calls are unwanted. Scammers use the phone to prey on the elderly and vulnerable, defrauding them of their money and valuables. Individuals from all walks of life are increasingly unlikely to answer the phone if they aren’t 100 per cent sure of who is calling – a growing problem that further isolates people and prevents them from receiving important and even emergency calls.
Shaken/Stir is designed to deter spoof calls and reassure the public that incoming calls are validly identified, ensuring the number appearing on their caller ID is truly the one from which the call was placed. This is done by having telcos attach a “digital signature” to caller ID information that accompanies every call originating on their network, allowing the network operator delivering the call to verify that it is from the identified party. That information is then passed along to the call recipient on their caller ID display.
The hope is that consumers will be able to trust the caller ID information they see. However, the reality is that problems will remain.
Calls whose originating number is not confirmed through Shaken/Stir will still be delivered, alongside a caller ID notification indicating the lack of authentication. Consumers will have to assess whether to answer each call based on the verification information they receive from their network provider.
Phone customers can employ call blocking tools, often available on an opt-in basis from their carrier, but those are separate from Shaken/Stir. The FCC voted in June to let carriers proactively block identified robocalls by default based on reasonable call analytics. Shaken/Stir, because it provides more information about a call’s point of origin, will be key to these evolving default blocking efforts.
The largest US telcos are quickly deploying Shaken/Stir, in part to pacify the FCC, which is pressuring them to voluntarily deploy the technology by the end of the year. However, their networks are not the biggest source of spoofed calls and robocalls.
Earlier this year, networking services firm Transaction Network Services reported that just 10 per cent of “high risk” robocalls originate from tier 1 carriers (AT&T, CenturyLink, Comcast, Sprint, T-Mobile and Verizon), even though they account for 75 per cent of total call volume. Instead, hundreds of smaller, non-tier 1 networks are the source of most robocalls.
Unfortunately, those are also the least likely to implement Shaken/Stir technology because it requires carriers to use compatible digital technology on their network – something in which many smaller carriers have not invested. Besides, calls that originate internationally will bypass Shaken/Stir validation.
Despite these drawbacks, the advent of Shaken/Stir provides hope that carriers finally have useful technological tools at their disposal to protect their customers from the relentless spoofing and robocalling scourge.