What is STIR/SHAKEN and how does it impact robocalling?Follow
If you’ve followed the communications industry at all over the past few years, you probably heard about STIR/SHAKEN. It's a technology framework that seeks to reestablish trust in voice communications by taking a stronger stance against practices like illegal spoofing for malicious robocalling to help protect consumers against fraud and abuse.
What is STIR/SHAKEN?
The Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act was signed into law on December 30, 2019, to address the problems of robocalling and illegal phone number spoofing. The FCC’s implementation of this law includes requirements for Service Providers to implement robocall mitigation solutions within 18 months of the passage of the law, or June 30, 2021.
Secure Telephone Identity Revisited (STIR) and Secure Handling of Asserted information using toKENs (SHAKEN) are telecom industry standards designed to enable service providers to cryptographically sign (or attest) calls in the Session Initiation Protocol (SIP) header.
The process uses a trusted public key infrastructure to enhance the integrity of the originating call identifying data sent across networks. With STIR/SHAKEN, SIP headers will include a level of confidence indicator from the originating service provider to signal whether the party originating the call has the right to use the number via the attestation field.
There are 3 levels of attestation that can be indicated by the originating service provider:
- Full (A) Attestation - the service provider has authenticated the customer originating the call and they’re authorized to use the calling number.
- Partial (B) Attestation - the service provider has authenticated the customer originating the call but can't verify they’re authorized to use the calling number.
- Gateway (C) Attestation - the service provider has authenticated from where it received the call, but can't authenticate the call source (e.g., International Gateway call).
In addition to the attestation level, the originating service provider provides data in the header to facilitate traceback identifying where the call entered their network.
What is the driving force behind STIR/SHAKEN adoption?
Fraud and abuse in the form of robocalling and, in particular, illegally spoofed robocalling, is the number one consumer complaint to the FCC. STIR/SHAKEN is just one tool in a broader industry initiative that seeks to prevent bad actors from exploiting businesses and consumers.
At the same time, consumers expect and demand the successful delivery of relevant communications, such as school closure notifications or prescription reminders.
Bandwidth is actively engaged in efforts to implement the most robust call authentication framework possible, while also working diligently to stop the transmission of illegal robocalling on our network holistically. We continue to lead industry efforts and best practices, including a three-pronged operational approach (prevent, detect, and mitigate) to stopping illegal robocalls.
Read more about Bandwidth's approach to fighting telecom fraud.
What is the difference between STIR and SHAKEN?
STIR is a working group within the Internet Engineering Task Force (IETF), an organization that develops and promotes internet standards. STIR produces the internet standards that form the basis of what is referred to as STIR/SHAKEN, including:
SHAKEN defines the extensions and industry framework for the deployment and interworking of the technology in service provider networks. Additional draft standards are currently being developed to target use cases beyond the scope of those addressed by SHAKEN (ATIS-1000074.v002).
How does STIR/SHAKEN work in a call path?
When originating a call on the network, the originating service provider’s Secure Telephone Identity Authentication Service (STI-AS) creates an encrypted SIP identity header that includes the following data:
- Attestation level
- Date and time
- Calling number
- Called number
- Orig ID for analytics and/or traceback
- Location of certificate repository
- Encryption algorithm
The SIP INVITE with the SIP Identity header is sent by the originating service provider and received by the terminating service provider.
The terminating service provider invokes an STI Verification Service (STI-VS) to decode the SIP identity header and perform verification of the data transmitted in the call. Depending on the results of the verification, information can be passed in a verification status or verstat parameter indicating the results of the verification step.
The call is completed to the receiving party with potentially some optional treatment like a display that is dependent on the level of attestation and the resulting verification. For example, this could be “valid number” or green checkbox for a fully attested call, or labeled as “possible spam” for a gateway-attested call without full attestation.
The following diagram shows the high-level call flow for SHAKEN calls:
- SIP INVITE is received by the originating service provider who looks at the call source (customer) and calling number to determine the level of attestation to provide for the call.
- The originating service provider sends SIP INVITE to the authentication service.
- Authentication service returns SIP INVITE with SIP Identity Header containing PASSporT header, PASSporT payload, PASSporT signature, encryption algorithm, and location of certificate repository.
- SIP INVITE with Identity header is sent to the terminating service provider.
- Terminating service provider sends SIP INVITE with Identity header to Verification Service.
- Verification Service obtains the digital certificate with the public key, decodes the identity header, and verifies that the originating service provider is authorized to originate calls for the calling number.
- Verification Service returns results indicating whether the Identity Header was valid and whether TN Validation passed, failed, or wasn't performed.
- The terminating service provider completes the call to the called party.
How is Bandwidth signing calls?
- Outbound calls from Bandwidth customers using U.S. phone numbers in their account are signed with “A” or full attestation.
- Outbound calls from Bandwidth customers using phone numbers that are not in their account are signed with “B” or partial attestation.
- Bandwidth doesn’t currently sign any calls with “C” or gateway attestation.
We strongly recommend that our customers consult legal counsel to determine if the above, combined with the filing of a robocall mitigation plan with the FCC, satisfies their regulatory requirements for STIR/SHAKEN.
What can I do to prepare for STIR/SHAKEN?
- Consult with your attorney to understand your regulatory obligations as a service provider.
- Consult with your equipment vendor to understand its readiness for receiving additional SIP headers that will result from STIR/SHAKEN.
- We recommend this guide containing the SHAKEN Policy Administrator Secure Telephone Identity (STI) Service Provider Methods and Procedures.
- All service providers must file a robocall mitigation plan with the FCC by June 30, 2021. Starting September 28, 2021, Bandwidth will not accept traffic from any provider not listed in this database.
What’s next for STIR/SHAKEN?
There are some use cases in which SHAKEN, as written, needs to be augmented. Examples of this include call forwarding or the ability to ring multiple devices simultaneously, which changes the destination called number and breaks the STIR/SHAKEN authentication process. The ATIS standard for Divert PASSporT (diversion) allows the originating service provider to add a second identity header to the call so that the inbound verification service can confirm the call has been legitimately retargeted. Another case is when a customer gets a number from one carrier and originates a call on a different carrier.
Both of these cases, among others, are being debated in the industry forums and may result in a customer needing to generate an Identity Header (or for Bandwidth or a third party to generate one on the customer’s behalf).
How will STIR/SHAKEN impact a call flow incorporating multiple carriers?
Authentication and signing of a call (STI-AS function) are done by the originating service provider, and verification of a call (STI-VS function) is done by the terminating service provider. The transit networks (intermediate service providers) in between should pass the identity header without modification.
Service providers that have implemented STIR/SHAKEN and are authenticating and verifying their own traffic can use Bandwidth as an intermediate service provider at no charge. You can enable our Transit Identity Service directly in the Bandwidth Dashboard. Bandwidth will convey the SIP header information with attestation for both inbound and outbound traffic.
Bandwidth International (formerly Voxbone) customers who are also approved STIR/SHAKEN service providers should contact their Account Manager or reach out to the Bandwidth Support Team to migrate their accounts to the Bandwidth Dashboard in order to enable this service.