SHAKEN/STIR — It’s not just for Robocall Prevention

Written by Donald St. Denis, TransNexus

Telemarketing has been around a long time. It surpassed direct mail in 1981. When VoIP (voice over internet protocol) became widely used in the early 2000s, robocalling, or auto dialing, took off. Some of these calls are telemarketing, but fraudsters and scammers also got into the act.

Efforts have been made in legislation and regulations to solve the problem of scam robocalls. One of the most promising is SHAKEN/STIR, a technique for authenticating caller ID information and digitally signing an outbound call, then verifying this information when receiving the inbound call.

This paper will demonstrate how SHAKEN/STIR isn’t just for robocall prevention. It will also be a valuable tool for telecom fraud prevention.

SHAKEN/STIR Overview: The Big Picture

SHAKEN/STIR doesn’t prevent robocalls. It prevents caller ID spoofing, a tactic used with scam robocalls. It’s an important part of a larger effort to provide robocall relief.

The originating service provider uses an authentication service to generate and digitally sign an Identity token. The token is put into the SIP signaling as the call makes its way to the terminating service provider, who uses a verification service to evaluate the legitimacy of the Identity token. No more spoofing.

Triangle of Trust

So, what prevents a spam robocaller from signing their calls with SHAKEN/Stir? A governance structure, which we call the “triangle of trust.”

Rules are established by a Governance Authority in advance. Then, members of the triangle of trust follow the rules as they work together to sign calls on a daily basis. Members of this triangle of trust include:

● Policy Administrator, which enforces the rules as it approves Certificate Authorities and authorizes telephone service providers. (iconectiv has been chosen as the Policy Administrator.)

● Certificate Authorities authorized to issue certificates for signing calls. (Certificate Authorities have not yet been announced.)

● Telephone service providers authorized to sign calls.

● Authentication Identity Token (PASSporT)

The attestation level reflects the originating provider’s knowledge of the authenticity of the caller ID information:

A. Full attestation. The provider knows the customer, knows the number, and knows the customer has been assigned that number.

B. Partial attestation. The provider knows the customer but is not sure that that customer is entitled to use that specific number.

C. Gateway attestation. The provider cannot attest either the customer or number. They are simply signing the call to provide traceback information. 

Telecom Fraud Prevention

Telecom fraud prevention experts will recognize how useful the information in the PASSporT would also be for researching calls in a telecom fraud attack, especially:

● Carrier that signed the call

● Attestation level

● Time of attestation

● Origination ID, a unique identifier used for traceback.

Let’s look at some of the ways a fraud analyst could use this information. Here are three use cases.

Use Cases

1. Call origination with unknown caller ID. The originating provider knows the customer and the numbers assigned to the customer. They see a call being set up with a caller ID that doesn’t match the customer’s assigned number. The provider wouldn’t want to sign the call with full attestation A. They’re using a number they shouldn’t be using. This is the whole point of SHAKEN/STIR. They may wish to sign the call with partial attestation B to indicate they can vouch for the customer, but not the calling number. If the provider uses a switch that allows unregistered numbers, the provider may wish to block the call. In doing so, they may have prevented a fraud attack. 

2. Aggregator observes an IRSF attack. This is a somewhat complicated attack profile that we have observed. A fraudster hacks into a subscriber’s account and begins pumping traffic in an IRSF (International Revenue Sharing Fraud) attack. The calls may be spread across many intermediate carriers, perhaps as a result of a least cost routing algorithm. An intermediate carrier, or aggregator, can be able to see a larger portion of the distributed fraud attack. If these calls were signed using SHAKEN/STIR, the aggregator could use the certificate subject to find the common originating carrier. The aggregator could then contact the originator directly to find out what’s going on. This is a huge advantage over going back through the chain of carriers to trace back the call to its source. With SHAKEN/STIR, the aggregator can go directly to the originating carrier. It’s a tremendous leap forward in understanding a telecom fraud attack profile.

3. Call termination with invalid token. This use case would arise if a fraudster tried to hijack a call or change call information somewhere along the call path. As a result, the caller ID would fail verification. The terminating provider may wish to provider their subscriber with options to block or divert such calls. And since they have the origination ID, they can contact the originating carrier directly to find out what’s going on.

Great! So, when can we start?

FCC Chairman Ajit Pai called on voice service providers to implement SHAKEN/STIR in 2019, and many have announced they plan to meet this deadline. Some voice service providers are performing SHAKEN/STIR in their production networks today, so they’ll be ready on day one when the Policy Administrator and Certificate Authorities are up and running. These carriers also can use SHAKEN/STIR information in their telecom fraud prevention efforts today.

It’s not just for preventing caller ID spoofing and unwanted robocalls. SHAKEN/STIR is a powerful tool in the arsenal of fraud specialists too.