Thinking beyond STIR/SHAKEN. What can enterprises do today to fight robocalls?

Almost 3,000 robocalls take place around the world every second. The size of the issue is unprecedented. Robocalls and other unwanted calls (phishing calls, Wangiri, or spam calls) impact the whole telco ecosystem, from businesses to individuals, which is driving the launch of different regulatory initiatives globally to mitigate the impact of unwanted communications, including robocalls.

These uncoordinated regulatory initiatives are proving insufficient, and robocalls still pose a significant risk for telco parties and individuals worldwide, causing network overload, poor customer experience, and, most importantly, a severe impact on end-users (financial losses or personal data exposure). The fragmented regulatory environment creates confusion, complexity, slow adoption, and inefficiencies that generate loopholes in the protection measures and opportunities for fraudsters.

Let’s look at one of these regulatory approaches: the one proposed by the US regulator, American Federal Communications Commission (FCC), including STIR/SHAKEN among other components, to learn from its limitations.

Much has been written on STIR/SHAKEN since it was introduced by the FCC in 2019. In short, it is a set of protocols and governance intended to prevent CLI spoofing and determine the likelihood of a CLI being valid and non-spoofed. Since the Caller ID is spoofed in most robocalls to deceive the end-user and make the call look legitimate, STIR/SHAKEN was part of the FCC initiative to mitigate robocalls in the US.

STIR stands for “Secure Telephony Identity Revisited,” and SHAKEN stands for “Signature-based Handling of Asserted information using toKENs.” The framework uses cryptographic techniques to validate the authenticity of the caller ID information. The originating service provider digitally signs the calling number with a certificate from a trusted authority. Afterward, the destination service provider verifies the signature and ensures the call is safe.

Four years after the launch of STIR/SHAKEN, the results are far below what was initially expected and not in line with the efforts and investments consented to by the carriers. Indeed, end-users keep on being spammed daily; their experience remains poor. Several lessons should be learned from this initiative.

One of the main challenges with unwanted communications is that many of these originate internationally. The robocall mitigation regulatory initiative was not conceived to consider international communications nor STIR/SHAKEN.
For example, no telcos outside of the US implement STIR/SHAKEN. They don’t need to do so. Why would they spend money and effort on implementing it? At worst, the only traffic that may be affected is when US citizens travel and roam abroad.

Through several reviews of the initial robocall mitigation regulation, FCC is attempting to stretch the reach and impose the implementation of STIR/SHAKEN to the international intermediate gateway providers (FCC, page 3, note 4). FCC has finally acknowledged that international traffic is an essential piece in the puzzle but integrating retrospectively is complicated, and the chances of success are slim:

• The international intermediate gateway providers do not originate the calls. Trying to solve or even mitigate the robocalls problems from the termination side while the root cause of the problem is on the originating side does not work. The terminating National Regulatory Authority (NRA) cannot solve the problem alone.
• International intermediate gateway provider attestation of a CLI only proves that the CLI is not manipulated from the moment the international intermediate gateway provider receives the call. It does not guarantee that the CLI was not spoofed earlier in the chain.
• The best STIR/SHAKEN attestation level for a CLI that an international intermediate gateway provider can use is ‘C,’ representing the lowest trust level (FCC, p.5 note 24). Indeed, all calls rendered by an international intermediate gateway provider will be attested to ‘C.’ What is the value of it versus no attestation at all? The benefits of such attestation are null regarding the safety of consumers, but the cost of implementing STIR/SHAKEN will be heavy.

The consequence of all this is that international robocalls remain untapped by STIR/SHAKEN and the FCC regulation, and instead, we see genuine international traffic that is unduly blocked, impacting businesses and end-users globally. For example:

• The cloud-based communications traffic and local DIDs traffic may show a particular profile that, if not understood correctly, may lead to having it blocked or flagged as malicious. These genuine traffic blocks impact businesses globally.
• the US end-user may not accept international roaming traffic unless the calling number is well-known.

It seems clear that coordination is the key, that international communications must be watched from the beginning, and that we should aim for end-to-end approaches.

STIR/SHAKEN can only be used on IP technology. The CLI attestation is encrypted in the IP headers. STIR/SHAKEN doesn’t work on legacy technology networks. Some US carrier ecosystems do not run on IP networks and cannot implement STIR/SHAKEN. Any attested-CLI traffic that goes through one of the non-IP networks loses the attestation.

This means that some carriers’ investment and effort in deploying STIR/SHAKEN loses value as soon as the calls reach a non-IP network. STIR/SHAKEN cannot be considered a standalone component for international communications, where legacy technologies remain very present.

To be effective, all technologies need to be considered to avoid having malicious communications shift to the areas that are less protected (international traffic streams, non-IP networks, etc.). A set of solutions and components that can address the varying reality of each Telco party should instead be considered. Each party should then be able to implement the most relevant component.

STIR/SHAKEN is complex and requires a digital signature to be integrated into the SIP signaling and robust security. The deployment is also complex and has a significant cost not all carriers and parties in the ecosystem may afford.

As mentioned previously, the ecosystem of fighting international fraud is fragmented, with various rules emerging worldwide that don’t communicate with each other. Like FCC, the European Telecommunications Standard Institute (ETSI) works on regulations close to STIR/SHAKEN applicable to the European market. There are other nascent initiatives within EU to stablish a regulatory collaborative framework. A cohesive international ecosystem would be developed in an ideal world to fight fraud successfully.

Currently, there is no coordination or regional alignment in the strategies that NRAs are taking globally to mitigate the impact of unwanted communications. Some regulations may even be in conflict with each other (for example, one regulation obliges to share data while another may prohibit it; one regulation pushes for overblocking while another does not allow it).

This disparate approach has limitations as every international carrier is left to interpret and implement, at best, the different regulatory strategies. This lack of consistency creates gaps and loopholes that fraudsters can exploit and creates a whack-a-mole dynamic situation where fraud only shifts from one angle to another.

NRAs should globally seek for cooperation and coordination to build a more robust strategy to fight unwanted communications where international carriers can work consistently as partners actively fighting fraud.

What steps can companies take?

There are examples of several tools that can already be used to act, including in the international space, and fight unwanted calls:

• Basic CLI validation techniques are available such as validation against detailed national numbering plans, knowledge of the use cases that a number is allocated to (for example, cloud communications, contact centre, etc.), validation of the traffic profiles (if the scale of the traffic carried by the company allows for it.) and adoption of DoNotOriginate (DNO) lists in the countries where these are available.
• Collaboration to traceback activities to identify the rogue parties.
• Vetting processes that consider fraud to accept new partners, either customers or suppliers.
• Apply KYC (Know Your Customer) and KYT (Know Your Traffic) principles to assess the validity of the calls
• Build tools with technology that allows for an agile approach, optimal traffic validation, and immediate active protection.

Thanks to these techniques, BICS constantly identifies and blocks robocalls to protect its customers and end-users globally.

Industry players also need to develop solutions that address the challenge. If STIR/SHAKEN is the only or the main element in a robocall mitigation strategy, an asymmetry in the market is created and a significant portion of the issue is not addressed (international traffic, traffic originated with wrong CLIs but still validated by the origin, etc.)

While STIR/SHAKEN could be one of the components of an end-to-end approach to mitigate robocalls, other components should be considered as alternatives or even additions to allow as many parties as possible to participate in fighting unwanted and malicious communications, including the international carriers who can help make a difference.

Learn more about the need for cohesion and building trust across the industry in our recent podcast with the Cloud Communications Alliance. Please also check out the i3 Forum initiative to bring Trust into Communication through the One Consortium initiative. Undoubtedly, all industry players must cooperate to achieve this common goal, making it a highly challenging but still tangible mission.