All you need to know about STIR/SHAKEN
Introduction
Spam calls have gone far enough. Out of the billions of automated calls made every month, at least 40% are fraudulent. There are tons of phone calls out there, fueled by a thriving scam business. Not only are these calls disruptive and annoying, but they are deceiving. There are enough people who fall for these calls that scammers keep making money from them. It’s embarrassing and horrifying to lose money because you unknowingly gave away personal information over the phone. People have a right to privacy in their own homes, and that includes privacy over channels of communication.
On top of that, some people need to expect phone calls from strangers all the time. If your cell phone is also your work phone, you’ll probably be expected to answer it at a moment’s notice. Without your phone, you’ll lose business because people won’t find your services. But what happens when your phone is assaulted by constant spam calling? How do you deal with answering the phone when any inbound calls could be unwanted robocalls? It’s difficult to maintain your peace of mind when any call could either be a legitimate client or a scammer. Such calls make relaxation difficult since scammers could contact you at any time. Their illegal communications tie down your resources that should be used for real clients.
The difficulty lies in the number itself: scam calls can mimic real numbers. Without this ability, you could almost always tell a scammer just by looking at the number. If your phone suspects something, the caller ID display will tell you “Unknown Number,” or even “Scam Likely.” Indeed, some calls don’t even make it that far; phones can block them before they ever come through. But that’s where scammers have adapted to an environment of suspicion and distrust by using your own instincts against you.
Robocalls are able to trick, or “spoof,” communications software into believing that their call is legitimate. They do this by masking their signal with a false area code. If scammers get your number, they most likely know your area code and geographical region. With that information, it’s easy to piggyback that code onto their original outbound scam call. It’s very difficult for phone companies to tell the difference between legitimate calls and “spoofed” calls from another region (especially in real time). This advance in scammer software has made adaptation necessary, which is where STIR/SHAKEN’s software comes in.
What is the FCC doing about spoofing?
But first, what is spoofing? Spoofing is when spam calls try to mask their signature of origin. They feed the wrong phone numbers to a telephone network and try to slip in with other outbound calls. If you want an analogy, imagine your service provider as a strong castle. There are guards on the walls to prevent thieves and enemies from attacking. But what if a thief disguised himself as a guard and walked right through the gate? That’s how spoofed robocalls work: they spoof the guards and sneak into your voicemail. The same goes for text messaging and holds true for both landline phones and cell phones.
Because of how easily unwanted calls can “sneak past” your telephone service provider, fraudulent robocalls continue to infiltrate millions of phones across the world. If spoofed calls use your area code, your caller ID can’t distinguish between illegal robocalling and regular incoming calls. It’s as if the guards are wearing blindfolds.
While the FCC serves many purposes, a lot of its potential is eaten away by scammers. Because of the rampant scamming problem (the number one consumer complaint at the FCC is illegal robocalls), it’s difficult to focus on other aspects of their duties. By solving the caller ID spoofing problem, the FCC hopes to stop a huge chunk of illegal robocalls—and a huge chunk of their problems, as well. It’s like cleaning up your house before holding an important event. Before getting to more important things, you have to take out the trash.
For years the FCC has provided several measures to prevent and prosecute unlawful robocalls. One such act was the TCPA, or Telephone Consumer Protection Act. It allows authorities to take strict actions against fraudulent robocalls and even outlines regulations on legal businesses’ actions. For example, one provision of the act prevents telemarketers from calling you before 8 AM and after 9 PM.
Don’t want telemarketers to call you at all? The FCC also set up the Do Not Call list. As the name implies, putting your phone numbers on this list makes it illegal for businesses to cold-contact you. That’s it. And there are some strong measures to take against businesses that don’t respect the registry.
The most recent step in preventing illegal robocalling began in 2018, when the FCC and Chairman Ajit Pai came down hard on telephone network providers to set up some kind of authentication network, like a service checkpoint calls have to stop at before reaching their destination. By June 30th, 2021, every originating and terminating voice service provider must have certified caller ID authentication technology in place.
This technology will check each calling number and ensure that it comes from the place it claims, instead of whatever area code the scammer might attempt to spoof. It’s a tool that will allow the FCC and TCPA to enforce the legislation they’ve had in place for years. Authentication will help phone security systems to catch up to the modern era, preventing unwanted calls from taking over the phone lines. It will also hold phone service providers accountable for how well they provide reliable caller ID information and what they do to prevent illegal robocalling. The name of this legislation and its accompanying program is STIR/SHAKEN.
What is STIR/SHAKEN?
STIR/SHAKEN is a program designed to authenticate calls so that scam calls are caught before they even reach you. It stands for Secure Telephone Identity Revisited and Signature-based Handling of Asserted information using toKENs. Note that only the capitalized words made it into the acronym since STIRSBHoAIUT isn’t nearly as catchy (even if it has almost every vowel in the English language).
STIR/SHAKEN intends to shake up the game against scam calls and robocalls. For decades, unwanted calls have fooled every service provider with ease, ruling phone lines like bandits in the wild west. Illegal robocalls use spoofing to mimic local signals, disguising themselves as phone calls from a trusted business or local authority. STIR/SHAKEN’s goal is to run the digital signature of incoming calls through a stringent verification system. This verification will confirm whether the calling party’s asserted information is true, or if the originating service provider is masking unlawful robocalls with illegal spoofing. With caller ID authentication, STIR/SHAKEN will block anything it detects as an unwanted robocall before you even hear the phone ring.
When announcing the program, FCC Chairman Ajit Pai said, “American consumers are sick and tired of unwanted robocalls, this consumer among them. Caller ID authentication will be a significant step towards ending the scourge of spoofed robocalls. It’s time for carriers to implement robust caller ID authentication.”
When did the FCC adopt STIR/SHAKEN?
Although scam calls have been a nuisance since, practically, the dawn of time, it’s only been in recent years that STIR/SHAKEN has been considered as a solution. The biggest reason for its implementation is that scammers are adapting as new technology becomes available to them. It’s easy for scammers to change the appearance of an outbound call. While there are systems in place to detect tricky calls, there hasn’t been much progress in the coding/hacking realm of scams.
So in July of 2017, the Federal Communications Commission opened discussions on how best to combat robocalls. The most agreeable solution was some way to prevent ID spoofing. Since so many scam robocalls use spoofing, stopping the spoof could also stop a lot of the calls.
About a year later, in 2018, Chairman Pai enacted measures to have phone companies adopt security protocols that meet STIR/SHAKEN’s standards. That way, consumer phone protection will be uniform across a diverse field of competing companies. After a few years of summits, committees, and discussions, STIR/SHAKEN will finally launch this year on June 30th, 2021.
How does STIR/SHAKEN work?
STIR/SHAKEN uses a multi-point authentication system to pinpoint a call’s origin. It’s kind of like having multiple people watching the same target. These authentication “checkpoints” create individual confirmations of the call’s origin by tracking its digital signal. The first step is issuing each call a digital certificate, which ensures the security of the call itself. The digital certificate is issued by a trusted system that has verified the call with their software.
STIR/SHAKEN also makes sure that the digital certificate is verified at each step of the way. Three primary attestations can be made when verifying a call:
- Full Attestation, in which the calling party has been identified and legitimized. This is the first “checkpoint,” in the sense that STIR/SHAKEN will attempt to halt any calls that do not meet this checkpoint’s requirement.
- Partial Attestation, which means that the call is verified, but not the source. In other words, an authenticated call may have the same level of trust as a regular call, but it shows something that needs to be investigated. The whole point of spoofing is to pretend your call is coming from somewhere else. Therefore, any call whose origin is uncertain comes under suspicion. When partial attestation is passed on inbound calls, those calls are classified differently than those that can be fully proven.
- Gateway Attestation, which means that a call’s origin is confirmed, but not the exact source. In other words, the phone company’s system is confident they know where the call comes from, and is still looking to find who made the call. If the calling party isn’t immediately known, that raises a few red flags. Phone companies are great at bringing the world together with each phone call (or text message), but they don’t want to have scam callers going out of their country (or coming in). Therefore, they set up gateway attestation to prevent misunderstandings from arising even with a partially authenticated call. By the way, the term “gateway” refers to the possibility that such an unconfirmed call might come from an international gateway.
It should be noted that calls without any authentication don’t have any kind of classification at all. As soon as STIR/SHAKEN detects a problem in the spam call, it blocks the number and prevents it from reaching any sort of destination. No use wasting a classification system on an illegal robocall you’re just going to delete, after all. The idea is that such calls should be stopped wherever they “check in” with the phone company. And because many scam calls are, unfortunately, international, prioritizing international calls is a reasonable step. After all, those calls have to meet certain requirements before passing through, anyway, so why not have them authenticated before sending them on their way?
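The token and attestation levels described above, as an added example that is not part of the original article: a terminating-side check that decodes the token carried in a SIP Identity header and compares its claims with the call. Field names follow the SHAKEN PASSporT format (RFC 8225 and RFC 8588); the phone numbers, certificate URL, origid, placeholder signature and 60-second freshness window are constructed assumptions.

```python
import base64
import json

LEVELS = {"A": "full", "B": "partial", "C": "gateway"}

def _dec(seg):
    # JWS segments are unpadded base64url; restore padding before decoding.
    obj = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def _enc(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _tn(number):
    return "".join(ch for ch in str(number) if ch.isdigit())

def check_identity(value, sip_from, sip_to, now, max_age=60):
    """Return (attestation, problems) for one SIP Identity header value."""
    # The ES256 signature is NOT verified here; claims are untrusted until it is.
    try:
        token, *params = [p.strip() for p in value.split(";")]
        info = dict(p.split("=", 1) for p in params if "=" in p)
        head_seg, claims_seg, _sig = token.split(".")
        head, claims = _dec(head_seg), _dec(claims_seg)
        problems = []
        if (head.get("alg"), head.get("ppt"), head.get("typ")) != ("ES256", "shaken", "passport"):
            problems.append("not a SHAKEN PASSporT")
        if info.get("info", "").strip("<>") != head.get("x5u"):
            problems.append("x5u does not match info parameter")
        if claims.get("attest") not in LEVELS:
            problems.append("unknown attestation level")
        if not isinstance(claims.get("iat"), int) or abs(now - claims["iat"]) > max_age:
            problems.append("iat outside freshness window")
        if _tn((claims.get("orig") or {}).get("tn", "")) != _tn(sip_from):
            problems.append("orig does not match From")
        if _tn(sip_to) not in [_tn(t) for t in (claims.get("dest") or {}).get("tn", [])]:
            problems.append("dest does not match To")
        return LEVELS.get(claims.get("attest")), problems
    except (ValueError, AttributeError, TypeError) as exc:
        return None, ["malformed: %s" % exc]

def sample_identity(attest, orig, dest, iat):
    # Constructed sample: placeholder signature and example.org certificate URL.
    x5u = "https://certs.example.org/sp.pem"
    head = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    claims = {"attest": attest, "dest": {"tn": [dest]}, "iat": iat,
              "orig": {"tn": orig}, "origid": "00000000-0000-4000-8000-000000000000"}
    return "%s.%s.c2lnbmF0dXJl;info=<%s>;alg=ES256;ppt=shaken" % (_enc(head), _enc(claims), x5u)
```

A real verification service must first validate the signature against the certificate at x5u; only then do the attestation level and the number checks carry any weight.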
Can spam calls hack your phone?
It is possible to have your phone compromised by a hacker. The encouraging thing is, there are ways to prevent being hacked. First, keep your phone right by you at all times (which is what most people are doing already!). Next, enable encryption or data protection on your phone, and turn off WiFi and Bluetooth when you’re not using them. Because most of a phone’s identification and information are locked in the SIM card, put a passcode on any SIM card functions. Lastly, keep up to date, and don’t allow any business to take your personal information. Most hacks and scams go after low-hanging fruit because it’s easier and faster. Like pack animals, scammers will hunt the herd members who have fallen behind and haven’t taken steps to protect themselves. The good news is that a few simple measures can make you much less likely to be scammed or hacked. Making yourself a well-defended target reduces the risk significantly, as even the threat of a proper defense deters most scams and hacks.
What is the best robocall blocker?
While there are many apps, programs, and other methods of protecting yourself against robocalls, the best robocall blocker is yourself. Just hang up whenever you think you’ve received a scam call. It’s not like the people on the other end can actually enforce what they’re saying. If it’s suspicious, hang up immediately.
But other programs can help prevent robocalls from even reaching your phone. Neustar and Nomorobo (“No more robo”) are two good ones. There’s also the national DNC list. The DNC (Do Not Call) list makes it illegal for any business to cold contact you, regardless of whether it’s a scam or not. There are heavy fines for those who disregard the DNC list and call anyway. Please keep in mind that even with protective programs in place, you may still occasionally get a scam call that breaks through. Downloading a program doesn’t mean you should drop your common sense. Hang up on any scam calls you receive. If the problem is getting bad enough, feel free to submit a complaint to the FCC. Outside of the US? Contact your local government or communication authority and ask for help dealing with nuisance calls.
Conclusion
STIR/SHAKEN will help keep our phone lines safe. Its multi-point authentication system, as well as its ability to track a call’s digital signature, will put the FCC on par with scammers’ abilities. While the ultimate goal is to find scam farms and arrest those responsible for running frauds, another helpful measure is to reduce their calls’ effectiveness. If the calls don’t reach anyone, then people can’t be scammed by them. Robocalls have become such a huge problem, with so few recent developments against them, that STIR/SHAKEN lets us all breathe a huge sigh of relief. It restores our confidence that the US Government is handling this frustrating problem.
With new measures in place, consumers will have greater peace of mind when it comes to phone privacy. Not only will their livelihoods be less affected by fraudulent phone usage, but they’ll also have more time to answer other calls. While the occasional robocall may still break through the system, there are simple ways to defend yourself. Hang up the phone, don’t give in to any demands, and don’t press any buttons or give them any information. By being careful on the phone, or over text messaging or email, you protect yourself and others. The fewer people who fall for these scams, the less capable scammers will be.