SHAKEN/STIR authentication and verification of secure caller ID
Unwanted robocalls have infected the telephone network. In December 2018, an estimated 4.7 billion robocalls were made to subscribers in the U.S. That’s 14.3 calls per person affected. Many of these unwanted calls are intended to defraud those who answer these calls.
Unwanted robocalls are the leading consumer complaint to the FCC in the U.S. and the CRTC in Canada.
Because of this flood of unwanted robocalls:
- Customers are reluctant to answer their phones
- Businesses struggle to reach their customers
- Telephone service providers see lower call completion rates
- Wholesale service providers must invest in more network capacity to handle the flood of robocalls, many of which are not answered
Robocall perpetrators use fake caller ID to trick subscribers into answering calls:
- Sometimes they use a number from a government agency or utility company to con people into sending money to the fraudster.
- Others use a number that resembles the called party’s number, a technique called neighbor spoofing, to make people think a neighbor is calling.
Solution: secure caller ID with SHAKEN
To give customers relief, the telecom industry has developed a way to secure the caller ID information so that people will know if the caller ID is either spoofed or legitimate. It’s called SHAKEN/STIR.
Fans of James Bond movies may recognize “stir” and “shaken” as alternative ways to mix a martini. SHAKEN/STIR advocates borrowed the idea to come up with memorable acronyms to describe the framework:
- STIR: Secure Telephony Identity Revisited. A framework for authenticating and verifying caller ID.
- SHAKEN: Secure Handling of Asserted information using toKENs. A specific framework built on top of the STIR framework that details how tokens should be used.
The initiative to design, agree on, promote and adopt SHAKEN/STIR is called Secure Telephone Identity (STI).
Because SHAKEN is the more thorough culmination of the specification, the initiative is often simply called “SHAKEN” in conversation. Besides, that’s how Bond prefers his drink.
How SHAKEN works
Although the SHAKEN technical details are involved, the general idea is simple:
- An originating service provider puts the call on the network. Using SHAKEN, that provider also authenticates the caller ID information. They know their customers, so they’re well-positioned to do that. They secure their authentication by signing the call using public key infrastructure, which is also widely used on the internet.
- A terminating service provider delivers the call to their customer. Using SHAKEN, that provider also verifies the caller ID information in the call, using the public key infrastructure to confirm that the information and signature still match, that is, that they were not tampered with or replayed in transmission.
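The sign-then-verify exchange described above, as an added example (not TransNexus code), using the PASSporT token format from RFC 8225 and Node's built-in crypto module. The key pair, phone numbers, certificate URL and 60-second freshness window are constructed assumptions, and the verifier is handed the public key directly instead of fetching a certificate and validating it against a trusted Certificate Authority.

```javascript
// Added example, not TransNexus code. Keys, numbers and URL are constructed.
const crypto = require('crypto');
const b64u = (v) => Buffer.from(v).toString('base64url');
const fromB64u = (s) => JSON.parse(Buffer.from(s, 'base64url').toString());

// Originating provider: sign the caller ID claims (PASSporT, ES256).
function signCall(privateKey, orig, dest, attest, iat) {
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport',
                   x5u: 'https://certs.example.invalid/sp.pem' }; // placeholder
  const payload = { attest, dest: { tn: [dest] }, iat,
                    orig: { tn: orig }, origid: crypto.randomUUID() };
  const input = b64u(JSON.stringify(header)) + '.' + b64u(JSON.stringify(payload));
  const sig = crypto.sign('sha256', Buffer.from(input),
                          { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return input + '.' + sig.toString('base64url');
}

// Terminating provider: signature, then freshness (60 s assumed), then numbers.
function verifyCall(publicKey, token, sipFrom, sipTo, now, maxAgeSec = 60) {
  const parts = token.split('.');
  if (parts.length !== 3) return 'malformed';
  const [h, p, s] = parts;
  const ok = crypto.verify('sha256', Buffer.from(h + '.' + p),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!ok) return 'bad-signature';            // claims were altered after signing
  const claims = fromB64u(p);
  if (Math.abs(now - claims.iat) > maxAgeSec) return 'stale'; // old token replayed
  if (claims.orig.tn !== sipFrom || !claims.dest.tn.includes(sipTo))
    return 'number-mismatch';                 // token replayed on a different call
  return 'verified';
}

// Constructed sample call plus three failure cases.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const t0 = 1700000000, from = '12025550100', to = '12025550199';
  const token = signCall(privateKey, from, to, 'A', t0);
  const [h, p, s] = token.split('.');
  const forged = fromB64u(p);
  forged.orig.tn = '12025550123';             // calling number changed in transit
  const tampered = [h, b64u(JSON.stringify(forged)), s].join('.');
  return {
    good: verifyCall(publicKey, token, from, to, t0 + 5),
    tampered: verifyCall(publicKey, tampered, '12025550123', to, t0 + 5),
    replayedLate: verifyCall(publicKey, token, from, to, t0 + 3600),
    replayedElsewhere: verifyCall(publicKey, token, from, '12025550142', t0 + 5),
  };
}
console.log(demo());
```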
Frequently asked questions
Network engineers often have technical questions about implementing SHAKEN in their network. Here are a few questions we often hear:
- How would SHAKEN affect my network? It depends upon how you implement it. Different providers are taking different approaches. TransNexus SHAKEN solutions can perform authentication and verification services at any point in the call flow to minimize network impact.
- Would SHAKEN services disrupt call flow through the network? Setup options enable you to define actions to be taken in response to service outcomes. Unless you set up call blocking in certain scenarios, which is a policy option you can choose, your calls will continue to flow through your network. We will work with you to tailor the implementation to your network requirements.
- What about certificates? Our SHAKEN solutions provide complete certificate management capabilities.
- Can we start now, before the Policy Administrator is in place? Yes, absolutely. You can begin authenticating and signing outbound calls now, and verifying any calls you receive that were signed. You can make arrangements with other carriers that are beginning SHAKEN. Some have already announced plans to implement SHAKEN this year, and T-Mobile has already started.
- If we start now, will we have to redo things when the Policy Administrator comes online? No, not at all. We have set up a TransNexus Certificate Authority for our customers to use now, just like you will do when the Policy Administrator comes online. When that happens, you will establish trust relationships with new Certificate Authorities, but otherwise your SHAKEN setup will continue to work seamlessly.
- Why implement SHAKEN now? First mover advantage. Customers are desperate for robocall relief. Don’t lose your customers to the competition—win their customers instead!
A better SHAKEN solution
TransNexus was an early frontrunner in developing SHAKEN solutions in our ClearIP and NexOSS software products. We created code in these products and successfully tested it with the ATIS test bed, an industry-sponsored method to check basic functionality.
Our solutions perform the requisite authentication, verification and digital signature functions. And we have created a Certificate Authority structure for our customers to use until the STI Policy Administrator comes online later this year, to support realistic SHAKEN processing now.
TransNexus SHAKEN solutions also provide capabilities not found in other SHAKEN solutions, such as policy management and an integrated portfolio of services in one package. These additional capabilities give TransNexus solutions unique advantages over other SHAKEN solutions.
Imagine flexible, precise controls that let you enable/disable SHAKEN by service provider, trunk group, inbound-or-outbound call, subscriber, or telephone number.
Have you been wondering how you’re going to manage attestation levels for calls you authorize? Our SHAKEN solutions give you the controls you need to set attestation levels appropriate to the circumstances.
TransNexus SHAKEN solutions:
- Provide flexible, precise controls
- Include authentication, verification and certificate management
- Enable/disable SHAKEN by service provider, trunk group, inbound-or-outbound call, subscriber, telephone number
- For example, you could set up one customer to block calls with invalid signatures, another customer to divert such calls to CAPTCHA gateway or voicemail, and another customer to accept these calls.
- Establish attestation levels with flexibility and precision by the same call groups (service provider, trunk group, etc.)
No other SHAKEN solution comes with this level of policy management capabilities out-of-the-box.
Portfolio of services
Our SHAKEN solutions are delivered in software products that provide a wide array of other services, such as:
- Fraud prevention
- Unwanted robocall blocking
- Detection of invalid and high-risk calling numbers and flexible call handling
- Call diversion to CAPTCHA for IVR screening or to voice mail
- Intelligent least cost routing
- Location Routing Number (LRN) dip service (U.S. only)
- CNAM (caller ID name) identification
- Flexible blacklists, including call forward blacklisting, for calling/called numbers, countries and user agents
No other SHAKEN solution offers such extensive service capabilities from just one dip.
Let us show you
Our SHAKEN software products give you a complete end-to-end solution with policy management and an integrated portfolio of services.
Contact us today to learn how we can help you deploy SHAKEN in your network.
If you would like more information on how SHAKEN works, we have this series of whitepapers:
- STIR and SHAKEN overview. Basic introduction
- Understanding STIR/SHAKEN. Slightly more technical overview
- Certificate management for STIR/SHAKEN. In-depth coverage of how digital signatures and certificate management systems are used to sign calls in SHAKEN
- SHAKEN authentication service. Detailed overview of the SHAKEN authentication service performed by the originating service provider or authentication gateway service
- SHAKEN verification service. Detailed overview of the SHAKEN verification service performed by the terminating service provider