Illegal robocalls and call spoofing create significant headaches for consumers. In addition to the annoyance of frequent unwanted calls and the time spent resolving identity theft and account takeover issues, the losses from phone scams cost U.S. consumers an estimated $30 billion in 2021.
Enterprises suffer as well — not only from the considerable direct and indirect costs of fraud but also from consumers’ lack of trust in the phone channel. Close to 90% of business calls in the U.S. go unanswered, largely due to consumers’ inability to know and trust who is calling, which leads to a poor customer experience, missed connections and lost revenue for legitimate businesses.
Legislators and regulators have taken a variety of steps to try to combat the growing scourge of illegal robocalls and call spoofing. In the U.S. and Canada, STIR/SHAKEN call authentication is a key component of these efforts.
The STIR/SHAKEN call authentication model is even more effective when implemented with complementary tools, such as robocall mitigation analytics, and in phases, with room to grow and respond to the changing needs of the industry and shifting fraud patterns.
Although implementation is still ongoing and the process continues to evolve, the STIR/SHAKEN initiative is further along than most other nations’ programs (many of which are limited to attempts to reduce unwanted calls through do-not-call registries), and international regulators are watching closely to see what they can learn from the North American experience.
STIR (Secure Telephone Identity Revisited) is a suite of protocols defining how to cryptographically sign calls. This universal standard was created by the Internet Engineering Task Force (IETF) and can be implemented in any country to help authenticate calls using SIP-based services. STIR has been extensively tested by domestic and international carriers and equipment manufacturers in the ATIS Robocalling Testbed.
SHAKEN (Secure Handling of Asserted information using toKENs), in contrast, is a governance framework designed specifically for the North American context, to guide implementation. While the elements of this model may not be directly applicable to other nations, it does provide an example of a model that complies with domestic law, meets the needs of domestic operators, and allows for interoperability with the rest of the world.
Two key developments will strengthen the implementation of STIR/SHAKEN, filling any gaps. First, enterprises in the U.S. have been given the ability to digitally sign and authenticate their own calls. That enables them to ensure calls are treated favorably - and are not mislabeled as spam and blocked - so they can take back control of their own call experience. Terminating service providers (call recipients’ telcos) currently struggle to discriminate between legitimate and spoofed calls, but by extending the trust chain to enterprises, it ensures end-to-end call authentication and deterministic call treatment that will stop spoofed calls in their tracks.
Second, adoption of Out-of-Band (OOB) solutions. STIR/SHAKEN currently applies only to calls made over the internet protocol, or Session Initiation Protocol (SIP) portions of carriers’ networks, and many calls still transit legacy systems such as the Public Switched Telephone Network (PSTN) which do not support STIR/SHAKEN. Fortunately, solutions are in the works to make call authentication technology compatible with legacy networks which are very prevalent throughout the world.
STIR is spreading internationally
North America is currently the leading target of fraudulent robocalls (accounting for 44% of global fraud losses to robocalls in 2021, according to Juniper Research).
As STIR/SHAKEN adoption increases, the problem is rapidly spreading around the globe. The fraudsters will follow the money, attempting to maximize profits for their illegal operations. It follows that regulatory bodies throughout the world are assessing STIR-based solutions as a potential model for (and point of departure from) their own call authentication initiatives. International expansion and interoperability are critical to addressing fraud. Without international call authentication standards, carriers struggle with confirming the validity of international calls.
In the U.S., for example, inconsistency in how carriers treat international calls means that legitimate international calls may be mislabeled as spam or blocked by large carriers because the originating network cannot be authenticated. At the same time, phone scammers are shifting their focus to sending robocalls through small or mid-sized U.S. carriers, who may not have fully implemented call authentication.
No single solution for every country
While the interoperable STIR standard may eventually be widely adopted, countries’ governance frameworks and implementation processes will likely vary widely based on their unique infrastructure, laws, business environment, social norms, and regulatory traditions.
Countries will differ, for example, in terms of the degree to which standards organizations, regulators, and enterprise and industry players are involved in crafting the relevant legislation; the types of regulatory agencies or certification authorities that control access to the ecosystem of authenticated calls, and how they do so; whether implementation takes place in phases or involves a single deadline for complete adoption; and how carriers handle the tracing of illegal calls back to the sender. Normalization and globalization of these efforts will expedite the identification and neutralization of fraudsters.
While the U.S. and Canada have taken the lead in introducing call authentication standards, other countries have also taken steps, and they may be able to move more quickly as they draw on learnings from the STIR/SHAKEN implementation. As more and more regulators join the global effort, the industry’s ability to combat robocalls and call spoofing will continue to improve.
The broader implementation of effective, globally interoperable call authentication standards will reduce the exposure of consumers and businesses to illegal and fraudulent activity and help restore trust in the vitally important phone channel.
