December 9, 2020

How Call Authentication Chain of Trust Works

Caller ID spoofing often makes it possible for scammers to trick consumers into providing sensitive information that gets used to commit identity fraud. The FCC takes spoofing so seriously that it fined a telemarketer $225 million for placing a billion spoofed robocalls over five months.

A call authentication standard known as STIR/SHAKEN has the potential to prevent caller ID spoofing. Unfortunately, STIR/SHAKEN cannot work 100% of the time until every service provider agrees to follow a standard that includes a call authentication chain of trust. STIR/SHAKEN stands for “Secure Telephone Identity Revisited” and “Signature-based Handling of Asserted information using toKENs.”

The call authentication chain of trust could improve security for American consumers while making it easier for legitimate businesses to contact their customers. Many people don’t understand how call authentication works. Here are the basic concepts that could make it possible for consumers to trust information from all of your call center’s outbound calls.

Parts of the Call Authentication Chain of Trust

The STIR/SHAKEN standard gets referred to as a “triangle of trust” because it employs three active entities that generate signed tokens and validate SIP (Session Initiation Protocol) identity headers. Every part of the triangle of trust must work before STIR/SHAKEN can ensure a caller’s identity.

The three active entities involved in a call authentication chain of trust include:

  • Policy Administrators (PA) – The policy administrator establishes and maintains the integrity of certificate authorities used in the SHAKEN framework.
  • Governance Authority (GA) – The governance authority coordinates with the PA to create rules that control how certificates get generated.
  • Certificate Authority (CA) – The certificate authority issues secure telephone identity (STI) certificates to service providers that have been approved within the SHAKEN network.

Call Authentication Grades

Service providers also play a critical role in the call authentication chain of trust since they issue attestation ratings with “SHAKEN PASSporTs” that let associated parties verify authentication. The service provider needs to know the VoIP Entity of telephone numbers for the process to work. Attestation ratings fall into three grades:

  • A – Full attestation that ensures the phone number comes from the real caller instead of a scammer.
  • B – Partial attestation that means the caller has been identified but the service provider cannot completely authenticate the caller’s phone number.
  • C – Gateway attestation that means the carrier cannot authenticate the call’s origin or the caller ID.

A low rating doesn’t necessarily mean that a phone number has been spoofed. A C-rating can occur when a call center uses legacy systems or directs calls through an international gateway.
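To make the attestation grades concrete, the following added example (not code from the original article or from any carrier) decodes a SHAKEN PASSporT carried in a SIP Identity header and runs the claim checks a terminating provider applies before it trusts the grade. The header and claim names follow the PASSporT "shaken" extension; the function names, the phone numbers, the certificate URL and the 60-second freshness window are constructed assumptions, and signature verification against the STI certificate is deliberately left out.

```python
import base64, json

GRADES = {"A": "full", "B": "partial", "C": "gateway"}  # grades as listed above

def _enc(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(seg: str):
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def build_sample(attest, orig_tn, iat):
    """Constructed Identity header value; the signature segment is a dummy."""
    hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
           "x5u": "https://cert.example.invalid/sp.pem"}  # placeholder URL
    claims = {"attest": attest, "dest": {"tn": ["12025550143"]}, "iat": iat,
              "orig": {"tn": orig_tn},
              "origid": "00000000-0000-4000-8000-000000000000"}
    return (f"{_enc(hdr)}.{_enc(claims)}.{_enc('dummy-signature')}"
            f";info=<{hdr['x5u']}>;alg=ES256;ppt=shaken")

def parse_identity(value):
    """Split the header value into decoded JOSE header, claims and parameters."""
    token, *params = [p.strip() for p in value.split(";")]
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("PASSporT needs three dot-separated segments")
    return _dec(parts[0]), _dec(parts[1]), dict(p.split("=", 1) for p in params)

def evaluate(value, from_tn, now, max_age=60):
    """Return (grade, problems). Checks claims only, NOT the signature."""
    hdr, claims, params = parse_identity(value)
    problems = []
    if hdr.get("alg") != "ES256" or hdr.get("ppt") != "shaken":
        problems.append("not a SHAKEN PASSporT")
    if params.get("info", "").strip("<>") != hdr.get("x5u"):
        problems.append("info parameter does not match x5u")
    if claims.get("orig", {}).get("tn") != from_tn:
        problems.append("orig tn differs from signalled caller ID")
    if abs(now - claims.get("iat", 0)) > max_age:
        problems.append("iat outside freshness window")
    grade = GRADES.get(claims.get("attest"))
    if grade is None:
        problems.append("unknown attestation level")
    return grade, problems

if __name__ == "__main__":
    now = 1607500800  # constructed timestamp
    for level in "ABC":
        print(level, evaluate(build_sample(level, "12025550101", now), "12025550101", now))
```

A grade of "gateway" with an empty problem list is a well-formed C attestation, which matches the point above that a low rating alone does not indicate spoofing.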

Regulating and Improving the Chain of Trust

Currently, the Alliance for Telecommunications Industry Solutions (ATIS) makes the GA and selects the PA, two critical aspects of ensuring the success of STIR/SHAKEN. The North American Numbering Council (NANC) plays a central role in advising ATIS and service providers. It is also working to improve the process’s number administration for better security and caller ID authentication.

Summarizing Caller Authentication

Even from a basic perspective, the chain of trust can look confusing. If the above seems difficult to understand, just keep the following steps in mind:

  • Your call agent places an outbound call to a customer.
  • Your call center’s carrier sends your number to the customer for authentication.
  • The carrier generates and assigns an attestation rating to the authentication attempt.
  • Your customer’s service provider reads the attestation rating to complete the chain of trust.

If any part of this process fails, then the customer’s carrier cannot authenticate your number.

Not All Carrier Providers Participate in the STIR/SHAKEN Network

Telecommunication security specialists have developed an impressive way to authenticate a call’s origin through the chain of trust. Despite technological improvements, spam calls are a growing concern. The number of spam calls worldwide in 2019 increased by 18%, from 17.7 billion to 26 billion. Within the United States, robocalls grew by 35% during the same period, a problem that contributed to $10.5 billion lost to scams.

Considering how well the call authentication chain of trust can work, it seems that every carrier would want to participate.

In fact, most major carriers do participate, including Verizon Wireless, T-Mobile, and AT&T. Several factors, however, can affect whether the chain of trust produces a reliable result. Some problems that can prevent A-level attestation include:

  • How calls get routed from the call center to the end user.
  • Whether the call center uses an approved upstream provider that signs calls.
  • Where call centers purchased their DIDs.

Anything from using a foreign service provider to configuring a router improperly can result in failed authentication.

Further Hurdles for Call Authentication

These aren’t the only hurdles that make call authentication difficult for every call center to achieve. In 2018, T-Mobile discovered that criminals were trying to hijack smartphone SIM cards. Hijacking the cards would make it possible for scammers to impersonate phone numbers. It’s unlikely that a scammer would steal one of your call center numbers, but they could steal the numbers of people consumers trust. Imagine getting a call from your best friend. You would answer without thinking twice. Criminals wanted to take advantage of that vulnerability.

Inconsistent laws also make it difficult for regulators to ensure call authentication. While the United States and most European countries want to solve this issue to protect consumers, the governments of many countries seem unconcerned about the situation. A call originating from other countries, therefore, could potentially reach an American consumer without going through the entire chain of trust.

Authorities and criminals play an unending game of cat-and-mouse. With each step that authorities take toward ensuring caller authentication, criminals scramble to evade the regulation. With the potential to defraud people of billions of dollars, scammers will always search for ways to commit their crimes.

Monitor Your Numbers for Flags so You Can Reach Customers

Regulatory agencies and service providers may eventually find ways to authenticate all calls. The achievement would benefit consumers, businesses, and call centers. Until then, service providers and call-blocking apps have decided to take a different approach that helps protect consumers but poses a potential problem for businesses.

Service providers and call-blocking apps use a variety of techniques to detect potential number spoofing, robocalls, and spam. They might flag a number because a call center uses it too many times within an hour or day. Numbers can get flagged because consumers feel annoyed and report calls without any evidence of wrongdoing.

This puts you in a difficult situation. You can’t always rely on the chain of trust to authenticate your calls, and you don’t know whether your outbound numbers have been flagged.

Caller ID Reputation lets you take control of your outbound numbers. Caller ID Reputation monitors your numbers to check them for flags. If it looks likely that your number has been reported, the software will notify you so you can choose a different outbound number.

Make sure you have a large pool of numbers so you can rotate them frequently to avoid flags. Since your call center’s success depends on reaching customers, contact Caller ID Reputation to learn more about how you can protect your outbound numbers.