Easy As ABC? Attestation Story Still Unfolding
Businesses influence $1 trillion in consumer spend by making 8 billion consumer calls each month. But with over 1500 robocalls made every second, and more than $10 billion lost to call scams in 2018, consumers are getting wary of picking up phone calls from unknown callers.
However, our research shows that customers prefer using the phone for issue resolution more than 2.5 times over other channels. To continue to improve the customer experience and sustain revenue levels, restoring consumers' trust in the telephony network is of paramount importance to enterprises leveraging outbound calling strategies.
Fortunately, the TRACED Act and the FCC have outlined regulations mandating that carriers implement caller ID authentication using the STIR/SHAKEN framework to combat spoofed calls. All service providers must implement this framework by June 2021 at no extra costs to subscribers.
How does STIR/SHAKEN affect business’ outbound calling practices?
As more and more service providers implement the STIR/SHAKEN authentication framework, there’s a greater risk that authentic business calls from carriers that have not implemented STIR/SHAKEN will be blocked.
STIR/SHAKEN uses vital information about the originating caller into three levels of “attestation” for the call. It does this by digitally assigning an attestation rating to a call, indicating whether the originating carrier has authenticated the right of the caller to use the phone number. The receiving carrier uses a decryption key and the attestation rating to validate the caller’s number and help identify spoofed calls.
Essentially, these levels of “attestation” are flags set by originating service providers indicating how certain they are that the outgoing call is made by the owner of the number.
To be trusted by their customers, businesses must prepare to route their calls through carriers that can protect their brand reputation by providing the highest level of attestation to their outgoing calls. Depending the call treatment algorithm used by your service provider, you’ll be notified with a symbol, verification keyword, or some form of alert indicating that the incoming call has been validated. If the call cannot be verified, the carrier may block the call and/ or alert the call recipient to a potential scam call.
To help businesses understand why their outgoing calls may not be authenticated and potentially blocked, let’s explore the levels of attestation under the STIR/SHAKEN framework. The Originating Service Provider (OSP) uses three criteria to determine the level of attestation:
- Do I have a direct business relationship with this customer?
- Did I give the telephone number (either from my block or a TN have leased from another carrier) to this customer?
- Did the call originate from my network?
This represents “full attestation” and indicates that the OSP has the highest level of confidence in the caller. It means that the OSP has verified the caller’s right to use the number and origin of the call.
This is a partial attestation, indicating that the carrier knows the caller’s identity but hasn’t verified the right of the caller to the calling number. In this case, the originating carrier has no verifiable relationship with the phone number. Telephone numbers behind an enterprise PBX system will be given a B-attestation.
Also known as a gateway attestation, this is the lowest level of attestation. It’s given to calls that do not satisfy the requirements for A and B attestations. It’s usually assigned to calls received from an international gateway or legacy systems. As such, the service providers can ascertain where the call came from but can’t authenticate the caller ID or the caller’s right to use the originating phone number.
The attestation gap for enterprises.
Enterprises that have simple implementations, typically purchase services from single provider and use that numbers from that carrier will likely get an “A” attestation. However, those businesses with more complex architectures that use multiple carriers may have issues getting Full attestation. This “attestation gap” includes enterprises with common scenarios, including businesses that:
- Have legacy TDM telecom infrastructure that do not support STIR/SHAKEN
- Get SIP trunks from carriers and manage their own numbers
- Receive number blocks from multiple carriers, and use Least Cost Routing (LCR) for outbound traffic
- Use “legitimate spoofing” to provide alternate callback numbers
- Make outbound calls from toll-free (8XX) numbers
- Outsource to call center providers
These issues are actively being tackled by the companies like Neustar as part of Policy Administrator subcommittees. We expect enhancements to be put forward by the end of 2020.
As usual, knowledge is power.
In the meantime, no matter how complex your situation, you can and should take action. First, it’s important that businesses acquire a detailed understanding of the calling environment and practices to provide the strongest assertions for their carriers to assign their calls the highest level of attestation. Some enterprises are exploring signing calls themselves, in partnership with their TNSP(s) and OSPs.
While STIR/SHAKEN specification does improve the ability to screen malicious robocalling, it does have its limitations. In addition to currently being a carrier framework only, STIR/SHAKEN does not:
- Address international gateway calls.
- Properly authenticate calls made using legacy non-IP systems or equipment because the framework only works with IP-based telephone networks.
- Indicate whether an incoming call is illegal or unwanted…it only authenticates the caller ID has not been spoofed by authenticating the caller’s right to use the phone number.
As the STIR/SHAKEN implementation deadline draws near, we expect to see stakeholders and regulators take proactive steps to evolve the framework and continue to address these issues.
As an approved Certification Authority and co-author of the STIR certificate management standards, Neustar plays an integral role in the governance structure for the Calling Number Verification Service to mitigate illegal robocalling and call spoofing.
Download the infographic to learn How STIR/SHAKEN Works.