Four Steps to STIR/SHAKEN Certification – Don’t Get Left Behind!
An estimated $10 billion was lost to fraud from illegal robocalls last year, and robocalling remains a favorite tactic of bad actors. One common maneuver used by fraudsters is to spoof (change) the caller ID to enhance their credibility. The impact of all these nuisance and sometimes criminal calls is that many subscribers have lost trust in the phone as a key communication channel, with 76% refusing to answer a call if they’re not certain who’s on the other end of the line.
Faced with this epidemic, in 2019 Congress passed the TRACED Act, mandating that voice service providers offer call-blocking services and call authentication‒at no cost to consumers. And, in March 2020, the Federal Communications Commission (FCC) jumped on board, adopting rules requiring providers to deploy STIR/SHAKEN call authentication by June 30, 2021.
Participating in the STIR/SHAKEN ecosystem requires carriers to obtain the SHAKEN digital certificate and credentials that enable them to sign all originating calls with the appropriate authentication information so that legitimate calls get through.
It’s critical that service providers correctly implement STIR/SHAKEN, not only to meet regulatory requirements and reduce robocalls, but also to put control back in consumers’ hands so they have the information they need to determine if they want to answer the phone, and regain their trust in a vital communication channel.
But implementation of STIR/SHAKEN is a multi-step process that can take up to a year to complete – so carriers need to start now. Since most of the major voice carriers have already implemented STIR/SHAKEN, 70 percent of phone numbers in the U.S. are already in the ecosystem. For carriers that delay, their subscribers’ calls may be mistakenly labeled as spam, and possibly blocked as these calls will not include an attestation.
There’s a lot of information out there, and it’s difficult to know how and where to get started. Here are four key steps to get you on your way:
Step 1: Register with the Policy Administrator.
Policy Administrators evaluate and authorize certain trusted third parties to act as Certification Authorities and issue SHAKEN digital certificates to service providers. This both protects the authenticity and validity of the certificates and prevents people who shouldn’t be signing calls from getting a certificate.
As the Policy Administrator in the U.S., iconectiv is responsible for coordinating, registering, and verifying Certification Authorities through a closely controlled process outlined by the Secure Telephone Identity Governance Authority (STI-GA). ATIS manages the STI-GA, defining the rules governing the certificate management infrastructure to ensure effective use and security of SHAKEN certificates.
Step 2: Get a token from the Policy Administrator.
Carriers must request a service provider code or token from the Policy Administrator. If the PA validates the service provider and approves the request, it then provides the service provider with a token that contains the carrier’s identifier (SPID) or operating company number (OCN) and authorizes the service provider to request a certificate from a Certification Authority.
Step 3: Select a Certification Authority.
Secure Telephone Identity Certification Authorities (STI-CAs) are critical to call authentication. CAs will be responsible for assigning digital certificates to authorized service providers that will be used to ensure calls get proper caller ID.
The Policy Administrator maintains an up-to-date list of all authorized certificate issuers, which is available to all service providers. Every Certification Authority must be authorized by the PA to issue SHAKEN certificates, and they are the only means through which service providers can obtain STIR/SHAKEN certificates and comply with the TRACED Act.
During the process of call authentication, the terminating service provider checks that the originating service provider’s certificate was created by a PA-approved Certification Authority.
Step 4: Request a Certificate.
To get a certificate, service providers need to create a certificate signing request (CSR) and send it with their token to the Certification Authority. If the application is approved, the CA issues a certificate to the service provider.
Certification Authorities' responsibilities include:
- Validating Service Provider Code (SPC) token issued by the STI-PA
- Accepting Certificate Signing Requests (CSRs) for SHAKEN certificates
- Issuing standards-compliant SHAKEN signing certificates, including the Telephone Number Authorization List (TNAuthList) extension
- Publishing certificates to a hosted STI-Certificate Repository (STI-CR) for relying parties
- Revoking certificates if needed and notifying the STI-PA
- Accepting Certificate Signing Requests to renew certificates before they expire
- Sharing the Neustar root STI-CA public certificate to support SHAKEN call verification and chain validation
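The check that ties Steps 2 to 4 together, as an added example (not Neustar's or any STI-CA's code): it decodes the TNAuthList carried in a CSR and compares it with the one inside the SPC token. The token layout (a JWT whose `atc` claim holds `tktype`, `tkvalue` and `ca`) follows RFC 9448 and is an assumption here, as are the function names and the one-SPC-per-certificate rule; verifying the token signature against the STI-PA key is required in practice and is not shown.

```python
import base64, json

def _tlv(buf, pos):
    """Read one DER TLV at pos and return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form lengths never occur in a one-SPC list
        raise ValueError("unexpected long-form DER length")
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def spcs_from_tnauthlist(der):
    """Return the SPCs in a DER TNAuthorizationList; reject TN entries."""
    tag, body, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    spcs, pos = [], 0
    while pos < len(body):
        tag, entry, pos = _tlv(body, pos)
        if tag != 0xA0:  # [0] = spc; [1] and [2] carry telephone numbers
            raise ValueError("only SPC entries are accepted here")
        inner_tag, value, inner_end = _tlv(entry, 0)
        if inner_tag != 0x16 or inner_end != len(entry):  # IA5String
            raise ValueError("SPC must be a single IA5String")
        spcs.append(value.decode("ascii"))
    return spcs

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def token_matches_csr(spc_token, csr_tnauthlist_der):
    """True if the (already signature-verified) token's TNAuthList equals the CSR's."""
    parts = spc_token.split(".")
    if len(parts) != 3:
        return False
    atc = json.loads(_b64url_decode(parts[1])).get("atc", {})
    if atc.get("tktype") != "TNAuthList" or atc.get("ca", False):
        return False  # wrong token type, or a token meant for a CA certificate
    token_der = _b64url_decode(atc.get("tkvalue", ""))
    return token_der == csr_tnauthlist_der and len(spcs_from_tnauthlist(token_der)) == 1

def make_sample_token(tnauthlist_der):  # constructed and unsigned, for the demo only
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    atc = {"tktype": "TNAuthList", "tkvalue": enc(tnauthlist_der), "ca": False}
    return ".".join([enc(b'{"alg":"ES256"}'), enc(json.dumps({"atc": atc}).encode()), "sig"])

SAMPLE_TNAUTHLIST = bytes.fromhex("3008a006160431323334")  # constructed: SPC "1234"
```

A CSR whose TNAuthList names a different SPC than the token, or that carries telephone-number entries instead of an SPC, fails this comparison before any certificate is issued.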
Count on a neutral expert for help.
As an approved Certification Authority and co-author of the STIR certificate management standards, Neustar plays an integral role in the governance structure for STIR/SHAKEN. We are at the forefront of the industry's quest to mitigate illegal robocalling and call spoofing.