STIR/SHAKEN: Attestation Is Not Authentication
On July 1, 2021, when STIR/SHAKEN begins to make it harder for illegal spoofed calls to trick consumers, it could provide enterprise contact centers with an additional data element to establish trust in callers. That element is the phone number’s attestation level. While attestation could provide enterprise contact centers with valuable information to help establish the identity and authenticity of inbound callers, it is not a substitute for an inbound caller authentication solution.
Attestation drives STIR/SHAKEN
Attestation provides the mechanism for carriers to communicate about a calling phone number’s legitimacy. There are three levels of attestation: A, B, and C. The levels summarize three characteristics of the calling phone number: whether the caller is a customer of the carrier originating the call (the “originating carrier”), whether the originating carrier assigned the caller’s phone number, and whether the call originated on the originating carrier’s network.
- A. Full attestation. An A-level attestation conveys a strong level of trust. With this level, an originating carrier is saying, “The caller is my customer. I gave them this telephone number. This call originated on my network.”
- B. Partial attestation. By assigning a B-level attestation, an originating carrier is communicating, “The caller is my customer and this call originated on my network. However, I do not know who assigned the number to the calling device.”
- C. Gateway attestation. In this case, the originating carrier is the entry point of the call into its VoIP network and has no relationship with the initiator of the call. This will often be the case with international gateways. A C-level attestation communicates, “This call originated outside my network.” The call’s phone number might be spoofed—a potential risk signal.
Knowing how a call originated in the network is a useful signal of trust. However, the value of this signal depends on many factors, including the competency of the originating carrier, the type of device making the call, and recent usage patterns. The attestation is one part of asserting the calling phone number’s legitimacy, but it’s not enough to assert the authenticity of the caller. Any organization that attempted to rely only on an attestation level for inbound caller authentication would invite risk of fraud loss, account takeover attacks, and associated financial and reputational damage.
Authenticate inbound callers with their phones
Forward-thinking enterprises are inspecting callers’ devices to authenticate their identities. The contact center can determine that it is engaged in an authentic call with the customer’s unique, physical, legitimate phone when the calling phone is confirmed as authentic and the ANI matches the reference phone number on file. (This is the same process with which credit cards enable cashless transactions.) If the caller’s device is not unique and physical, then other signals (e.g., the calling history, call routing, and line type) can be used for a probabilistic risk assessment.
Device-based authentication completes before the call is answered, making it faster and more secure than knowledge-based authentication (KBA), the current de facto method of authenticating callers. Trusted callers get a smoother authentication experience and can be offered self-serve options that are too risky with KBA—account transfers, contact information updates, and PIN resets. Shielded from social engineering attacks, agents can focus on speedy resolution of more complicated matters. Only the smaller remaining pool of unauthenticated callers experiences friction or diversion to the fraud department. Combined, this optimizes expensive fraud-prevention personnel and resources, sends a reassuring message to trusted callers, and focuses agents on helping callers.
How Neustar can help
Neustar Inbound Authentication establishes an optimal level of trust for each caller by combining a deterministic inspection of the caller’s device with a probabilistic risk assessment of the call’s signaling data. Callers that pose a risk of third-party fraud are never deterministically authenticated in error. They cannot manipulate or bypass the process.
Initial support for STIR/SHAKEN was integrated into Neustar Inbound Authentication in 2019. When an inbound call’s SIP header data includes an attestation level, Neustar Inbound Authentication will include that data element in a probabilistic risk assessment. However, SIP header data analysis is one part of the process Neustar Inbound Authentication follows to determine a call’s legitimacy. It can be valuable to monitor for other risk signals, even in calls with an A-level attestation.
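As an added example (not code from this article or from Neustar's product), the following shows how a contact-center verification step might read the attestation level from SIP header data and then treat it only as one input to a risk score, never as authentication on its own, which is the point made in the attestation and device-authentication sections above. It relies on the standard SHAKEN PASSporT format, in which the level travels as the "attest" claim of a JWT carried in the SIP Identity header (RFC 8588); the header builder, the x5u URL, the origid, the score weights and the thresholds are constructed for this example.

```python
import base64
import json
from dataclasses import dataclass
from typing import Optional, Tuple

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_identity_header(attest: str, orig_tn: str, dest_tn: str) -> str:
    """Constructed SIP Identity header carrying an unsigned SHAKEN PASSporT.
    x5u, origid, iat and the signature bytes are placeholders for this example."""
    hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
           "x5u": "https://cert.example.invalid/sp.pem"}
    claims = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": 1625097600,
              "orig": {"tn": orig_tn}, "origid": "constructed-origid"}
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (hdr, claims)]
    token = ".".join(parts + [_b64url(b"\x00" * 64)])  # placeholder signature
    return f"{token};info=<{hdr['x5u']}>;alg=ES256;ppt=shaken"

def attestation_from_identity(identity: str) -> Optional[str]:
    """Read the 'attest' claim (A/B/C) from an Identity header. No signature check:
    a verification service must validate the PASSporT against the x5u certificate first."""
    segments = identity.split(";", 1)[0].split(".")
    if len(segments) != 3:
        return None
    padded = segments[1] + "=" * (-len(segments[1]) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64 or bad JSON: treat as no usable attestation
        return None
    level = claims.get("attest") if isinstance(claims, dict) else None
    return level if level in ("A", "B", "C") else None

@dataclass
class CallSignals:
    attestation: Optional[str]  # A, B, C, or None when no usable Identity header
    ani: str                    # calling number as presented to the contact center
    device_authentic: bool      # outcome of the deterministic device inspection
    line_type: str              # e.g. "mobile", "landline", "voip"

def assess_call(sig: CallSignals, reference_tn: str) -> Tuple[str, int]:
    """Deterministic authentication needs device proof AND an ANI match; the
    attestation level only feeds the probabilistic score. Weights are assumed."""
    if sig.device_authentic and sig.ani == reference_tn:
        return "authenticated", 0
    score = {"A": 20, "B": 40, "C": 70}.get(sig.attestation, 60)
    score += 20 if sig.ani != reference_tn else 0
    score += 10 if sig.line_type == "voip" else 0
    return ("review" if score < 60 else "fraud_queue"), min(score, 100)
```

Note that an A-level call whose device cannot be confirmed still lands in the probabilistic path, which is exactly why the attestation alone never yields the "authenticated" outcome here.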