STIR/SHAKEN Best Practice: Define Your A-level Attestation Approach
With the STIR/SHAKEN standard just six months away from activation, some enterprise contact centers are beginning to wonder how to access* and make use of the attestation levels that will be transmitted with some inbound phone calls in July 2021. A-, B-, and C-level attestations can be useful signals for determining a calling number’s trustworthiness.
It may be tempting to assign trust automatically to inbound callers whose calls arrive with an A-level attestation. With this level, an originating telephone carrier is saying, “The caller is my customer. I gave them this telephone number. This call originated on my network.” It conveys a strong level of trust.
However, “A-level” calls can still pose a risk, even if they come from a trusted carrier and attest that the call is not spoofed or manipulated. Inbound contact centers that extend trust to callers solely based on calls’ A-level attestation invite undue risk of millions of dollars of fraud loss.
A-level is not A-grade
For inbound contact centers to benefit from STIR/SHAKEN, those organizations must determine for themselves how best to treat A-level calls. They could begin by focusing on trusted carriers, reducing trust weighting for other carriers, deciding how to treat high-risk A-level calls, and treating virtual calls with caution.
- A-level attestations from the big four mobile carriers will be the most consistent and useful signals of call legitimacy. Mobile carriers are especially trustworthy. They have a good command of the numbers that they provision, as well as certainty in the identities of their customers. A-level calls from these carriers may serve as the basis for an initiative to add attestation levels to an internal risk-analysis framework.
- However, attestations from smaller phone companies may merit caution. These carriers may take longer to implement the infrastructure necessary to support STIR/SHAKEN and to establish procedures to determine attestation levels accurately. Some carriers may feel pressured to assign A-level attestations more freely, fearful of frustrating customers by assigning B- or C-level attestations that may be filtered by destination carriers more frequently. If all calls receive an A-level attestation, then the attestation framework will lose its intended value.
- Before STIR/SHAKEN activates, enterprises must plan how to recognize and escalate risk analysis of A-level calls. Some calls from trusted carriers with A-level attestations can still harbor risk. These calls may be placed by burner or prepaid phones, which are known to be riskier than subscription phones. Also, calling numbers that were recently reassigned may indicate risk. Unauthorized number reassignment is an effective account takeover (ATO) vector. Finally, questionable activity levels—such as recent or recurring changes to the caller name or unusually high call volume—could indicate risk.
- Virtual service calls with an A-level attestation offer bad actors a side channel into the phone network. VoIP call providers may lobby for their calls to receive A-level attestation, despite the fact the originating carriers may not know the users assigned to the VoIP numbers. The 2020 State of Call Center Authentication survey found that virtual calls were recognized as the fastest-growing ATO threat—70 percent of survey respondents saw “somewhat” or “much more” threat activity toward the call center as coming from virtualized call services than from call spoofing.
Knowing which calls receive A-level attestation from originating carriers is a useful signal of trust. However, the value of this signal depends on many factors, including the carrier’s discipline with assigning attestation levels, the type of device making the call, and recent usage patterns. While attestation helps assert the calling phone number’s legitimacy, it is not enough to assert the caller’s authenticity. Any organization that attempted to infer an inbound caller’s authenticity solely from the call’s attestation level would invite risk of millions of dollars of fraud loss, more frequent ATO attacks, and associated financial and reputational damage. Enterprise contact centers need to find additional ways to authenticate callers safely and efficiently.
Authenticate inbound callers with their phones
Whereas an A-level attestation can help to indicate a calling number’s trustworthiness, an inspection of the caller’s device can fully authenticate her identity. When the calling phone is indeed confirmed as authentic and the ANI matches the reference phone number on file, only then can a contact center determine that it is engaged in an authentic call with the customer’s unique, physical, legitimate phone—similar in concept to the way that credit cards work. If the caller’s device is not unique and physical, then other signals can be used for a probabilistic risk assessment, such as the calling history, call routing, and line type. This hybrid approach to inbound caller authentication establishes for callers what attestation levels were designed to establish for phone numbers.
Device-based authentication represents the gold standard for security and customer convenience. Consumers’ calling devices are uniquely attached to their owners and are likely to be replaced quickly if lost or stolen. They are trustworthy proxies for establishing confidence in callers’ identities. Device-based authentication is imperceptible to customers and minimizes false positives for fraud.
This device-based authentication approach helps to mitigate the uncertainty of how to treat A-level calls and expands the core value of stratifying calls by attestation level. Completing authentication before callers hear "hello" is much faster and more secure than post-answer authentication strategies, like knowledge-based authentication (KBA), the current de facto method of authenticating callers. Deterministically authenticated callers receive an authentication token and may be routed into a Trusted Caller Flow™ for faster service and offered self-serve options that are typically too risky with KBA: account transfers, contact information updates, and PIN resets. Shielded from social engineering attacks, agents can focus on speedy resolution of more complicated matters.
Call centers can refocus valuable fraud-fighting resources by stratifying non-authenticated callers into “trust levels” using probabilistic risk assessment. Moderately trusted callers receive faster-than-normal authentication. Unknown but credentialed phone numbers can be added to the caller’s account to streamline authentication of future calls from that device. Less-trusted callers experience standard KBA questions and IVR permissions. Only risky callers encounter stepped-up authentication or the full focus of fraud-fighting resources. This reduces the fraud department’s search for “a needle in a haystack” into a more efficient search in a much smaller population. Combined, this optimizes expensive fraud-prevention personnel and resources, sends a reassuring message to trusted callers, and focuses agents on helping callers.
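As an added example that is not part of the original article, the following Python sketches the stratification described above: the attestation level is discounted by the originating carrier's tier and by the risk signals listed earlier (line type, recent number reassignment, caller-name churn, call volume), while only a deterministic device match with the ANI on file reaches the trusted tier. The carrier-tier labels, weights and thresholds are constructed assumptions, not values from the article or from any Neustar product.

```python
from dataclasses import dataclass
from typing import Optional

# Weights and thresholds below are constructed for this example; the article only
# ranks the big four mobile carriers above smaller carriers and VoIP providers.
CARRIER_WEIGHT = {"major_mobile": 1.0, "other": 0.5, "voip": 0.2}
ATTEST_BASE = {"A": 1.0, "B": 0.5, "C": 0.2}          # None / not delivered -> 0.0
FLAG_PENALTY = {"non_subscription_line": 0.3, "recent_reassignment": 0.5,
                "caller_name_churn": 0.3, "high_volume": 0.3}

@dataclass
class InboundCall:
    attestation: Optional[str]          # "A", "B", "C" or None if not delivered
    carrier_tier: str                   # key of CARRIER_WEIGHT (assumed labels)
    line_type: str                      # "mobile", "landline", "prepaid" or "voip"
    days_since_reassignment: Optional[int]  # None if the number was never reassigned
    cnam_changes_30d: int               # caller-name changes in the last 30 days
    calls_24h: int                      # calls seen from this number in 24 hours
    device_authenticated: bool = False  # deterministic device inspection passed
    ani_matches_profile: bool = False   # delivered ANI equals the number on file

def attestation_score(call: InboundCall) -> float:
    # Discount the attestation by how far the originating carrier's assignment discipline is trusted.
    return ATTEST_BASE.get(call.attestation, 0.0) * CARRIER_WEIGHT.get(call.carrier_tier, 0.5)

def risk_flags(call: InboundCall) -> list:
    # Risk signals that fall outside STIR/SHAKEN's scope (line type, reassignment, CNAM churn, volume).
    flags = []
    if call.line_type in ("prepaid", "voip"):
        flags.append("non_subscription_line")
    if call.days_since_reassignment is not None and call.days_since_reassignment < 30:
        flags.append("recent_reassignment")
    if call.cnam_changes_30d > 0:
        flags.append("caller_name_churn")
    if call.calls_24h > 20:
        flags.append("high_volume")
    return flags

def trust_level(call: InboundCall) -> str:
    # Only deterministic device authentication reaches "trusted"; attestation alone never does.
    if call.device_authenticated and call.ani_matches_profile:
        return "trusted"                 # Trusted Caller Flow, self-serve options
    flags = risk_flags(call)
    score = attestation_score(call) - sum(FLAG_PENALTY[f] for f in flags)
    if score >= 0.8:
        return "moderate"                # faster-than-normal authentication
    if flags and score < 0.3:
        return "risky"                   # stepped-up authentication / fraud review
    return "standard"                    # normal KBA and IVR; lesser attestation alone is not "risky"
```

Note that a B- or C-level call with no risk flags lands in "standard", not "risky", and an A-level call from a major mobile carrier with no flags lands in "moderate", never "trusted".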
How Neustar can help
Neustar Inbound Authentication establishes an optimal level of trust for each caller by combining a deterministic inspection of the caller’s device with a probabilistic risk assessment of the call’s signaling data. The process takes full advantage of the unique power of physical calling devices as ownership-based authentication tokens to improve fraud detection rates, customer experience, and operational efficiency.
Initial support for STIR/SHAKEN was integrated into Neustar Inbound Authentication in 2019. When inbound contact centers begin receiving calls' attestation levels, Neustar Inbound Authentication will incorporate that data element in a probabilistic risk assessment. This approach can also support treatment of calls with B- and C-level attestations or no attestation. These calls should not be classified as risky or fraudulent simply because of their lesser attestation levels—just as A-level calls should not be trusted without additional verification.
STIR/SHAKEN affords enterprise contact centers an opportunity* to access more data for risk analysis of inbound calls. However, call centers should not make the fatal error of assuming attestation is the same as authentication. They first need to ask themselves: do originating carriers have the infrastructure and processes in place to determine calls’ attestation levels accurately? Do the calls harbor risk signals that fall outside the scope of STIR/SHAKEN? A defined approach to A-level calls will help enterprise contact centers to accommodate the ambiguity when STIR/SHAKEN activates. Neustar Inbound Authentication mitigates that ambiguity altogether.
* Attestation levels will not be delivered by default to enterprises when STIR/SHAKEN is activated. Enterprises will have to arrange for that separately.