STIR/SHAKEN Best Practice: How to Evaluate STIR/SHAKEN Attestations
STIR/SHAKEN attestations help establish a calling number’s trustworthiness. A-level attestations convey a greater level of trust than lower-level attestations. The approach makes it harder for fraudsters to take over consumer accounts via call spoofing.
However, inbound call centers face multiple fraud vectors that revolve around the identity of the caller. That threat must be addressed by other analytics tools, without adding friction to the authentication experience. In those cases, attestations serve as an important input to existing call analytics tools, and they also provide incremental benefits.
An attestation about a phone number’s legitimacy does not equate to a risk assessment of the person involved in the call. Inbound contact centers require more signals and analysis to determine caller treatment and reduce risk of fraud loss, customer frustration, and operational waste.
How attestations complement inbound caller authentication
As STIR/SHAKEN improves detection of spoofed calls, fraudsters will likely adopt other phone-fraud tactics that do not rely on call spoofing. Of the phone-fraud vectors available—including burner or prepaid phones, unauthorized number reassignment, or other questionable activity—fraudsters will likely adopt virtual call services most frequently.
Virtual calls—enabled through web-based calling services (e.g., Skype and Vonage), Google Project Fi (routed through T-Mobile or UScellular), or a business PBX—are anonymous and inherently impervious to spoof-detection technology. Leading virtual call service providers require some identifying information to create an account—a potential risk factor for criminals. However, hundreds of lesser-known virtual call services preserve anonymity during account creation. Criminals can call from anywhere in the world, from any internet-connected device, with little risk of being caught. Because calls from virtual apps are not spoofed, they receive a high-level attestation.
According to Neustar internal data, virtual calls represent approximately two percent of all call volume today. Half of inbound call center leaders observed an increase of fraudsters using virtual call services to launch anonymous attacks in 2021.
Conversely, most calls with lower-level attestations likely harbor legitimate callers expecting efficient service. Subjecting callers to slow and cautious treatment solely due to a lower attestation level adds undue friction to the customer experience and degrades operational efficiency. Callers with lower-level attestations require additional signal and analysis for optimal caller treatment, just like callers with A-level attestations.
The inability to determine each caller’s trustworthiness pre-answer jeopardizes multiple inbound call center performance metrics. Risk of fraud losses persists because some fraudsters succeed at impersonating legitimate customers. This risk limits options in the IVR to those that are of low value, leaving agents to service an excessive portion of call volume. While agent-led authentication may be shortened somewhat for callers who appear trustworthy, most callers must still endure 30 to 90 seconds of identity interrogation before they can get to the reason for their calls.
Authenticate inbound callers with their phones
Whereas an attestation can help to indicate a calling number’s trustworthiness, an inspection of the caller’s device can fully authenticate her identity. When the calling phone is indeed confirmed as authentic and the ANI matches the reference phone number on file, only then can a contact center determine that it is engaged in an authentic call with the customer’s unique, physical, legitimate phone—similar in concept to the way that credit cards work. If the caller’s device is not unique and physical, then other signals can be used for a risk assessment, such as attestation level, calling history, call routing, and line type. This hybrid approach to inbound caller authentication establishes for caller identity what attestation levels establish for phone numbers.
Device-based authentication represents the gold standard for security and customer convenience. Consumers’ calling devices are uniquely attached to their owners and are likely to be replaced quickly if lost or stolen. They are trustworthy proxies for establishing confidence in callers’ identities. Device-based authentication does not require caller engagement, minimizing time spent authenticating and mistakes that lead to false positives for fraud.
This device-based authentication approach expands the core value of stratifying calls by attestation level. Caller treatment cascades from each caller’s trustworthiness. Deterministically authenticated callers receive an authentication token and may be routed into a Trusted Caller Flow™ for faster service and offered self-serve options that are typically too risky with knowledge-based authentication (KBA): account transfers, contact information updates, and PIN resets. Shielded from social engineering attacks, agents focus on speedy resolution of more complicated matters. Completing authentication before callers hear "hello" is much faster and more secure than post-answer authentication strategies, like KBA, the current de facto method of authenticating callers.
Call centers can refocus valuable fraud-fighting resources by stratifying non-authenticated callers into “trust levels” using a risk assessment. Moderately trusted callers receive faster-than-normal authentication. Unknown but credentialed phone numbers can be added to the caller’s account to streamline authentication of future calls from that device. Less-trusted callers experience standard KBA questions and IVR permissions. Only risky callers encounter stepped-up authentication or the full focus of fraud-fighting resources. This reduces the fraud department’s search for “a needle in a haystack” into a more efficient search in a much smaller population. Combined, this optimizes expensive fraud-prevention personnel and resources, sends a reassuring message to trusted callers, and focuses agents on helping callers.
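The cascade described above, as an added example that is not Neustar's code: it reads the attestation level from a SHAKEN PASSporT (the token carried in the SIP Identity header) and uses it as one signal among several when choosing caller treatment. The function names, tier labels, line-type values, and risk weights are assumptions made for illustration, and the sketch assumes the carrier's verification service has already validated the PASSporT signature.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sample_identity(attest: str, tn: str) -> str:
    """Constructed SIP Identity header value; the signature is a placeholder."""
    cert = "https://cert.example.invalid/sp.pem"
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": cert}
    payload = {"attest": attest, "dest": {"tn": ["12025550100"]}, "iat": 1700000000,
               "orig": {"tn": tn}, "origid": "00000000-0000-4000-8000-000000000000"}
    token = ".".join(_b64url(json.dumps(p).encode()) for p in (header, payload))
    return f"{token}.c2ln;info=<{cert}>;alg=ES256;ppt=shaken"

def read_attestation(identity: str):
    """Return (attest, orig_tn) from a PASSporT, or (None, None) if unusable."""
    parts = identity.split(";", 1)[0].strip().split(".")
    if len(parts) != 3:
        return None, None
    try:
        hdr, body = (json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
                     for p in parts[:2])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None, None
    if not (isinstance(hdr, dict) and isinstance(body, dict)) or hdr.get("ppt") != "shaken":
        return None, None
    attest = body.get("attest") if body.get("attest") in ("A", "B", "C") else None
    orig = body.get("orig")
    return attest, (orig.get("tn") if isinstance(orig, dict) else None)

def caller_treatment(identity, ani, number_on_file, device_authenticated, line_type):
    """Pick a treatment tier; attestation is an input, never the whole decision."""
    attest, orig_tn = read_attestation(identity) if identity else (None, None)
    # Deterministic path: authentic physical device and ANI equal to the number on file.
    if device_authenticated and ani == number_on_file:
        return "trusted_caller_flow"
    risk = 0  # illustrative weights (assumption), not a vendor scoring model
    risk += 0 if attest == "A" else 1                       # lower or missing attestation
    risk += 2 if orig_tn is not None and orig_tn != ani else 0  # signed number differs from ANI
    risk += 2 if line_type == "virtual" else 0              # anonymous virtual call service
    risk += 1 if ani != number_on_file else 0               # number not tied to the account
    if risk == 0:
        return "expedited_authentication"
    return "standard_kba" if risk <= 2 else "stepped_up_authentication"
```

An A-level call from a virtual line still lands in standard KBA here, while a C-level call from an authenticated device on the number of record goes to the trusted flow, which is the distinction the text draws between number attestation and caller authentication.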
How Neustar can help
Neustar Inbound Authentication establishes an optimal level of trust for each caller by combining an inspection of the caller’s device with a risk assessment of the call’s signaling data. The process takes full advantage of the unique power of physical calling devices as ownership-based authentication tokens to improve fraud detection rates, customer experience, and operational efficiency.
When inbound contact centers receive attestation levels, Neustar Inbound Authentication can incorporate that data element into risk assessments. This approach optimizes treatment of calls with all levels of attestation.
STIR/SHAKEN was conceived of, designed for, and implemented to benefit consumers. The framework will help increase consumer trust in the phone calls they receive. When legitimate consumers call into inbound call centers, they expect treatment founded on their trustworthiness. That expectation begins with the authentication experience, which sets the tone for the rest of the interaction. Inbound call centers that filter out spoofed calls with STIR/SHAKEN, and identify and authenticate callers before they reach the IVR or an agent, restore trust in the inbound contact center experience.