STIR/SHAKEN: The Role of Attestation in Authentication
STIR/SHAKEN makes it harder for illegal spoofed calls to trick consumers. It also provides inbound contact centers with an additional data element to establish trust in callers: the phone number’s attestation level. Attestations provide an additional signal for identifying good callers and determining treatment logic, but they do not substitute for an inbound caller authentication solution.
Attestations drive STIR/SHAKEN
Attestations provide the mechanism for carriers to communicate about a calling phone number’s legitimacy. There are three levels of attestation: A, B, and C. The levels summarize three characteristics of the calling phone number: whether the caller is a customer of the carrier originating the call (the “originating carrier”), whether the originating carrier assigned the caller’s phone number, and whether the call originated on the originating carrier’s network.
A. Full attestation. An A-level attestation conveys the strongest level of trust. With this level, the originating carrier declares, “The caller is my customer. I assigned this telephone number to the customer. This call originated on my network.” A spoofed calling number should not receive an A-level attestation, because the originating carrier has verified that its customer is authorized to use the number.
B. Partial attestation. By assigning a B-level attestation, the originating carrier communicates, “The caller is my customer, and this call originated on my network. However, I have not verified that the customer is authorized to use the calling number.” A B-level attestation therefore identifies the customer but does not rule out that the customer presented a number it does not own.
C. Gateway attestation. In this case, the originating carrier is the entry point of the call into its VoIP network and has no relationship with the initiator of the call. This will often be the case with international gateways. A C-level attestation conveys, “This call originated outside my network.” The call’s phone number might be spoofed—a potential risk signal.
Knowing how a call entered the network is a useful signal of trust. However, a low-level attestation does not automatically indicate a threat; it means only that the call merits additional analysis. Likewise, a high-level attestation asserts that the calling phone number is legitimate, not that the person calling is who they claim to be. Organizations that mistake an attestation level for inbound caller authentication increase their risk of fraud loss, account takeover attacks, and the associated financial and reputational damage.
Authenticate inbound callers with their phones
Forward-thinking enterprises inspect the inbound calling device to authenticate the caller’s identity. When the calling phone is confirmed as a unique, physical, legitimate device and its ANI matches the reference phone number on file, the contact center can conclude that it is on an authentic call with the customer’s own phone. (This is analogous to how a physical payment card is validated at the point of sale in a cashless transaction.) If the calling device cannot be confirmed as unique and physical, other signals (e.g., the attestation level, calling history, call routing, and line type) can support a risk assessment instead.
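The following Python is an added example, not code from the original page and not Neustar’s own logic. It shows how the attestation level described in the previous section actually reaches a contact center (as the `attest` claim of a SHAKEN PASSporT inside the SIP Identity header), runs the consistency checks a verifier performs before trusting that claim (the `ppt`/`alg` parameters, the `info` URL matching `x5u`, `orig.tn` matching the presented ANI, and `iat` freshness, the last two going slightly beyond the text), and then combines the attestation signal with a device-authentication result the way the paragraph above describes. The sample header, the certificate URL, the phone numbers, the `origid`, and the `device_authentic` flag are all constructed or hypothetical; the signature segment is a placeholder, and ES256 signature verification against the certificate at `x5u` is deliberately not performed here.

```python
import base64
import json
import time

FRESHNESS_SECONDS = 60  # RFC 8224 recommends rejecting PASSporTs more than about a minute old

# Constructed, hypothetical STI certificate URL; a real x5u points at the signer's certificate.
CERT_URL = "https://sti.example.invalid/shaken.pem"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical_json(obj) -> bytes:
    # PASSporT (RFC 8225) serializes JSON with sorted keys and no whitespace.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_sample_identity_header(attest: str, orig_tn: str, dest_tn: str, iat: int) -> str:
    """Assemble a SIP Identity header value in the RFC 8224 / ATIS-1000074 layout.

    This is constructed test data: the third segment is a placeholder, not an ES256
    signature, so it only exercises parsing and claim checks.
    """
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": CERT_URL}
    claims = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
              "orig": {"tn": orig_tn}, "origid": "4f1e2c3a-0000-4000-8000-000000000001"}
    token = ".".join([_b64url(_canonical_json(header)),
                      _b64url(_canonical_json(claims)),
                      _b64url(b"placeholder-signature")])
    return f"{token};info=<{CERT_URL}>;alg=ES256;ppt=shaken"


def parse_identity_header(value: str) -> dict:
    """Split an Identity header into decoded PASSporT header, claims and SIP parameters.

    Nothing here verifies the signature; the returned claims are untrusted input.
    """
    token, *params = [p.strip() for p in value.split(";")]
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("PASSporT must have exactly three base64url segments")
    return {
        "header": json.loads(_b64url_decode(segments[0])),
        "claims": json.loads(_b64url_decode(segments[1])),
        "signature": segments[2],
        "params": dict(p.split("=", 1) for p in params if "=" in p),
    }


def check_passport(parsed: dict, ani: str, now: int):
    """Return (attestation level or None, list of findings).

    A level is only a trust signal about the calling number. Any finding means the
    attestation should not be relied on even if the signature later verifies.
    """
    header, claims, params = parsed["header"], parsed["claims"], parsed["params"]
    findings = []
    if header.get("ppt") != "shaken" or params.get("ppt") != "shaken" or header.get("typ") != "passport":
        findings.append("not a SHAKEN PASSporT")
    if header.get("alg") != "ES256" or params.get("alg") != "ES256":
        findings.append("unexpected signing algorithm")
    if params.get("info", "").strip("<>") != header.get("x5u"):
        findings.append("info parameter does not match x5u")
    attest = claims.get("attest")
    if attest not in ("A", "B", "C"):
        findings.append(f"invalid attest value {attest!r}")
        attest = None
    if claims.get("orig", {}).get("tn") != ani:
        findings.append("orig.tn does not match the presented ANI")
    iat = claims.get("iat", 0)
    if not (now - FRESHNESS_SECONDS <= iat <= now + FRESHNESS_SECONDS):
        findings.append("PASSporT iat outside freshness window")
    return attest, findings


def decide_treatment(attest, findings, device_authentic: bool, ani: str, reference_tn: str) -> str:
    """Combine the attestation signal with device authentication into a treatment.

    device_authentic is assumed to come from a separate device-inspection step and is
    modelled as a boolean here. Attestation alone never yields 'authenticated'.
    """
    if device_authentic and ani == reference_tn:
        return "authenticated"        # authentic device whose ANI matches the number on file
    if findings or attest in (None, "C"):
        return "additional-analysis"  # spoofing is possible; not a verdict, just more scrutiny
    return "step-up"                  # A or B: number is legitimate, caller still unverified


if __name__ == "__main__":
    now = int(time.time())
    sample = build_sample_identity_header("B", "12015551212", "12155551212", now - 5)
    level, issues = check_passport(parse_identity_header(sample), "12015551212", now)
    print(level, issues, decide_treatment(level, issues, False, "12015551212", "12015551212"))
```

Two design points matter in practice. First, the `attest` claim lives inside the signed payload, so until the signature has been verified against the STI certificate it is attacker-controlled text and none of the checks above make it trustworthy. Second, `decide_treatment` never returns `authenticated` from the attestation alone: an A-level call with no device match still lands in `step-up`, which is the distinction the section above draws between number legitimacy and caller authentication.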
Device-based authentication completes before the call is answered, making it faster and more secure than knowledge-based authentication (KBA), the current de facto method of authenticating callers. Trusted callers (the 75 percent of inbound call volume arriving from a mobile phone, landline, or cable landline) pass through authentication without friction and gain access to self-service options that are too risky to offer with KBA, such as account transfers, contact information updates, and PIN resets. Agents can focus on speedy resolution of more complicated matters, confident that they are shielded from social engineering attacks. Only the smaller remaining pool of unauthenticated callers experiences friction or diversion to the fraud department. Together, these outcomes make better use of expensive fraud-prevention personnel and resources, send a reassuring message to trusted callers, and keep agents focused on helping callers.
How Neustar can help
Neustar Inbound Authentication establishes an optimal level of trust for each caller by combining an inspection of the caller’s device with a risk assessment of the call’s signaling data. Callers who pose a risk of third-party fraud are not authenticated.
When an inbound call’s signaling data includes an attestation level, Neustar Inbound Authentication incorporates that data element into its risk assessment. However, SIP header analysis is only one part of the process Neustar Inbound Authentication follows to determine a call’s legitimacy; monitoring for other risk signals helps to protect organizations and consumers.