STIR/SHAKEN Is a Trust Signal, Not a Panacea
On July 1, 2021, STIR/SHAKEN will begin to make it harder for illegal spoofed calls to trick consumers. Consumers will have more reason to trust the phone numbers they see on their devices.
In the short term, enterprises’ calls to consumers may benefit from this restoration of trust. In the medium term, STIR/SHAKEN can provide enterprise contact centers with valuable information to help establish the identity and authenticity of inbound callers. Contact centers still need a complete inbound caller authentication solution that mitigates fraud and improves customer experience.
STIR/SHAKEN versus inbound caller authentication
STIR/SHAKEN brings to the phone channel one of the internet’s bedrock principles: digital certificates. In the internet’s early days, users could be tricked into thinking that they were visiting one website when they were in fact visiting another. Users needed assurance that they were browsing the website they’d intended to visit.
Digital certificates solved that problem. They attest to the user’s browser that the correct website is being visited. This assures the user that, for example, her browser is in a legitimate session with her bank’s website.
However, digital certificates do not authenticate users to websites. That is left up to each website.
STIR/SHAKEN uses the principle behind digital certificates to indicate whether a caller has the right to use a given telephone number. Calling numbers that cannot be verified may have been spoofed and are flagged as risky. The standard focuses on restoring consumers’ trust in the phone numbers that appear on their devices.
When consumers call into an organization’s contact center, STIR/SHAKEN could provide an additional data element to evaluate the authenticity of a calling phone number. However, it would be up to the contact center to authenticate callers. Any organization that attempted to rely only on STIR/SHAKEN for inbound caller authentication would invite risk of fraud loss, account takeover attacks, and associated financial and reputational damage.
Authenticate inbound callers with their phones
Forward-thinking enterprises are inspecting the caller’s device to authenticate the caller’s identity. When the calling phone is confirmed as authentic and the ANI matches the reference phone number on file, the call center can determine that it is engaged in an authentic call with the customer’s unique, physical, legitimate phone. (This is identical to the way that credit cards facilitate cashless transactions.) If the caller’s device is not unique and physical, then other signals, such as the calling history, call routing and line type, can be used for a probabilistic risk assessment.
Device-based authentication completes before the caller hears "hello," making it faster and more secure than knowledge-based authentication (KBA), the current de facto method of authenticating callers. Trusted callers spend less time on authentication and can be offered self-serve options that are too risky with KBA: account transfers, contact information updates, and PIN resets. Shielded from social engineering attacks, agents can focus on speedy resolution of more complicated matters. Only the smaller remaining pool of unauthenticated callers experiences friction or diversion to the fraud department. Combined, this optimizes expensive fraud-prevention personnel and resources, sends a reassuring message to trusted callers, and focuses agents on helping callers.
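The decision described in this section, as an added example (not Neustar's code and not part of the original article): it reads the attestation level from a SHAKEN PASSporT and shows that even full attestation ("A") earns only step-up authentication unless the device check also passes. The function names, decision labels and policy are assumptions, the device check result is taken as an input, signature validation is assumed to have happened upstream, and the sample token is constructed.

```python
import base64
import json

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) as JSON."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def passport_claims(token):
    """Return the payload of a SHAKEN PASSporT, or {} if it is unusable.
    Assumption: signature and certificate chain were already validated
    upstream by a verification service; this function only decodes."""
    try:
        header_seg, payload_seg, _signature = token.split(".")
        header, payload = b64url_json(header_seg), b64url_json(payload_seg)
        if header.get("ppt") == "shaken" and isinstance(payload, dict):
            return payload
    except (ValueError, AttributeError):
        pass  # malformed or missing token: treat as no attestation present
    return {}

def assess_call(token, ani, number_on_file, device_verified):
    """Hypothetical policy: attestation informs risk, never authenticates."""
    claims = passport_claims(token)
    orig = claims.get("orig")
    signed_tn = orig.get("tn") if isinstance(orig, dict) else None
    # The signed calling number disagrees with the ANI we were handed.
    if signed_tn is not None and signed_tn != ani:
        return "high_risk"
    # Deterministic path: authentic device and ANI equals number on file.
    if device_verified and ani == number_on_file:
        return "authenticated"
    # Full attestation says the number is not spoofed; the person holding
    # the phone is still unproven, so require further authentication.
    if claims.get("attest") == "A" and ani == number_on_file:
        return "step_up"
    return "high_risk"

def make_passport(attest, orig_tn):
    """Build a constructed sample token (placeholder signature)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport"}
    payload = {"attest": attest, "orig": {"tn": orig_tn},
               "dest": {"tn": ["12025550123"]}}
    return f"{enc(header)}.{enc(payload)}.constructed-signature"
```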
How Neustar can help
Neustar Inbound Authentication establishes an optimal level of trust for each caller by combining a deterministic inspection of the caller’s device with a probabilistic risk assessment of the call’s signaling data. Callers that pose a risk of third-party fraud are never deterministically authenticated in error, because they cannot manipulate or bypass the process.
Initial support for STIR/SHAKEN was integrated into Neustar Inbound Authentication in 2019. (Neustar is a co-author of STIR, contributor to SHAKEN, and exclusive host of the ATIS Robocalling Testbed for validating STIR/SHAKEN implementations.) Because STIR/SHAKEN will be delivered in a phone call’s signaling data, it is a perfect complement to Neustar’s pre-answer authentication approach. When the FCC begins enforcing use of STIR/SHAKEN on July 1, 2021, Neustar Inbound Authentication will be prepared to incorporate the standard’s attestation signal.