International Call Authentication (STIR/SHAKEN) FAQs

While phone calls remain one of the most preferred communications channels, close to 90 percent of business calls go unanswered, because customers don’t trust the phone anymore, and can’t determine who is really calling―leading to missed appointments, lost revenue, and critical information not getting through.

That’s largely due to robocalls, call spoofing, and fraud. In 2020, there were 45.9 billion robocalls in the U.S., and 45 percent of those were scams. In fact, the Federal Trade Commission (FTC) received more than 2.2 million reports about fraud in 2020, with losses nearing $3.3 billion.

U.S. regulators and service providers are working hard to solve the massive problem of illegal robocalls. But a significant percentage of outbound calls are mistakenly being blocked or mislabeled as spam in the process.

The impacts are far-reaching including reduced revenues, inefficiency, poor customer experiences, the inability to deliver vital healthcare and government services, and an overall lack of trust in a vital communications channel.

Visit our Trusted Call Resource Hub to learn about tools, tips, and solutions for CSPs.

The attack on robocalls and call spoofing by the U.S. has been multi-faceted, by regulatory bodies, legislators, Communications Service Providers (CSPs), and industry organizations like the Industry Traceback Group | The Broadband Association. We also collaborate with regulatory bodies and organizations across the globe to help promote call authentication standards that benefit all countries, enterprises and consumers. Those include the IETF, ATIS, SIP NOC, the Network Working Group, GSMA and NICC.

The Federal Communications Commission (FCC) has played the greatest role. In 2019, Congress passed the TRACED Act, mandating that service providers implement STIR/SHAKEN call authentication or robocall mitigation programs – at no cost to consumers. The TRACED Act directed the FCC to take numerous steps to promote and require that carriers implement STIR/SHAKEN in the IP portion of their networks, along with reasonable analytics tools to mitigate and track robocalls. Over the past two years there have been many additional regulations and requirements as shown below.

Here is a summary of the various players:

The Federal Communication Commission (FCC): Primary authority for Communications law, regulation, and technological innovation. Composed of 5 members who are appointed by the President and serve a 5 year term.

Governance Authority (GA): acts as a board of directors that influences policies and standards. The GA is made up of industry representatives from carriers (large and small) and equipment manufacturers.

Policy Authority (PA): The PA is a trusted steward selected by the governance authority that manages the enforcement of issuing tokens to carriers. To enable STIR/SHAKEN, a carrier needs to first obtain a token from the PA to prove it is an authorized service provider.

Certificate Authority (CA): The certificate authority are trusted third parties approved by the PA that issues certificates to carriers wishing to originate calls. To ensure the requestor is eligible for a certificate, the CA first validates the credentials of the organization requesting the certificate with the PA.

STIR/SHAKEN are technology standards that define how to digitally sign phone calls to verify caller identity and prevent spoofing. STIR/SHAKEN utilizes a combination of technical, legal, and behavioral solutions; it’s an evolving process that continues to be refined to address the dynamic needs of the marketplace. Expected upcoming improvements include the support of non-IP networks, enterprise multi-carrier implementation, and standardizing how attestation is displayed on devices.

• STIR: Secure Telephony Identity Revisited. Protocol suite; defines how to sign calls
• SHAKEN Secure Handling of Asserted information using toKENs

STIR (Secure Telephone Identity Revisited), a standard created by the IETF is considered a universal standard that can be successfully deployed in any country to help authenticate calls using SIP-based services. STIR has also been tested extensively in the ATIS Testbed, by domestic and international carriers, for numerous years.

SHAKEN, on the other hand, was designed specifically for the U.S., and deals with governance issues in how the STIR efforts should be managed.

Here’s how STIR/SHAKEN works:

1. A user wants to originate a call
   • Calling party dials number of called party they wish to reach
   • Calling party device sends request to their service provider
2. Originating Service Provider (OSP) invokes authentication service. The OSP is the service provider that attests to ownership of a phone number that originated from its network. This enables the terminating service provider to “trust” that the call was originated from a valid source and was not spoofed.
   • Authentication service validates the relationship with calling party
   • Assigns attestation level (A, B, C) § Generates SIP Identity Header (PASSporT) using authentication service and private key, obtained from SKS, to sign (authenticate) call
3. Originating service provider sends SIP INVITE to terminating service provider
4. Terminating Service Provider (TSP) invokes its verification service. The TSP is the service provider that has a relationship with the call recipient. The TSP:
   • Validates that the call information has not been tampered with and completes the call.
   • Initiates a service request to the OSP’s certificate repository for a certificate and public key
5. Originating Service Provider returns certificate and public key
   • Verification service validates the call is from an authenticated source
   • Examine certificate issuer to ensure it’s from originating service provider
   • Validates CA that issued certificate is from the list in Trust Store approved by PA
6. OSP examines robocall analytics to determine if TN is known spammer
7. TSP sends attestation level (A,B, or C) and completes call
   

   How attestation works.

   STIR/SHAKEN uses vital information about the originating caller to assign an attestation rating of A, B, or C to each call. These “ratings” set by originating service providers (OSP) indicate how certain they are that the outgoing call is made by the owner of the number and that the OSP has authenticated the right of the caller to use the phone number.

   The receiving carrier (a.k.a. the terminating carrier) uses a decryption key and the attestation rating to validate the caller’s number and help identify spoofed calls.

   Depending on the call treatment algorithm used by your service provider, customers will be notified with a symbol, verification keyword, or alert indicating that the incoming call has been validated. If the call cannot be verified, the carrier may block the call and/or alert the call recipient to a potential scam call.

   • A - Full: The carrier originated the call from a known customer, using a phone number they provided to the customer.
   • B – Partial: The carrier knows the caller’s identity but hasn’t verified the right of the caller to the calling number.
   • C – Gateway: The carrier received a call originated elsewhere and cannot verify the caller or the phone number. This is a common scenario for international calls.

   Read the eBook: Overcoming the Attestation Gap

Neustar is a pioneer in call authentication as the co-author of STIR standards and early contributor to the SHAKEN framework, and we play an ongoing leadership role in defining industry standards with ATIS, IETF, and CRTC.

We provide the industry’s reference implementation of STIR/SHAKEN as the exclusive operator of the ATIS Robocalling Testbed, where real world STIR/SHAKEN implementations are being tested for interoperability, and Neustar leads the industry in commercial call authentication deployments.

In addition, Neustar offers a suite of Trusted Call Solutions that comply with the STIR/SHAKEN standards, including Certified Caller, Certificate Manager, Vetting, and others.

Visit the STIR/SHAKEN Resource Hub to learn about insights, resources, and solutions.

Robocalls are a global problem – and are not isolated to the US. In countries such as the Netherlands, intra-country robocalls are not an issue. The source of robocalls is from outside their borders where it is often more difficult to identify and prosecute bad actors.

In the US, many small to mid-sized carrier were given an extension to implement STIR/SHAKEN. However, the FCC recently announced that it is considering shortening that extension to one year for a subset of these providers in light of new evidence indicating that they are originating a high and increasing quantity of illegal robocalls.

This finding is tied closely to the issue of robocalls initiated by international carriers, who then leverage small carriers to complete the calls here in the U.S. There have been several legal cases highlighting this issue. And, FTC data and government officials show that scams originating overseas accounted for at least $38 million in losses by U.S. consumers in 2019.

Because the business model used by these small domestic telecom carriers can support fraud on a massive scale and US law enforcement cannot pursue outside their jurisdiction, authorities are now targeting these small US carriers for investigation.

In addition, the problem of robocalls is international. Canada is mandating STIR/SHAKEN to address nuisance calls by November 2021. Other countries are also interested in learning more about how to mitigate the scourge of robocalls.

Read the eBook: Robocall Mitigation FAQs for CSPs.

Numerous countries are investigating STIR/SHAKEN as a viable solution to stopping robocalls. Canada has perhaps made the most progress to date.

Canada

The Canadian Radio-Television and Telecommunications Commission (CRTC) is key communications regulator in Canada. It issued compliance and enforce and telecom decision CRTC 2018-32 on 25 January 2018, which requires Canadian Communications Service Providers (CSPs). The original 9 December 2019 was pushed to November 2021.

Key Dates:

2018: CRTC mandates Caller ID authentication via STIR/SHAKEN by December 2019. Since updated to November 2021

2019:

• CRTC establishes the Canadian Secure Token - Governance Authority‎ (CST-GA). The CST-GA is responsible for directing the Secure Telephone Identity Policy Administrator (STI-PA) and Certification Authorities (STI-CA) in Canada. All Canadian carriers who wish to implement STIR/SHAKEN must be a member of the CST-GA.
• The FCC Chairman in the U.S. and Canada's CRTC Chairman Ian Scott reported that they had completed end-to-end international authenticated calls using STIR/SHAKEN through Xfinity Voice and Telus wireless phone services.

2020:

• In July, the CST-GA and their shareholders partner with Neustar to stand up both the STI-PA and STI-CA by September 30, 2020,comprehensive governance solution support to CST-GA, enabling STIR/SHAKEN protocols across the Canadian telecommunications industry. As an STI-CA, Neustar will issue digital STI certificates to be used by service providers to authenticate and verify calls.
• Then in October, the CST-GA engaged Neustar to help launch the Canadian-based infrastructure and website for eligible carriers to register and join CST-GA and to participate in the Secure Telephone Identity (STI) call authentication ecosystem using STIR/SHAKEN.

Read the blog: Canada Mandates STIR/SHAKEN to Battle Nuisance Call Epidemic.

U.K.

Ofcom is the main regulator in the United Kingdom. Published in 2019, their report, Promoting trust in telephone numbers, explores the prospects for leveraging STIR/SHAKEN in the UK. In the report their definition of Caller ID notes that that a phone number is the ‘address’ that identifies both the called party (the dialed number) and calling party (the Calling Line Identity or CLI) and conveys information to callers about the price of the call and the nature of any service provided.

The UK, which is moving towards copper retirement, hope to migrate the telephone network to VoIP and retire the PSTN by January 2025, making it simpler to implement STIR/SHAKEN. However, the UK doesn’t have a national telephone number database of assigned numbers that shows what numbers have been assigned and if they’ve been ported to another provider.

NICC, a technical forum in the UK for telecom notes in their Report into Implementation of Secure Telephone Identity Revisited (STIR) in the UK, without an IP network and a central database of numbers, STIR wouldn’t help. While it’s possible to launch STIR without a numbering database, it would only be capable of providing an indicator back to the network that originated the call, rather than whether they had any rights to use the associated CLI.

At the recent SIPNOC STIR/SHAKEN Virtual Summit, it was noted that NICC is suggesting a three-phased approach. The first phase would focus on resolving the issue in the U.K. around network numbers vs presentation number and which gets the attestation level. The second phase is the implementation of a central database, and the third phase will be based on success of the first two.

Ofcom plans to develop a numbering database which would go live in 2022. CLI authentication could begin in 2022, with the hope that it would expand over time until PSTN switch-off is complete sometime in 2025. Ofcom is in talks with the FCC, the CRTC in Canada, ACMA in Australia and ARCEP in France to share learnings.

Key Dates:

1999:

• Launched Telephone Preference Service (TPS) Do Not Call Registry

2013:

• Ofcom launches action plan to prevent nuisance calls

2020-2021:

• Ofcom and NICC exploring STIR implementation framework targeted for late 2021

France

ARCEP is the main regulator in France. In 2019, they adopted a decision to amend the French national number plan to:

1. Relax geographical restrictions attached to TN prefixes to enable portability, in two stages:
   • As of 1 January 2020, operators were able to offer users the option of keeping their 01 to 05 number when moving within the area that corresponds to the first two digits in their phone number (01: Ile de France; 02: North-West; 03: North-East; 04: South East; 05: South-West). This means that a consumer or an enterprise located in the Hazebrouck (North) dialing code, for instance, would be able to keep their number starting with 03 if they move to Beauvais, Strasbourg or Besançon.
   • As of 1 January 2023, the geographical restrictions attached to numbers starting with 01 to 05 will be aligned with those attached to mobile numbers (starting with 06 or 07) and numbers with the 09 prefix. This means that operators will be able to offer their business customers in Metropolitan France the option of keeping their 01 to 05 number when moving to any other location in mainland France.
2. Allow the introduction of authentication to enable operators to introduce related solutions if they wanted to do so

ARCEP also proposed an anti-spam measure to forbid automated systems that make more calls and transmit more messages than they receive from using specific geographical numbers, which was met with resistance by market players concerned about blocking legitimate calls.

Market players responded with concerns that the filtering solutions are not yet mature enough to handle this second requirement. They were concerned about blocking false positives. The measure was postponed.

Key Dates:

2020:

• France passed Loi Naegelen anti-canvassing law
• French Parliament passes law imposing harsher penalties for those caught cold calling people living in France who are signed up to Bloctel, an anti-cold-calling list, outside specified hours.

At present, Neustar collaborates with the IETF, ATIS, SIP NOC, the Network Working Group, GSMA and NICC. We continue to reach out to organizations and regulatory bodies across the globe to help promote call authentication standards that benefit all countries, enterprises and consumers.

Neustar’s Trust Lab serves as the industry’s virtual testbed for Communications Service Providers (CSPs), equipment manufacturers, and software suppliers across the globe to remotely test call authentication solutions like STIR/SHAKEN.

Neustar is also the exclusive provider of the ATIS Robocalling Testbed. Launched in 2017, the industry interoperability test facility helps validate the effectiveness of caller authentication standards and solutions that combat illegitimate call spoofing.

The testbed has helped carriers and suppliers meet the June 2021 deadline for STIR/SHAKEN implementation, and continues to provide support to carriers on an ongoing basis. While there have been estimates that STIR/SHAKEN implementation will take 10 years for full deployment – we believe we have accelerated adoption via the testbed and are discussing setting this up for other countries.

Currently, we’re migrating to flexible, cloud-based infrastructure and expanding the Trust Lab to support emerging standards including:

• Delegate Certificates
• Out-of-Band for TDM
• Rich Call Data
• International interoperability

We have already performed testing with carriers from the following countries, who terminate calls in the U.S. using U.S. numbering resources:

• Canada
• China
• Malaysia
• Mozambique
• South Africa
• Singapore

For more information, email Bob Olson, or Anthony Cresti. If you have any questions about the Neustar Trust Lab, contact trustlab@neustar.biz. Contact Brent Struthers with questions about the ATIS testbed.