Q&A: STIR/SHAKEN for Businesses
Regulators and legislators continue to enact new rules to ensure service providers implement effective ways to combat illegal robocalls. In response, phone companies are deploying Caller ID authentication with the STIR/SHAKEN standard. But what does this mean for businesses and how they connect with customers through calls?
In a recent webinar, STIR/SHAKEN for Businesses, we shared how illegal robocalls are impacting businesses today, what STIR/SHAKEN addresses (and what it doesn't), complexities of implementing call authentication across networks and what it means for business calls.
Below are questions we had from webinar attendees across many different industries who are experiencing challenges with their outbound calling programs. Neustar is a pioneer in call authentication, co-author of the STIR/SHAKEN standards and market leader and neutral trusted provider of caller ID services in the U.S.
CALL AUTHENTICATION STANDARDS
1. Is it STIR/SHAKEN or SHAKEN/STIR?
While the term “shaken, not stirred” is most commonly used for cocktails, both STIR/SHAKEN and SHAKEN/STIR are used to refer to call authentication standards. Secure Telephony Identity Revisited (STIR) is a set of technical standards developed by the Internet Engineering Task Force (IETF) to provide a means to certify the identity of originating calls. Signature-based Handling of Asserted information using toKENs is a framework developed by the Alliance of Telecommunications Industry Solutions (ATIS) focused on the implementation of STIR within IP-based service provider networks.
2. What types of calls does STIR/SHAKEN address?
STIR/SHAKEN was developed to stop illegal call spoofing. Call spoofing is when a call originator changes the calling number to hide or change which calling number is shown on the call display. An example of a legal use of spoofing is to present a main callback number for customer support or to keep a calling number private such as when a doctor contacts a patient from their private phone. Illegal spoofing of numbers is done to avoid detection or trick users into picking up unwanted calls. Illegal spoofed calls are a big problem in the U.S. are often a combination of automated dialing with spoofing for the intent to defraud consumers.
3. Do the regulations and fines apply to businesses – or just service providers?
The most current federal legislation – the Pallone-Thune TRACED (Telephone Robocall Abuse Criminal Enforcement and Deterrence) Act outlines regulations for service providers to implement effective caller ID authentication and allows the blocking of unauthenticated calls but at no extra costs to subscribers. While it ramps up penalties for robocall offenders, it does not provide updates to the Telephone Consumer Protection Act (TCPA) that outlines regulations for businesses. As federal regulator for the communications industry – the Federal Communications Commission (FCC) has directed service providers to put call authentication in place by the end of 2019 but has yet to implement fines for non-compliance for carriers.
While the federal legislation and regulations are focused on service providers and robocall offenders, many states are increasing consumer call protection laws that may include specific regulations relevant for the way businesses conduct their outbound calling practices in those states.
4. How will consumers be impacted by STIR/SHAKEN?
As more carriers roll out STIR/SHAKEN, phone numbers and source of calls will be verified. Carriers are experimenting with various alerts, but to date there is no standardized way of notifying consumers of verified calls. If the call can be validated, the consumer may be notified with a verification keyword or symbol on the incoming call display. If the call cannot be verified, the call may be blocked or the consumer notified on their caller ID screen warning of a potential scam call. The purpose of notifications is to allow consumers to decide whether they wish to answer, ignore or block the number. With STIR/SHAKEN and other anti-robocall protections in place to stop scam calls, consumers should feel more confident and empowered about answering the calls they do want to receive.
5. Does STIR/SHAKEN apply to SMS/text messaging?
Currently STIR/ SHAKEN applies to phone calls only. However, work is on-going in the communications industry to evaluate the best authentication method for SMS / text messaging.
6. Are calls and/or numbers going to drastically increase in cost due to per call validations?
The FCC and the TRACED Act have regulated that carriers offer anti-robocalling solutions free-of-charge for subscribers and not institute separate billing for consumers and small businesses customers for these services.
HOW STIR/SHAKEN WORKS
7. Can carriers verify outbound calls without the business having to implement STIR/SHAKEN? Will every outbound number from business be authenticated – or only ones businesses select for validation?
Yes originating and terminating carriers that have STIR/SHAKEN enabled on their network will evaluate all calls from every outbound number without the business having STIR/SHAKEN implemented.
8. Will STIR/SHAKEN protect our phone numbers and brand name from being abused by spoofers?
Yes STIR/SHAKEN will help prevent illegal call spoofers from abusing brand reputations and unlawfully utilizing phone numbers on the Caller ID that are not registered to them.
9. As a technology provider for legitimate outbound calling (polling, market research, etc.), how can we help our customers prepare for STIR/SHAKEN? As a company that make calls through third-party call centers and vendors, how do we prepare/plan for STIR/SHAKEN?
Call center operators should prepare to implement the ability to sign outbound calls as per STIR/SHAKEN standards and test STIR/SHAKEN capability in the ATIS Roboccall Testbed. When looking for a third-party vendor, make it a requirement to have STIR/SHAKEN capability so outbound calls can be signed.
10. Does the STIR/SHAKEN verification process apply to all of North America?
Yes both Canadian and U.S. legislators and regulators have required that carriers adopt STIR/SHAKEN call authentication solutions. However, each country has different legislative timelines for implementation. Tier one carriers in the US have begun rolling out STIR/SHAKEN capabilities and leading Canadian operators are testing STIR/SHAKEN implementations.
11. How will STIR/SHAKEN impact legitimate use cases of call spoofing, such as wanting to display a toll-free number for calls from the marketing, sales, or service departments?
With STIR/SHAKEN, legitimate use cases of call spoofing can still be verified if the carrier knows the customer has the right to spoof that number.
12. Why should a carrier ever sign a call with an attestation level other than "A" ?
STIR/SHAKEN has a three-level system to categorize the essential information about the caller into levels of “attestation” for the call. These attestation levels characterize a caller’s right to use a particular number. Full attestation, also known as “A-attestation,” has several requirements but provides the highest level of confidence by the originating carrier. These calls must originate on the carrier’s own network, as opposed to originating from another carrier or a VoIP provider. The carrier has also directly authenticated the caller and verified the caller’s right to use the number. If the signing provider has not established a verified association with the telephone number or has no relationship to the initiator of the call (i.e. international gateways) the call will be attested at a “B” or “C” level.
13. Can we assign Caller Name and Number (CNAM) to Toll Free Numbers? Where can we upload CNAM to Toll Free Numbers?
Neustar offers Caller Name Optimization which allows access to the caller identity database to manage both Toll-Free and non-Toll-Free telephone numbers. Neustar runs the largest caller identity database in the United States that acts as a hub to over 800 carriers, including mobile network operators, cable companies, and analytics providers. This allows businesses to update the name that they want the consumers to see, and that data is then distributed from our hub position out to the ecosystem. With Neustar Caller Name Optimization you can manage and customize Caller ID for outbound calls through a centralized online portal.
14. We have phone numbers in inventory that have a bad reputation as a result of external spoofing. What can we do to assess our phone numbers' reputation and address issues to ensure customer-facing spam indicators are no longer flagged on our outbound calls?
With Neustar Caller Name Optimization, we can help assess and protect verified phone numbers from call blocking, spoofing and spam tagging and deliver an accurate and consistent call display to increase contact rates and engagement while protecting brand reputation through our distribution of caller information throughout the calling ecosystem. You can contact us at callerid.neustar or +1 (855) 898-0036.
15. Is implementing STIR/SHAKEN something our service provider can do for us, or do we have to do this on our own?
If you procure your telephone number from a single carrier and originate all calls on that carrier’s network, your carrier partner may be able to implement the STIR/SHAKEN functionality on your behalf. Otherwise, to take control of how your calls will be signed and to what attestation level, businesses will need to implement STIR/SHAKEN to enable the ability to sign outbound calls and have input for the highest level of call validation / attestation.
16. As a business, how can we implement STIR/SHAKEN?
Neustar licenses a complete software product suite for STIR/SHAKEN, Certified Caller, that includes all the required components to support automated certificate management of STIR/SHAKEN. It can be deployed locally within a private cloud environment or customers can access the product suite through our hosted service running in AWS. The software product suite supports both published REST and standards-based SIP proxy interfaces to the signing and verifying functions.
17. Should we wait for the carriers to roll out STIR/SHAKEN before we implement it?
Most Tier One carriers are well on their way to implementing STIR/SHAKEN across their networks. With the impending regulations, smaller carriers are also required to implement the capability to authenticate calls. It’s important for businesses to get started in planning and preparing for adopting STIR/SHAKEN to be ready and able to sign calls as more and more calls will be routed through carriers that have the capability to protect brand and number reputation and have calls attested at the highest level so they can be trusted by consumers.
18. Should we participate in the Test Bed before rolling out STIR/SHAKEN?
Yes interoperability testing is highly recommended to work through any challenges and apply learnings to ensure success of your full scale implementation of STIR/SHAKEN.
19. Could enterprises with more than one SIP outbound service have their own credentials?
Yes, STIR has defined a “delegation” mechanism which permits enterprises to control their own certificates, or to allow a third-party service to manage the enterprise’s credentials on their behalf. This enables enterprises to originate traffic to multiple outbound services from a given telephone number while still using a credential that proves that the carrier who assigned the number authorizes the enterprise to use it.
20. Are there STIR/SHAKEN solutions that are affordable for smaller companies?
Neustar’s hosted cloud-based solutions offer signing at affordable rates for enterprises that do not field their own infrastructures for IP calling.
21. What is Neustar's experience across multiple switch platforms? My company operates Genband, Metaswitch and Broadworks in different parts of the country.
Most carrier and enterprise infrastructure vendors today are in the process of implementing and deploying STIR/SHAKEN. Through the ATIS testbed, many vendors have demonstrated their interoperable implementations today. It is a safe bet that major vendors will have compliant STIR/SHAKEN implementations in the 2020 timeframe.
22. How do Neustar’s solutions differentiate from those offered by TNS, Hiya, and First Orion?
Neustar is a pioneer in call authentication as co-author of STIR, contributor to SHAKEN and exclusive host of the ATIS Robocall Testbed. We offer a full portfolio of trusted call solutions for business and carriers. As the leader in Caller ID we act as a neutral Caller ID hub. Our Certified Call solution includes all the STIR/SHAKEN components and is easily deployed so you can be compliant STIR/SHAKEN standards.
23. What is branded call display?
Neustar Branded Call Display enhances caller identity and enriches the mobile call experience by leveraging the valuable real-estate of the smartphone screen. Businesses can add expanded business information such as location, title, department and logos, images and e-business cards to deliver a rich multimedia display. This gives customers a reason to answer and engage in the conversation.
24. We are in the Fintech industry and require identity verification through phone contact. We utilize databases to verify phone numbers but frequently encounter cases where the customer's phone numbers are being spoofed. What tool or system improvement do you suggest for us to use?
Neustar offers solutions that improve call center efficiency and effectiveness via real-time identity solutions that allow you to identify and authenticate inbound callers, even if they are using a different phone number from the one in your records. You improve operational efficiency by matching callers to your CRM database without requiring additional verification.