Frustrated with the lack of robocall solutions?
You've heard of STIR/SHAKEN-but what does it mean for your business and how you communicate with customers?
Regulators and legislators continue to enact new rules that ensure service providers implement effective ways to combat illegal robocalls.
In response, phone companies are deploying Caller ID authentication with the STIR/SHAKEN standard. But what does this mean for businesses and how they connect with customers through calls?
In this on-demand webinar, you will learn:
- How illegal robocalls are impacting businesses today
- What STIR/SHAKEN addresses (and what it doesn't)
- The complexities of implementing call authentication across networks, and what it means for business calls
- The current state of FCC, Federal, and State STIR/SHAKEN regulations and carrier deployments
- How STIR/SHAKEN standards may evolve
- What solutions are available to augment STIR/SHAKEN deployments and provide a better call experience for your customers
Fill out the form to view the on-demand webinar and download a PDF of the presentation.
Video Transcript
Again, I want to thank you for joining us on today's call-- STIR/SHAKEN for Businesses How to Protect Against Card Fraud and Spoofing. It's now my pleasure to introduce your speakers for today. Joining us are Jonje Sena, senior director of product marketing with Neustar. And joining him is Marybeth Degeorgis, senior director of Communication Solutions. And finally, last but not least, following them is Jon Peterson, fellow an active member of the Internet Engineering Task Force. With that, I will turn the floor over to Jonje. Take it away.
Thanks, Phil. And welcome everybody. We appreciate everyone joining us today. We're going to be discussing some of the regulatory pressures we're seeing and the challenges that that raise for businesses. I'm going to outline really what we're seeing from a market and regulatory landscape, and the impact that has on the calling experience for businesses.
STIR Standards
Our resident expert Jon, who helped co-write the STIR standards, will be discussing what that addresses, as well as things it does not and just an overall view of that solution set. And Marybeth will follow to outline the commercial solutions, including those that complement the call authentication aspects, and how together they help evolve and improve the customer to-- the enterprise to customer phone engagement.
So while I was preparing for this webinar, I came across this somewhat cryptic quote. And it's from Eugene Martin. He's an artist from the Washington DC area. And what struck me about this was the idea that fixing one problem can actually create a ripple of other problems. And maybe it's because I've been looking at robocalls for too long, but it kind of evokes for me a parallel of what we're seeing in the robocall areas.
Problem with Robocalls
So what's the one problem that we want to talk about? Really, it's robocalls. And I'm not going to bore you with all the different stats, but we all know how bad it's become. 2,000 calls a second, big impact on customers, a large number of folks that are being affected by this. And while we're all aware of the impact of consumers, it goes well beyond that.
Really, it's the phone call itself that's under attack. And this affects many parties. And today we're going to focus on the other business impact. Now, definitely this type of fraud has very real consequences to consumers. We've heard examples of citizens being scammed as part of the IRS, social security-type frauds.
We've heard from large brands in the finance and insurance and travel industries. And I have seen similar scams carried out really in the name of the brand to the detriment of that brand. And the net impact of this is that nobody picks up the call. Consumers miss important calls. Enterprises can't deliver messages. And really, the phone channel itself is dying to some degree.
And this is an issue because our research shows that phone calls still remain one of the most important channels, especially deeper into that customer engagement. Customers use the phone to complain. They ask about non-standard tasks that may not be available on the web or other channels. Or they're addressing very specific private or personal information or dealing with very high-complex and high-value transactions.
Limitations of Current Solutions
So what are the two problems that emanate from some of the solutions? Well, I think really in a nutshell, we're seeing two types of challenges that businesses themselves face. Number one is that calls that they actually want to make aren't getting through to the customers that they're reaching out to. The second part of what's happening is that calls that they actually don't want to happen-- and in this case, a lot of spoofings going on-- are reaching customers in their name. And that's a really big issue for just from a brand and an engagement perspective for the enterprises.
So if you kind of look at the results of some of these things and what's going on, just given the call volumes, given the level of complaint, really the legislators and the regulators have really jumped into this. The FCC has reiterated that stopping robocalls is their number one consumer priority. And they've focused on enforcement. They've issued multi-million dollar fines.
They've also challenged the industry to roll out call authentication to help solve these problems, as well as a lot of other anti-robocall angles. And very recently in June this year, the FCC actually allowed carriers to block calls, not just illegal, but what people might perceive as unwanted, to block those caused by default, meaning without customer opt-in. Now, on the legislative side of the house, we're seeing a lot of bills being run. Obviously, from the Senate, you're seeing the TRACED Act. In the House, you're seeing the Stopping Bad Robocalls Act.
Fundamentally, these mirror a lot of the exhortations coming from the FCC-- roll out the solution, make sure that you extend the period of liability. But at the end of the day, it's to give the ability to enforce and apply certain rules that can be applied to the illegal calls that are going on. And even several states have jumped in. We're aware of really more than a handful of different states. And I think California just rolled one out last year. There's a lot of similarities in those.
But before we even go into that aspect, I sort of want to cover one of the angles that we're seeing. And it's kind of evident as you read some of these legislations. And so before you dig into the specifics, you really have to understand there's two issues that are being addressed. And they're related, but they're actually different.
And one aspect is the robocalls. And the robocalls is really the deliverer of recorded messages or programmatic origination of calls, whether or not it is a recording or a live person. And it's fundamentally automation that's allowed the explosion of the number of calls.
The second aspect is really this call spoofing idea. And this is the act of changing the originating number or the calling number so that it appears to be coming from somebody else. And again, these are related, but they're not quite the same thing, and somewhere illegal or legal. But what's starting to happen with the legislations is a lot of these are starting to sort of get-- they're starting to get conflated-- sort of grouped together as part of the new rules that we're seeing today.
Robocall Analytics
So one of the responses that we've seen to this is this idea of specifically stopping robocalls is the introduction of robocall analytics. And fundamentally, what these illusions are being done-- supplied by the leading operators, both the mobile and landline-- is really applying call analytics. And they do this by applying a variety of different checks.
So they look at the volume and frequency of calls. They look at who's calling. They see how many different people are called. They take into account seasonality. And there's many other factors.
And the goal of that is if you can try to identify a potentially fraudulent or risky call, that information can then be reflected back to the consumer as we show in some of the shots here. One of the challenges though in rolling this out, is that it's really impacting some of the legitimate business calls. And they're being mistakenly labeled. Or worse, they're potentially being blocked.
Several operators are already explicitly blocking calls. And this has kind of been, in some ways, enabled by the recent FCC mandates that will now allow robocall blocking by default, even without customer opt-in. So there's a lot of tension right now between how this is being rolled out by operators and the mobile apps they provide and a lot of the enterprises, and specifically in the call origination industries that are sort of how these analytics work and how you get associated as being potentially fraudulent.
And many of the industries, and notably, the contact centers, collections, and many others are saying, look, this is not applying appropriately for my call. And there's been additional drops in the marketplace. I think the metric we've heard over the last two years-- there's an additional 20% drop. One of the chief concerns is this no standard way to mediate these claims of incorrect blocking or tagging. And so the industry's working to try and address all of that.
Improving Call Authentication
The other aspect that we're seeing is this idea of call authentication. So in parallel, which complements the analytics angle, the industry has been working on what we're calling call authentication, which is really around this idea of using technologies called STIR/SHAKEN. And if you kind of look at this, this is highlighting a recent commitment by 51 of the state attorneys general in Washington DC. And 12 of the carriers that I've noted here have said that this is something that they support, and they're willing to roll out.
Now, this is a pretty good commitment that we're seeing. But one of the questions we often hear is, yeah, it's a great commitment, but what is the deadline for this? This commitment really didn't have a deadline.
But if you listen to many of the other on goings with the FCC and the different carriers, it's fair to say that the majority of these operators are already in active deployment of STIR/SHAKEN. And we expect a majority of them to have STIR/SHAKEN, or at least a portion of their networks, by the end of the 2019 FCC deadline. And more and more of them should roll out in 2020-- that the vast majority will be there by what is tending to be the deadline on some of the bills that are being rolled out today.
Now, it's worth noting that there's probably about 2,000 phone companies. So when you hear about 12 carriers committing, it's not a large number. But really these are the major operators. And they actually service the vast majority of consumers, so we expect this will have a pretty broad deployment as we go.
In contrast with the analytics, though, STIR/SHAKEN, what it actually does is apply digital certificates to attest to the identity of the call to prevent spoofing. And Jon will cover that in a little bit more detail when it gets to his section. And so the way that we want to think of this as that call authentication really isn't a replacement for all the different strategies that carriers have rolled out today, but rather a compliment.
And so this analytics and this certification-type angle really address the one and two problems that we've been hearing about. So a lot of the analytics helps address robocalls. They stop the calls that you want that aren't getting through to try and address some of those angles. And on the certificate and call authentication side, it's really trying to stop a lot of this spoofing. And the converse of that is that legitimate calls are actually reflected back on to the consumers when they're called.
STIR/SHAKEN: A Collaborative Solution
Now, even though that this is helping address the solution of spoofing, there is still a challenge of how STIR/SHAKEN shaken works for enterprises. Today, STIR/SHAKEN is really driven by carriers. And it's them that do the signing and implementing those capabilities. But one of the challenges are enterprises that want to participate in this. They can sign for the calls, currently. And so the question here is, well, how do you engage there? And Jon will address some of these things in his portion, as well.
What are the Challenges to Calling Customers?
So really, that takes us to the next set-- really to the first poll. And the first poll is really trying to get a measure of the attendance here today and get a sense of what are the challenges that you as an enterprise have in calling your customers? So please feel free to answer here. We'll give it about 15, 20 seconds.
But is it because you don't have accurate or complete customer contact information? Does it really have to do more with how your call agents and staffing and scheduling worked? Is it about the idea that the caller ID is sometimes not available, unknown, or inconsistent? Are you running into some of the blocking and spam call blocking or call spoofing that we've outlined earlier? We'd love to hear your take.
I'll give it another five seconds. Does everybody see the stats coming up here? From what I can tell, we're getting answers that's across the board. But we are seeing two in particular that are standing out-- incorrect customer details, as well as spam and fraud labeling. Jon, Marybeth, any reactions to what you're seeing from what the audience is telling us here?
I mean, I'm just going to say that we've had some wide adoption with our enterprise customers about some-- on some of the commercial solutions that I think this goes right in line with what they're telling us. It's the inaccurate detail about themselves and the presentation to their consumer. And then also the fact that in many cases, they're not even getting to the consumer because these analytics programs have overlaid them with some sort of erroneous label or tagging as a robocaller or something worse.
Got it. Jon, you were saying?
I was just going to add, you see call blocking and call spoofing are relatively low on this. In part, call spoofing is an underlying cause of a lot of the remainder of the symptoms that you see here. And although we see now incorrect spam and fraud labeling kind of higher than call blocking, I think that reflects the fact, as Jonje was saying, call blocking is relatively new. But as these analytics become more prevalent, then it could be the case that we'll see that become a much more visible problem. This is still something that's kind of in beta at the moment.
Wonderful. Well, Jon, I think that's a perfect transition. It hands it off to you from your perspective for the Standards & Technology portion.
What is Secure Telephone Identity Revisited (STIR)?
Well, thank you, Jonje. So I'm Jon Peterson. And I'm a fellow here at Neustar, and I've been working on STIR since the very start. A lot of the concepts that we discuss here are indeed things that have been considered in the standards for, in some cases, more than a decade, where really it's only been, as Voice over IP has started to become a huge part of how communications happens that we've kind of had to go back and revisit the way we looked at authentication.
And for those of you that have heard the term STIR and are wondering where it came from, the Secure Telephone Identity Revisited part of it reflects the fact that everyone kind of knew that we were going to need to have strong identity in Voice over IP systems. But the initial stabs we took at this clearly-- we hadn't really seen what the deployments would turn out to be like yet that would necessitate them.
And this is what motivated us to revisit it. This whole STIR/SHAKEN thing by the way, I mean, it's true that I came up with STIR as a name late one night when I was waiting for a very late flight that stranded me in an airport bar for about nine hours. And that may have something to do with how we ended up with these drink-themed names for these things.
But it's also true SIP, itself, kind of lends itself to STIR and SHAKEN, and so on. So I do a lot of work on the core technology and design of this. I'm happy to answer any technical questions at the end here or offline. I am pretty easy to find on the internet.
I think a good place to start this conversation, though, is with the kind of traditional question of, which is more secure, the telephone network or the internet? I think if we posed this question 10 years ago, people would probably say that the telephone network is this rigid network of responsible carriers. The internet is this absolute wild west that contains these properties where really it was designed so that any computer can send arbitrary data to any other computer. That's pretty much the definition of the internet.
And it turned out, though, that as these things evolved, we ended up in a situation we didn't really anticipate a decade ago. The phone networks certainly used to be very secure. It was a closed network. You hear about these protocols like SS7. These were effectively staged at least here in the United States.
In you network, you had to be a carrier to participate in. It wasn't like the internet where you can just kind of send-- anybody could send packets over it. We, as end users of the telephone network, just had our black phones or maybe our smartphones already 10 years ago. But we couldn't, at a fundamental signaling layer, have the same access to the guts of the telephone network that carriers did.
And the internet was initially was kind of a mess. But let's face it, we have made some progress on that mess, especially over the last 15 years or so. Email spam used to be an endemic problem. I think we were nearing an inflection point with emails similar to the one were with on the telephone network today where an email message is something you wouldn't want to open because it was so likely that it was spoofed and full of spam and ads for certain sorts of pills and things like that.
Importance of Analytics & Authentication
But analytics and authentication technologies largely have gotten that under control. Email is a much more useful medium, I'd say, today, than it was then. And this is because people have done a lot of thinking about how to apply cryptographic instruments and proofs of the origins of communications to things like email and the web.
And that's great, but we didn't really do those sorts of things for Voice over IP, at least not out of the bat. And when we interconnected the Voice over IP network with the telephone network-- and in full disclosure, I was one of the people who was kind of responsible for some of the earliest switches that did that-- this created a new situation. This created a situation where the kinds of spoofing that the Voice over IP protocols, since they borrowed so extensively from email.
There's the SIF protocol has a from header field which is pretty much just taken from header field. And like the email from header field, you can kind of populate it with whatever you want. When we interconnected that, the problem was that these gateways that translated Voice over IP signaling into telephone network signaling would kind of just trust what was in that from header field without really any assurance of how it was populated.
Potential Impact of STIR/SHAKEN
And the aggregate of this has been as these protocols have become increasingly intrinsic to how telephone calls are placed, it's enabled basically untraceable, abusive calls. And so yeah, that's on us. And we've got to have a plan. And I guess the good news is that we do have a plan.
And I guess that's the first thing I want to get across. And there's a lot of impacts that STIR/SHAKEN is going to have on the industry. But STIR/SHAKEN is your friend. All of the problems that Jonje was just alluding to about robocalls and about call fraud, especially based on spoofing, they are enabled by this gap in the standards.
And we have taken it upon ourselves to figure out ways to bring the same kind of cryptographic security that has made the web the premier place for tremendous percentage-- I wouldn't even speculate how much of commerce today. And by getting carriers to be able to sign calls with those kinds of cryptographic instruments. And we have a number of protocols that support this.
I'm not going to go too deep into the details of those today. But like I said, you can feel free to reach out if you want more information. These will permit the carriers that originate calls to sign these calls, to attach a cryptographic body to them. And for the eventual recipients of these calls, which may be carriers-- might even in the long-term be our smartphones or end devices themselves to be able to see that security association and having an assurance-- yes-- the person who placed this call has the right to place calls from that number.
And the way we've done this is we've taken this technology, X.509, which is what is used for web certificates-- the thing that gives you your lockbox when you connect to Amazon. And we've extended those certificates to be able to talk about telephone network identifiers. In particular, telephone numbers and also kind of network specific identifiers like these operating company numbers or ONCs, which are kind of the way carriers identify themselves in this environment.
And this is a big lift. This is something that we don't implement new features like this in the telephone network super-often these days. The telephone network is kind of a legacy network in many respects. So this has required a coordination of a number of bodies, including the Internet Engineering Task Force, which is the body that defines the email, the web, SIP, things like that, as well as the ATIS/SIP Fourm IP NNI Task Force, which is focused on the carrier network-to-network interface. That's what the NNI in that means.
So this is the body that defines how when a Comcast, say, is going to share Voice over IP calls with T-Mobile, what are the operational practices and so on around all that? And this is required for cooperation with regulators, with a variety of industry, bodies, and groups. And this has led us along the timeline you see here from developing threat models.
We've been developing additional protocols, but also building out test beds and making sure that carriers have a way to make sure they're going to interoperate when this goes out. Like I said, this is not necessarily a small lift for them. And fortunately, we've made tremendous progress on this since we kicked off this effort some years ago now. And we've now got to a point, as Jonje was suggesting, where we see words like STIR and SHAKEN and like bills in Congress and things like that, which I mean, designing things like this is pretty much as good as it gets.
How STIR Works
So this is a picture that shows a little bit about how STIR works. It looks a little busy. And it's in part because it shows a lot of those yellow end points around the edges. But the key idea here is that requests come in from a variety of sources. These could be enterprises. These could be ordinary black phones, whatever, to these authentication services which are intermediaries in the originating carrier network.
And it's their job to sign them with credentials. They get those credentials from some kind of a logical authority. And this is a very high-level map. And we'll show a bit about what this looks like actually for carriers minute.
The basic idea is that those intermediaries sign these requests if they come through. They look at them, and they say, oh, this is the telephone number that is being asserted to this call. Is, in fact, this end point the right endpoint to be sending calls for that telephone number? Great. And I'm going to attach this cryptographic signature that says that, I-- maybe it's Verizon, for example-- I, Verizon, assert that this person can use this number.
That then travels through various networks until it reaches the terminating side where there exists a verification service. And the verification Service also has relationship to the logical authority to the certificate authority that issues these credentials. And it can use that cryptography it learns from the logical authority to validate-- yes-- this really did come from Verizon. Verizon really did vouch for this. Fantastic. Pass this along to the end consumer.
And then there are a variety of analytics and so on that may fire off associated with these things at many phases of the architecture here. But as a high level, this is the part that STIR covers, just the signing and the verification of these requests based on these certificates. And this has been implemented in the SHAKEN universe. And SHAKEN is the name that ATIS and the SIP Forum have applied to their profile of STIR that is specific to the North American carrier environment.
In other words, this is a, first of all, governance model that determines who will get certificates, who is eligible to receive certificates. It also includes a number of extensions to STIR that add additional data that ends up getting signed in that cryptographic blob the gets carried along with the call. That it's just helpful for trace back for forensics and also for giving a sense of how strongly the signing carrier feels their assurance is that originating telephone number.
The SHAKEN Model
And so in the SHAKEN model, you see here a pair of service providers who are interconnected. There is again, an authentication service. And it goes through various transits in the middle, gets to the terminating side. And that terminating side relies on analytics and so on. Before it passes along to the end consumer device, some kind of a display element or at least guidance, it'll be used for display online saying, hey, here's what you can render to the end user that will help them decide whether or not they can pick up the phone. That's the basic idea here.
The one thing I'd add to that-- you see in the line of the bottom, it talks about this trust indication A. This is what I was speaking about a moment ago when I said, this level of assurance that the originating carrier has-- that they actually know who the consumer is. Now, this is something that's important for enterprises, in particular, for businesses that are looking at STIR/SHAKEN to understand.
There are three levels of attestation that are defined in SHAKEN. There's the first, is full attestation. And this is the kind of attestation that a carrier would give when they know that this is their customer. They know to whom that number was issued. And that this is kind of their gold seal of approval. If you see an A attestation, you should really be able to trust it.
Now, second, there's a B attestation. And this reflects a situation that may be familiar to some enterprises where what the carrier's done is instead of, oh, I have an individual business relationship with a consumer on the other side of this telephone number, instead this is where I gave a block to some entity, and they're allocating them. And I don't really have much insight into how they are doing it.
I know they're my numbers. Like, from a regulatory perspective, those telephone numbers belong to me as a carrier, but I'm not sure how my customer has chosen to sub allocate or whatever else this resource. So this is still pretty good assurance, but it's maybe not as good as the A assurance.
The C assurance is kind of the weakest assurance. This is something where, for example, if you received the call through an international gateway, and you still want to testify, yes, I was the transit carrier who got this. And I am correctly attesting what I have received from this gateway. But like, I don't really have much insight into how this call originated, or I don't have any specific relationship with the originating number.
Now, these three levels were defined by SHAKEN. And they're very important to understanding kind of what the original deployment framework for STIR/SHAKEN is going to look like. And because this is such a big lift, it's important you start simple. These levels, I think, reflect things that carriers are initially comfortable with.
They're kind of easy categories to sort calls into to try to just help take the first bite out of the problem here. Because this is effectively being mandated, and there's been quite a bit of work just to get operators to support it, vendors to support it, that's something that we've been heavily involved with our work with the people who are calling test bed and also with various pilot customers in this regard.
And when I say that it's a first step, it's important to understand this is not a silver bullet to solve the problems that Jonje outlined at the beginning of this webinar. Merely having the assurance that a call is not spoofed is tremendously valuable because a lot of these, especially fraudulent calls going on today are both spoofed and automatically generated. They are both robocalls and calls that are attesting an incorrect originating number.
When we start to lock that down, it becomes possible to A, make sure yes, we know this is really Apple calling us, for example and not someone who can just spoof one of Apple's store numbers. But moreover, it gives accountability for the calls that are assigned and the ability to hunt down and kind of forensically trace who those people are and hold them accountable, like at the FTC level, not just the FCC level.
Challenges of Tracking Call Origination
And so there is going to be a certain amount of analytics, a certain amount of additional processing that is performed, especially on the terminating side on these calls to kind of help get them into shape. So it's not intended to be any single silver bullet around this. But by all of these kinds of solutions that are based, for example, on analytics, if the people who are placing these robocalls can change their number every time they place a call, analytics solutions that are based on the frequency with which an originating number made a bad call have a limited value. And so this really is a key enabler I'd say for those future steps that we're going to take.
It's also the case-- and we're getting into more kind of limitations of the technology here. This zip and Voice over IP is not the whole world. And it's be great if there was universal IP, end-to end connectivity for telephone calls everywhere. As Jonje pointed out, this is-- sorry, I'm going to record here.
As Jonje pointed out, these-- I'm sorry, I completely lost my train of thought. Where are we? We're on-- more to life than SIP-- yes. So, you will-- I'm sorry. I completely lost it.
So Jon, I think we were talking just about how SIP can apply. But really there's a world of phone calls that don't have this. And the ability to supply STIR/SHAKEN may not work. And I guess where you were going was how else are we addressing that particular segment of phone calls?
Yeah, sorry-- jeez that was-- not wondering if there's another call to come in. And probably a robocall, too.
[LAUGHS]
Yeah, I mean, the fact remains not every call out here today goes end-to-end SIP. And so we need a solution that's going to work for calls that still transit some part of the traditional PSTN. And a lot of robocalls today actually start in the IP world, start with someone who is using a Voice over IP client to spoof a telephone number, go through one of these gateways, but are actually going to terminate on the PSTN.
And so we're looking at ways to make this technology applicable to those kinds of cases. And we have worked towards something called the out of band solutions or out of band that is especially designed for a lot of these either business to consumer cases. Or in some cases, even the consumer to business cases where a strong security assurance can be established by virtue of the fact that the endpoints individually can connect up to the internet.
And even if the entire call path between those endpoints is not fully IP enabled, you can still kind of bootstrap off the fact that you have those separate IP connections to be able to get a strong security assurance. And we see a lot of transitional deployment interest in getting to that-- getting to that space.
Enterprise Call Scenarios
And the enterprise case presents a lot of interesting features you don't see for consumer calling. This example scenario that we show here-- and I don't know how many enterprises people on this call today have a similar kind of deployment environment-- you may get multiple carriers who are providing outbound telephone service for you. It could be two. It could be three or four, even.
And if you get your numbers from only one of them, there are a set of, I guess, limitations in the way that initially STIR/SHAKEN is understood where you-- if you expect kind of every carrier to be signing for their own numbers, what happens if you want to send calls for one carrier's numbers out through a different carrier just based on like at least cost routing algorithm or something like that, for example?
And this scenario has motivated a lot of thinking in the industry. And there are a variety of things that kind of go along with this as well, including what Jonje alluded to earlier, the legitimate spoofing cases that-- cases where you actually do want to be able to impersonate a number because you should be able to. You have a call agent that wants to be able to send their calls kind of from a number that is not a number that belongs to the carrier that they're sending their calls out through.
Any scenario like this requires some additional technology. And this is an example of an area where we're continuing to do work in the standards today to make sure that you always get the highest levels of attestation. And this, I guess, is the key for enterprises to understand as we go into this-- that if you have a pretty simple arrangement with a carrier, where a carrier manages your numbers for you, you really can send your calls out through one carrier, it's very likely that you'll be able to get the A attestation, kind of the gold stamp that we are all seeking from calls in the STIR/SHAKEN world.
But then there are a bunch of these discontingent factors that could potentially lead to you getting a score less than that. And given, again, the possibility of call blocking and things like that, we want to try to find ways obviously to make sure that enterprises do not become second class citizens, I guess, in this STIR world. Now, I want to emphasize again, STIR/SHAKEN is your friend. STIR/SHAKEN is helping. STIR/SHAKEN is going to get you to a better place in terms of consumers picking up calls and everything like that and prevention of fraud and so on.
Carriers and Enterprise Callers
But to get there, we're going to have to figure out ways to work with the carriers to make sure that enterprises end up getting this very high level of assurance. And this has been a real focus of ours lately is because SHAKEN is kind of carrier centric, which is based on the assumption that carriers are really going to do the work. They're going to be the people are going to do the signing.
We're looking at features. And there are a couple of technical approaches to this that are being explored in the industry today to get delegation into STIR/SHAKEN, to get ways that enterprises who want to, could get credentials they could use to sign their own calls, which would make a lot of those sorts of use cases like we were showing earlier where you got your least-cost routing across multiple outbound carriers, make those much, much simpler to solve for.
And going along with that, there are a variety of features like rich call display, branded call display that will let enterprises show additional data beyond just-- yes, this number has not been spoofed that are being built into STIR/SHAKEN to improve the customer experience. They understand better who it is that they're contacting. These are all things that we're doing to try to make sure that enterprises have an optimal environment to get their calls delivered one STIR/SHAKEN gets rolled out.
And I guess I will leave you-- the goal here is to get telephone numbers to be an identity platform for the 21st century, not for the 20th century. If you'd asked me 20 years ago if I thought that telephone numbers would still exist now as we're getting into 2020, I would have said, of course not.
The email style identifiers, which are becoming common in here that are obviously going to replace them. And it is really thanks to these smartphones that it becomes so tightly coupled to our digital identity, which is kind of accidentally happened now telephone numbers that we have ended up in this situation where it's important that we bring telephone numbers into the proper context in the security solution that we bring to personal communications today.
Have Companies Started Adopting STIR/SHAKEN?
And so this brings us to our next poll. So given all this, we were curious to understand where people are who are listening to in terms of their plans for getting involved in call authentication, figuring out even what the direction should be, given all these things going on in the mystery. Where are we? What do you still need to understand? And so we've got some options here. I don't know how long you want to spend for this.
Let's give it five seconds and go, Jon.
Five seconds and go? OK. And to go, I just move to the next-- I just move the next slide to go?
Just click Next-- yes.
OK, we're doing it. So you better get your vote in. Here we go OK. So I'm not surprised that the number for complete is pretty low because it would be hard to be complete at this point this technology that's still evolving. And even the carriers, many of them are not yet complete on this yet.
And yeah, I mean, I think the numbers for in progress or planning are pretty good. Combined, that makes up around 50% of the people listening here, which, I guess, is unsurprising, given what this is about. I see a good 30%, though, still haven't started. And 10% don't have a plan for this at all. I guess I message is it's worth planning for. This is going to be a big deal.
If you're someone who makes calls, this is going to matter to you, as this continues to roll out in these very, very kind of aggressive regulatory environment around it. Jonje, MB? Anything more on this?
Well, I'm looking at the in progress. And I actually find that really encouraging. I think with just the newness of how call authentication STIR/SHAKEN is from an enterprise perspective, remember, today, our audience is predominantly businesses and enterprise. That's a really good sign.
Yeah. MB?
Yeah, I agree. I was surprised it was that high. So people are paying attention, which is great.
Fantastic. Well with that, I think I will turn this over to MB.
Enterprise Call Solutions
Great. Thanks Jon, and good afternoon, everyone. My name again is Marybeth Degeorgis. I'm on the product team here at Neustar. And I'm going to talk a little bit about some of the commercial solutions we have out to assist our enterprise clients in navigating this new world.
So it's not just about robocalling and blocked calls, right? But what we're trying to do when we've been working on this for a few years, of course, as Jon was the co-author of the standards, is to restore trust in phone calls, overall. We understand we want to protect consumers from fraudulent activity and robocalls. But at the same time, there are a lot of enterprises out there that we need to take into account and assist them also in improving their customer engagements. So everybody wins.
So over the past few years, we've really been very busy in this area. And we have introduced multiple solutions-- actually more than are on the slide. But these are really pertinent to businesses who are in the-- heavily into the voice calling space. And the first solution we have is caller name optimization. And this actually allows you to manage your own brand data and ensure you are known across the telecom ecosystem as who you are, who the call originator is, and what their intent is in the call.
And I'll talk about each of these in detail on the next few slides. The next solution is certified callers. So exactly what Jon's been explaining. This is the ability to digitally sign your outbound calls. And of course, although this was originally a carrier solution, we're now moving on extending this to enterprises. And I'll talk a little bit about how we can do that as well.
Caller Name Optimization
And then finally, branded calling, which is the ability to convey more content and context about who's calling. And we'll talk about this as well. So first, caller name optimization. So this solution is available to businesses today. And it actually allows them to come in to the caller identity database.
Just as background, Neustar does run the largest caller identity database here in the United States. We act as a hub to all of the carriers, including the mobile network operators, the cable companies, and the analytics providers. So we're uniquely positioned to get this data distributed to the ecosystem. This allows enterprises to come in.
And rather than have to deal with their carrier or multiple carriers, they just manage the data themselves. They update the name that they want the consumers to see. And as they do that, that data is then distributed from our hub position to have to the ecosystem, out to the carriers, and the network mobile analytics providers. So that they understand that this is not a robocall but a legitimate call originator.
In addition to that, it allows our businesses, who might have inbound numbers only, to market them as such. We call that Do Not Originate in the telecom world. But basically what would happen is it would-- it's a step toward preventing spoofers from taking that number over.
If you, mark an inbound-only telephone number as do not originate, what will happen is when-- if the spoofer takes that number over, the carrier will either block it because it's marked as DNO. Or what the consumer will see is that it's a fraudulent call. So it's a layer of protection as we roll STIR/SHAKEN standards out.
In addition, there's ongoing monitoring and alerting. So sometimes, you may have your telephone number clean and registered across the ecosystem. But there could be something that happens to that particular number that changes the pattern or the behavior. And so we monitor these numbers, ongoing.
And we let our businesses know-- our business customers know if there's some nefarious activity or something odd that's happening with that telephone number. It may have been taken over by a spoofer. Or potentially, the business has changed their patterns and just not alerted the ecosystem. So there's that in place as well.
And then finally, there's an optional feature where you can protect your brand's name. And what that means is that if anyone else comes into this industry database to try to provision a name that is similar to yours, or that-- think Apple-- APPL3-- anything like that, we would set an alert and prevent that from happening. So that's the caller name optimization service. And that's available today and being fairly widely adopted with some success.
Certified Caller
And now, there's a second level, which is certified caller. Now, certified caller here at Neustar, we have the three distinct implementations of this solution. The first is you can envision an enterprise that is just very large. They have a significant telephone infrastructure. So they act very much like a carrier. And there are, of course, many enterprises out there like that.
And so there is the there's the thought that they would actually implement a solution that's very similar to the STIR/SHAKEN solution that carriers use right into their own telecom network infrastructure. So that is the first implementation. Second, there's the carrier network integration. And so this is actually a carrier solution. And Neustar, as the author and standard bearer of STIR/SHAKEN, was chosen by the industry to host the Telecom Interoperability Test Bed.
We do that in the Neustar Trust Lab. And so all the interoperability of these new standards amongst the carriers is being done at Neustar. And as a result, a lot of the carriers are just adopting the Neustar solution. So it has some success there.
And then finally, what is new and in pilot is what Jon just mentioned, which is certificate delegation. And this is the implementation for enterprises that may want to host it, or a cloud service that don't have the telecom infrastructure to support a full-blown STIR/SHAKEN solution, but still want the ability to sign their own calls, particularly, for carriers, as Jon mentioned, who might use multiple-- I mean, for enterprises, I'm sorry-- as Jon mentioned, who might use multiple carriers for purposes of least-cost routing or redundancy or regionally, et cetera.
And so we have this in pilot today. And a little bit more about this. As Jon mentioned, there are standards proposed for delegation at the IETF, which is where STIR/SHAKEN began. And it's also being socialized at ATIS, which to the Alliance for Telecom Industry Solutions here in the US. So there's multiple implementations being discussed. And we're staying on top of that and building those solutions out for testing in our lab.
What this does, again, is it hides the STIR/SHAKEN complexity for enterprises. It allows them to sign their own calls, about the service of the cloud service. And it's just layers upon the identity solutions that Neustar already has.
So you're now managing your calls through caller name optimization, or you're managing your brand through caller name optimization. You're registering it through the ecosystem. And now you can sign your calls as well. So it's just the next logical step toward a trusted brand calling experience.
Finally, we did talk about the test bed where all the interoperability testing is being done. And we're extending that test bed now to include these delegation implementations. We're hoping to-- as we had carriers coming in and doing their interoperability testing-- we now want our enterprise customers to be able to come in and test as well with the carriers on signing their own calls. And so we're hoping to extend that lab capability through this next quarter and it started inviting some of our clients in to do that testing.
Branded Call Display
And then finally, as Jon kind of hinted toward, we also has a solution called branded call display. And this is really all about enhancing the mobile call experience. So there's a lot of real estate on the mobile device that's not being used.
If you just see an 800 telephone number or a name, you can also add additional content and context with logos and call intents, and visuals of why this call is being made? Who it's being made by? And then of course, with a STIR/SHAKEN-authenticate signature there, more likely that the call is going to be picked up.
We have this service in pilot as well. We used the last quarter or to really shake out functionality. And now, we're testing this at across about 12 million devices now at a single carrier. We plan in the fourth quarter to extend to additional carriers an additional device types.
So this is a really interesting one because the impacts to the calling answer rate are significant in a positive direction, of course. And the other interesting thing about branded call display is there's more you can do with the post-call interaction. So if you don't reach the consumer you're trying to reach, if they are busy, or they haven't picked up the call, they'll see that missed call. And when they click on that, it can actually bring them to some call to action.
For example, it can bring them to a promise to pay link or visit a website link or confirm your appointment link. And so in our pilots, we're finding a lot of success. But even if the initial call is missed, the interaction with the post-call has been very successful. So we're pretty excited about this.
And then, just lastly and briefly, we do have this capability in a mobile app SDK. And so if there are large enterprises out there that may have a mobile app-- think of the banking world or the Amazons of the world-- they can actually embed this software into their app that's already existing. And we have multiple integration options for that as well.
And we're running on-- I know we're running a little over, so I want to quickly just talk about why Neustar is uniquely positioned to roll solutions in this space. And that is first of all, we have a full suite of trusted call solutions. We've been working on that for multiple years now-- caller name optimization, as I discussed, certified call, or branded call display, but others as well.
And we're uniquely positioned because we are the hub to the industry today for all caller identity services. We actually cover about 90% of the market. So 90% of the interactions for caller identity, the telephone number to name association, do come through the Neustar database. We have about 850 carriers, I think, now that we service through that and also support identity services for 7,0000 of the world's largest brands.
So we're a pretty big hub for that service and reach most of the industry from a central, basically neutral location. We also, as I mentioned, have the trust lab where all the carriers are doing the interoperability testing. We're really excited to be extending that out to the enterprise world.
We have future proof call authentication solutions. So we just we're evolving with the industry. As Jon said, as the standards evolve, we evolve our solutions. And that's where the testing is being done. And we have flexible interfaces. So multiple ways to roll out STIR/SHAKEN and some of these other services to vendors, to carriers, and to enterprises because of that central position that we enjoy.
What's the Top Driver for Call Authentication?
That's just really briefly what we have going on here at Neustar. I think we have one little final polling question. And that is, what is the most important driver to your organization for implementing call authentication? We'd be curious to know, is it regulatory compliance?
Is risk and security your primary focus? Is it customer care and retention? Or finally, customer growth and experience? And I'll give you about five or 10 seconds here to answer. OK, let's see where we are. Wow!
It's pretty even right there.
It really sure is. Well, we thank you for that. That's great information, good for us to know. And looks like it's just across the board pretty even. Thanks for your attention. And with that, I'll pass it back, I think, to Phil.
Oh, thank you. And ladies and gentlemen, we will be moving on here to our question and answer session. And while we answer some of those questions, we would like to get a little bit of feedback from you. And if you wouldn't mind going to the survey that is posted on your slide area at this time. And I'll turn the floor over to Jonje to moderate some of the questions that have come in.
Perfect. Thank you, Phil. Really, as we go, unfortunately, I don't think we'll be able to address all of the questions that we have. We'll hit the first couple. But even as you enter, what we're going to do is we're going to collate a lot of the questions and post webinar. We'll provide an update to the attendees in a summary of a lot of the questions that we see.
Q&A
We do have a nice set of questions here. I'm just going to pick a couple here and just throw them out, just open it out to you both, MB and Jon. One question here says, my company makes millions of robocalls a year, but really through third party vendors. How do we prepare a plan for this new methodology, I assume, talking about STIR/SHAKEN in an outsourced contact center environment? MB? Something you can address?
How do legitimate robocall users prepare?
Well, I think we also have vendors-- call center operator vendors testing in our Trust Lab the STIR/SHAKEN capability, a couple of them. And we're talking to a few of them as well. But if you have a vendor who may not be prepared or has started, certainly Neustar has solutions for those vendors as well.
Jon, any broad thoughts from a call center perspective when you have multiple people using multiple call centers?
Yeah, I mean, obviously, it is an important use case for STIR/SHAKEN to make sure that legitimate calls that are robocalls that are legal get placed. And this is really where you see that divide between the call authentication technology and then the analytics technology. And legitimate calls, we need to have a process in a way to make sure that those along typical TCPA compliance lines are still honored in this environment.
And that's been a focus of the standard from the start. And yes, I'm sure that as this evolves, there is going to be a lot of questions about the right way to do that and kind of what paths to remediation are, and so forth? And that is going to be part of what shakes out as we start to see this become real in the next couple of years.
Is there reputation center for phone numbers?
Perfect. Again, other questions. It says, what about the phone equivalent of center reputation? We have numbers in inventory, which have a bad reputation as a result of external spoofing. Will the customer facing indicators no longer flag us as spam based on that reputation? MB? This sounds very familiar to your area.
Yeah, it sure does. So we have so many of our clients who were being erroneously tagged or labeled as a robocaller or a debt collector or whatever, other derogatory label was put on. And so what happens through the caller name optimization services, even if it was a number that had been spoofed before, we were able to update those numbers, distribute those to the ecosystems so that they can be reconsidered in the analytics models and improve that reputation.
So we've had a lot of success there. It's actually probably more detrimental to kind of run through numbers, change them out because the new numbers are unknown. It's better to use the number blocks that you have and just ensure that the reputation is known amongst the carrier ecosystem.
Thank you, MB.
Can enterprises have their own credentials?
Jon, this looks like for you. It says, could enterprises with more than one SIP outbound service have their own credentials?
So yeah, that is definitely part of the plan. And again, everything that we've discussed about approaches to delegation, as we call it, is about figuring out ways for enterprises to look like first-class citizens, to have credentials that will be honored and will not be kind of treated differently than the credentials of carriers in this environment. So that's a major goal of our ongoing work on this today. And as MB be alluded to, this is something we've already built out. And that we have some work in our labs towards getting that underway already.
And unfortunately, we're hitting the top of the hour. We want to respect everybody's time. We have a wealth of questions unfortunately we weren't able to get to. As mentioned, we're going to summarize a lot of these-- some of them are around specific industries.
I've seen questions from people in the health care and the finance and the type of environment. We will send this all out as a follow up. You'll get it via email. And we'll also be downloads to the questions that are just from the rich set of questions we've got today. That will also be followed with copies of the slides.
Now again, if you look there you also have contact information. If we didn't get to address your question, and it's not in the summary we send, give us about a week or so. But feel free to send additional questions, both technical product or sort of just high-level questions to the emails that you see here, and we're happy to respond individually as well. And with that, I think we're done. Pass it on to Phil to close it out.
All right, thank you, Jonje. And thank you to Jon Peterson and also MaryBeth Degeorgis for their presentation and information. And thank you to the audience.
Thank you for your time and your questions. This does conclude today's presentation. Again, please do visit the survey to provide any feedback for future sessions such as these.