What is STIR/SHAKEN?

If the words STIR/SHAKEN make you think of James Bond, martinis and not much else, you’re not alone! But in today’s world, where robocalls are the norm and fraudulent calls cost the American public $29.8 billion in 2020 alone, STIR/SHAKEN might be the answer.

What exactly do STIR and SHAKEN mean?

STIR is an acronym for Secure Telephone Identity Revisited, while SHAKEN stands for Signature-based Handling of Asserted information using toKENs. (We agree, that one is more of a stretch!) Together, they are a set of technology protocols that authenticate caller ID, so that you and your customers know the real identity of whoever is at the other end of the line. When implemented, STIR/SHAKEN validates that the phone number shown on the caller ID is genuine, and cryptographically signs off on the legitimacy of the call.

Why do I need to know about STIR/SHAKEN?

For one thing, if you work in the States: compliance. The Federal Communications Commission (FCC) rules dictate that all voice service providers need to have implemented STIR/SHAKEN by June 2021, or be able to prove that they are taking action to protect customers against illegal robocalls. Not only that, but if providers are using legacy network technology that doesn’t run over IP networks, they need to be working towards onboarding a caller ID authentication solution that works for those networks, too. If you’re working with a VoIP provider, it’s important to ask them where they are on their STIR/SHAKEN roadmap.

What are the practical risks of ignoring STIR/SHAKEN?

Without a caller ID authentication solution, you can’t trust the name or number that displays when you get an incoming call. Hackers often spoof the calling number of outbound calls, either to numbers that are contextually meaningful to you, like a friend, family member or neighbor, or, more frighteningly still, to official names and numbers like the IRS, your bank or a legal firm. When these robocalls come through and warn you of a fake threat such as a compromised bank account or impending legal action, fear makes it very likely that you will “press one and enter your PIN”, for example. As it only takes one weak link to offer access to your whole network, you’re only as strong as your most vulnerable employee and their mobile phone or landline.

How does STIR/SHAKEN work?

Here’s where it gets a bit technical. The technology behind the STIR/SHAKEN protocols relies on digital certificates. Every telephone service provider has its own digital certificate, issued by a registered certificate authority. When the originating provider receives a SIP INVITE, it looks at where the call came from and at the calling number itself, and gives the call one of three attestation ratings:

1. Full attestation, or A: The calling party has been authenticated and is authorized to use the calling number.

2. Partial attestation, or B: The service provider knows where the call is coming from, but can’t verify that the caller is authorized to use the calling number.

3. Gateway attestation, or C: The point where the call entered the provider’s network can be authenticated, but not the source of the call itself (e.g. an international call arriving through a gateway).

This information is then put into a SIP Identity header, which includes the number, a timestamp, the attestation rating that was given and an origination identifier, all signed with the originating provider’s private key. The INVITE, carrying this header, is sent on to the terminating telephone service provider, which will accept or refuse the call and which hands the header to its verification service.

Now it’s the verification service’s time to shine. It fetches the originating provider’s digital certificate from the certificate repository and checks that the provider is legitimate, decodes the SIP Identity header and compares its contents with the SIP INVITE message, verifies the signature using the public key from that certificate, and then returns the result to the terminating service provider, which decides how to complete the call.
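To make the signing and verification steps above concrete, here is an added example in Go. It was written for this article and is not Atera’s code or any provider’s reference implementation. It models the originating provider signing a PASSporT (the token carried in the SIP Identity header, in the RFC 8225 / RFC 8588 SHAKEN form) with an ES256 key, and the terminating provider’s verification service checking it against the INVITE. The phone numbers, the origination identifier and the certificate URL are constructed values; the `lookup` function stands in for fetching the provider’s certificate from the repository; and the 60 second freshness window follows the RFC 8224 recommendation. A real verifier would also validate that certificate up the chain to the STI Policy Administrator’s trusted root, which this example skips.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

type Attestation string // the three ratings listed above: A full, B partial, C gateway
const AttestFull, AttestPartial, AttestGateway Attestation = "A", "B", "C"

// PASSporT header and claims (RFC 8225 / RFC 8588). Fields are declared in
// lexicographic order because PASSporT serializes them that way.
type passportHeader struct {
	Alg string `json:"alg"` // "ES256": ECDSA P-256 with SHA-256
	Ppt string `json:"ppt"` // "shaken"
	Typ string `json:"typ"` // "passport"
	X5u string `json:"x5u"` // URL of the originating provider's certificate
}
type origTN struct{ TN string `json:"tn"` }   // calling number
type destTN struct{ TN []string `json:"tn"` } // called number(s)
type Claims struct {
	Attest Attestation `json:"attest"`
	Dest   destTN      `json:"dest"`
	Iat    int64       `json:"iat"` // Unix seconds
	Orig   origTN      `json:"orig"`
	OrigID string      `json:"origid"` // origination identifier (a UUID in practice)
}

var b64 = base64.RawURLEncoding // JWS base64url without padding

// BuildIdentityHeader is the originating provider's authentication service: it signs
// the attestation with the provider's private key and wraps the PASSporT in a SIP
// Identity header (RFC 8224 form).
func BuildIdentityHeader(key *ecdsa.PrivateKey, certURL string, c Claims) (string, error) {
	hdr, _ := json.Marshal(passportHeader{Alg: "ES256", Ppt: "shaken", Typ: "passport", X5u: certURL})
	body, _ := json.Marshal(c) // plain strings and ints: Marshal cannot fail here
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS ES256: raw r||s
	return "Identity: " + input + "." + b64.EncodeToString(sig) + ";info=<" + certURL + ">;alg=ES256;ppt=shaken", nil
}

// VerifyIdentity is the terminating provider's verification service: fetch the signer's
// public key via lookup (the certificate repository), check the signature, then compare
// the signed claims with the INVITE's from/to numbers and with the clock.
func VerifyIdentity(header, from, to string, now time.Time, lookup func(string) (*ecdsa.PublicKey, error)) (*Claims, error) {
	parts := strings.Split(strings.TrimPrefix(header, "Identity: "), ";")
	params := map[string]string{}
	for _, p := range parts[1:] {
		kv := strings.SplitN(p, "=", 2)
		params[kv[0]] = kv[len(kv)-1]
	}
	segs := strings.Split(parts[0], ".")
	if params["alg"] != "ES256" || params["ppt"] != "shaken" || len(segs) != 3 {
		return nil, errors.New("malformed Identity header")
	}
	hdrJSON, e1 := b64.DecodeString(segs[0])
	bodyJSON, e2 := b64.DecodeString(segs[1])
	sig, e3 := b64.DecodeString(segs[2])
	hdr, c := passportHeader{}, Claims{}
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrJSON, &hdr) != nil || json.Unmarshal(bodyJSON, &c) != nil || hdr.X5u != strings.Trim(params["info"], "<>") {
		return nil, errors.New("malformed PASSporT or x5u/info mismatch")
	}
	pub, err := lookup(hdr.X5u)
	digest := sha256.Sum256([]byte(segs[0] + "." + segs[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature does not verify")
	}
	// A PASSporT that verifies is only good for the call it was signed for.
	if c.Orig.TN != from || len(c.Dest.TN) != 1 || c.Dest.TN[0] != to {
		return nil, errors.New("PASSporT numbers do not match the INVITE")
	}
	if d := now.Unix() - c.Iat; d > 60 || d < -60 { // RFC 8224 recommends a 60 s window
		return nil, errors.New("PASSporT is stale")
	}
	return &c, nil
}

// DemoCall signs a constructed call (made-up numbers, origid and certificate URL) and
// verifies it three ways: the matching call, the same header presented for a different
// called number, and a clock five minutes ahead.
func DemoCall() (valid *Claims, errs [3]error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the provider's certificate key
	lookup := func(string) (*ecdsa.PublicKey, error) { return &key.PublicKey, nil }
	c := Claims{Attest: AttestFull, Dest: destTN{TN: []string{"12125550199"}}, Iat: time.Now().Unix(), Orig: origTN{TN: "12015550123"}, OrigID: "constructed-origid-0001"}
	header, _ := BuildIdentityHeader(key, "https://certs.example.net/originating-provider.pem", c)
	valid, errs[0] = VerifyIdentity(header, "12015550123", "12125550199", time.Now(), lookup)
	_, errs[1] = VerifyIdentity(header, "12015550123", "12125550100", time.Now(), lookup)
	_, errs[2] = VerifyIdentity(header, "12015550123", "12125550199", time.Now().Add(5*time.Minute), lookup)
	return valid, errs
}

func main() { fmt.Println(DemoCall()) }
```

The first verification succeeds and returns the signed attestation (A). The second and third fail even though the signature is perfectly valid, because the numbers in the PASSporT no longer match the INVITE and because the timestamp is outside the freshness window. Those two checks are what stop a captured Identity header from simply being attached to a different call later, which is why a verifier must compare the decoded header with the INVITE rather than only checking the signature.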


What are the business benefits of STIR/SHAKEN?

Once you’ve got your head around the technical details, it’s important to be able to talk about the business benefits of using these protocols, which ultimately come down to keeping end users secure and adding a layer of confidence when you pick up the phone. Here are the main reasons why these protocols are important:

Reducing spam calls: Spam emails are bad enough, but at least they can be ignored most of the time, or filtered to end up in your junk mail. Spam calls are much harder to ignore, and can disrupt you during the working day, and even trick you into making poor decisions.

Limiting robocalls: Who doesn’t hate picking up the receiver and hearing that tell-tale pause before a robotic voice starts talking? Robocalls are annoying, whether they are offering a payout for that imaginary accident you had, or telling you to call back to claim your free vacation!

Protecting your network: Remember, not all fraudulent calls are obvious, and hackers are getting more sophisticated all the time. It only takes one employee on your network to fall for a scam before your whole business is at risk. If you’re an MSP, or managing client networks, this risk is even greater.

What about non-IP network calls?

STIR/SHAKEN can help with IP calls, but it’s not foolproof, and what about other forms of communication? Here are some best practices to give your clients, colleagues, and hey – to take for yourself!

1. Don’t answer calls from unknown numbers, and never return a phone call from an unknown number if you see that you’ve missed it. Connection fees alone could cost you dearly.

2. Use the FTC’s National “Do Not Call” Registry, or similar for your location. Although this can’t stop illegal calls, it will stop legitimate cold calling, which means that you’ll know that anything that comes through is definitely a scam.

3. Slow down! Ask telemarketers informed questions to make sure they are legit, hang up and call back on the number listed on the organization’s official website to check that a deal is real, and never act out of coercion or fear: just hang up if you think something isn’t right.

4. Watch what you say. Never hand out personal or financial data, even if the caller tells you they need to confirm it with you. Even if the caller ID shows that you’re speaking to a legitimate contact, be aware that caller ID is not foolproof and can be spoofed.

If you’re interested in how Atera protects your customer or corporate environments from other kinds of security threats – check out our integrations with top of the line security vendors from Bitdefender to Webroot.
