STIR/SHAKEN and the Robocall Plague

An Insight from Polina Hristova

Life is a sequence of glorious conquests and wise defeats, and these memorable events are connected through a chain of mildly infuriating moments whose resolution or fading sting provides that unique taste of victory, a flavour of utmost satisfaction to our accomplishments. While it could have been mildly infuriating to the 1920s dweller to endure long ads dissecting a favourite radio show, it is even more infuriating to the modern citizen, attuned to the immediacy of a rushed life, to be bombarded with robocalls when expecting a legitimate call.

Call spam flourished thanks to the rise of Voice over Internet Protocol (VoIP), which made it incredibly cheap to place international calls; with the software so easily accessible (Skype, Google Voice) and able to run on inexpensive computers, it is an affordable, albeit illegal, venture.

The ability to spoof the Caller ID has also greatly contributed to the rise of this telephone fraud, spoofing being the technique used to fake the caller’s number. You might find yourself tempted to answer calls from numbers similar to yours, but that is most likely the beginning of another scam: “neighbour spoofing” is a tactic that makes the caller seem local, and it has been effective in orchestrating social engineering attacks. Not only that, automated calls have increased drastically over the last few years, prompting a large volume of complaints.

YouMail, a spam call blocking service, has reported that there have been 5.2 billion robocalls targeting the US in January alone, making it a new domestic record. It is a lucrative scheme – last year scammers made an average of $430 per call.

Although these numbers represent the current situation in the US, it is a global epidemic.

“The problem is, the technology making these robocalls is cheap and easy to make, so it’s a low barrier to entry,” Susan Grant, the director of consumer protection and privacy at the Consumer Federation of America, told Moneyish. “They obviously work often enough that more scammers keep entering the market. And it’s hard for law enforcement to go after every single robocall, because there are so many of them.”

Cheap and easy to make, the robocalls multiply and spread like a cloud of locusts despite numerous efforts from federal regulators to obstruct the invasion. What the regulators failed to predict was the speed of technological progress, which is barely regulated and provides a rather creative outlet for scammers who pose as agents of the IRS or another authority and use threats to intimidate the victim.

IRS employees will not:

  • Call demanding an immediate payment. The IRS won’t call taxpayers if they owe taxes without first sending a bill in the mail.
  • Demand payment without allowing taxpayers to question or appeal the amount owed.
  • Demand that taxpayers pay their taxes in a specific way, such as with a prepaid debit card.
  • Ask for credit or debit card numbers over the phone.
  • Threaten to contact local police or similar agencies to arrest taxpayers for non-payment of taxes.
  • Threaten legal action, such as a lawsuit.

This advice should be taken and applied to other similar situations and tax authorities in every country, including for donations.

The percentage of spam phone calls has jumped from 3.7% of total calls in 2017 to 29.2% in 2018, according to First Orion, which predicts 44.6% by early 2019.

Thankfully, in November last year the Federal Communications Commission adopted new rules allowing mobile operators to proactively block illegal robocalls. Many operators have since developed their own applications (most of them free) to filter incoming call traffic. But Ajit Pai, the Chairman of the FCC, has demanded a more permanent solution: a set of standards.

THE SOLUTION

Robocallers have sailed through a stormless sea so far, but very soon they will be STIR-red and SHAKEN from their dark ships.

As the reader can probably tell, this choice of words was not accidental. STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENS) are the standards that will make it much harder for phone scammers to continue piggybacking on the telephone network.

How would they work? Very similarly to the SSL certificates used by websites, which you may also have seen as HTTPS in the address bar. Put simply: every outbound call would carry a certificate provided by a trusted third party, and the receiving carrier would verify it every time a call is made to ensure its validity. Makes sense, doesn’t it? Nothing like this exists in the telephone network today; it is completely open to fraudsters and illegal activity. Big telcos have their own certificates, but it is impossible to keep track of every call efficiently without the assistance of a specialised third party. If you’d like to see a more technical description of how STIR/SHAKEN would work, you can read all about it here.
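As an added illustration (not part of the original article and not any carrier's or vendor's code), a stripped-down version of that exchange in Go: the originating carrier signs the call's claims (attestation level, calling and called numbers, issue time) with its private key in the shape of a STIR PASSporT token, and the terminating carrier verifies the signature against the public key it trusts, so an unsigned call, a call signed with an untrusted key, or a stale replayed token all come back as "unverified" for the carrier's policy to act on. The three-part token layout and the field names follow the STIR/SHAKEN specifications, but the 60-second freshness window and the in-memory key pair are assumptions of this example; in practice the public key comes from a certificate the token points to, checked against the trusted authority.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
)

// Passport: the claims a SHAKEN token signs (attestation A/B/C, calling and called numbers, issue time).
type Passport struct {
	Attest string `json:"attest"`
	Orig   string `json:"orig"`
	Dest   string `json:"dest"`
	Iat    int64  `json:"iat"`
}

// NewCarrierKey stands in for the key pair that a carrier's certificate vouches for (assumed, in-memory).
func NewCarrierKey() *ecdsa.PrivateKey {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return key
}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// Sign is the originating carrier's side: header.payload signed with ES256, sent with the call in the SIP Identity header.
func Sign(p Passport, key *ecdsa.PrivateKey) (string, error) {
	hdr := b64([]byte(`{"alg":"ES256","typ":"passport","ppt":"shaken"}`))
	body, _ := json.Marshal(p) // strings and an int64 cannot fail to marshal
	input := hdr + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return input + "." + b64(sig), err
}
// Verify is the terminating carrier's side: the attestation level comes back only if the
// signature checks out under the trusted key and the token is fresh; otherwise "unverified".
func Verify(token string, pub *ecdsa.PublicKey, now int64) (string, Passport) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return "unverified", Passport{} } // no Identity header, or a malformed token
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	body, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	var p Passport // claims are parsed only after the signature has been checked
	if err != nil || err2 != nil || !ecdsa.VerifyASN1(pub, digest[:], sig) ||
		json.Unmarshal(body, &p) != nil || now-p.Iat > 60 { // 60 s freshness window is assumed
		return "unverified", Passport{}
	}
	return p.Attest, p
}
```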

It has still not been decided how the carriers will communicate with their subscribers: should they show a giant verification checkmark, or a message on the screen informing the receiving end that the call is authentic? Whatever it is, it has to be executed in a manner that could not easily be simulated by the scammers.

STIR/SHAKEN will only work in the US, though other countries will undoubtedly follow suit soon given the global prevalence of the problem. It does not mean that Americans would entirely cease to receive unwanted phone calls; as with e-mail spam filters, the goal is to filter the spam out so that it never reaches the main channel of communication.

Many questions remain unanswered: If the incoming call does not bear SHAKEN’s stamp of approval, should the carrier automatically block the number, offer blocking as an option to its customers, or just warn the receiving end? If 100,000 calls come through a single VoIP provider in one minute, all of them signed but with illegitimate numbers, should that carrier’s signing certificate be revoked? Who will be in charge of revoking that carrier’s certificate?

Obtaining the big operators’ support and co-operation is not really the hardest knot to untangle; how would STIR/SHAKEN appeal to the VoIP providers? Without an FCC directive explicitly demanding their assistance, these new measures might not even work, bringing forth another year of phones buzzing irately five times a day until we stop trusting voice calls completely.

See ROCCO’s recent report on Signalling Firewall Vendor Performance at ROCCO Research.