How will STIR/SHAKEN stop illegal robocalls?
Digital Secure Telephone Identity (STI) Certificates are used to authenticate phone calls, similar to the way web transactions are validated. With STIR/SHAKEN in place, spoofed calls can be detected and stopped before they reach consumers, or a warning can be displayed on caller ID.
Is there a difference between robocalls and spoofed calls?
Robocalls are calls originated programmatically, usually in high volume, which can deliver either a recorded message or a live person on the line. Legal robocalls are used to get important messages out quickly, such as school closures or weather alerts. Call spoofing is when a call originator changes the calling number in order to hide or control which calling number is shown on the call display.
How did call spoofing get to be such a big problem?
Initially the telephone network was a closed network for internationally licensed carriers, who had authorized access to the underlying signaling network using the SS7 protocols. The Session Initiation Protocol (SIP) was designed to place Voice over IP (VoIP) telephone calls over the Internet, and it enabled a feature similar to email in which a ‘From’ header field could be set by the call originator. When the SS7 network and the Internet were connected by gateways, there were unanticipated consequences that ultimately compromised security: there was no mechanism to verify the originating telephone number at a gateway. Gateways generally accepted the calling number provided on the Internet side and propagated it into the public switched telephone network (PSTN) and thus the caller ID ecosystem. With so many VoIP networks today interconnected with the PSTN, it is now cheap and easy to spoof caller ID and deliver virtually untraceable phone calls.
Why is STIR/SHAKEN the best way to address caller ID spoofing?
STIR/SHAKEN brings together the security that keeps e-commerce safe on the Internet with telephone security that provides a way of knowing whether a caller has the right to use a given telephone number. The most proven way to attest to an identity on the Internet is with a digital certificate. In the STIR/SHAKEN framework, digital STI Certificates are first issued to carriers, or others who own or are assigned dedicated telephone numbers. The private key associated with an issued digital STI Certificate is then used to sign a VoIP call, thereby indicating that the calling party number has been properly attested. Calling numbers that cannot be verified by terminating carriers are ones that may have been spoofed.
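The signing and verification steps described above, as an added Node.js example that is not part of the original page or of any carrier's implementation. It builds the signed token that SHAKEN carries with the call (a PASSporT, RFC 8225, signed with ES256) and shows the checks a terminating carrier applies. Assumptions: the function names, the fictional phone numbers, the placeholder certificate URL, the 60-second freshness window, and that the public key has already been taken from a certificate validated against a trusted STI certification authority.

```javascript
const crypto = require("crypto");
const b64u = (v) => Buffer.from(v).toString("base64url");
const unb64 = (s) => JSON.parse(Buffer.from(s, "base64url").toString());

// Originating side: sign the calling/called numbers with the STI certificate's private key.
function signPassport(privateKey, { orig, dest, attest, iat, x5u }) {
  const header = { alg: "ES256", ppt: "shaken", typ: "passport", x5u };
  const claims = { attest, dest: { tn: [dest] }, iat, orig: { tn: orig }, origid: crypto.randomUUID() };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  // ES256 in JWS form: raw r||s (IEEE P1363), not the DER encoding.
  const sig = crypto.sign("sha256", Buffer.from(input), { key: privateKey, dsaEncoding: "ieee-p1363" });
  return `${input}.${b64u(sig)}`;
}

// Terminating side: check signature, freshness, and that the signed number is the one in SIP.
// Assumption: publicKey was already taken from a certificate that chains to a trusted STI CA.
function verifyCall(publicKey, token, sipCallingNumber, now, maxAgeSec = 60) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [h, p, s] = parts;
  let header, claims;
  try { header = unb64(h); claims = unb64(p); } catch { return { ok: false, reason: "malformed" }; }
  if (!header || header.alg !== "ES256" || header.ppt !== "shaken") return { ok: false, reason: "unsupported header" };
  const key = { key: publicKey, dsaEncoding: "ieee-p1363" };
  if (!crypto.verify("sha256", Buffer.from(`${h}.${p}`), key, Buffer.from(s, "base64url")))
    return { ok: false, reason: "bad signature" };
  if (!claims || typeof claims.iat !== "number" || Math.abs(now - claims.iat) > maxAgeSec) return { ok: false, reason: "stale" };
  if (!claims.orig || claims.orig.tn !== sipCallingNumber) return { ok: false, reason: "calling number mismatch" };
  return { ok: true, attest: claims.attest };
}

// Constructed sample data: throwaway key pair, fictional 555-01xx numbers, placeholder x5u URL.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const other = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" }).publicKey;
  const now = 1700000000;
  const token = signPassport(privateKey, { orig: "12025550100", dest: "12025550123", attest: "A", iat: now, x5u: "https://sti.example.invalid/cert.pem" });
  // A copy of the token whose signed number was altered after signing; it must not verify.
  const [h, p, s] = token.split(".");
  const altered = [h, b64u(JSON.stringify({ ...unb64(p), orig: { tn: "12025550199" } })), s].join(".");
  return {
    genuine: verifyCall(publicKey, token, "12025550100", now + 5),
    numberChanged: verifyCall(publicKey, token, "12025550199", now + 5),
    payloadRewritten: verifyCall(publicKey, altered, "12025550199", now + 5),
    wrongKey: verifyCall(other, token, "12025550100", now + 5),
    replayed: verifyCall(publicKey, token, "12025550100", now + 3600),
  };
}
console.log(demo());
```

Only the first case verifies; the other four are the conditions under which a terminating carrier cannot confirm the calling number.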