By the end of June all U.S. voice providers are required to implement STIR/SHAKEN technology, to fight against robocallers by authenticating caller ID to help ensure a phone number isn’t being spoofed.
And while scammers continue to evolve to more sophisticated methods, progress is being made.
T-Mobile on Thursday announced it is now the first in the wireless industry to implement the protocol with all major U.S. network providers. Collectively they represent around 98% of wireless customers in the U.S., according to T-Mobile.
That includes AT&T, Comcast, Spectrum Voice from Charter, UScellular, Verizon, as well as Altice USA, Bandwidth, Brightlink, Clear Rate, Google Fi, Inteliquent, Intrado, Magicjack, Peerless, and Twilio.
Verizon recently started exchanging STIR/SHAKEN-enabled calls with AT&T, T-Mobile, as well as Comcast.
The FCC mandate for STIR/SHAKEN, which stands for Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using toKENs (SHAKEN), applies beyond just Tier 1 carriers to mobile, residential, enterprise, and landlines.
STIR is the technical protocol and SHAKEN is the U.S.-Canada governance and management framework on top.
Iconectiv has the role of industry and policy administrator for SHAKEN. It essentially acts as the trust authority, to ensure that different parts of the STIR/SHAKEN authentication process are trustworthy themselves and not infiltrated, including carriers, companies providing signing certificates to carriers, and the certificate authorities.
“Those three things create this triangle of trust to ensure SHAKEN is not penetrated by fraudsters,” Chris Drake CTO of iconectiv told Fierce.
Iconectiv has processed well over 100 carriers to be enabled for SHAKEN certificates, according to Drake, with more than half a dozen certificate authorities approved to dole them out. There are between 50 and 100 carriers still in the queue.
“It’s quite vibrant and it’s only going to pick up,” Drake said, as the June deadline gets closer. And he wouldn’t be surprised if that ticked up to 400 or 500. “That’s not everybody, but that’s a huge chunk of the American calling ecosystem that should be ready to do SHAKEN by the end of June.”
A lot of testing has gone into the technical aspects of STIR/SHAKEN to make sure it's interoperable among carrier networks – where calls to and from a providers’ network can be verified on both ends and vice versa – and is pretty smooth at this point, he said.
T-Mobile and AT&T have been exchanging calls using STIR/SHAKEN since 2019. To date, T-Mobile says it’s protected over 80 million customers from more than 33 billion suspect calls. AT&T has blocked or labeled more than 16 billion robocalls since 2016. Verizon, meanwhile, said it’s prevented more than 10 billion unwanted calls to more than 75 million customers to date.
STIR/SHAKEN not a silver bullet
While verifying the authenticity of a phone number before it reaches consumers is an important tool against robocalls, Drake acknowledged it’s not the end-all-be-all to fix the problem.
Robocallers were still active in 2020 though new data from TNS found that number of unwanted calls was down 28% last year compared to 2019. Still, Americans still received 77 billion unwanted calls.
Similarly, in mid-2020 Verizon reported a 30% drop in unwanted calls over three months since the Covid-19 pandemic took hold in March. Robocallers, while changing tactics, appeared somewhat disrupted.
But that doesn’t mean gone. YouMail Robocall Index estimated 45.8 billion robocalls in the U.S. last year and 8.6 billion robocalls in the first two months of 2021.
The FCC continues to take action and Acting Chairwoman Jessica Rosenworcel this month kicked off an anti-robocall agenda (PDF) that includes the launch of a Robocall Response Team.
STIR/SHAKEN is very important in the robocall battle, with the FCC giving voice providers safe harbor from blocking calls if the signing protocol is implemented. But analytics also play a powerful role, according to Drake.
For example, analytics allow carriers to recognize that a number that’s calling, which may previously have had normal call pattern behavior, is suddenly doing something out of the ordinary (like placing more than 1 million calls within 30 minutes).
“There’s an anomalous action there that [carriers] could intercept without SHAKEN signing,” Drake said. “Analytics combined with SHAKEN in creative ways…compound the effectiveness” but SHAKEN all by itself can’t be the answer.
He attributed a massive reduction in robocalls in the last year in part to call signing as well as analytics catching sloppy or less sophisticated fraudsters.
“We can’t let our guard down though because the good fraudsters or the proficient ones are just going to continue to also find ways around the defenses we’re mounting now,” Drake said.
Next phase of SHAKEN
There are additional efforts in the works to give consumers more information and confidence in the calls they receive, beyond just knowing a phone number is authentic.
Drake said they’re in the middle of phase two of SHAKEN in the standards body, which is looking to introduce a way of conveying more details, such as the name of the caller and the reason for calling - for example, a delivery notice, an appointment reminder, or notification about payment due.
It even potentially includes logos if companies want a branded experience, although he noted that often brings a higher level of trust for consumers, meaning a higher level of certainty required by the provider.
“Whatever it might be you can indicate this on the phone, with the logo, and the name, not just a number,” he said.
These can details help consumers know who is calling, even if they don’t recognize the phone number.
“I think that’s quite powerful,” Drake said, noting many calls go unanswered because it’s almost always junk or malicious. “Once [consumers] can tell who it is and it’s authentic, and SHAKEN ensures it can’t be falsified, then people will start to answer the phones because they know when they’re getting the calls they want.”