Enhancing Call Authentication: Unraveling the Impact of STIR/SHAKEN

An Interview with Jon Peterson, Fellow and Vice President Research and Consulting at TransUnion

In an era marked by a relentless onslaught of robocalls, call spoofing and fraudulent activities, authenticating calls has emerged as a pressing need that has persisted for years. The repercussions of these practices extend beyond mere inconvenience as they steadily erode trust in the integrity of the phone channel for consumers and telecom operators alike. To combat these challenges, various solutions have been proposed and implemented, each striving to mitigate detrimental impacts on call recipients and service providers.

To gain deeper insights into this critical matter, Bart Pesavento, Senior Director, Product Marketing at TransUnion, recently had the privilege of sitting down with Jon Peterson, Fellow and Vice President Research and Consulting at TransUnion. With a wealth of knowledge on call authentication, Jon has been at the forefront of the industry — exploring how industry standards like STIR/SHAKEN are spearheading the battle against malicious call activities. Having already made strides within the US and Canada, STIR/SHAKEN is proving to be a formidable ally in tackling the root causes of call-related issues.

View a series of video interviews of Jon discussing call authentication.

Jon, it’s been over three years since the introduction of the STIR/SHAKEN call authentication. Is it working?

Since the STIR/SHAKEN mandate has gone into effect in the US, we've seen a tremendous upswing in the signing of calls, which is phenomenal because what this creates is a non-refutable token we can use to determine who let traffic onto the Public Switched Telephone Network (PSTN) in the first place. However, that isn't the last step in getting this to work. STIR/SHAKEN has always been a foundational technology that enables us to build services on top of it.

It's crucial we do more verification and analysis of what's going on with STIR/SHAKEN than was previously possible in these early steps we've taken toward fully implementing in the US. But even with what we've done so far, it's clearly helping. It's helping support regulator enforcement against introducing bad, abusive, fraudulent traffic into the PSTN, which benefits everyone in the chain.

In May 2023, the FCC mandated intermediate and gateway service providers implement STIR/SHAKEN. What do you think the impact will be?   

The incentive for getting gateway and other Intermediate Service Providers (ISPs) to implement STIR/SHAKEN will be to bolster the traceback capabilities we have today to better ascertain how bad traffic is entering the PSTN and then getting to consumers. Since gateway providers receive calls from providers outside the closed community of carriers in the US, including calls from the Internet which can be from just about anywhere in the world, they’re an important component. And it’s vital these providers participate in the STIR ecosystem and have the same accountability as other carriers.

Beyond STIR/SHAKEN, what else should be done in the US? 

For years, we've been attempting to get all traffic to be Internet Protocol (IP) in the PSTN in the US. However, it’s a big project and challenging to attain across the thousands of carriers and abundance of legacy equipment — even across a decades-long timeframe. With that, we need alternative ways to make sure we can still get strong authentication for traffic — even when that traffic doesn't go end to end over IP in the PSTN. This is why we work on enterprise certified caller solutions, our call session registry and related out-of-band technology to make sure STIR/SHAKEN is available — even in legacy contexts.

Is a green checkmark displayed on a device’s caller ID the universal sign a call has been authenticated, or are there other ways to indicate a call can be trusted? 

Whenever you’re looking at technology that’s being deployed incrementally, the question is how to handle situations when not everyone is using the technology. For instance, the use of green checkmarks during phone calls serves as an indication of trustworthiness, guiding users to identify reliable sources even if not everyone has adopted this technology. Hopefully soon, we'll get to a place where you won't get calls you shouldn't trust anymore. As TransUnion TruContact™ Branded Call Display, Powered by Neustar® and Rich Call Data (RCD) are more fully embraced, consumers will see additional indications of trust like a company logo. This will be vital to solving the problem of how businesses get consumers to pick up the phone again.

Do you believe there’s enough standardization in the industry in the US when it comes to how calls are labeled? 

Call labeling guidelines are currently under consideration. Due to the multitude of analytics providers and varied recommendations from experts advising carriers, defining criteria (such as scoring robocalls or setting thresholds for call treatment) remains uncertain. Establishing a consensus within the industry on these scoring metrics would be beneficial to prevent confusion among consumers.

Session initiation protocol (SIP), a signaling protocol that enables voice calls over the Internet, has not been universally deployed in the US, leaving a lot of legacy traffic and content out there. As a consequence, we either need a full IP transition that will get every carrier and gateway provider participating in the PSTN onto SIP or provisional technology like our out-of-band solutions that provide assurance calls can be protected, even if there's legacy content somewhere in the middle. This is why products like TruContact™ Caller ID Authentication, Powered by Neustar   provide such a strong vector for enterprises to assure consumers they're being called by the right entity for that calling number and logo, and we can convince them it’s ok to pick up the phone.

Do ‘know-your-customer’ systems do enough to stop fraudulent calls?

Know your customer (KYC) must mean something much more expansive than simply having a database that says, “These are some phone numbers associated with this particular enterprise, and we think they’re good numbers.” It must involve a deeper dive into the behaviors and calling patterns of enterprises to make the predictions we ultimately need to help consumers decide whether to pick up the phone.

Unfortunately, with how SHAKEN has been implemented thus far in the US, it's possible to give an A attestation to a call that shouldn’t have that designation. The interaction of that with KYC systems that are strongly decoupled from the call authentication phase raises the possibility we could worsen the problem. To make this better, we need to look at KYC as a more holistic set of behavioral analytics that are both deterministic and probabilistic, involving many different factors we know about enterprises and the relationships with consumers.