Skip to main content

From the Trenches: A STIR/SHAKEN Update at Year Three

spam blog header

An Interview with Jon Peterson, Fellow and Vice President of Research and Consulting, TransUnion

Q: Jon, now that the STIR/SHAKEN mandate has been implemented in the US, what effect is it having?

In the nearly three years since the STIR/SHAKEN mandate has gone into effect in the United States, we've seen a tremendous upswing in the signing of calls, which is phenomenal because what this creates is a non-refutable token we can use to determine who lets traffic onto the PSTN in the first place. But that isn't the last step in getting this to work.

STIR/SHAKEN has always been a foundational technology; something that enables us to build services on top of it. And it's crucial we do more verification and analysis of STIR/SHAKEN workings than what was possible in the early, incremental steps toward implementation.

That said, even what we've done so far has clearly shown it’s helping. For one, it’s promoting enforcement actions because when you can tell who’s introducing nuisance, abusive, fraudulent traffic onto the PSTN, you can address it.

Watch the full video series of Jon Peterson's interview here.

Q. While there are many types of robocalls, some of the biggest phone scams start with call spoofing — when a fraudster falsifies the caller ID to make it look like they’re calling from a trusted bank or other brand. How can operators spot and stop spoofed calls?

If you're a terminating service provider (TSP) whose job is to defend your consumers from nuisance calls, you have tools in your toolbox — and STIR/SHAKEN is obviously one. You can look at an incoming call, assess its level of attestation, and ascertain, for example, this is a C attestation call and maybe I shouldn’t trust it like I would an incoming A attestation call.

But that STIR/SHAKEN layer of information ultimately gets upleveled into application layer decisions made by analytics and machine learning software that enables terminating service providers to decide — though it’s not always clear cut. And sometimes, a ‘probabilistic guess’ about whether a call is good or not is required while it's actually quite obvious. There are lots of deterministic analytics at play; for example, a call may be on our ‘do not originate’ (DNO) list, or we know it's invalid or unallocated, or analytics has shown this caller hasn’t placed a telephone call in the last 18 months. All these things factor into call validation and the treatment decision being made on the terminating side.

Q. Some of the biggest call scams are originating outside of the US. What’s being done about stopping offshore robocallers?

Getting various gateways and other intermediate service providers to implement STIR/SHAKEN will require bolstering current traceback capabilities to ascertain how bad traffic is entering the PSTN and getting through to and annoying consumers. Gateways obviously are a crucial component of this because so much traffic unfortunately doesn't originate in the closed community of carriers here in the US. Much of it comes in internationally, with some coming through gateway providers taking calls from the open internet that could originate from pretty much anywhere.

It's crucial people participating in the STIR ecosystem have the same accountability carriers have today. We've reached a step now in STIR/SHAKEN’s implementation and deployment where there's a lot of call signing going on — and that's great.

Certainly, one of the things we need most is for more terminating carriers to take the information they get from signed calls, run it through their own internal call validation and treatment services, and make decisions that will ultimately protect consumers from nuisance traffic.

We build services on top — traceback being one of those services. But even just looking at how your international gateways operate and what traffic you accept would be a good example. Some jurisdictions want to forbid calls coming in internationally that have a calling number from their numbering plan. So, in other words, if someone's calling into North America from an international gateway, say from Europe or Asia, but it has a plus one (+1) number in the calling number field indicating it’s coming from the US, perhaps we should block those — unless we have good cause to think they’re authentic.

But there are other dimensions of this as well that are very significant. Not all calls today, to my eternal chagrin as one of the people who worked on developing the Session Initiation Protocol (SIP), go over a SIP-based network. So we need a way to close that gap.

Q. If legacy networks are a hurdle for STIR/SHAKEN, what’s the industry timeline for transitioning to all IP-based networks? 

For years, we've been attempting to get all traffic to be IP in the PSTN in the US. This is obviously a big, big project,

There are thousands of carriers and tons of legacy equipment. It's very difficult to realize something at that scale, even across a decades-long timeframe. So we believe it's very important we have alternative ways to make sure we can still get strong authentication for voice traffic — even when that traffic doesn't go end to end over IP in the PSTN. And that's why we work on solutions like TruContactTM Spoofed Call Protection and other related out-of-band technologies to make sure STIR/SHAKEN authentication is available, even in legacy contexts.

Learn more about TruContact Spoofed Call Protection and TruContact Robocall Mitigation Solutions, Powered by Neustar®.

Do you have questions? Our team is ready to help.