Scam calls suck. In 2019 alone, 26 billion illegal robocalls and scam calls eroded subscriber’s faith in telephone service worldwide, an increase of 18 per cent year over year. In many cases, vampiric scammers hunted people’s wallets. Between January and October 2019, they stole $24 million from Canadians.
Fraud and anti-spam laws set harsh punishments for criminals, but they can only be enforced after the damage has been done. Netting the perps is even harder. Therefore, these calls must be stopped before they reach the receiver.
Amid the swelling volume of spam calls, the world raced to find a defence. In Canada and the United States, STIR/SHAKEN has been selected as the best candidate. With a name inspired by James Bond’s famed quote, STIR/SHAKEN will be the first antidote to curing the spam/scam call plague.
- STIR: Secure Telephony Identity Revisited, the standard developed by the IETF that defines signature-based call authentication.
- SHAKEN: Signature-based Handling of Asserted information using toKENs, the framework for implementing STIR.
However, before discussing STIR/SHAKEN’s implementation, it’s important to understand the two popular telephone network protocols.
TDM vs SIP telephone networks
The term Public Switched Telephone Network (PSTN) has persisted to describe the plain old telephone service. Old films often cast operators swapping wires on a switchboard to route a call. These depict the circuit-switched system. Eventually, the invention of the SS7 protocol set and the time-division multiplexing (TDM) in 1975 retired the human operators.
The TDM-based system was superior to humans in that it could carry many calls over a single wire, consolidating the hundreds of cables in dedicated connections. It achieved this by quickly switching between different calls, so quick that the gaps between voices were unperceivable. Its high reliability and simple implementation would dominate the phone industry for the next 50 years. But in the 21st century, demand for richer call services have exceeded TDM’s capabilities.
After much scouring, the industry settled on the session initiation protocol (SIP). The SIP protocol is a part of voice-over IP (VoIP) technology and operates over the internet as opposed to TDM’s specialized telephone hardware. Phone operators valued the SIP network’s reliability, cheaper hardware, the potential for new services, multimedia support, and better management capabilities. Its flexibility enabled STIR/SHAKEN, the upcoming hero in thwarting spoofed calls.
How STIR/SHAKEN works
The principle behind STIR/SHAKEN is based on digital signatures, an established technology that’s almost as old as the internet.
SHAKEN authentication over a SIP interconnect is trivial. When the caller makes a call, the SHAKEN Authentication module appends a digitally signed token to the call invite before passing it through the SIP interconnect. Once the invite reaches the receiver, the SHAKEN verification system qualifies the token and delivers/blocks the call. This simple system makes number spoofing exponentially harder.
But there’s a catch: these tokens cannot be transmitted over legacy (PSTN) networks, which carries 85 per cent of all robocalls. This is because the tokens are dropped at the first SIP to TDM conversion. When the terminating STIR verification system does not see a token, it simply drops the invite. This is the largest roadblock in establishing the STIR/SHAKEN in Canada as most operators use a mix of both systems.
What are digital certificates and how do they work?
The solution is out-of-band (OOB) STIR/SHAKEN. It hands the token to a call placement service (CPS) before the network conversion, removing it from the call path and sends it to the destination over the internet instead. Once received, the authentication server would match the call invite and the token at the destination and begin the verification process. This small change bypasses the barriers between mixing network types.
For operators with SIP networks, OOB STIR/SHAKEN is turnkey-esque. Operators that exclusively use TDM switches can transition using ISUP to SIP gateways.
Companies without direct access to phone numbers can implement STIR/SHAKEN as well. Google, for example, mentioned STIR/SHAKEN in its call display service.
Because CPS has insight into all calls, its security needs to be carefully managed. The certification authority needs to gain approval from policymakers to run the CPS and be held accountable when things run amok. In Canada, the Canadia Secure Token-Governance Authority (CST-GA) is the central policymaker for digital certificates.
The business case lies in rich call data
STIR/SHAKEN also enhances a key peripheral use–rich call data. Rich call data contains information about who is calling and why. Additionally, it can contain information like name, logo, picture, and call reason. It even allows for a URL that links to external files to give deeper caller context. Together with STIR/SHAKEN, users can authenticate calls at a glance and companies gain greater control over their brand’s appearance.
“There’s real value in that, it’s an easy business case to justify,” said Jim Dalton, CEO of TransNexus at the 2020 Canadian Telecom Summit. “We believe customers are going to pay for rich call data. And we think that because there are enterprises saying ‘I need my calls answered’…that’s the obvious first market: to sell to give them control over their branding, how and when they make a call, how it’s displayed while they’re calling. And most of all, it’s going to improve their call completion rates.”
RCD is coming to desktop phones, smartphones, smart TVs, and stationary phones. It will even bolster virtual communication. Zoom calls, for example, don’t verify where the connection is coming from. The user can access a meeting by clicking on the invite in the email. Imposters can easily hijack the link and pretend to be the recipient.
“We think there’s value in that it gives you a security identity for these outbound calls that you make,” said Dalton. “And it’s going to be great for inbound call centers….when they get that digitally signed token, there’s been some vetting by the service provider…and they can verify it with that call. It’s going to make their call or authentication processes much more robust.”
It’s up to the telecom operators to implement STIR/SHAKEN, but smartphone manufacturers will need to support rich call data. Dalton said it will be market-driven; if there’s high user demand, then it’s very likely it will be added quickly.
When is STIR/SHAKEN coming to Canada?
STIR/SHAKEN is planned for June 2021, but Canadians already have basic call protection.
In December 2019, Canadian carriers deployed a rudimentary blocking feature that barred calls from bogus numbers. While it blocked the most flagrant calls, it does nothing to combat call spoofing.
Thus, the CRTC mandated carriers to add STIR/SHAKEN by September 2020. But due to the effects of the pandemic, Canadian operators requested the CRTC to extend its implementation date by nine months. Rogers cited that some technical standards relating to STIR/SHAKEN haven’t been defined and that it needed more time to renegotiate contracts with vendors.