by Thomas Hadden, COO Simwood Inc.
Many of you may have heard of the changes being implemented in 2019-2020 by USA – ILEC/CLECs/IPES Carriers.
The most common topic is SHAKEN/STIR. For our James Bond fans, this is SHAKEN and STIR.
Consistently, Caller ID spoofing and robocalling generate the largest number of consumer complaints to the Federal Communication Commission (FCC), with an estimated 2.4 billion robocalls received by Americans per month in 2016 alone. Recognizing this fact, on July 14, 2017, the FCC issued a Notice of Inquiry seeking comment on the FCC’s role in promoting SHAKEN/STIR—an industry-developed set of protocols and operational procedures designed to authenticate telephone calls and mitigate spoofing and illegal robocalling.
As part of this administrative process, the FCC has directed the Call Authentication Trust Anchor Working Group (CATA WG) of the North American Numbering Council (NANC) to investigate a variety of issues associated with the SHAKEN/STIR system. Specifically, the FCC directed the NANC CATA WG to address the following substantive issues:
- Define criteria by which a GA should be selected;
- Describe the evaluation process of applying the above-defined criteria;
- Recommend, if the Commission is not to serve as the GA, the role that the Commission should play in overseeing the administration of the call authentication system; and
- Recommend the process by which the PA should be selected, including whether solely by the GA, or by a process including other stakeholders.
Additionally, the FCC directed the NANC CATA WG to address the following procedural steps:
- A reasonable timeline or set of milestones for adoption and deployment of a SHAKEN/STIR call authentication system, including metrics by which the industry’s progress can be measured;
- Incentives or mandates that the Commission can put in place to ensure that these milestones and timelines are met;
- Any additional steps the Commission needs to take to facilitate deployment of a call authentication system; and
- Any steps the Commission or industry might take to make sure a call authentication system works for all participants in the North American Numbering Plan.
November 6, 2018 — The Federal Communications Commission sent letters to voice providers, calling on them to assist industry efforts to trace scam robocalls that originate on or pass through their networks.
These letters, written by FCC Enforcement Bureau Chief Rosemary Harold and Chief Technology Officer Eric Burger, were sent to voice providers that are not participating in these “traceback” efforts, including those the FCC has encouraged to do more to guard against illegal traffic. These traceback efforts assist the FCC in identifying the source of illegal calls.
“It is vital that public and private stakeholders work together to combat scam calls,” said Chief Harold about the letters. “It hinders both FCC enforcement and industry call authentication work when companies do not cooperate with traceback efforts. We must do everything we can to catch and stop scammers, and industry cooperation is vital to achieving that goal.”
“The industry is helping combat illegal robocalls and spoofing, but more must be done,” said Dr. Burger. “We hope all carriers and interconnected VoIP providers will join these traceback efforts and implement tools to speed the traceback process, such as deploying a robust call authentication framework. In my experience, strong enforcement is the best tool against bad actors, and improved traceback is a critical tool for finding scammers.”
So, as we see, in 2018 the FCC in the United States accepted the recommendations of the North American Numbering Council (NANC) to institute a governance authority to oversee implementation of the SHAKEN/STIR protocols. The FCC and NANC hope the framework will help fight robocalls and spoofed numbers by providing procedures to authenticate caller ID information associated with telephone calls.
SHAKEN/STIR is an industry-developed set of rules and procedures designed to authenticate caller ID information associated with telephone calls by assigning them an encrypted “digital fingerprint.” Calls originating from a particular service provider are digitally signed with a Secure Telephone Identity (STI) certificate verifying the caller is entitled to use the indicated phone number. The terminating service provider can then review the STI certificate to validate the calling party’s number and screen spoofed calls to the service provider’s customers. The process is similar to SSL certificates used to establish secure connections between internet users and websites, and can be used to cryptographically verify incoming call information.
Many of the illegal calls use caller ID spoofing, which occurs when the originator of the call manipulates the telephone network in order to display a number that is different than the originating number. Most of the time, spoofed caller IDs are very similar to the number that is being dialed which increases the likelihood the call will be answered. SHAKEN/STIR are protocols created to combat bad actors who use caller ID spoofing to increase the chances of speaking to a subscriber.
The FCC issued an order (FCC 17-151) In this Report and Order and Further Notice of Proposed Rulemaking, the FCC takes another important step in combatting illegal robocalls by enabling voice service providers to block certain calls before they reach consumers’ phones. Specifically, we adopt rules allowing providers to block calls from phone numbers on a Do-Not-Originate (DNO) list and those that purport to be from invalid, unallocated, or unused numbers. Providers have been active in identifying these calls and there is broad support for these rules. At the same time, we establish safeguards and seek further comment on options to mitigate the possibility of blocking desired calls, among other things.
This has allowed service providers to block calls originating from numbers that are not valid under the North American Numbering Plan (NANP). Many Terminating Carriers including the CLEC/IPES carriers are now taking steps to limit the robocall and unwanted fraudulent calls within the USA.
Starting in June 2019, Simwood Inc., along with many of the other carriers we exchange traffic with, are beginning to implement rules to block some of these unwanted calls. In the beginning, calls which do not have valid NPA/NXX as defined by NANPA may be blocked by the terminating carrier. Some carriers have chosen to use an ISUP 21-Call Rejected or SIP 403-Forbidden as the return code for these blocked calls.
Many customers have asked,
“ I have seen press releases from service providers announcing their deployments of STIR/SHAKEN. Is the technology ready for production use?”
No, there is a great deal yet to be decided. A base set of standards exists for Identity header operation and certificate management and a task force is actively working on finalizing the standards. For certificates to be available, a special PKI infrastructure SHAKEN signing and verification needs to be put in place and deployed by all service providers. Some implementations exist and several service providers have begun exchanging Identity headers on a limited basis, with workaround methods to share unofficial root certificates for validating each other’s signatures.
Wider deployment will require the industry-level PKI infrastructure including an ecosystem of STI-CAs (Certificate Auth), authorized service providers, and an STI-PA (Policy Admin). Currently, the governance authority organized under ATIS is in the process of choosing a policy administrator and some of the infrastructure is expected to be available later in 2019.
For those who have not had a chance to review the current progress, below is an outline of SHAKEN/STIR
- The customer sends a call to the originating SP. The originating SP determines the following information that is populated in the “PASSporT” data format in the Identity header:
- Calling number, called number, and timestamp
- URL to the public key certificate associated with the signing private key
- Attestation value – determined by the type of interconnection peer (customer or other service provider) and if a customer, whether the TN authorization can be determined
- Origination Identifier (origid) – provides information to aid traceback within the originating SP network and can aid reputation determination/segmentation of calls in the terminating SP analytics function. The origid may or may not be at the granularity of a customer.
- Calling number, called number, and timestamp
- The originating SP network sends this information to the “Secure Telephone Identity – Authentication Service” (STI-AS) function that populates the PASSporT data structure and generates a cryptographic signature using its private key.
- It encodes and assembles the resulting “JWT” (JSON Web Token) and returns it to the originating SP for population in a SIP Identity header.
- The originating SP network populates an outgoing INVITE with the Identity header when sending the call to the next-hop service provider, which can either be a directly connected terminating SP or an intermediate SP. The Identity header is passed unchanged through any intermediate service provider networks.
- The terminating SP receives a SIP INVITE with the Identity header and forwards the header and other call information to the verification function (Secure Telephone Identity Verification Service or STI-VS). The STI-VS function retrieves the public key certificate for the key used to sign the Identity header at the URL provided in the PASSporT (4a.) and verifies the signature. It checks the timestamp populated in the PASSporT to guard against replay attacks and checks that the calling and called numbers match the unprotected information in the SIP INVITE. If all checks are successful, the STI-VS function returns a “verified’ indication to the terminating network call processing functions. It also returns the decoded Identity header parameters, including the origination identifier and attestation indicator. Where implemented (4b.), this information is also passed to an analytics engine which makes other determinations about the validity of the data based on the call parameters, attestation, and origid values, together with comparisons with other call patterns.
- Depending on the type of terminating customer and its equipment, the terminating SP can choose to forward the verification information as-is, provide enriched name display including the results of spam checking (as enhanced with verification information), and/or allow the customer to change the call flow.
Other questions that quickly arise are;
Some or all of our traffic originates from outside the United States.
Will Simwood, Inc. populate Identity headers on our traffic and what attestation value will it populate?
If your network terminates calls coming from other parties internationally, chances are this will be considered a “gateway” type of call. Simwood, Inc. will likely mark such calls with the “gateway” attestation value when the capability is deployed
What about Canada?
The Canadian telecommunications industry and regulators are implementing their own SHAKEN governance and operational ecosystem that for now will be separate from the U.S. There may be some opportunities for SHAKEN federated certificate and policy management across national boundaries at some point in the future. In the meantime, calls originating from the U.S. to a service provider in Canada via Simwood, Inc. will likely not carry a Simwood-populated Identity header. They may carry a gateway-attestation header from a Canadian provider.
What about calling numbers from both Simwood, Inc., and other TN providers across my outbound calling providers. Can Simwood mark my calls with “full attestation?”
Will other providers mark my calls from numbers Simwood assigned to me with “full attestation?”
The SHAKEN standard covers the possibility that a customer’s “association” to the calling number can be established by means other than direct TN assignment by the originating SP who receives a particular call, which would allow a customer to utilize multiple service providers and originate calls with the same set of calling numbers with full attestation. There are technologies and administrative procedures under discussion in the industry aimed at facilitating the determination of TN associations across service providers. Each service provider may establish its own policy as to the conditions for publishing or accepting an assertion of customer/TN associations.
As Terminating Carriers progress into late 2019, and continue to work on SHAKEN/STIR, it is expected that we will begin to see the introduction of blacklisted numbers as well which have been repeatedly reported as fraud. Simwood will take all precautions to make sure legitimate calls are not blocked. If we find cases in the future where calls are reported as fraud, we will work with our customers to correct the issues. As the process continues, please feel free to reach out to us with any questions or concerns.