Naked Security Naked Security

Phone carriers must authenticate calls to fight robocalls, says FCC

The FCC has given voice carriers until June 2021 to implement technology it says will stop the robocall plague that's driving us all insane.

The US Federal Communications Commission (FCC) on Tuesday unanimously passed new rules that require wireless carriers to implement a technology framework – by June 2021 – to filter out robocalls.
This one’s been kicking around for years: it’s called STIR/SHAKEN.
Short for Secure Telephone Identity Revisited and Signature-Based Handling of Asserted Information Using ToKENs, STIR/SHAKEN is a pair of network protocols that use digital certificates to verify that the number on caller ID is the number that actually placed the call, as opposed to one of the many flavors of robocalling scammers who’ve been pestering us like growing swarms of gnats.
What it doesn’t do: block spoofed numbers. The protocols don’t identify bad actors. Rather, they enable carriers to authenticate calls, after which consumers will be able to tell if a number is likely to be a robocall.
The FCC says STIR/SHAKEN should help to protect consumers against malicious caller ID spoofing, often used in robocall scams to trick us into answering our phones so telemarketers and/or scammers can bleat at us. You know their spiels: home improvement and remodeling services, robots rattling off messages in fast Chinese, or “apply for coronavirus testing here” scams, among so, so many more.

According to the FCC, spam robocalls cost $3 billion in wasted time and money each year. That doesn’t even take into account the fraud part: the Commission estimates that scammers use robocalls to milk an annual $10 billion from Americans. We’re drowning in these calls, receiving up to 200 million every day.
In November 2018, FCC Chairman Ajit Pai demanded that the phone carriers adopt SHAKEN/STIR to help solve the problem.
In a SHAKEN/STIR interaction, the originating caller’s phone sends an authentication request along with their phone number to a STIR authentication service (which would typically be operated by their carrier). The authentication server checks that the caller has the right to use that number, and signs a digital token that’s sent to the recipient’s STIR verification service. That service checks the authentication service’s repository of digital certificates to ensure that the invitation is legit. If the certificate matches, the call goes through to the recipient. If not, the carrier can drop it.
The industry didn’t exactly embrace Pai’s request. In November 2018,
Pai slammed carriers for dragging their feet on implementing SHAKEN/STIR.
The carriers had reservations about the protocols. Sprint, for one, told the FCC in October 2018 that the protocols will be helpful in fighting illegal robocalls, but it’s not a “complete solution.” Nor is it cheap.
Carriers have also complained that SHAKEN doesn’t tell them anything about the content of a call or whether it’s legal. Instead, all it does is authenticate the origination of the call path and the Caller ID information of individual calls.
Nor will it be useful without universal adoption, Sprint said, without which call authentication can’t be passed to the terminating carrier.
T-Mobile concurred, among other carriers.
Notwithstanding, in February 2019, Pai warned that if carriers didn’t step up, he’d introduce regulations to force them to block robocalls: regulations that he proposed last month (March 2020).

… Which brings us to Tuesday’s order

The order issued by the FCC on Tuesday requires all originating and terminating voice service providers to implement STIR/SHAKEN in the Internet Protocol (IP) portions of their networks by 30 June, 2021, a deadline that’s consistent with Congress’s direction in the recently enacted TRACED (Telephone Robocall Abuse Criminal Enforcement and Deterrence) Act. The TRACED Act was signed into law and signed by the president in December 2019, just before the new year.
Also on Tuesday, the FCC said it was looking for more public comment on expanding STIR/SHAKEN to cover the intermediate voice service providers between the originating and terminating ones, and it extended the implementation deadline by one year for the small providers that will have a tough time paying for their implementations. It’s also looking for input on requirements that would promote caller ID authentication on voice networks that don’t rely on IP technology.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.

Leave a Reply

Your email address will not be published. Required fields are marked *