STIR/SHAKEN, what do you need to know?
Learn about the various VoIP components and processes affected by STIR/SHAKEN so you can maintain compliant calling practices.
By Fiona McDonnell
What is STIR/SHAKEN and why does it matter?
STIR/SHAKEN is a call authentication framework developed by regulatory bodies and telecommunications experts to combat the rise in fraudulent robocalls and illegal phone number spoofing. STIR/SHAKEN is designed to protect the general public from scammers while ensuring that legitimate calls go through.
What are robocalling and number spoofing?
A robocall is a phone call that uses a computerized autodialer to deliver a pre-recorded message. Robocalls are often associated with spam (unwanted) or scam (intentionally fraudulent) calls. However, robocalls can also be used to spread critical information quickly and widely for legitimate reasons, like public service announcements or emergency warnings. Still, robocalling technology is used for the most part to deliver unwanted or fraudulent calls; according to the Federal Communications Commission (FCC), American consumers receive nearly 50 billion robocalls per year.
Number spoofing is a fraudulent activity in which a caller with malicious intent displays a false caller ID number in order to mask their identity.
Robocalling and number spoofing have heightened the public’s general reluctance to answer calls from unfamiliar phone numbers. In 2020, 80% of Americans said they would not answer a call from an unknown number. For businesses that depend on phone calls as a primary method of contact with customers, this is a major issue—and trends predict that it will only get worse.
What is STIR/SHAKEN?
The number of spam and scam phone calls made over IP networks to American phone numbers has steadily risen. In the past year alone, over 4 billion robocalls were made in the U.S. each month—that’s 1,500 robocalls per second.
To combat this problem, the FCC and the Canadian Radio-Television and Telecommunications Commission (CRTC) required Service Providers to implement STIR/SHAKEN, which stands for Secure Telephony Identity Revisited (STIR) / Secure Handling of Asserted information using toKENs (SHAKEN).
The FCC’s TRACED Act of 2019 mandated that U.S. voice service providers implement the FCC STIR/SHAKEN framework by the end of June 2021. The CRTC’s Compliance & Enforcement & Telecom Decisions 2018-32, 2019-402-2 and 2021-123 mandated that Canadian voice service providers implement STIR/SHAKEN by the end of November 2021. In short, both entities required telecommunications providers to complete certain validations and data collection to help prevent fraudulent activity.
With these mandates fully in effect, it’s important to understand how they impact VoIP (Voice over Internet Protocol) systems and processes in order to maintain compliant calling practices. Now, let’s see how compliant calling works under the FCC STIR/SHAKEN framework.
Here’s a step-by-step breakdown of how it works:
- The calling party initiates a phone call through the originating service provider, which then contacts an internal authentication service to verify the caller ID number. The authentication service assigns an attestation level (A, B or C, depending on the legitimacy of a given originating phone number) to the call and generates a signed token.
- The token is included as a header in the SIP INVITE (an alphanumeric message sent by the calling party to the receiving party) and passed along to the terminating service provider, which contacts an internal verification service for analysis.
- The verification service reaches out to a certificate repository to validate the signature on the token.
- If the token signature is successfully validated, the call is completed to the recipient. If not, the terminating service provider can either pass along the verification results to the called party or take additional action, such as blocking the call.
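The sign-and-verify exchange in the steps above, as an added Node.js example that is not part of the original article or Telnyx's own code. It assumes a locally generated P-256 key pair in place of a certificate fetched from the repository, a 60-second freshness window, and constructed phone numbers, `origid` and certificate URL.

```javascript
const crypto = require('node:crypto');
const b64u = (x) => Buffer.from(x).toString('base64url');

// Originating side: the authentication service signs a SHAKEN PASSporT (ES256 JWT).
// Object keys are already in the lexicographic order the PASSporT format requires.
function signPassport(privateKey, { orig, dest, attest, origid, x5u, iat }) {
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport', x5u };
  const claims = { attest, dest: { tn: [dest] }, iat, orig: { tn: orig }, origid };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input),
    { key: privateKey, dsaEncoding: 'ieee-p1363' }); // raw r||s, as ES256 requires
  // Value of the SIP Identity header carried in the INVITE.
  return `${input}.${b64u(sig)};info=<${x5u}>;alg=ES256;ppt=shaken`;
}

// Terminating side: the verification service. publicKey stands in for the key from
// the certificate fetched at x5u (fetching and chain validation are not shown).
function verifyIdentity(identity, publicKey, { from, to, now, maxAgeSec = 60 }) {
  const parts = identity.split(';')[0].trim().split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  try {
    const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    // Pin the algorithm; never let the token choose how it is verified.
    if (header.alg !== 'ES256' || header.ppt !== 'shaken') return { ok: false, reason: 'unsupported' };
    const sigOk = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
      { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
    if (!sigOk) return { ok: false, reason: 'bad-signature' };
    const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
    if (!['A', 'B', 'C'].includes(claims.attest)) return { ok: false, reason: 'bad-attest' };
    // Replay defence: reject tokens issued outside the freshness window (assumed 60 s).
    if (typeof claims.iat !== 'number' || Math.abs(now - claims.iat) > maxAgeSec) return { ok: false, reason: 'stale' };
    // The signed numbers must match the ones in the INVITE being processed.
    if (claims.orig.tn !== from || !claims.dest.tn.includes(to)) return { ok: false, reason: 'tn-mismatch' };
    return { ok: true, attest: claims.attest };
  } catch {
    return { ok: false, reason: 'malformed' };
  }
}

// Constructed sample call: 555 numbers and an example.test URL, not real data.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const call = { orig: '12025550123', dest: '12025550188', attest: 'A', iat: 1700000000,
    origid: '123e4567-e89b-12d3-a456-426614174000', x5u: 'https://certs.example.test/sp.pem' };
  const identity = signPassport(privateKey, call);
  return verifyIdentity(identity, publicKey, { from: call.orig, to: call.dest, now: call.iat + 5 });
}
console.log(demo());
```

A production verification service would also validate the certificate chain behind `x5u` before trusting the key; the claim checks here only run after the signature has been accepted.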
Attestation levels explained
STIR/SHAKEN dictates a three-level system which uses various criteria to categorize callers' “attestation” for the call. The different levels describe the level of trust a provider has in the caller’s right to use that particular number, with attestation levels ranging from 'A' to 'C'. Attestation alone does not guarantee that a call won’t be marked as spam and blocked (analytics engines factor into the equation too), but it’s a good starting point.
What are the differences between A, B and C attestation?
There are three attestation levels an originating provider can use to label a number:
- Full Attestation (A): The provider knows the customer, knows they have a right to use the originating number, and knows that the call originated on their network.
- Partial Attestation (B): The provider knows the customer but the customer may be using another provider's phone number. The call is legitimate but the provider can’t fully attest because of missing information.
- Gateway Attestation (C): The provider can’t verify the customer or the phone number and has no way of knowing if the call is legitimate. The originating provider will still attest to the call in order to mark that the call originated on their network.
What Telnyx customers should know about attestation
Telnyx is fully compliant with STIR/SHAKEN—all calls originating on the Telnyx network will receive an attestation. Customers do not need to take any action and will not be notified of the attestation their calls receive from Telnyx.
Telnyx will sign and attest to any outbound call that is not signed by our customer. Customers, however, should be aware of any applicable regulatory requirements to directly participate in the STIR/SHAKEN ecosystem and to sign their own calls as mandated by the Federal Communications Commission. Telnyx will pass along SHAKEN signatures we receive in any outbound calls.
Telnyx customers who purchased numbers from Telnyx should expect to receive an A attestation. If a Telnyx customer is using a number that is not on the Telnyx portal, the customer will be assigned a B attestation. Telnyx customers with HVSD (high volume short duration) traffic can also expect a B attestation.
Customers who would like to increase their attestation to an A attestation should consider porting their numbers to the Telnyx portal. With Telnyx FastPort, customers can port their numbers in just a few clicks while maintaining complete control and transparency throughout the porting process.
In cases where this is not possible, the customer must meet the requirements below to be considered for increased attestation:
- They must be a committed customer
- They cannot have any Traceback complaints or subpoenas related to fraud
- They should have a Know Your Customer (KYC) vetting system to ensure that bad actors cannot access their network
Companies may choose to sign their own calls, or their provider may sign the tokens.
What are the requirements for signing tokens?
Some service providers may wish to sign their calls with their own tokens, but acquiring authorization to conduct this process is complex. First, the company needs to be approved by the Secure Telephone Identity Policy Administrator (STI-PA), who is in turn evaluated by the Secure Telephone Identity Governance Authority (STI-GA). Thereafter, the organization must fulfill the following requirements:
- Have a 499A (a Telecommunications Reporting Worksheet) on file with the FCC
- Have an Operating Company Number (OCN), which is used to identify CLEC and Reseller usage data
- Have a robocalling mitigation plan filed with the FCC
- Have obtained valid certificates from an approved Certificate Authority
- Have implemented a STIR/SHAKEN solution on their network
Plainly put, this process takes time, resources and industry expertise.
What is the alternative to signing your own tokens?
Many organizations prefer to delegate the complicated process of signing calls to their telecommunications provider. As an approved provider, Telnyx carries out call signing and attestation for all its customers.
As a carrier, Telnyx has been approved by the STI-PA to participate in the STIR/SHAKEN framework and is fully STIR/SHAKEN compliant. Telnyx authenticates every outbound call with a valid U.S. Caller ID that originates on the Telnyx platform and abides by the attestation levels listed above. All calls on the Telnyx network receive an attestation without any action required from the customer.
Call forwarding and attestation with STIR/SHAKEN
VoIP facilitates programmatic call forwarding, which must also adhere to the STIR/SHAKEN framework.
When forwarding inbound calls that contain an identity header, Telnyx passes the identity header for the incoming call to the callee and adds a DIV PASSporT (short for Diversion Personal Assertion Token) to the call to show that it’s been forwarded. A DIV PASSporT is a token generated by the provider that assists with call forwarding. The attestation is determined by the originating service provider that originally signed the call.
When forwarding inbound calls that are not signed, Telnyx defaults to the original process by starting a new call that is assigned a B attestation. This call will not have a DIV PASSporT attached. If the inbound call is signed by another provider or company, that provider or company will see an inbound call with an identity header come through and take appropriate action.
As robocalling and number spoofing spread, businesses around the world face consumers who hesitate to pick up the phone. The U.S. was the first country to implement STIR/SHAKEN, Canada followed shortly thereafter, and other countries are considering similar regulations.
STIR/SHAKEN in the U.S.
The Federal Communications Commission (FCC) required telecommunications service providers (TSPs) to implement STIR/SHAKEN by June 31, 2021.
STIR/SHAKEN in Canada
The Canadian Radio-television and Telecommunications Commission (CRTC) required TSPs to implement STIR/SHAKEN by November 30, 2021.
STIR/SHAKEN in the U.K.
The Comms Council met in July 2022 to discuss possible implementation of STIR/SHAKEN, but no definitive action has been taken yet.
What do Telnyx customers need to do to be compliant?
Telnyx is fully compliant with STIR/SHAKEN in all relevant jurisdictions, so our customers’ calls are attested to in accordance with the standards outlined in this post. The Telnyx team includes VoIP regulation experts, and we will continue to update customers on what to expect in terms of STIR/SHAKEN capabilities if changes occur.