See how identity attestation works, why spoofing is so damaging, and what carriers need to do to restore confidence in voice.
STIR/SHAKEN is a call authentication framework developed by regulatory bodies and telecommunications experts to combat the rise in fraudulent robocalls and illegal phone number spoofing. STIR/SHAKEN is designed to protect the general public from scammers while ensuring that legitimate calls go through.
Key points
A robocall is a phone call that uses a computerized autodialer to deliver a pre-recorded message. Robocalls are often associated with spam (unwanted) or scam (intentionally fraudulent) calls. However, robocalls can also be used to spread critical information quickly and widely for legitimate reasons, like public service announcements or emergency warnings. Still, robocalling technology is used for the most part to deliver unwanted or fraudulent calls.
The number of spam and scam phone calls made over IP networks to American phone numbers has steadily risen. In 2023 alone, over were made in the US, growing 9% year-over-year.
Related articles
Number spoofing is a fraudulent activity in which a caller with malicious intent displays a false caller ID number in order to mask their identity.
Robocalling and number spoofing have heightened the public’s general reluctance to answer calls from unfamiliar phone numbers. In 2020, 80% of Americans said they would not answer a call from an unknown number. For businesses that depend on phone calls as a primary method of contact with customers, this is a major issue—and trends predict that it will only get worse.
To stem the increase of spam and scam calls, the FCC and the Canadian Radio-Television and Telecommunications Commission (CRTC) required Service Providers to implement STIR/SHAKEN, which stands for Secure Telephony Identity Revisited (STIR) / Secure Handling of Asserted information using toKENs (SHAKEN).
The FCC’s TRACED Act of 2019 mandated that U.S. voice service providers implement the FCC STIR/SHAKEN framework by the end of June 2021. The CRTC’s Compliance & Enforcement & Telecom Decisions 2018-32, 2019-402-2 and 2021-123 mandated that Canadian voice service providers implement STIR/SHAKEN by the end of November 2021. In short, both entities required telecommunications providers to complete certain validations and data collection to help prevent fraudulent activity.
With these mandates now fully in effect, it’s important to understand how they impact VoIP (Voice over Internet Protocol) systems and processes in order to maintain compliant calling practices. So let’s take a closer look at how to ensure compliant calling under the FCC STIR/SHAKEN framework.
Here’s a step-by-step breakdown of how STIR/SHAKEN works in practice:
STIR/SHAKEN dictates a three-level system which uses various criteria to categorize callers' “attestation” for the call. The different levels describe the level of trust a provider has in the caller’s right to use that particular number, with attestation levels ranging from 'A' to 'C'. Attestation alone does not guarantee that a call won’t be marked as spam and blocked (analytics engines factor into the equation too), but it’s a good starting point.
There are three attestation levels a originating provider can use to label a number:
Telnyx is fully compliant with STIR/SHAKEN—and as such, all calls originating on the Telnyx network will receive an attestation. Customers do not need to take any action and will not be notified of the attestation their calls receive from Telnyx.
Telnyx will sign and attest to any outbound call that is not signed by our customer. Customers, however, should be aware of any applicable regulatory requirements to directly participate in the STIR/SHAKEN ecosystem and to sign their own calls as mandated by the Federal Communications Commission. Telnyx will pass along SHAKEN signatures we receive in any outbound calls.
Telnyx customers who purchased numbers from Telnyx should expect to receive an A attestation. If a Telnyx customer is using a number that is not on the Telnyx portal, the customer will be assigned a B attestation. Telnyx customers with HVSD (high volume short duration) traffic can also expect a B attestation.
Customers who would like to increase their attestation to an A attestation should consider porting their numbers to the Telnyx portal. With Telnyx FastPort, customers can port their numbers in just a few clicks while maintaining complete control and transparency throughout the porting process.
In cases where this is not possible, the customer must meet the below requirements to be considered for increased attestation:
In the STIR/SHAKEN framework, companies may choose to sign their own calls, or their provider may sign the tokens.
Some service providers may wish to sign their calls with their own toKENs, but acquiring authorization to conduct this process is complex. First, the company needs to be approved by the Secure Telephone Identity Policy Administrator (STI-PA) who is in turn evaluated by the Secure Telephone Identity Governance Authority (STI-GA). Thereafter, the organization must fulfill the following requirements:
Plainly put, this process takes time, resources and industry expertise.
Many organizations prefer to delegate the complicated process of signing calls to their telecommunications provider. As an approved provider, Telnyx carries out call signage and attestation for all its customers.
As a carrier, Telnyx has been approved by the STI-PA to participate in the STIR/SHAKEN framework and is fully STIR/SHAKEN compliant. Telnyx authenticates every outbound call with a valid U.S. Caller ID that originates on the Telnyx platform and abides by the attestation levels listed above. All calls on the Telnyx network receive an attestation without any action required from the customer.
VoIP facilitates programmatic call forwarding, which must also adhere to the STIR/SHAKEN framework.
When forwarding inbound calls that contain an identity header, Telnyx passes the identity header for the incoming call to the callee and adds a DIV PASSporT (short for Diversion Personal Assertion Token) to the call to show that it’s been forwarded. A DIV PASSPorT is a token generated by the provider that assists with call forwarding. The attestation is determined by the originating service provider that originally signed the call.
When forwarding inbound calls that are not signed, Telnyx defaults to the original process by starting a new call that is assigned a B attestation. This call will not have a DIV PASSporT attached. If the inbound call is signed by another provider or company, that provider or company will see an inbound call with an identity header come through and take appropriate action.
As robocalling and number spoofing spread, businesses around the world face consumers who hesitate to pick up the phone. The U.S. was the first country to implement STIR/SHAKEN, Canada followed shortly thereafter, and other countries are considering similar regulations.
STIR/SHAKEN in the U.S. The Federal Communications Commission (FCC) required telecommunications service providers (TSPs) to implement STIR/SHAKEN by June 31, 2021.
STIR/SHAKEN in Canada The Canadian Radio-television and Telecommunications Commission (CRTC) required TSPs to implement STIR/SHAKEN by November 30, 2021.
STIR/SHAKEN in the U.K. The Comms Council met in July 2022 to discuss possible implementation of STIR/SHAKEN, but no definitive action has been taken yet.
Telnyx is fully compliant with STIR/SHAKEN in all relevant jurisdictions, so our customers’ calls are attested to in accordance with the standards outlined in this post. The Telnyx team includes VoIP regulation experts, and we will continue to update customers on what to expect in terms of STIR/SHAKEN capabilities if changes occur.
For additional information on STIR/SHAKEN click here, watch our webinar or talk to an expert today.
If America wants reliable, resilient AI-enabled communications, the framework has to be national. Not state-by-state.
David Casem, CEO @ Telnyx
