Your phone lights up with a number that appears to be not just in the same area code, but the same prefix (the next three digits), indicating that it might be a neighbor or a nearby business.
But when you pick up, it’s a robocall—an automated interactive call—that’s almost certainly a scam or spam. If you’re used to these calls, you hang up. Maybe you curse out the unfeeling recording before ending the call.
Not everybody gets off so easy. The Federal Trade Commission estimates that scammers extracted nearly a billion dollars from consumers in 2017, with 70% of of the fraud being instigated over the telephone. That’s just for instances in which victims reported their losses.
Despite FTC penalties and legal efforts to shut down scams, the problem has since gotten worse, with tens of billions of unwanted calls placed in 2018. T-Mobile alone said it blocked a billion scam calls over 18 months for customers who had opted into a free spam-identifying service.
Spoofing a number via Caller ID doesn’t fool everyone, and it isn’t the only tool in fraudsters’ arsenals. But it’s a significant part of the confidence game they try to play. And even if you never get suckered, it wastes your time. A solution to this spoofing—two paired standards amusingly called STIR and SHAKEN—has started early rollout with broad industry support. T-Mobile is leading the pack with an in-network early deployment, although it only works with Samsung’s Galaxy Note 9 phone at the moment; broader deployment will take at least several months, and will require Google and Apple to update their phone apps for the best results.
This change is coming in part because the FCC has demanded it. In November 2018, FCC Chairman Ajit Pai said in a statement that he “demanded that the phone industry adopt a robust call authentication system to combat illegal caller ID spoofing and launch that system no later than next year.” It was a rare act of regulatory insistence from an enforcement-adverse leader best known for his dismantling of Obama-era Net Neutrality protections.
Even before the FCC’s stern statement, carriers were inclined to make changes. Customers blame them, not the FCC or the vagaries of an outdated number-identifying system, for unwanted calls. And anything that leaves people dreading incoming calls is probably bad news for AT&T, Verizon, T-Mobile, and Sprint.
STIR/SHAKEN provides both validation and accountability. A rogue carrier could vouch for a call with a spoofed number, but such subterfuge would be easily tracked. A carrier that chooses to sign no calls could also stand out in a system in which nearly all calls from legitimate sources are signed legitimately. But there’s just one problem: If the FCC doesn’t mandate that every carrier, large and small, deploy the new anti-spoofing standards, it could land with a dull thud.
The name is ID. Caller ID
Caller ID originated late in AT&T’s monopoly period and was rolled out just after Ma Bell was broken up into Baby Bells in 1984. Penetration grew from about 3% in 1995 to roughly 45% by 2001. Widespread smartphone adoption a few years later brought that number up much higher.
Pervasive though the technology has become, it remains fragile. It isn’t validated, which is why scammers can lead you to think they’re calling from a local number. Worse, the public phone system relies on Caller ID as the only identifier for a call passing across the network between a caller and the recipient of the call—there’s no robust backchannel that provides any great assurance about the originating number, even as a call might take as many as eight or nine hops between its origin and destination. There’s also no central database of which telephone numbers are under the control of a given telco. What a way to run a railroad!
The system fit into the 1980s world with very few parties interchanging information, not the huge number of independent Voice over IP (VoIP) providers who have carrier agreements that let them send calls out to the public phone network. “Consumers benefit from having more diversity of options with respect to who can carry their phone calls,” says Chis Oatway, associate general counsel at Verizon. But he said “bad guys” take advantage of that infrastructure to inject billions of illegal calls.
“The Wild West was added to the phone network when we added VoIP telephony,” says Brent Struthers, the director of the Secure Telephone Identity Governance Authority (STI-GA) at the Alliance for Telecommunications Industry Solutions (ATIS). (Yes, the industry loves its acronyms.)
Struthers explains that VoIP providers can effectively set a unique Caller ID number for each call that passes through their gateway—even if all the calls are coming from one party. The lack of validation, automated call tracking, and other means of accountability makes it surprisingly hard to finger the offending VoIP services.
If Caller ID’s untrustworthiness sounds familiar, you may have seen this movie before: It’s essentially the same problem as the “From” address in internet email. Email senders don’t have to prove they have the right to use a particular address, and spoofing the address makes fraud dramatically more credible—especially phishing. (A few long-standing efforts to deal with that issue have borne some fruit, but they’re not used universally or consistently and introduce other problems.)
The rise in robocalling has led to fewer people picking up the phone at all. Statistics from Hiya also back this up. The company makes smartphone apps to identify, block, and allow reports on unwanted calls, and its database also powers some carriers’ caller systems. In a report analyzing a recent month of call data, Hiya says that Americans answer only 52% of calls on average. For calls from numbers they don’t recognize, that figure is only 38%; it’s 70% for those stored in their contacts.
Major wireless carriers have already added apps to let users opt into blocking likely scams and identifying potential ones. AT&T and T-Mobile have offered such apps for free since 2017, and Verizon will make its option free around March. Verizon already offers it at no cost to landline customers.
These are patchwork systems, however, relying on incomplete and imperfect information. Something has to change, and the STIR and SHAKEN standards appear to be the path forward.
SHAKEN to its core
When a web browser makes a secure connection to a server, it relies on infrastructure that lets the browser confirm that the server has the right to operate at a given domain name. No such validation currently happens with Caller ID, and that’s what the new anti-spoofing effort is all about.
As with people who operate web servers, telcos will apply to a central authority—likely one or more picked by the STI-GA—to get a digital certificate that uniquely identifies them. For every call a carrier originates, it will pair the phone number attached to the call with a cryptographically signed message confirming that number is originating from only the carrier possessing a certificate to generate it.
Other parties that handle that call on its way to its termination with the person called will be able to use public-key cryptography to validate that the number attached matches the one set when the call started and was signed.
The standards involved have ponderous names: STIR (Secure Telephony Identity Revisited) began in the Internet Engineering Task Force (IETF), a central standards body responsible for many of the pieces that make the internet tick. SHAKEN—which ridiculously stands for Signature-based Handling of Asserted Information Using toKENs—is an extension of STIR that’s broader based and designed as a framework that phone companies can implement.
Email relies on millions of mail servers interacting daily with no central authority, making enforcing validation nearly impossible. The public phone network, by contrast, has a handful of major companies—like AT&T, Verizon, and Comcast—that dominate the lines that receive calls. The system is also heavily regulated, and every party that attaches has some sort of commercial relationship with at least one other party.
Some issues remain to be sorted out for the industry, such as picking central authorities, something the STI-GA expects will fall inside its governance purview. Right now, major telcos starting rollouts have to use “self-signed” certificates, or ones that they vouch for themselves without the authority of an independent third party. T-Mobile’s early deployment has it signing its own calls and displaying a “Caller Verified” message on the Galaxy Note 9.
However, there’s a clear path forward for telcos to add STIR/SHAKEN validation. In responses to the FCC’s demand in November, all the major companies offering wireless, landline, and VoIP services expressed support for the new standards, though some did so more strongly than others.
The big players aren’t the problem. Without an FCC mandate for VoIP providers to adopt STIR/SHAKEN, it’s uncertain what the path forward will be. And even if they do, how will the industry make sure that carriers that provide service to fraudsters won’t just let them use illegitimate numbers and sign off on them with the new technology?
SHAKEN’s framework allows for three tiers of “attestation,” or the kind of validity that a Caller ID signer is offering. Verizon’s Oatway says the first tier is “I gave this phone number to the caller, so I know it,” which is appropriate for one-to-one consumer and business service.
A second tier lets a carrier identify its customer, as with corporate PBX-style systems with pooled lines. The lowest tier happens at a gateway level, and says that a call passed across a given pathway, but “I don’t know much about it” and it’s missing any STIR/SHAKEN tokens, says Oatway.
The framework makes sense, but there’s no current policy from the FCC or agreement within the industry as to what to do with the information it provides, including with smartphone operating-system makers and handset manufacturers.
For example, if a Caller ID number is validated, does the carrier pass along a message that causes an iPhone to show a big green checkmark, or will it just be modified Caller ID text, as both third-party and carrier-driven apps offer today? If there’s no SHAKEN attestation attached, should the carrier block the number, warn that it might be dicey, or give its customers an option in a call-management app to block such numbers?
If 100,000 calls come through a single VoIP provider in one minute, all of which have signed but illegitimate numbers, should that carrier’s signing certificate be revoked? “Who is in charge of revoking that carrier’s certificate if that’s the way to go?,” Oatway asks.
James F. Williams, Verizon’s director of network infrastructure planning, notes that “under current FCC rules, associating an attestation from a particular certificate holder with suspicious robocall traffic is not sufficient to block that traffic outright,” although customers can opt in individually to such blocking. This stance doesn’t mean that automatically blocking such calls would be illegal—but carriers might choose to err on the side of caution. (The FCC didn’t respond to a request for comment from Fast Company.)
These questions of both presentation and behind-the-scenes filtering are crucial, and yet they remain unanswered. The opt-in call management features carriers already offer could be expanded to sweep in STIR/SHAKEN signals. Oatway said STIR/SHAKEN could be very helpful, “but it also has the potential to be a tool that if not used by the industry in the right way, may fall flat.”
The tail isn’t shaking the dog here. As STIR/SHAKEN starts to take hold and carriers begin to pass along validation messages, patterns will emerge as a split between billions of verified calls and billions of mystery calls. In cases where a number is used illegitimately, the new technologies should help determine which carrier enabled the spoofing: “It’s safe to say that one of the early uses of STIR/SHAKEN can be effective and have rapid traceback,” says Oatway.
Fraud robocalls aren’t going to vanish in one fell swoop. But the phone system has fewer points of entry and fewer paths to monitor than the wide-open spaces of the internet. Knowing that incoming Caller ID correctly identifies the caller, or that a malicious party can be more easily identified, could finally cut off the dial tone for scammers.