ECC Newsletter May 2020

STIR/SHAKEN – Europe watches with interest as the United States and Canada roll out a solution for authenticating calling line identification

Fraud continues to be a major issue for the communications industry, as the percentage of total revenue lost due to fraud grew in 2019. The sector lost $28.3 billion (€26.1 billion) to fraud last year, the Communications Fraud Control Association's biennial global fraud loss survey shows. While the actual figure was down from $29.2 billion (€26.9 billion) in 2017, the percentage loss of total revenue increased from 1.27% to 1.74%. There remains no room for complacency when it comes to fraud within the industry.

Of course, revenue loss is not the only issue that arises as a result of fraud or misuse of electronic communications services. It is much harder to quantify the distress and anxiety suffered by consumers, on top of the financial cost to them and to service providers. The many different types of fraud and misuse that both service providers and consumers are experiencing is the subject of an earlier article in this series describing the A to Z of fraud types.

CLI spoofing

The above mentioned article describes Calling Line Identification (CLI) spoofing as a method whereby a fraudster manipulates the telephone number in the CLI field in the communication signalling. This leads the person they are calling to think the call has come from a different location, organisation or person. The contents of the CLI field can be manipulated for valid reasons – described in ECC Report 248 – but illegitimate CLI spoofing remains a major enabler of fraud.

The numbers that are spoofed can be fictitious numbers, real numbers assigned to end-users, or real numbers which have not yet been assigned. Numbers assigned to large organisations that are used exclusively for incoming calls are popular for fraudulent activity. One notable case of CLI spoofing which caught the headlines internationally was where the inbound telephone number of the US tax authority, the Internal Revenue Service (IRS), was spoofed by scammers who then falsely claimed to be from the IRS and sought out personal information, such as social security numbers, or demanded immediate payment of taxes by credit card from their victims. Over a period of four years, more than 15,000 victims in the United States lost "hundreds of millions" of dollars to this scam.

In the United States, CLI spoofing and robocalling – an outbound telephone call generated by a computerised auto-dialler to deliver a pre-recorded message or to connect the called party with a human operator – account for a staggering 200,000 consumer complaints to the Federal Communications Commission (FCC) every year. This equates to around 60% of all complaints it receives. The Federal Trade Commission (FTC) receives even more robocall complaints – 4.1 million in 2018. Robocalling has become a major problem in the United States and in many cases, these calls appear to originate from spoofed telephone numbers. To combat this growing problem the FCC Chairman, Ajit Pai, in a November 2018 news release, demanded the industry to implement a robust call authentication system known as STIR/SHAKEN to combat illegal CLI spoofing. In December 2019, the Traced Act was signed into law – service providers are now required to implement STIR/SHAKEN in the Internet Protocol (IP) portions of their networks within a reasonable timeframe.

Apart from being methods to mix martinis, what are STIR and SHAKEN?

A single telephone call between two people can involve multiple service providers and multiple networks. An originating service provider always knows something about the CLI associated with a call. In most cases, the caller is a customer of the originating service provider and the service provider knows the customer has rights of use to the number. In other cases, the originating service provider knows the customer but allows the customer to use a different number in the CLI field. This is common for business customers who may want to display a different number, for example, a reception or a freephone customer contact number, rather than the actual extension of the caller. It may not be possible for the service provider to validate the CLI used by the customer. And finally, sometimes the service provider only knows the entry point to the network, for example, a long distance call from overseas which may have originated and transited through other networks before arriving at the terminating network. Until recently, there was no secure mechanism for an originating service provider to communicate this type of information to a terminating service provider. This is where STIR/SHAKEN comes in.

Secure Telephone Identity Revisited (STIR) is a working group of the Internet Engineering Task Force (IETF), which has developed a suite of standards to authenticate CLI. Secure Handling of Asserted information using toKENs (SHAKEN) specifies a practical mechanism for service providers to implement the STIR standards. Work on SHAKEN has been led by the Alliance for Telecommunications Industry Solutions (ATIS).

How does it work?

For almost two decades now, network operators around the world have been migrating their networks from traditional time division multiplexing (TDM) technology to IP, with Session Initiation Protocol (SIP) being the most prominent and widely used protocol for IP-based voice telephony. There remains a significant amount of legacy TDM traffic in access networks but most core networks in Europe are already IP-based and, most importantly, scammers almost always use IP-based technology to originate calls.

STIR/SHAKEN, which works with SIP, is essentially a tool to provide terminating networks with intelligence on calls originating on, or transiting through, other networks.

When a call is made, the originating service provider can check the source of the call and create a digital signature, called a Personal Assertion Token (PASSporT), which “attests” to what it knows about the call origination. The PASSporT is used to create a SIP identity header that contains information on the calling number, called number, attestation level, and call origination using secure digital certification. There are three levels of attestation defined by the standards:

  • Full Attestation: The caller, and their right to use the number in the CLI field, is verified. This must be a customer of the originating service provider.
  • Partial Attestation: The caller, but not the number, is verified. This could be a business customer of the originating service provider, for example, which may have the capability to manipulate the CLI field in their enterprise level switch for a valid reason.
  • Gateway Attestation: Only the point at which the call entered the network is verified. An example of this case would be a call received from an international gateway.

STIR/SHAKEN Governance Framework

In order to digitally certify calls, each service provider must obtain a digital certificate from a certificate authority who is trusted by other service providers. A key component of the SHAKEN framework is the governance model which was developed by ATIS and industry in close cooperation with the FCC. There are a number of different entities in the governance model and their respective roles are described in Figure 1 below.

Figure 1 - SHAKEN Governance Model – Entities and respective roles (source: ATIS)

The governance authority is designed to allow for non-discriminatory representation, in the form of a board, by representatives from the electronic communications service provider community which co-ordinates with the FCC to ensure transparency in the operation of the ecosystem and co-operates on any enforcement actions.

The STI-GA board has now been appointed and operates under the auspices of ATIS. iConectiv has been appointed as the STI Policy Administrator, and several STI Certification Authorities have been approved, including Neustar and Transnexus. Since 16 December 2019, voice service providers can register with iConectiv to obtain credentials in order to acquire STI certificates from approved certification authorities.

With the technical and governance framework now in place in the United States, the challenge is to get all domestic service providers signed up as quickly as possible.

STIR/SHAKEN – Could it work in Europe?

While the technical and governance framework described above relates to the domestic market in the United States, Canada has also moved ahead with its plans to implement STIR/SHAKEN. The Canadian Radio-television and Telecommunications Commission (CRTC) requested Canadian voice service providers to complete the implementation of STIR/SHAKEN by 30 September 2020, and for some time now the US and Canada have collaborated on a cross-border implementation. On 9 December 2019, Ajit Pai, FCC Chairman, and Ian Scott, CRTC Chairman and CEO, completed the first official cross-border call using the STIR/SHAKEN authentication framework.

This development has piqued the interest of many observers in Europe particularly in the policy and regulatory domain. CLI spoofing is a major problem in Europe also. Ofcom, the UK regulator, estimates that UK consumers receive 5 billion nuisance calls each year and that CLI spoofing is a key enabling technique used by scammers and fraudsters to avoid detection. Another pressing issue is the arbitrage opportunity that was created by the introduction of the roaming regulation in the EU. Some incidents of traffic from outside the EU are being re-originated – also known as refiling – to make it look like it originated inside the EU. The motive is to exploit the price difference between the regulated low termination rate for calls from within the EU and the higher unregulated rates for calls from outside the EU. STIR/SHAKEN could play an important role in mitigating such practices.

The Electronic Communications Committee (ECC) has been liaising with ATIS over the past 18 months to gain a better understanding of the STIR/SHAKEN model and how it might be applied in a European context. The United States and Canada have clearly proven that a bilateral implementation is possible and ATIS has some ideas on a multi-lateral approach. The discussions are still at an early stage and we expect further engagement between the FCC, ATIS, CEPT member countries and the European Commission to explore how the STIR/SHAKEN model might be tailored for implementation in European domestic markets or on a pan-European basis. This will require careful consideration of the most appropriate governance framework for STIR/SHAKEN that would meet Europe's needs.

Is STIR/SHAKEN the magic bullet for CLI spoofing?

The CLI spoofing problem, like combatting email spam, is a game of cat and mouse. As service providers get better at identifying suspicious calls, the scammers will seek out innovative ways of countering this. There are other technologies being considered to combat CLI spoofing that could complement STIR/SHAKEN. Distributed ledger technology (or blockchain) is being tested in the UK. Another technology called SOLID is also being considered. Both provide a basis for CLI validation without the need for a centralised entity.

These technologies, whether used separately or in combination, provide much-needed intelligence to those who need it to combat CLI spoofing. They provide real tools and real data to use in the fight against scammers. When combined with crowd-sourced information from call blocking and spam reporting apps, they will make it easier for industry players, regulators and law enforcement to source, identify and prosecute those involved in fraudulent activity. This includes service providers who obtain certificates from the STIR/SHAKEN ecosystem and then fraudulently sign calls as being trusted.

In short, STIR/SHAKEN on its own may not be the magic bullet to solve the CLI spoofing problem, but it is one giant leap in the right direction.

Freddie McBride
Deputy Director
European Communications Office