
Nearly 40% of the 5 billion monthly robocalls Americans receive are fraudulent. About five times each month, you receive an illegal robocall from a cybercriminal trying to steal your personal information and money.

Even worse?

Number spoofing, the criminal act of intentionally falsifying the phone number and name displayed on a victim’s caller ID screen, makes it look like these scam calls are from familiar, reputable businesses–even government agencies like the IRS. Spoofers, pretending to be employees of these companies, easily coerce unsuspecting individuals into revealing sensitive personal information like bank account data, social security numbers, passwords, and more.

The good news?

The FCC has developed, implemented, and recently amended STIR/SHAKEN caller identification and authentication protocols to combat phone number and caller ID spoofing.[*]

In this post, we define STIR/SHAKEN, explain how it works, and cover what it can and cannot do to protect you and your business from cybercriminals and identity theft.

 

What Is STIR/SHAKEN?

STIR/SHAKEN is a series of technical protocols and implementation procedures that verify the information displayed on your Caller ID when you receive an incoming call on IP networks.

STIR/SHAKEN is an FCC mandate whose main goal is to cut down on the number of fraudulent robocalls and so reduce incidents of identity theft and other VoIP security threats.

As a phone call moves through interconnected networks, STIR/SHAKEN protocols compare the name/number displayed on caller ID to stored carrier data and digital certificates, authenticating users and verifying that the person is who they say they are. Every carrier involved in processing a call–the initiating carrier, the terminating carrier, and any external carriers–validates the caller’s identity before forwarding the call to the next phase.


 

STIR

STIR, short for Secure Telephony Identity Revisited, is an IETF (Internet Engineering Task Force) working group that outlines the technical protocols required to create a digital signature for a VoIP phone call.

These digital signatures (sometimes called digital certificates) use SIP data to provide information about the caller's identity, the call origin, and the terminating carrier. STIR is primarily focused on identity authentication on end devices as a part of the call screening process.

STIR was developed by the Internet Engineering Task Force (IETF) in February 2018 and first published as RFC 8824, an update to previous robocall legislation.

 

SHAKEN

SHAKEN, short for Secure Handling of Asserted Information Using toKENs, is a framework that outlines and defines how service providers implement STIR technology to authenticate calls made/received over the IP network. SHAKEN focuses on the deployment and implementation process of STIR across carrier networks and service providers.

It was developed by the SIP Forum and the ATIS (Alliance for Telecommunications Industry Solutions) as a response to STIR.

 

How Does STIR/SHAKEN Work?


 

In simple terms, STIR/SHAKEN works by using standard cryptographic key infrastructure that allows service providers to authenticate and verify SIP phone call headers.

We stated above that STIR/SHAKEN relies on digital certificates and digital signatures to ensure that the person making the phone call is who they say they are.

But where do these certificates come from?

The 8 steps below, illustrated in the accompanying image, outline the entire STIR/SHAKEN authentication protocol.

 

Step 1: Receiving the SIP Invite and Assigning the Attestation Level

First, the VoIP provider examines the phone number the person initiating the call (we’ll call him Dave) is calling from.

The originating provider also receives a SIP Invite, essentially an “invitation” to assist in verifying and sending the call forward.

Before anything else happens, the initiating service provider needs to assign an Attestation Level to the call source.

 

Step 2: The Attestation Level is Assigned

Full Attestation (Level A) means the service provider verifies that Dave is allowed to use the number he is calling from.

Partial Attestation (Level B) means that Dave’s provider can verify the call origination point, but can’t verify if Dave is authorized to make calls from the number.

Gateway Attestation (Level C) means Dave’s provider verifies where the call was received from, but can’t verify the source of the call.

Once the Attestation Level is assigned, things can move forward.

 

Step 3: The Initial Service Provider Creates a SIP Identity Header

Dave’s VoIP provider examines all Dave’s related caller ID tags and connected phone numbers, verifying that “Dave” really is Dave.

As proof, the provider attaches an encrypted digital certificate of authentication to the SIP Header.

The SIP Header contains key information like the caller and recipient’s phone numbers, the current timestamp, the attestation level, and the origination identifier.

 

Step 4: The Terminating Service Provider Receives the SIP Header

The receiving service provider decrypts that certificate, reads all the data in the SIP Header, and “learns” that the phone number does indeed belong to Dave -- according to the originating service provider, that is.

 

Step 5: The SIP Invite and SIP Header Are Sent for Verification

To be sure, the terminating provider sends that SIP header to a Verification Service.

 

Step 6: The Verification Service Runs Its Own Tests

Once received, the Verification Service examines the digital certificate and runs it through additional databases, including known spam databases and certificate repositories from other service providers.

 

Step 7: The Verification Service Returns SIP Header to the Terminating Provider

Once the Verification Service authenticates the SIP Header via public keys and the public certificate repository, things move forward.

 

Step 8: The Intended Recipient Receives the Call

Once Dave’s identity is completely verified and authenticated according to STIR/SHAKEN standards, the call is sent to the intended recipient.

 

To summarize:

  1. The provider initiating the call receives a SIP Invite, which determines the level of attestation the call needs
  2. The provider sends that SIP Invite to an Authentication Service
  3. The Authentication Service sends the SIP Header, which includes digital signatures/certifications (called PASSporTs), back to the initial service provider
  4. The SIP Header, with relevant certificates attached, is sent to the Terminating Service Provider (the recipient of the call)
  5. The Terminating Service Provider sends that SIP Header to an additional Verification Service
  6. The Verification Service sends the SIP Header to a Certificate Repository that provides another level of verification by decoding the SIP Header data
  7. The Verification Service sends the SIP Header back to the terminating provider with information on whether or not the Caller ID is valid
  8. If valid, the terminating provider sends the call to the intended recipient
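
The claim checks a verification service applies to the PASSporT carried in the SIP Identity header (steps 4 to 7), as an added Python example that is not code from the original post or from any provider. The phone numbers, certificate URL, function names and 60-second freshness window are assumptions made for the example, and verifying the ES256 signature against the certificate at x5u is a separate step that is not shown.

```python
import base64
import json

MAX_AGE = 60  # seconds; freshness window assumed for this example

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def parse_identity(value):
    """Split an Identity header value into (JWT header, claims, params)."""
    token, *rest = [part.strip() for part in value.split(";")]
    head, body, _sig = token.split(".")  # signature check is not shown here
    params = dict(p.split("=", 1) for p in rest)
    return json.loads(unb64url(head)), json.loads(unb64url(body)), params

def check_claims(value, caller, callee, now):
    """Return a list of problems; an empty list means the claims line up."""
    try:
        head, claims, params = parse_identity(value)
        kind = (head.get("alg"), head.get("typ"), head.get("ppt"))
        orig, dest = claims["orig"]["tn"], claims["dest"]["tn"]
        iat = int(claims["iat"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return ["malformed Identity header"]
    problems = []
    if kind != ("ES256", "passport", "shaken"):
        problems.append("not an ES256 SHAKEN PASSporT")
    if params.get("info", "").strip("<>") != head.get("x5u"):
        problems.append("info parameter and x5u differ")
    if claims.get("attest") not in ("A", "B", "C"):
        problems.append("unknown attestation level")
    if orig != caller:  # signed number vs. the number shown on caller ID
        problems.append("orig does not match caller ID")
    if callee not in dest:
        problems.append("dest does not include called number")
    if abs(now - iat) > MAX_AGE:  # old tokens may be replays
        problems.append("iat outside freshness window")
    return problems

def sample_identity(attest="A", iat=1700000000, orig="12025550100"):
    """Constructed sample; the signature part is a placeholder, not real."""
    head = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
            "x5u": "https://cert.example.test/sp.pem"}
    claims = {"attest": attest, "dest": {"tn": ["12025550199"]}, "iat": iat,
              "orig": {"tn": orig}, "origid": "00000000-0000-4000-8000-000000000000"}
    token = ".".join(b64url(json.dumps(p).encode()) for p in (head, claims))
    return f"{token}.{b64url(b'placeholder')};info=<{head['x5u']}>;alg=ES256;ppt=shaken"
```

A call whose displayed number differs from the signed `orig` claim, or whose `iat` is older than the freshness window, comes back with a non-empty problem list even if the attestation level is A.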

 

Why Is STIR/SHAKEN Important?

While the process of understanding how STIR/SHAKEN works and what it actually does is a bit complicated, the most important thing to remember is that this extra level of protection offers some major benefits to your business.


 

STIR/SHAKEN is important because it offers:

 

Spam Protection

Think your team knows better than to answer calls from unidentified, unfamiliar, or outright spam phone numbers?

Think again.

Businesses and consumers lost an astounding $10 billion to robocall scammers in 2023–a 14% increase from 2022. [*] Scammed consumers lost an average of $2,300 in 2023–an over 500% increase from the amount lost in 2022.[*] Roughly 28% of all unknown calls are spam or fraud–up from 24% in 2022.

Translation?

Spoofed and fraudulent calls are costing American consumers more time and more money than before–and businesses can’t keep up with the latest scams.

Using a VoIP software provider that implements STIR/SHAKEN protocols significantly lowers your chances of receiving these dangerous calls. Remember, it just takes one employee to reveal passwords to the kind of sensitive data that could lead to millions of dollars in lawsuits.

 

Robocall Reduction

Robocalls are relentless, incredibly annoying, and often get in the way of office productivity–even if they’re trying to sell you a legitimate product or service.

Businesses and consumers lose roughly 227 million hours per year to spam calls, with each spam call costing you roughly 3 minutes and 12 seconds of lost productivity[*].

Worse, scammers and disreputable companies are now spamming consumers with robotexts. In the first half of 2023 alone, consumers received 78 billion robotexts (up 18% from 2022) costing them around $13 billion.[*]

STIR/SHAKEN helps you to get that time–and lost revenue–back, while offering protection against new spam and scam trends like robotexting.

 

A Protected Reputation

STIR/SHAKEN doesn’t just help to cut down on the number of robocalls and potential scammers your business comes into contact with. It also protects your business reputation by significantly lowering the chances that your business telephone number will be stolen and used by these same number spoofers.

If these scammers get a hold of your company’s phone number and start using it to make illegal robocalls, customers will lose trust in your business. They won’t feel like you can keep their sensitive data secure, and many will take their business elsewhere.

And even if they don’t?

You’ll still be forced to change your business phone number, meaning lost leads, lost customers, and lost revenue.

STIR/SHAKEN helps to keep your business in good standing by ensuring your personal or business numbers don’t fall into the wrong hands.

 

What STIR/SHAKEN Can and Can’t Do

STIR/SHAKEN is an effective way to fight robocalls and hackers, but it doesn’t guarantee that you’ll never receive a call from a spoofed number.

Note that while STIR/SHAKEN can identify previous robocall numbers, validate phone numbers, and make it much harder for spoofers to successfully steal information from you, it can’t entirely eliminate robocalls, legally punish number spoofers, or guarantee that a robocall is unwanted spam or has malicious intent like identity theft.

Although STIR/SHAKEN and other security measures can’t completely eliminate the threat of hackers, VoIP providers today offer excellent network security and monitoring tools that greatly reduce the risk of cybercrimes.

Our in-depth reviews of the top business VoIP providers offer an overview of platforms like Nextiva, RingCentral, and Vonage, all of which have taken VoIP security to the next level.

 

FAQs

Below, we’ve answered some of the most common questions about STIR/SHAKEN.