The Federal Communications Commission (FCC), the US comms regulator, has announced its support for the SHAKEN/STIR method of using digital certificates to verify the originating number of a call. This follows soon after the FCC levied its largest ever penalty upon a Florida businessman who falsified the caller IDs of almost 100 million robocalls during a three-month period.
Adoption of the SHAKEN/STIR framework was recommended to the FCC by the North American Numbering Council (NANC). A recent NANC report also made recommendations about how to appoint a governance authority that will oversee the management of SHAKEN/STIR in practice. SHAKEN/STIR consists of a series of protocols and procedures for call authentication. The Secure Telephone Identity Revisited (STIR) protocols were defined by the Internet Engineering Task Force (IETF) whilst the Signature-based Handling of Asserted information using toKENs (SHAKEN) specifications were defined by the ATIS/SIP Forum IP-NNI Task Force. Put simply, SHAKEN/STIR involves the creation of digital certificates using well-understood public key cryptography techniques, and each telco obtains its certificate from a trusted certificate authority. A receiving party can then verify an originating number is accurate by checking the associated certificate. If the calling party has spoofed a number then they will be unable to provide a matching certificate. The SHAKEN/STIR approach relies on the use of Session Initiation Protocol (SIP) to perform authentication in real time.
Welcoming the report by NANC and the adoption of SHAKEN/STIR, FCC Chairman Ajit Pai said:
The NANC report represents a substantial step forward in ensuring that calls can be authenticated and verified. In addition to being a consumer-friendly solution, call authentication can help law enforcement catch scammers and help carriers identify illegal calls.
I look forward to seeing the industry take the next steps and acting on the NANC recommendations. I thank NANC Chairman Travis Kavulla and the NANC members for their contributions towards reducing the fraud and harassment that plague our networks.
The need to crack down on spoofed originating numbers has long been apparent in the USA, and earlier this year the FCC joined forces with the Federal Trade Commission by holding a joint policy forum on how to deal with frauds associated with robocalls.
A few days before the announcement on the adoption of SHAKEN/STIR, the FCC issued a USD120mn fine to Miami businessman Adrian Abramovich for what Americans refer to as ‘neighbor spoofing’. Abramovich repeatedly disguised automated marketing calls by manipulating area codes and the first three digits of phone numbers to make them appear as if they originated locally. Those receiving the robocalls would be played recorded messages offering to sell timeshares or holidays. In total, Abramovich’s firms were responsible for 96,758,223 calls during a single three-month period in 2016.
The FCC first proposed to fine Abramovich in mid-2017, but he appealed on the grounds that he intended no harm, and that the penalty was unconstitutional. Ultimately his appeal proved unsuccessful.
Commenting on Abramovich’s fine, FCC Chairman Pai observed that: “consumer complaints about neighbor spoofing have more than doubled in the first few months of this year.”