PINDROP BLOG

Measuring STIR/SHAKEN Attestations Against ANI Validation

October 2021 Data Report: Measuring S/S Attestations against VeriCall® Technology's ANI Validation

Summary of Key Findings

Next Caller, a Pindrop® Company, reviewed the analyses conducted of SIP Header information by its VeriCall® Technology of approximately 109.5 million telephone calls from April 2021 through September 2021, finding that:

  • A significant majority (64%-76% each month) of calls had no attestation by a carrier; 
  • Approximately 48.4 million calls without an attestation were scored “Green” and indicated for step-down authentication by VeriCall Technology; 
  • Nearly 300,000 calls with an Attestation C were scored “Green” and indicated for step-down authentication by VeriCall Technology;
  • Over 117,000 calls with an Attestation A still posed a spoofing risk and were scored “Red” by VeriCall Technology.

VeriCall Technology and STIR/SHAKEN Attestations

  • Next Caller’s team of data scientists and telephony experts regularly tests the accuracy of VeriCall Technology scores. The validation performed uses machine learning, lab testing, and client feedback.
  • Each carrier has the ability to define which calls receive Attestation A, B, or C. Next Caller studies carrier-specific attestations to develop insights that can factor into our risk analysis. VeriCall Technology can leverage this proprietary analysis in its scoring model.
  • Implementing STIR/SHAKEN does not have to be a complex and dynamic challenge. At Next Caller, we have experience working with carriers to increase full attestation header availability in order to deliver insights to our customers. We can help your organization leverage the information delivered within each carrier attestation.
  • Next Caller has analyzed the metadata of over 2.2 billion calls for our enterprise customers.

INTRODUCTION

Beginning on June 30, 2021, the FCC mandated that voice service providers implement STIR/SHAKEN requirements, including the issuance of Attestations to telephone calls that originate on their network. In April 2020, several months prior to that implementation deadline, Next Caller, a Pindrop® Company, started tracking the attestation data that was being delivered by certain carriers to our customers. Next Caller analyzed attestation data to assess whether STIR/SHAKEN attestations provided useful insights beyond the enterprise-grade call risk scoring engine provided by VeriCall® Technology (“VeriCall”), an API-based ANI Validation and Spoof Detection service.

Using approximately six (6) months of attestation data from approximately 35 million calls that had also been processed by VeriCall Technology, Next Caller created a preliminary case study to share some of our observations, including: 

ATTESTATION (UN)AVAILABILITY

From April 2021 through September 2021, Next Caller reviewed the analyses conducted of SIP Header information by its VeriCall Technology of approximately 109.5 million telephone calls from over 500 originating carriers, including major voice service providers. Interestingly, one of Next Caller’s first observations was that, despite FCC mandates, a significant majority (64%-76%) of these calls had no attestation by a carrier at all. 

Figure 1 below shows that the rate of availability grew from approximately 24% in April (pre-mandated implementation) to about 36% as of the June 30th implementation deadline; however, through September 30th, the rate of Attestations delivered remained only at approximately 36%. This plateau is concerning, and could be a signal that wide-scale and meaningful implementation of STIR/SHAKEN Attestations is still a long way off. Meanwhile, approximately 48.4 million calls that were missing an Attestation were scored “Green” and indicated for step-down authentication by VeriCall Technology.

Figure 1

Attestation (In)Efficacy 

One of the goals of implementing STIR/SHAKEN standards is to help voice service providers identify calls with spoofed caller ID information.1 It is not necessarily intended to stabilize or secure authentication in the contact center. The Attestation framework is limited in its ability to assess call risk or provide meaningful guidance needed for the multitude of call types that reach a contact center. Are all Attestation A calls safe to ANI Match? Are all Attestation C calls too risky to authenticate without an agent? These questions are important when considering how to create a passive, secure, and customer-friendly authentication process for your customers. Unfortunately, the STIR/SHAKEN data that we reviewed did not provide clear answers. 
1FCC (June 30, 2021). STIR/SHAKEN Broadly Implemented Starting Today” [Press Release]. https://docs.fcc.gov/public/attachments/DOC-373714A1.pdf.

STIR/SHAKEN Attestations and VeriCall Risk Scores

In order to help our customers augment and underpin the value of STIR/SHAKEN attestations, Next Caller has explored the relationship between Attestation ratings and VeriCall risk scoring. By identifying correlations, our team can design a cooperative system that leverages the two differing methodologies and help strengthen the ANI Validation process overall for our customers. 

Let’s consider what we’d expect to find when we compare attestations to VeriCall risk scores. Because both scoring systems aim to assess whether a call came from the device that owned the phone number, it could be expected that Attestation A calls would also be VeriCall Green scored calls. Likewise, Attestation C calls would be expected to correlate to VeriCall Red scored calls. 

However, our analysis uncovered some surprising results: 

 

Attestation A

During the 6 month period, over 117,000 calls with a SIP Header that contained an Attestation A (which indicates that the caller ID was verified by the originating provider) still posed a spoofing risk. In other words, the carriers “signed” calls with Attestations A were indicated “Red” by VeriCall Technology because the call originated from a device that may not own the number showing on the caller ID. Calls can be scored Red for a variety of reasons, but commonly the designation is given to spoofed calls, or when a number has been recently ported.2

Our finding that some spoofed calls were delivered with an Attestation A raises concern about the efficacy of using STIR/SHAKEN attestations alone to authenticate in an ANI match process. Despite the presence of calls scored Red in the Attestation A group, the statistical variance between the two was relatively low when compared to the relationship between Attestation C calls and VeriCall scoring. 

Attestation C

Similarly, the prediction that Attestation C calls would closely align with VeriCall Red scored calls did not hold true. We observed that Attestation C calls received a disproportionately wider range of VeriCall scores compared to the variation observed between VeriCall scores and Attestation A calls.

Our comparison of Attestation C calls to VeriCall scores in Figure 2 below revealed more volatile month to month discrepancies. Nearly 300,000 calls with a SIP Header that contained an Attestation C were authenticated “Green” by VeriCall Technology. Without VeriCall Technology, those calls may not have presented an opportunity for passive step-down authentication.

Figure 2

2Spoofing allows the caller to change the number shown on a caller ID. Criminals use spoofing to trick a business into assuming the call is coming from an existing customer. Number porting can allow a criminal to transfer an existing phone number to a different provider as part of an attempt to impersonate their victim or gain access to their information. 

Conclusion 

At this early stage of implementation, only a fraction of SIP Headers contain Attestations. Of those that are available, the information is likely not yet informative enough for a contact center’s call authentication process. These shortfalls may be attributable to the early phase of STIR/SHAKEN implementation and/or to the fact that the framework was not necessarily created as an authentication solution for contact centers. VeriCall Technology, on the other hand, uses a methodology that recognizes the nuances in call metadata to help determine risk and address the variety and complexity of factors associated with enterprise call traffic authentication.

Next Caller will continue to monitor Attestation data and communicate our observations in order to help address STIR/SHAKEN issues, answer questions, and assess implications of contact centers looking to meaningfully leverage STIR/SHAKEN Attestations in their call authentication process.