Search
Close this search box.
Search
Close this search box.

STIR/SHAKEN

STIR (Secure Telephone Identity Revisited)

SHAKEN (Signature-based Handling of Asserted information using toKENS)

The STIR/SHAKEN (S/S) framework allows voice service providers to authenticate that the caller ID information transmitted with a particular call matches the caller’s number.

Upon widespread implementation, the hope is that S/S will help reduce illegal spoofing, allow law enforcement to identify bad actors more easily, and help voice service providers identify calls with illegally spoofed caller ID information before those calls reach their subscribers. However, S/S was not designed to be a silver bullet for seamless authentication in the contact center. Indeed, the FCC has encouraged the industry to develop and implement new caller ID authentication technology in addition to the actions taken by the FCC.

This Guide Discusses How To:

What are STIR/SHAKEN Attestations?

The originating voice service provider passes along one of three possible Attestations for each of its calls: Attestations A, B, or C. The terminating carrier can utilize this information (the Attestation assigned) to decide whether to complete or block a call.
Full Attestation A: When the Caller ID is verified as known by the originating provider
Partial Attestation B: When the user is known but the telephone number cannot be verified
Gateway Attestation C: When the provider can only identify the gateway through which the call originates

Limitations to STIR/SHAKEN

The S/S framework does not confirm the identity of the person making the call. Rather, it provides an Attestation level regarding how sure the originating provider is that the entity making the call is lawfully utilizing the telephone number displayed on the Caller ID. For its intended purpose of service provider call authentication, particularly for identifying unlawful robocalls, S/S is expected to be effective. However, additional call types not identified by S/S warrant identification and potentially blocking. As just one example, many forms of lawful robocalls may receive a Full Attestation (Attestation A) in the service provider community, but a contact center may want to block these types of calls.

Does Your Carrier Support S/S In Your Contact Center?

The FCC requires voice service providers either to implement S/S or obtain an extension and file a Robocall Mitigation Plan with the FCC protocols by June 30, 2021. As of September 28, 2021, providers will be precluded from terminating covered voice calls from providers not listed in the FCC’s Robocall Mitigation Database. 

Each carrier can also determine the format in which they present Attestation scores to your business. Some carriers may be summarizing the full S/S response into a ‘VERSTAT,’ which removes the encrypted details that can be used to interpret the reason a call received a particular Attestation. The code examples below show the difference between a truncated VERSTAT response and a full ID header. Our professional services team can work with your business to help determine whether your carriers are delivering the full ID header. Calls that are delivered with the full ID header provide more information that can be used in call-risk assessment and response related to S/S Attestations.
Full Identity Header Response: eyJhbGciOiJFUzI1NiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jZ J0LmV4YW1wbGUub3JnL3Bhc3Nwb3J0LmNlciJ9.eyJkZXN0Ijp7InVyaSI6WyJzaXA6YWxpY2VAZXhhbXBsZS5jb20iXX0sImlhdCI6IjE0NDMyMDgzNDUiLCJvcmlnIjp7InRuIjoiMTIxNTU1NTEyMTIifX0.rq3pjT1hoRwakEGjHCnWSwUnshd0-zJ6F1VOgFWSjHBr8Qjpjlk-cpFYpFYsojNCpTzO3QfPOlckGaS6hEck7w;info=<https://biloxi.example.org/biloxi.cert>
VERSTAT Shortened Response: <sip:[email protected]:5060;verstat=TN-Validation-Passed>

How VeriCall® Technology Leverages STIR/SHAKEN Attestations

VeriCall® Technology incorporates S/S Attestations into its algorithm, using the insights to enhance, corroborate, and improve its own proprietary call metadata analysis.
Layering VeriCall® Technology with S/S Attestations can also provide call risk analysis if/when S/S Attestations fall short. For example, some calls may arrive without a S/S Attestation at all. In other cases, the variety of call types into contact centers can challenge the ability of S/S Attestations to comprehensively assess call risk. For example, because each carrier is allowed to determine their own specific criteria for assigning an A, B, or C Attestation, VeriCall® Technology can help to mitigate Attestation-logic variance between carriers, or in relation to certain call types.

The Power of VeriCall® Technology + STIR/SHAKEN Attestations

VeriCall® Technology can enhance the usefulness of S/S Attestations by adding proprietary call analytics and telephony expertise to identify more Attestation A, B, and C calls for step-down authentication, and help to identify bad actors.

When S/S Attestations are inconclusive, or in the event of a S/S disruption, VeriCall® Technology can also help your business protect the passive authentication process and its related benefits to handle time, cost per call, and customer experience.

Integration Flow

A: Full Attestation

The Caller ID is verified as known by the originating provider.
“This is my customer. I gave them permission to present this number to your Caller ID. This call originated on my network.”

Attestation A: Have You Considered...

  • How your team will differentiate Attestation As from trusted providers versus unfamiliar providers?
  • Whether Attestations scores alone are capable of identifying other fraud attack vectors, or if any of the following scenarios may receive an A Attestation:
    • Forwarded calls
    • Robocalls originating from legitimately purchased numbers
    • Friendly fraud
    • Prepaid phones and VoIP calling apps
    • IPBPX exploits
    • SIM swapping, Boxing, or Porting
    • GSM Gateway hacking

Other Considerations...

  • What business rules will be used for each Attestation level and how to train agents on how to handle them?
  • Does your current telephony infrastructure allow you to pass Attestation scores to the IVR? 

  • How will you be aware of or notified when S/S keys are compromised at the carrier level?
  • How to validate calls if an Attestation is dropped by an intermediate carrier, or your carrier, when S/S is not fully implemented or when an Attestation cannot be provided on some calls?
  • Whether your SIP network gear removes the identity token by default?
  • If using a TDM (Non-IP) network, whether your process can transmit the identity token?
  • The issues that could arise if you are converting from UDP to TCP?

B: Partial Attestation

When the user is known but the telephone number cannot be verified.
“This is my customer. This call originated on my network. However, I cannot certify that they own this number.”

C: Gateway Attestation

When the provider can only identify the gateway through which the call originates.
“This call originated outside my network.”

Attestation B and C: Have You Considered...

  • Whether your business will treat all Attestation B and C calls as “bad,” and if so, what impact that may have on call handle time, customer service, and OPEX?
  • What percentage of Attestation B and Cs will be calls that originate from legitimate customers, and the related impact on their experience?
  • How to manage Attestations from carriers who determine that a broad subset of calls (like those that are simply forwarded), will be assigned a B or C?

Next Caller Can Help Your Business Maximize The Value of STIR/SHAKEN By:

Download Our Latest STIR/SHAKEN Report

Pindrop monitored over 260 million calls between April 2021 and June 2022, producing stunning insights that include how:
  • Only 35% of calls were delivered with any Attestation at all
  • Spoofed calls were given an Attestation A by carriers on numerous occasions
  • Hundreds of thousands of calls given an Attestation C were cleared for step-down authentication by PindropⓇ technology.