More than a year after FCC’s STIR/SHAKEN, America still has a massive robocall problem

There’s a compelling reason why STIR/SHAKEN was so desperately requested by the Federal Communication Commission (FCC) ahead of its final implementation on June 30, 2021. America has a pesky robocalling problem worth about 4-5 billion fraudulent robocalls every month (from 2021). And attacks are getting more intense.

STIR/SHAKEN is designed in the midst of a changing fraud landscape. Fraudsters don’t try to skim more money off the back of telecom transactions; today it is all about collecting personal and financial data. Enter the ‘Robocall Big Bang’, where attackers around the world exploit vulnerabilities in current technologies to directly attack end users.

Regulators know this, hence STIR/SHAKEN, a set of technical protocol and governance framework standards designed to counter robocalls, most of which have falsified Calling Line Identification (CLI) or Caller ID. This is how fraudsters make US customers believe they are receiving a call from someone in the US when they are not. Since the carrier initiating the call is supposed to ‘sign’ and verify each call as legitimate, STIR/SHAKEN was supposed to instill confidence in end users and terminating carriers (the final destination of the call – in this case the US) when they receive a call. verify incoming caller ID received on an IP network.

It’s nice in theory, but BICS FraudGuard revealed a 65% increase in attacks on US subscribers between November 2021 and February 2022.

So, what is the problem and how do we solve it?

Calling traffic is not a straight line: the problem with STIR/SHAKEN

At the heart of STIR/SHAKEN’s shortcomings is a misunderstanding of how international voice traffic works.

International calling traffic is not a straight line. Rarely does a call go directly from an operator in a country or to a mobile network operator in the US. There are a lot of ‘hops’ in between: You may see traffic between three or four carriers, but it’s not uncommon to see as many as seven or eight separate connections between carriers as traffic makes its way around the world.

If an operator in Singapore erroneously certifies a US CLI as genuine in a fraudulent call, and if numerous hops occur before the US operator’s final destination, then any regulations imposing methods to detect that CLI – and thus the call – ultimately certify nothing.

As soon as you have many intermediaries in international traffic, you lose traceability. The signature of the CLI is only passed to different carriers in the chain if the call also goes through IP networks, which is not always the case. Even worse, data protection laws and company policies often prevent US operators from identifying the origin of a call. And since foreign operators are not bound by FCC regulations, there is little incentive to implement STIR/SHAKEN.

Need worldwide adoption

In other words, STIR/SHAKEN forces international gateway providers to sign CLIs – and in costly ways – that they can’t know are real. All an international gateway provider can do in the middle is confirm that the call was authenticated by a previous operator (if the CLI signature is passed in the SIP headers). Alternatively, they can assign a ‘C-level attestation’ to the call (the lowest level of trust), essentially confirming that they themselves have not manipulated an incoming call from a completely different place.

What is the value of this ‘certificate’? For the comfort and safety of US customers, not much.

A policy like STIR/SHAKEN can only work if it is applied to every other country that sends calls using US CLIs, which is not realistic. Despite all of America’s influence as a major geopolitical player, it could never impose its domestic regulations on operators in Japan, Zimbabwe or Australia. The governance framework is simply not designed to adapt to the international environment.

A quick look at the Robocall index reveals that the number of robocalls has fallen year-over-year, but not enough to justify the enormous costs international carriers incur for running low-value, C-level attestations of calls.

AI to fight fraud

Against the robocall situation: for regulation to be effective, we need a global framework that applies equally to all international parties. But the complexity of this means it’s unlikely to happen anytime soon.

Tools such as analytics and machine learning (ML) can alleviate this and are already part of FCC regulations. Indeed, BICS has a FraudGuard platform that collects information from over 900 service providers and then applies AI to detect and block incoming fraudulent calls and text messages. In the past year, BICS has blocked millions of calls before reaching US operators and subscribers.

Part of why AI works here is because the anti-fraud response is less ‘Know your customer’ than ‘Know your traffic’, and in this regard AI tracks traffic behavior very well. But these aids cannot be relied upon as a crutch. They must be used with care to avoid blocking legitimate traffic and creating legal disputes between international airlines.

Time to look for humbler solutions

Tracebacks, also backed by FCC regulations and led by the Industry Traceback Group (ITG), are an investigative process to eradicate the party responsible for initiating fraudulent calls. Starting with the last carrier, the conversation is traced through many carriers, bypassing confidentiality agreements and privacy laws where possible to find the bad actors. Punishing robocallers should be part of our strategy, rather than punishing intermediaries who do their best, but admittedly this is a very lengthy process.

Fortunately, there are simpler solutions. One entails that international airlines should provide greater clarity on the North American Numbering Plan (NANPS) to facilitate the distinction between “good” traffic and “bad” traffic (that is, which U.S. CLIs are allowed to generate traffic from abroad, apart from roaming end users?) .

Operators typically assign numbers and ranges to companies operating abroad that allow them to generate traffic from outside the US. A list of these company numbers could potentially be shared with the international telecom community; any incoming number that is not on the list and does not exhibit human roaming behavior will be marked as suspicious.

New Threats in a 5G World

Taking more action to fight fraud and security threats will only become more important in a world of 5G and Internet of Things (IoT).

This transition will make the telecom ecosystem more complex, inevitably creating more entry points and loopholes for fraudsters to exploit. A network is always only as strong as its weakest link, so as an international community we will have to bring our A-game in fraud prevention and security protection. This includes stricter controls on who we do business with, especially if other parties are found to be initiating false calls.

Fraud prevention never stands still. Fraudsters are constantly adapting and expanding geographically. There is no one magic solution, but we must recognize that we can never completely eradicate fraud. Protocols such as STIR/SHAKEN are a starting point to protect the telecom ecosystem, but the challenge of international borders requires a truly global collaborative approach from the entire ecosystem, including national regulators and operators.

Katia Gonzales is head of fraud prevention at BICS and chair of the i3 Fraud Forum.