STIR/SHAKEN Compliance: Ensuring Your VoIP System Meets New Standards

In 2019, the U.S. had a robocalling epidemic. Close to 50 billion robocalls were estimated to have been placed in the country that year. Understandably, people were reluctant to take any call from even a slightly suspicious caller ID. To combat this problem, a new class of security standards called STIR/SHAKEN was devised, and the FCC (Federal Communications Commission) required all providers to implement these standards in their services by mid-2021. However, that was only the beginning of the story. Here’s what you need to know about STIR/SHAKEN and how your company may be affected by it.

What Is STIR/SHAKEN

STIR and SHAKEN are a pair of security standards for voice-over-IP (VoIP) and telephone providers. They add digital records to each call made through the service and allow the receiving service provider to control whether the call goes through to the intended party.

STIR

STIR—short for Secure Telephony Identification Revisited—adds a digital footprint or token to every call invite made by the service provider that implemented the standard.

The token is provided alongside the encryption key from an independent Certificate Authority (CA). The CA provides the public and private keys for token encryption, similar to those used in traditional IP signals.

When the call invite reaches the receiving service provider, the digital information surrounding the token is stripped from it and decrypted. The receiving service provider checks the token against a known base of certificates to confirm whether the originating service provider is eligible to make calls from the calling number.

Based on the information gathered, the call invite receives an attestation level. STIR/SHAKEN use a shared attestation grading system:

  • Attestation level A means that the caller’s ID has been verified in the certificate repository and the originating provider is authorized to use the ID.
  • Attestation level B means that the originating caller ID is present in the system or known, but its legitimacy is uncertain or additional information about it is missing from the certificate repository.
  • Attestation level C means that the caller ID hasn’t been verified, likely due to passing through another gateway or intermediary between the originating and receiving service providers.

In simpler terms, a call with attestation level A is almost certainly using a legitimate caller ID and can be trusted to actually come from the person or company that the caller ID claims to be. On the other hand, a call with attestation level C is more likely to be using a spoofed (faked) caller ID, whether unintentionally or maliciously.

SHAKEN

On the other end of the call invite, SHAKEN—Signature-based Handling of Asserted Information using toKENs (yes, it’s a bit of a mess)—provides the receiving party or receiving service provider more control over whether to accept a call invite based on the decryption and verification process initiated in STIR.

As mentioned, the SHAKEN protocol uses the same grading system for attestation levels as STIR. Then, the service provider creates a call invite handling network or system based on the incoming attestation levels.

The extent of customization for how service providers handle the call can vary, but there are usually three results:

  • Accepting: the call invite goes through to the receiving party.
  • Blocking: the call invite is rejected, and the receiving party doesn’t receive a call at all.
  • Labeling: the call invite goes through, but the receiving service provider appends additional information or a warning to the receiving party.

The call handling is typically aligned with the attestation level. Call invites with attestation level A are accepted, and call invites with attestation level B are labeled as such. Call invites with attestation level C may be blocked or labeled depending on the provider.
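The sketch below is an added example, not code from any provider or from the standards bodies. It assumes the token is a PASSporT (the signed JSON Web Token of RFC 8225) carried in the SIP Identity header, and shows how a receiving provider might read the attestation level from it and map that level to accept, label, or block. The function names, phone numbers, certificate URL, and the 60-second freshness window are assumptions for illustration, and signature verification is deliberately left out.

```python
import base64, json

FRESHNESS_SECONDS = 60  # assumption: maximum accepted age of the "iat" claim

def b64url_json(part):
    """Decode one base64url token segment (padding restored) into a dict."""
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def b64url(obj):
    """Encode a dict as an unpadded base64url segment (builds the sample)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def attestation(identity_header, from_tn, to_tn, now):
    """Return 'A', 'B' or 'C' if the token's claims are consistent, else None.
    The signature and certificate chain must be verified before these claims
    are trusted; that step needs an ECDSA library and is omitted here."""
    try:
        token = identity_header.split(";", 1)[0].strip()
        head_b64, body_b64, _sig = token.split(".")
        head, body = b64url_json(head_b64), b64url_json(body_b64)
        ok = (head.get("alg") == "ES256" and head.get("ppt") == "shaken"
              and head.get("x5u", "").startswith("https://")
              and abs(now - body["iat"]) <= FRESHNESS_SECONDS  # replay guard
              and body["orig"]["tn"] == from_tn   # caller ID matches the invite
              and to_tn in body["dest"]["tn"]     # token was issued for this call
              and body["attest"] in ("A", "B", "C"))
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed header, bad base64/JSON, or missing claim
    return body["attest"] if ok else None

def handle_call(level, level_c_action="block"):
    """Map an attestation level to the three outcomes the article lists.
    Assumption: a missing or unusable token is handled like level C."""
    return {"A": "accept", "B": "label"}.get(level, level_c_action)

# Constructed sample data; the signature segment "c2ln" is a placeholder.
SAMPLE_HEAD = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
               "x5u": "https://cert.example.org/sp.pem"}

def sample_identity(attest, iat):
    body = {"attest": attest, "dest": {"tn": ["12155550101"]}, "iat": iat,
            "orig": {"tn": "12155550100"}, "origid": "constructed-origid"}
    return (b64url(SAMPLE_HEAD) + "." + b64url(body)
            + ".c2ln;info=<https://cert.example.org/sp.pem>;alg=ES256;ppt=shaken")

if __name__ == "__main__":
    hdr = sample_identity("B", 1700000000)
    print(handle_call(attestation(hdr, "12155550100", "12155550101", 1700000030)))
```

A stale token or a caller ID that does not match the `orig` claim returns `None`, so a replayed or re-pointed token falls through to the level C policy instead of inheriting the original attestation.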

Implementation of STIR/SHAKEN

Due to the growing urgency of the robocalling problem in the U.S. and Canada, the FCC has tried to expedite implementing the service across the country.

However, the process didn’t go as smoothly as expected. The original deadline for all providers was June 30, 2021. This has been pushed back repeatedly, with providers given various grace periods.

In the most recent news, the FCC has mandated that all small VoIP providers implement the standards by June 2023. Intermediate and gateway providers needed to implement the standard by December 31, 2023.

How This Affects Providers

While providers implemented the policies and standards laid out by STIR/SHAKEN at various times, they also had some control over the final call handling procedures from SHAKEN.

In most cases, receiving providers opt to completely block call invites with attestation level C (if the originating provider even uses it) and label attestation level B invites as potential spam.

Due to the uncertainty in how the originating provider routes and verifies calls, there’s no guarantee that a call invite sent one day with attestation level A won’t receive a lower attestation level on another day due to roundabout gateway routing. However, once a caller ID receives the designation of a lower attestation level, it’s likely to stick for a few months.

This can make it difficult for companies who have legitimate needs to contact customers with robocalls (such as pharmacies or medical practitioners providing receipt information). Once the caller ID gets “tainted” with a lower attestation level, your customer’s provider may completely block the call from going through.

What You Can Do to Ensure Your Calls Go Through

Providers can track a few statistics about calls to determine how to assign attestation levels to a caller ID. These are mainly CPS (calls per second) and ALOC (average length per call). A low length per call can have a drastic effect on how your call invites are processed. Some providers recommend that calls using human callers shouldn’t last less than 30 seconds.

That means that customer engagement and training protocols are the name of the game. However, these need to be bolstered by state-of-the-art VoIP providers who partner with gateways that already use STIR/SHAKEN standards to avoid misflagging attestation levels.

If you’re interested in upgrading your network or updating your call security and robocall handling standards and live in the Bloomington, Minneapolis, and St. Paul areas, contact Definitive Technology Solutions. Our technicians will provide a step-by-step overview and advice on upgrading your existing telephone and VoIP service or implementing a new framework you can use to breathe new life into an old system.