The Ultimate Guide to STIR/SHAKEN: What You Need to Know to Avoid Spam Labels

Published on March 2, 2023

Robocalls have become a prevalent issue recently, with individuals receiving a significant number of unwanted calls every day. In the US alone, consumers receive an average of 4 billion robocalls per month. 

stir-shaken-guide-robocalls-statistics

The combination of robocalls and caller ID spoofing makes it challenging for individuals to identify and avoid unwanted or fraudulent calls. This allows criminals to carry out illegal activities such as scams.

To combat this problem, The Federal Communications Commission (FCC) has been promoting measures for STIR SHAKEN compliance to stop robocalls and caller ID spoofing since 2014. In response, the telecommunications industry has developed the STIR/SHAKEN framework and technical standards to address this issue.

Caller ID spoofing is a method used by fraudulent callers to disguise their phone numbers and make it appear as if the call originated from a trustworthy source, necessitating STIR SHAKEN compliance. 

What does STIR/SHAKEN mean?

STIR (Secure Telephony Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) are two standards that work together for STIR SHAKEN compliance to combat the problem of robocalls and caller ID spoofing.

Secure Telephony Identity Revisited (STIR)

STIR is an authentication protocol that creates a digital certificate to verify the caller’s identity. This certificate, as a token, is then attached to the call. The certificate serves as a way to confirm that the phone number displayed on the caller ID is linked to the entity making the call. It establishes a secure caller identity. 

Signature-based Handling of Asserted information using toKENs (SHAKEN)

SHAKEN is the implementation of STIR used to validate the token and certificate on the recipient’s end. 

It includes technical standards for 

✅ Creating the digital certificate

✅ Attaching the token to the call, and 

✅ Checking the token’s validity. 

Together, STIR and SHAKEN ensure the authenticity of the caller ID information. This reduces fraudulent robocalls and provides a higher level of security for consumers.

What are the benefits of the STIR/SHAKEN framework?

stir-shaken-guide-caller-id-display
Comparison of how your Caller ID displays on your contact’s phone screen with and without STIR/SHAKEN enabled

Implementing STIR/SHAKEN compliance can provide several advantages for you, such as:

  • Increased trust: Implementing STIR/SHAKEN technology builds trust with your contacts by giving them a higher level of assurance that the calls they receive are not fraudulent.
  • An increased answer rate: A ‘Verified’ sign associated with your caller ID increases the chances of contacts answering your calls.
  • Reputation protection: Authenticating your calls with STIR/SHAKEN makes them less likely to be blocked or marked as spam by the recipient’s phone. This protects your reputation as an organization.
  • Compliance with regulations: STIR/SHAKEN can help you meet regulatory requirements related to robocalls and caller ID spoofing. This enables you to avoid potential fines or penalties.
  • Cost saving: Implementing STIR/SHAKEN technology can help you save money spent on making calls getting marked as ‘spam’. 

Let us assist you with registering for STIR/SHAKEN. Enable it now. 

How does STIR/SHAKEN compliance work?

STIR/SHAKEN verifies the authenticity of a caller’s phone number using digital certificates and encryption.

stir-shaken-guide-process
STIR/SHAKEN framework

When a call is made, the originating telephone service provider (TSP) applies a digital signature to the caller’s phone number, which is sent along with the call to the receiving TSP. The receiving TSP uses a public key to validate the signature and confirm the authenticity of the caller’s phone number. The call is authenticated if the signature is valid and the caller ID is displayed to the recipient. If the signature is invalid or missing, the call is flagged as potentially fraudulent, and the caller ID is not displayed.

STIR/SHAKEN compliance also works in tandem with the database of phone numbers that should not be used for telemarketing or other unwanted call types.

A typical STIR/SHAKEN workflow involves several steps when a call is made and received. However, the entire process takes only seconds, and there are no significant delays in connecting the call.

Here is a general overview of the process:

  1. The caller places a call.
  2. Caller’s carrier generates a digital certificate: The caller’s carrier generates a digital certificate that verifies the caller’s identity. This certificate includes information such as the caller’s phone number, name, and a digital signature.
  3. Caller’s carrier attaches the certificate to the call: The caller’s carrier attaches the digital certificate to the call in the form of a token. The token is sent along with the call as it travels through the phone network.
  4. Recipient’s carrier retrieves the token: When the call reaches the recipient’s carrier, it retrieves the token from the call.
  5. Recipient’s carrier validates the certificate: The recipient’s carrier checks the token against its own database of legitimate certificates to ensure that it is valid. 
  6. Call is forwarded or blocked: If the certificate is valid, it means that the caller ID information is authentic, and the recipient’s carrier can forward the call to the recipient’s phone. If the certificate is not valid, the recipient’s carrier can block the call or mark it as spam.
  7. Caller ID displayed on recipient’s phone: If the call is forwarded, the recipient’s phone will display the caller’s name and phone number on the screen, as well as the validation status of the certificate.
Please note that the technical implementation may vary depending on the phone companies, but the goal is to create a certificate that verifies and validates the caller’s identity.

STIR/SHAKEN attestation levels

In the STIR/SHAKEN framework, there are several levels of attestation that indicate the degree of authenticity of the caller ID information. These attestation levels are based on the level of validation that is performed on the digital certificate. 

Here are the different attestation levels used in the STIR/SHAKEN framework:

stir-shaken-guide-full-attestation
stir-shaken-guide-partial-attestation
stir-shaken-guide-gateway-attestation
Comparison of attestation levels
  1. [A] Full attestation: The carrier identifies the caller and verifies that the caller is authorized to use the phone number as the caller ID for outgoing robocalls.
  2. [B] Partial attestation: The carrier confirms the identity of the caller, but it is uncertain if they are authorized to use the phone number as the caller ID for outgoing robocalls.
  3. [C] Gateway attestation: When the carrier is unable to confirm the attestation as level A or B, it’s set as level C. This is typically used for calls made to international numbers.

The attestation levels do not necessarily indicate the trustworthiness of a call. Additional analysis will continue to determine if a call is unwanted, a scam, or illegal, regardless of its attestation level. 

What will happen if you don’t do anything about STIR/SHAKEN compliance?

Without the ability to authenticate your caller ID, you may see lower answer rates and increased complaints from your contacts. Additionally, it may also have an impact on your organization’s reputation, as your contacts may see you as untrustworthy.

How to implement STIR/SHAKEN

Organizations can seek assistance from their calling software provider to guide them through the process and ensure that it is done correctly.

As a Call Center Software, CallHub can enable STIR/SHAKEN for you. 

All you need to do is fill a form to register for STIR/SHAKEN. You will find this form within the CallHub dashboard. The details will be sent to the carrier and after the successful verification, STIR/SHAKEN will be enabled for you.

Create a free account now to get started.

STIR/SHAKEN compliance legislation

STIR/SHAKEN is a set of technical standards that have been adopted by the Federal Communications Commission (FCC) in the United States and by the Canadian Radio-television and Telecommunications Commission (CRTC) in Canada.

If you use robocalls, you may be subject to a number of legal requirements and governmental regulations related to the use of STIR/SHAKEN. 

Here are some examples:

  1. FCC’s TRACED Act: In the United States, the Federal Communications Commission (FCC) has issued a mandate that all telecom/voice service providers must implement the STIR/SHAKEN framework, as part of the TRACED Act. 
  2. TCPA (Telephone Consumer Protection Act): In the United States, the TCPA is a federal law that regulates telemarketing calls, including robocalls. Organizations that use robocalls must comply with the TCPA’s requirements. This includes obtaining prior express written consent from consumers before making robocalls, and providing a way for consumers to opt-out of receiving robocalls.
  3. CRTC’s regulations: The Canadian Radio-television and Telecommunications Commission (CRTC) has recommended service providers to implement STIR/SHAKEN, but it is not mandating the implementation. 
  4. Other regulations: In addition to the regulations of the FCC and CRTC, there may be other regulations or laws in different countries that organizations must comply with when using robocalls.

SHAKEN/STIR and CallHub

Using CallHub to make calls can make it easier for you to comply with STIR/SHAKEN as CallHub has set up the option for its users to turn on STIR/SHAKEN on their accounts. CallHub implemented STIR/SHAKEN in its network in 2021; and now, hundreds of customers are using it to authenticate their caller IDs and improve answer rates.

The process includes providing a few details about your organization for STIR/SHAKEN compliance to the carrier. Once submitted, the carrier will verify it and assign an attestation level to your account. See how to enable STIR/SHAKEN on CallHub and what details you need to share. 

Frequently asked questions about STIR/SHAKEN compliance

Are there any costs associated with implementing STIR/SHAKEN?

No, STIR/SHAKEN implementation is free of cost.
How long does it take to implement STIR/SHAKEN?

STIR/SHAKEN implementation takes 1-2 days. In exceptional situations, when carriers have a high number of requests, it may take up to 4 working days.
Are there any alternative solutions to STIR/SHAKEN?

There are no alternatives for STIR/SHAKEN.
Can we assign CNAM to toll-free numbers? 

Yes, it’s possible to assign Caller Name and Number (CNAM) to Toll-Free Numbers, as long as the name is no longer than 15 characters. The name should start with letters and can include letters, numbers, commas, and spaces.
CallHub allows its users to register for CNAM when setting up STIR/SHAKEN for US numbers. However, this service is not guaranteed for Canadian numbers as the carriers don’t support this function on their networks.
What is call authentication?

Call Authentication is the process of verifying the identity of the caller and ensuring that the caller ID information displayed on the recipient’s phone is accurate. 
What is attestation?

Attestation refers to the process of verifying the identity of the calling party and the authenticity of the calling number. It is used to ensure that the caller ID displayed on a call is coming from a legitimate source and has not been spoofed.
What type of calls does SHAKEN/STIR address?

STIR/SHAKEN only applies to calls that are transmitted via the public switched telephone network (PSTN) and not to calls that are made through internet-based communication services such as VoIP, instant messaging, or social media.
Does STIR/SHAKEN apply to SMS/texts?

Yes, STIR/SHAKEN applies to SMS/texts.

Featured image: Photo by Kampus Production