There’s a compelling reason why the Federal Communication Commission’s (FCC) STIR/SHAKEN was so desperately called for before its eventual implementation on June 30th, 2021. America has a nasty robocalling problem to the tune of roughly 4 to 5 billion fraudulent robocalls every month (as of 2021).  And attacks are growing more ferocious.

STIR/SHAKEN was designed amid a shifting fraud landscape. Fraudsters aren’t trying to skim money off the back of telecom transactions anymore; today, it’s about harvesting personal and financial data. Enter the ‘Robocall Big Bang,’ where attackers around the world are exploiting vulnerabilities in current technologies to target end users directly. 

Regulators know this, hence STIR/SHAKEN, a suite of technical protocol and governance framework standards meant to clamp down on robocalls, most of which carry a spoofed Calling Line Identification (CLI), or Caller ID. This is how fraudsters make U.S customers believe they’re receiving a call from someone in the U.S. when they’re not. Given that the carrier originating the call is supposed to ‘sign’ and verify each call as legitimate, STIR/SHAKEN was supposed to bring confidence to end-users and terminating carriers (the final destination of the call — in this case, the U.S.) when they verify an incoming Caller ID received on an IP network.  

It’s nice in theory, but BICS FraudGuard revealed a 65% increase in the volume of attacks to U.S. subscribers between November 2021 and February 2022. 

So, what’s the problem, and how do we fix it?

Call traffic isn’t a straight line: The problem with STIR/SHAKEN

At the heart of STIR/SHAKEN’s shortcomings is a misunderstanding of how international voice traffic works.

International call traffic isn’t a straight line. Rarely does a call travel directly from an operator in a country or to a mobile network operator in the U.S. There are many ‘hops’ in between: You might see traffic transiting between three or four carriers, but it’s not unusual to see as many as seven or eight separate connections between carriers as traffic makes its way across the globe. 

If an operator in Singapore erroneously certifies a U.S. CLI in a fraudulent call as genuine, and if numerous hops occur before the final U.S.-operator destination, then all the regulations imposing methods to certify that CLI — and thus the call — ultimately mean nothing. 

As soon as you have many intermediate parties in international traffic, you lose traceability. The signature of the CLI will only be passed onto different carriers in the chain if the call also transits through IP networks, which is not always the case. Worse, data protection laws and company policies often further prevent operators in the U.S. from tracing a call’s origin. And since foreign operators are unbound by FCC regulations, there’s little incentive to implement STIR/SHAKEN. 

Global adoption needed

In other words, STIR/SHAKEN forces international gateway providers to sign CLIs — and in costly ways — that they cannot conceivably know are genuine. All an international gateway provider in the middle can do is acknowledge the call was verified by an earlier operator (if the CLI signature is passed on in the SIP headers). Alternatively they can ascribe a ‘C-level attestation’ to the call (the lowest trust level), effectively confirming that they themselves haven’t manipulated an incoming call that originated from somewhere completely different. 

What is the value of this ‘attestation’? For American customers’ comfort and safety, not much.

A policy like STIR/SHAKEN can only work if applied to every other country sending calls with U.S. CLIs, which isn’t realistic. For all of America’s influence as a major geopolitical player, it could never impose its domestic regulation on operators in Japan, Zimbabwe, or Australia. Its governance framework is simply not designed for adapting to the international environment.

A quick look at the Robocall Index reveals that the year-on-year number of robocalls has dropped, but not enough to justify the tremendous costs incurred by international carriers for performing low-value, C-level attestations of calls. 

AI to combat fraud

Against the robocall plight, for regulation to be effective, we would need a global framework that applies equally to all international parties. But the complexity of this means it’s unlikely to occur anytime soon. 

Tools like analytics and machine learning (ML) can alleviate this and are already part of FCC regulations. Indeed, BICS runs a FraudGuard platform that sources intelligence from more than 900 service providers, then applies AI to detect and block incoming fraudulent calls and texts. In the last year, BICS has blocked millions of calls before they reached U.S operators and subscribers. 

Part of why AI works here is because the answer to combatting fraud is less ‘Know Your Customer’ than it is ‘Know Your Traffic,’ and in this respect, AI tracks traffic behaviors very well. But these tools cannot be relied on as a crutch. They need to be used with care to avoid blocking legitimate traffic and causing legal disputes between international carriers.  

Time to look for humbler solutions

Tracebacks, also supported by FCC regulation and led by the Industry Traceback Group (ITG), are an investigative process to root out the party responsible for originating fraudulent calls. Starting with the last carrier, the call is traced back through many carriers, bypassing confidentiality agreements and privacy legislations where possible to find the bad actors. Punishing robocallers must be part of our strategy, rather than punishing intermediate parties doing their best, but admittedly, this is a very lengthy process. 

Fortunately, there are humbler solutions. One involves providing greater clarity for international carriers on the North American Numbering Plan (NANPS) to ease differentiating ‘good’ traffic from ‘bad’ traffic (that is, which U.S. CLIs are allowed to generate traffic from overseas aside from roaming end users?). 

Operators typically assign enterprises operating abroad with numbers and ranges with which they can generate traffic from outside the U.S. — a call center serving American customers will often carry U.S. CLIs even if they originate from elsewhere. A list of these enterprise numbers could feasibly be shared with the international telecom community; any inbound number not on the list that doesn’t show human roaming behavior would be marked suspicious. 

New threats in a 5G world

Adopting more measures to combat fraud and security threats will only become more important in a 5G and Internet of Things (IoT) world. 

This transition will add complexity to the telecom ecosystem, inevitably creating more entry points and loopholes for fraudsters to exploit. A network is only ever as strong as its weakest link, so we will need to bring our A-game in fraud prevention and security protection as an international community.  This includes stricter audits of who we’re doing business with, especially if other parties are found to be originating spoofed calls. 

Fraud prevention never stands still. Fraudsters are constantly adapting and expanding geographically. There’s no single magical solution, but we have to recognize that we can never fully eradicate fraud. Protocols like STIR/SHAKEN are a starting point to protect the telecom ecosystem, but the challenge of international borders necessitates a truly global collaborative approach from the whole ecosystem, including national regulatory authorities and operators. 

Katia Gonzales is head of fraud prevention at BICS and Chair of the i3 Fraud Forum.