Q&A Series March 31, 2020 Authentication, Robocalls, SHAKEN/STIR, The PKI Guy’s Q&A Series

The PKI Guy examines how to end illegal robocalls with Chris Drake of iconectiv

by Mark B. Cooper

Q&A with Chris Drake, CTO of iconectiv

TPG: How big is the illegal robocall and caller ID spoofing problem?

CD: Currently over 75% of calls are left unanswered when they come from an unidentified or unfamiliar number. This is due to the spike in illegal robocalls. In October 2019, Americans were inundated with more than 2,000 robocalls every second, which is enough to put the annual total over 49 billion. In fact, illegal robocalls represented nearly half of all unwanted calls in 2019. VoIP technology advancements have allowed a massive number of phone calls to be initiated cheaply and enabled the calling party to select what appears on the caller ID. Given this, the situation has progressively gotten worse and people are not trusting that what they see on the caller ID is correct.

Now, people are no longer answering many of the calls they should be from schools, doctors, business associates, and others. People operate with the idea that if the caller leaves a message, they will return the call. This “new normal” is fraught with inefficiencies and frustration for consumers and businesses alike – and is compromising the way people communicate and conduct business.

TPG: In your words, how does the SHAKEN/STIR framework work?

CD: STIR (Secure Telephony Identity Revisited) is the protocol and SHAKEN (Signature-based Handling of Asserted information using toKENs) is a framework of specifications and governance that uses cryptographic signatures for each call so that service providers can verify calling number information between networks. This information is used by call blocking and analytics applications to determine what to do with the call and enables consumers to know, before answering, that the calls they receive are from legitimate parties.

TPG: Tell us about your role as the nation’s Secure Telephone Identity Policy Administrator (STI-PA) for SHAKEN/STIR?

CD: As the Secure Telephony Identity Policy Administrator, iconectiv has been selected by the Secure Telephony Identity Governance Authority (STI-GA) to apply and enforce the rules defined for the SHAKEN framework. These rules specify a mechanism for service providers to authenticate calls and let consumers know that the telephone number displayed on the caller ID is authenticated. As the policy administrator, iconectiv ensures participation in SHAKEN/STIR across the U.S. is limited to legitimate parties and prevents bad actors from infiltrating the framework. The STI-PA will confirm which service providers are authorized to request certificates and review and approve Certification Authorities to issue them.

TPG: What parties/companies are considered STI Certification Authorities?

CD: Once approved, Certification Authorities will be listed on the STI-PA website: https://authenticate.iconectiv.com/

TPG: How is PKI part of this?

CD: The SHAKEN Public Key Infrastructure (PKI) is the foundation of the cryptographic signatures that are sent between the service providers to convey authentic calling party information. Public Certificates for signing calls can be obtained from any of the approved SHAKEN Certification Authorities.

TPG: What about the STIR portion of the protocol/framework, is that separate?

CD: The IETF STIR working group standardized a set of protocol extensions that define how the authenticity of the calling party’s number should be securely conveyed and authenticated between the point that the call is initiated until it is received. SHAKEN is the framework that provides the specifications and governance on how that can be accomplished including preventing bad actors from infiltrating the framework.

TPG: Tell us more about the digital signature process.

CD: When a phone call is made, a digital signature is created that is tied to the calling party information as it is routed through the network or multiple networks. Through the issuance of Service Provider certificates, a cryptographically secured exchange of this information occurs between the service provider originating the call and the one terminating it. This mechanism creates a secure way to ensure that the calling party information has not been tampered with at any point in the call process.

TPG: When do you foresee telcos implementing SHAKEN/STIR?

CD: In the United States, the Calling Number Verification Service, which is based on SHAKEN/STIR, rolled out in December 2019 making the United States the first country in the world to deploy the SHAKEN framework. Most U.S. service providers will join this framework through 2020 and into 2021.

Canada has announced its plan to launch a solution based on SHAKEN in the fall of 2020.

TPG: Do you think SHAKEN/STIR will really put an end to illegal robocalls?

CD: SHAKEN/STIR is an essential element to help mitigate robocalls but there is no one solution that will solve this global issue. Regulators, associations, service providers, application developers, and vendors all have a role in helping mitigate these nuisance calls and much is already being done in that regard including the call blocking solutions that service providers have in place that help mitigate illegal robocalls. That said, the fraudsters will not go away entirely and they will refine their approach to avoid detection including lower volume, more targeted attacks, as well as shift to other geographies to continue their robocalling ways. The industry will need to remain vigilant even as SHAKEN/STIR drives down the number of illegal robocalls.

TPG: Where do you see authentication headed?

CD: New technology breeds new authentication needs. For example, Rich Business Messaging (RBM), powered by Rich Communication Services (RCS), is poised to be the wave of messaging technology offering enhanced features like read receipts, video, group chat and payments. This creates the need for an independent Verification Authority (VA) that would be responsible for authenticating the identity of businesses and their chatbots. The VA would enable service providers and businesses to provide consumers with the information they need to trust the chatbots and conversations they represent.

TPG: What’s in the works for you in 2020?

CD: Our focus is on creating, implementing, and operating an omni-channel trusted B2C communications platform that will help businesses get their calls verified as legitimate, which will enable them to enhance their branding. This will in turn strengthen their customer relationships and drive revenue with timely consumer engagement across all communication channels (voice, text and data).

Mark B. Cooper

President & Founder at PKI Solutions, Leading PKI Cybersecurity Subject Matter Expert, Author, Speaker, Trainer, Microsoft Certified Master.
