STIR/SHAKEN hits milestone in fight to stop caller ID spoofing
Last week, cellular carrier T-Mobile completed its rollout of STIR/SHAKEN in the United States. Designed to stop caller ID spoofing, STIR/SHAKEN is a suite of security protocols that all U.S. mobile providers will need to implement by June 30. In this article, we’ll give you some background on the issue, and we’ll tell you why it matters for security and privacy.
What is caller ID spoofing?
Caller ID spoofing happens when the caller (often a bad actor) “tricks” a telephone network into showing incorrect caller ID information to the call recipient.
They accomplish this using different techniques. The most common method involves using VoIP (Voice over Internet Protocol) technology. VoIP providers sometimes allow users to configure the number that will be displayed when they make calls. Bad guys abuse this feature in caller ID spoofing attacks.
There are also full-fledged spoofing services. These work a bit like a prepaid calling card. Malicious callers can set up a PIN, pay for a certain number of minutes, and then place calls that can be configured to display whatever origin number they choose.
Why is caller ID spoofing a security issue?
For the most part, caller ID spoofing is used to perpetrate phone scams.
If a call comes in from an unknown or out-of-area number, call recipients are likely to be on their guard. But if a call comes in from a familiar number, or even just a local number, it can seem legitimate. This gives phone scammers the social engineering edge they need to fool their victims.
So what do these scams look like? They take on all sorts of forms. In one scam, bad actors spoofed the phone number of a local Apple Store in an attempt to gain access to iPhone users’ devices. The IRS has long warned of phone scammers impersonating the Taxpayer Advocate Service (TAS), and says that some versions of the scam now use caller ID spoofing to make the call appear to come from actual TAS regional offices.
Caller ID spoofing is also used heavily in robocalls — those automated, prerecorded phone calls that have plagued consumers for years now. While some robocalls are nothing more than spammy sales pitches (deeply annoying, but relatively harmless), many robocalls are scams. There have even been incidents in which robocalls were used in election interference campaigns.
How does STIR/SHAKEN stop caller ID spoofing?
STIR/SHAKEN is intended to help stop caller ID spoofing and all of the many problems it causes.
STIR stands for Secure Telephone Identity Revisited. The STIR protocol works by adding metadata to the call header information that’s used to route VoIP data through phone networks. This metadata includes information that shows how well the provider was able to verify the originating number (there are options for known origin, partially known origin, or unknown origin). The metadata is then digitally signed using public key cryptography so that other providers further downstream can verify that the header info really comes from a trusted provider and hasn’t been altered in transit.
In this way, any call that fails to authenticate properly, or that’s coming from an unknown or unverified caller, can be flagged by the carrier responsible for delivering the call to the end user. This could mean warning the user about the call with an alert that says “unverified” or “spoofed”, or it might just mean dropping the call altogether.
SHAKEN stands for Signature-based Handling of Asserted information using toKENs (yes, they really went out of their way for that James Bond reference). Unlike STIR, SHAKEN isn’t really about the technical procedures used to verify callers. More than anything, it’s a set of guidelines intended to standardize how carriers deal with calls that fail STIR authentication. SHAKEN is still a work in progress; the details are being hammered out by an industry standards organization called the Alliance for Telecommunications Industry Solutions (ATIS).
So are phone scams a thing of the past?
STIR/SHAKEN is an important step in the fight to stop caller ID spoofing, but it isn’t a “magic bullet” that means you can now trust all incoming calls.
For one thing, the system isn’t fully implemented yet. Carriers in the United States and Canada have until June 30 to roll out STIR/SHAKEN. In other words, the deadline is still a little ways off. While STIR/SHAKEN is designed to work in other countries, it remains to be seen if it will be required everywhere.
In addition, STIR/SHAKEN isn’t going to stop phone scammers who don’t use caller ID spoofing! If a bad guy wants to steal someone’s credit card details, they don’t necessarily need a fake caller ID to do it. They could just go out and buy a prepaid “burner” cell phone and make their vishing calls from that number.
Lastly, there is a possibility that unscrupulous VoIP providers may knowingly help bad actors spoof caller IDs. In this scenario, a call would come through as “verified” when it isn’t. Such providers would face legal action if caught, and could even have their ability to perform STIR verification revoked … but that wouldn’t help an end user who’d already been scammed by a fraudulently authenticated call.
How to stay safe on the phone
STIR/SHAKEN is a promising technology. It should help stop caller ID spoofing, and thus cut down on robocalls and phone scams. Nevertheless, all of the old advice for dealing with an unsolicited phone call is still valid:
- If someone calls you first, put on your skeptic’s cap. Don’t assume that they are who they say they are; you may want to call them back at a number that you look up on the Internet for yourself. Don’t give out any sensitive personal information such as your Social Security number, date of birth, or home address. This could be used against you in a phishing attack or identity theft scheme.
- Remember that there are some kinds of organizations that will never contact you asking for sensitive information. Interestingly, these are typically the ones who are most aware of things like cybersecurity and identity theft. This includes big tech companies like Apple and Microsoft, banks and financial institutions, and government agencies like the IRS.
- Never give your password or other login information to anyone over the phone … for any reason. If a tech support person or customer service rep needs to access your records or your account area, they should have a way to do that on their end. There is literally no reason that they would ever need your password to do this.