In December 2019, Senate passed the TRACED Act (Telephone Robocall Abuse Criminal Enforcement and Deterrence) which would make rogue robocalls illegal and require phone companies to adopt new spoof call identification technologies called SHAKEN (Signature-based Handling of Asserted information using toKENs) and STIR (Secure Telephone Identity Revisited). The new regulations have been placed in the hands of the Federal Communications Commission for enforcement.
While understanding what the acronyms mean is an achievement in itself, there is a simple question every business still needs to ask – will the benefit of these consumer-protection measures extend to calls within the enterprise environment?
It is true that phone scammers bilked unwitting citizens out of hundreds of millions of dollars last year alone. And unwanted calls are ”far and away the biggest consumer complaint to the FCC with over 200,000 complaints each year—around 60 percent of all the complaints we receive” according to the Federal Communications Commission website. But voice spam is not just an issue for consumers. When entering the enterprise, spam and robocalls can cause serious disruption to normal business operations, lock up extensions and block legitimate callers. They can also compromise the security of the voice network and open the door to deeper fraudulent intrusions within the organization. In healthcare alone, the financial fallout from a single scam call that results in a HIPAA violation can mean $50,000 fine. And that does not take into account the emotional toll and loss of productivity imposed on scammed employees.
What is the goal of the TRACED Act?
The goal of the TRACED Act is the eventual elimination of bad actors menacing telephone networks so individuals and businesses alike would see a decline in spam overall. But the process is long, complicated, and filled with unknowns as criminal scammers continually adapt to consumer behavior and attempts at regulation. One need only see how quickly phone spammers have changed their tactics from mass robocalling to targeted “spoofing” with fraudulent caller IDs in order to trick individuals into answering their calls.
According to Richard Shockey, member of the FCC’s technical advisory board and also one of the architects of the STIR/SHAKEN framework when speaking at a Professional Association for Customer Engagement (PACE) conference in Washington, D.C., “It will likely be a full decade before the industry can kill unwanted robocalls.”
Even that may be over-optimistic when looking closely at the issue.
What is STIR/SHAKEN?
The centerpiece of the TRACED act is a requirement for carriers to implement anti-robocall and anti-spoof call technology using the STIR/SHAKEN protocol system.
As explained by telecom software provider TransNexus, “STIR and SHAKEN use digital certificates, based on common public key cryptography techniques, to ensure that the calling number of a telephone call is secure.” In simple terms, each telephone service provider obtains their digital certificate from a certificate authority who is trusted by other telephone service providers. The certificate technology enables the called party to verify that the calling number is accurate and has not been spoofed.
However, STIR/SHAKEN will only work to verify caller ID if all phone companies adopt it, since both the sending carrier and receiving carrier need to have the technology deployed. Major carriers are under pressure to implement STIR/SHAKEN verification technology by June 30, 2021. But smaller carriers and landline providers working with older, pre-IP server technology may also be part of the carrier-to-carrier phone call stream and they are balking – a problem that is likely not to change soon since the law only requires that originating and terminating voice service providers implement STIR/SHAKEN in the Internet Protocol (IP) portions of their networks.
What’s more, a significant portion of spam and robocalls are generated from overseas sources that escape the FCC regulatory parameters. While the FCC has threatened legal action against a number of U.S.-based companies that accept foreign call traffic that terminates to US consumers, attempting to shut the door completely on the passage of these suspect, foreign-generated calls through U.S. networks is, at best, a long-term prospect. Until a worldwide system of compliance is adopted, scammers can simply move their activities to any number of unprotected networks.
What’s This Mean for Businesses?
Brian McDonald, Director of Product Development, and Roger Northrop, Chief Technology Officer for enterprise telecom software developer Mutare, recently traveled to ITExpo in Miami to learn first hand how IT technology providers see their role in the battle against voice spam in the enterprise. What they learned was revealing.
“It’s pretty clear that all the technology and regulations surrounding how voice spam is handled ends at the carrier level,” says Northrop. “When a carrier is tasked with certifying the validity of a call using the STIR/SHAKEN protocol, that doesn’t mean the call will be blocked. They are simply providing an attestation score of A, B, or C that shows a level of confidence. The call still goes through with that small bit of data attached that could trip a “Possible Spoof Call” red flag, but it is still up to the enterprise to determine what to do with it. It is not in a carrier’s best interest to outright block calls, and that is understandable from a liability point of view. So if businesses are thinking they are going to receive an immediate and significant reduction of spam calls as a result of STIR/SHAKEN implementation, from what I can tell that is simply not going to be the case.
“Another hitch in the authentication process occurs when a smaller, non-SIP carrier without the means to implement the STIR/SHAKEN protocol is part of the carrier-to-carrier call chain. There was some discussion of alternative system designs that could allow them into the process, but it is still just in the early stages and they would still need to work with the authenticating carriers to retrieve those attestation scores. It’s pretty much still the Wild West out there.”
How The Mutare Voice Spam Filter Can Help
As a developer of advanced enterprise voice messaging solutions, Mutare has included in its portfolio a powerful Voice Spam Filter designed specifically to protect enterprise voice networks from harmful spam and robocalls. “Our solution combines a spectrum of integrated tools to identify suspected spam calls, scam calls, spoof calls, and robocalls before they enter the enterprise voice network. It then puts control of how those calls are to be handled with the organization and its system administrators, which is certainly a better scenario than giving that control over to an anonymous carrier. Unlike calls flagged through STIR/SHAKEN, those clearly identified as fraudulent or nuisance calls by the Mutare Voice Spam Filter are blocked before they ever ring through, sparing employees unneeded work disruption. The solution includes a unique Voice CAPTCHA feature that can be turned on as a further failsafe measure so suspect calls can be clearly separated out and tested before allowing a ring through. Mutare has been building advanced and flexible applications for business voice networks for more than 35 years so we are well-equipped to take on challenge of blocking voice spam in its numerous forms before it does real harm to our customers.”
As for the role of STIR/SHAKEN authentication, McDonald suggests that it still has some value for the enterprise. “It adds one more piece of attestation information to the incoming call data, and that that helps augment our ability to identify and block the bad ones. We do feel the FCC is on the right track in its attempts to tackle this issue on a consumer level. But businesses need to maintain control over the integrity of their own voice traffic and are looking for effective tools to help them in that endeavor. Through the development and continuous enhancement of our Voice Spam Filter, we have established ourselves as a true ally and advocate for businesses in the fight against voice spam.”