Unwanted scam robocalls with spoofed caller IDs are a menace to consumers and businesses. These calls threaten the viability of the telephone network. The telecommunications industry has developed a technology framework, STIR/SHAKEN, to combat caller ID spoofing. When you can identify spoofed caller IDs, robocall prevention measures become much more effective. This presentation explains how STIR/SHAKEN prevents caller ID spoofing. Then it describes a variety of spam robocall prevention methods that are effective today. Finally, it shows how these methods will become even stronger with widespread deployment of STIR/SHAKEN.

1. Effective STIR/SHAKEN
and Robocall Solutions
that Work Today

2. • Software to help organizations manage and protect
their telecom networks
• Applications include:
• Telecom fraud prevention
• Unwanted robocall prevention
• STIR/SHAKEN
• Least cost routing
• Telephony Denial of Service (TDoS) prevention
• We’ve been providing such solutions for over 20 years
About

3. 1. A brief history of robocalls,
legislation and regulations
2. STIR/SHAKEN overview
3. Robocall prevention
4. Integration
5. Questions and answers
Agenda

4. A brief history of
robocalls,
legislation and
regulations

5. A brief history of robocalls, legislation and regulations
2000 2005 2010 2015 2020
Do-Not-Call
Act
Truth In
Caller ID
Act
FCC
authorizes
limited
blocking
FCC chairman
Pai calls for
SHAKEN/STIR
without delay
FCC
allows
blocking
by default
Robocall
Strike
Force
Canadian
CRTC
2018-32
PA
selected
in U.S.

6. “I’ve been clear that I expect major voice
service providers to implement
SHAKEN/STIR by the end of 2019…
“I’ve also made clear that if this deadline
is not met, the FCC will act to ensure that
SHAKEN/STIR is implemented. “
– Ajit Pai, FCC Chairman
address to USTelecom robocall forum
June 11, 2019

7. STIR/SHAKEN
overview

8. Triangle of trust
Governance
Authority Policies
Policy Administrator
iconectiv
Telephone Service
Providers
Certificate
Authorities

9. Originating
telephone service
provider
Key
management
service
Certificate
repository
Certificate infrastructure
Certificate
Authority

10. Originating
telephone service
provider
Terminating
telephone service
provider
Authentication
service
Verification
service
Certificate
repository
Calling party Called party
STIR/SHAKEN: the big picture
SIP network
STIR/SHAKEN doesn’t prevent
robocalls. It prevents caller ID
spoofing so you can answer
more calls you want while
avoiding spam robocalls.

11. INVITE sip:18001234567@example.com:5060 SIP/2.0
Via: SIP/2.0/UDP example.com:5060
From: "Alice" <sip:14045266060@5.6.7.8:5060>;tag=123456789
To: "Bob" <sip:18001234567@1.2.3.4:5060>
Call-ID: 1-12345@5.6.7.8
CSeq: 1 INVITE
Max-Forwards: 70
Identity:
eyJhbGciOiAiRVMyNTYiLCJwcHQiOiAic2hha2VuIiwidHlwIjogInBhc3Nwb3J0IiwieDV1IjogImh0dHBzOi8
vY2VydGlmaWNhdGVzLmNsZWFyaXAuY29tL2IxNWQ3Y2M5LTBmMjYtNDZjMi04M2VhLWEzZTYzYTgy
ZWMzYS83Y2M0ZGI2OTVkMTNlZGFkYTRkMWY5ODYxYjliODBmZS5jcnQifQ.eyJhdHRlc3QiOiAiQSIsIm
Rlc3QiOiB7InRuIjogWyIxNDA0NTI2NjA2MCJdfSwiaWF0IjogMTU0ODg1OTk4Miwib3JpZyI6IHsidG4iOi
AiMTgwMDEyMzQ1NjcifSwib3JpZ2lkIjogIjNhNDdjYTIzLWQ3YWItNDQ2Yi04MjFkLTMzZDVkZWVkYmVk
NCJ9.S_vqkgCk88ee9rtk89P6a6ru0ncDfSrdb1GyK_mJj-10hsLW-dMF7eCjDYARLR7EZSZwiu0fd4H_QD_
9Z5U2bg;info=<https://certificates.clearip.com/b15d7cc9-0f26-46c2-83ea-a3e63a82ec3a/7cc4db69
5d13edada4d1f9861b9b80fe.crt>alg=ES256;ppt=shaken
SIP INVITE with Identity header

12. Authentication Identity token decoded
"header":
"alg": "ES256"
"typ": "passport"
"ppt": "shaken"
"x5u": https://certificates.clearip.com/4a8eb5-461b.crt
"payload":
"attest": "A"
"dest": { "tn": [ "14695858065" ] }
"iat": 1529071382
"orig": { "tn": "12013776051" }
"origid": "4aec94e2-508c-4c1c-907b-3737bac0a80e"
Attestation level
Called number
Timestamp
Calling number
Origination identifier

13. • Authentication for non-carriers (e.g., enterprises)
• Critical for outbound call centers
• Enables Least Cost Routing and Load Balancing among carriers
• Carriers for SHAKEN Authentication and call delivery may be different
• Rich Call Data
• Out-of-Band STIR
STIR/SHAKEN future developments

14. Authentication for non-carriers (enterprises)
STI-CA STI-CA STI-CA
TN Provider TN Provider TN Provider
Enterprise Enterprise Enterprise
Proof of Possession
TN Provider proxies
certificate signing request
Delegated
TN Provider issues certificate
LEMON-TWIST
TN Provider issues token to
Enterprise for CA authentication

15. • Additional information about the caller that
can be displayed to the called party, such as:
• Display name
• Hyperlinks to related info, e.g., image of the caller
or company logo
• Flexible set of caller information, e.g., address,
email, birthday, etc.
• Similar to enhanced CNAM
• Except done at origination instead of termination
• Cryptographically secure
• Gives source party greater control over info
presented
Rich Call Data

16. Example of Rich Call Data in SHAKEN Token
"attest": "A",
"dest": { "tn": [ "12155551213“ ] },
"iat": 1443208345,
"orig": { "tn": "12155551212“ },
"origid": "123e4567-e89b-12d3-a456-426655440000",
"rcd": {
"nam": "James Bond",
"jcd": [
"vcard",
[
[ "version", {}, "text", "4.0" ],
[ "fn", {}, "text", "James Bond" ],
[
"adr", { "type": "work" }, "text",
[ "3100 Apple Ave", "Washington", "DC", "20008", "USA" ]
],
[ "email", {}, "text", "bond@example.com" ],
[ "tel", { "type": [ "voice", "text" ] }, "uri", "tel:+1-202-555-1000" ],
[ "logo", {}, "uri", "https://example.com/logo.jpg" ]
]
]
}

17. Out-of-Band STIR
Originating
telephone service
provider
Terminating
telephone service
provider
Authentication
service
Verification
service
Calling party Called party
Call Placement Service
Identity
token
Identity
token
SIP network
Normal call flow
Certificate
repository

18. Robocall
prevention

19. Robocall prevention methods work well with SHAKEN

20. • On-net calls from external networks
• By OCN
• By DID
• Invalid calling numbers
• High risk calling numbers
• Calling numbers with poor reputation
• Real time traffic analysis
• STIR/SHAKEN verification
Nuisance call detection methods

21. • Report only
• Block
• Send to voicemail
• Send to CAPTCHA
• Send to a honeypot
• Modify caller display name (CNAM)
Nuisance call treatment options per subscriber
Can be configured for each subscriber

22. SHAKEN outcome Reputation Privacy header Digital display Character
display
Verified Good No Caller ID [V]Caller ID
Verified Good Yes Anonymous [V]Anonymous
Verified Poor Yes or No <SPAM> [V]<SPAM>
Failed or no token Good No Caller ID Caller ID
Failed or no token Good Yes Anonymous Anonymous
Failed or no token Poor Yes or No <SPAM> <SPAM>
Caller display name

23. Integration

24. Inbound integration
Ingress SBC Switch
302 – Divert, modify CNAM
503 – Report only
603 – Block
SIP INVITE
Called
party
External
network
• Blacklists
• Traffic Analysis
• Reputation
• SHAKEN verification
• CNAM lookup

25. Outbound integration – option 1
Switch Egress SBC
• Blacklists
• Toll fraud prevention
• SHAKEN authentication
• Least cost routing
302 – Divert, modify destination
503 – Report only
603 – Block
SIP INVITE
Called
party
External
network

26. Outbound integration – option 2
Switch Egress SBC
• Blacklists
• Toll fraud prevention
• SHAKEN authentication
• Least cost routing
302 – Divert, modify destination
503 – Report only
603 – Block
SIP INVITE
Called
party
External
network

27. • Get started now!
• Free trial offer
• Month-to-month billing
• No contract – no commitment
• Up to 2 million calls – no charge
• transnexus.com
• info@transnexus.com
• 1-404-526-6060
Questions, answers and discussion