If you’re anything like me, you get between 1 and 25 calls per day (aren’t I popular!), but you answer few (or none) of them because of the rampant rise of autodialed scams and advertisements. The plague of spam and robocalls is so prevalent that it’s reached Last Week Tonight’s main segment territory. I’m very lucky, because even though I live in Illinois my phone number has an area code from another state. This is fortuitous since most robocalls are made to appear as if they are a local number. If I see a call directly to my cell from my home area code, it’s safe to decline the call. Why does it seem like your carrier doesn’t or can’t do anything about it? It turns out they can!
Back in the olden days, phone calls were manually switched and connected by people, by hand. Eventually, phone companies developed switching equipment to automate the process, but all of it was given backwards compatibility to account for small and antiquated systems. This perpetual state of backwards-compatibility remains to this day, even when entire company phone systems exist within a single computer and cell phone companies can route calls globally. While systems are slowly being updated, but certain peculiarities remain. One of these is Caller ID. Back in the 90s when Caller ID was created, it existed as an extension of the phone book; the phone company coltrolled what was displayed. Later, as more and more providers offered the feature, and as VoIP calling took off, the responsibility for Caller ID was often left with the provider of the person making the call (or even the person themselves). This allowed for loopholes, like businesses making it seem like they were calling you back from their main line, instead of the direct phone number of the person you were speaking with. It also allowed less than scrupulous people to create scams by pretending to be a bank, utility, or auto dealership.
Before 2019, there was NO authentication for Caller ID. Much like email, if I had the right tools, I could put anything in my Caller ID field. The FCC is trying to put a stop to this. They are implementing a method very similar to how DKIM is now being adopted to protect emails (I’ll write about that next time!) to hold both the originating phone provider and the completing phone provider responsible and provide ways to authenticate calls.
STIR/SHAKEN
The FCC’s plan is twofold, given the names of STIR and SHAKEN (and apparently named by a big fan of James Bond). With STIR, the phone carrier who makes the call assigns a level of certainty to the caller:
- I guarantee this connection–usually because they are one of my customers. Think you picking up the phone to call your mom.
- I am reasonably sure about it–usually because the direct extension can’t be verified, but the endpoint is trusted. Think big companies who have their own internal phone system. They aren’t a phone company, so they still pay for a connection to the phone network. The provider might not be able to pin down which phone inside the company you are, but they CAN pin down that it’s coming from the company.
- I have no idea. Think “Hello, this is Visa Mastercard calling about your account…”
Now the second step is SHAKEN, in which the receiving carrier verifies that the sender itself wasn’t spoofed. It does so using certificates to mathematically prove that the STIR rating and call are coming from the carrier that is claimed. This prevents people from dumping VoIP calls into small carriers that then pretend to be Verizon or AT&T and give every call a glowing level 1 “This call is genuine” review. It’s not clear exactly how each carrier will act on the information given, but the FCC has demanded that all carriers adopt something by November, so we should be seeing the results soon. When my phone updated, I got the Verizon app, which I activated this week and have already noticed a drop in robocalls. The future is bright, and quiet.