By Robert McKay
Officially enacted by the FCC on July 1, the STIR/SHAKEN (Secure Telephone Identity Revisited / Signature-based Handling of Asserted Information Using toKENs) framework will help telephone carriers combat the scourge of fraudulent robocalls that cross their networks by verifying and authenticating the source of those calls. The goal of this legislation is to help rebuild the trust that consumers once had in the phone channel.
This will make it easier to distinguish legitimate calls from questionable ones while enabling carriers to track down the criminal organizations abusing their networks. STIR/SHAKEN has already demonstrated that it can make high-volume calling campaigns via automated caller ID spoofing less effective and, hopefully, much less common.
STIR/SHAKEN Creates New Hurdles for Fraudsters
Caller ID spoofing has been a staple in the fraudster’s toolbox for the better part of the past two decades. While more sophisticated groups write their own software or modify existing code, countless apps and tools are available for purchase on black market deep web forums. These give criminals easy access to methods that present any number as the originating calling number for their fraudulent calls. This allows them to easily impersonate real customers by having a legitimate customer’s phone number displayed when calling into a contact center.
Until the implementation of STIR/SHAKEN, organizations on the receiving end of a spoofed call could not easily authenticate a customer with their phone number alone. Now a criminal will have to work much harder to keep spoofed calls from raising suspicion and receiving a low attestation. Attestation is the mechanism by which the originating service provider verifies the call’s degree of trust based on the caller’s ID and calling number.
It also helps mitigate account takeover attempts via call spoofing by flagging calls as questionable before they reach an IVR or call center agent. That said, there’s little doubt that fraudsters will evolve. The question is, “How?”
Criminals Are Masters of Adaptation
While we can’t say for certain how bad actors will evolve their techniques, history has shown us that they will find creative ways to respond. Fortunately, we already have a sense of how criminals will react to STIR/SHAKEN. Prior to enacting the standards in STIR/SHAKEN, a variety of third-party tools were available to help carriers and their customers distinguish legitimate calls from those that are likely spoofed.
Although these tools had their shortcomings (such as a higher volume of false-positive calls, which tagged legitimate calls as suspect), they did succeed in making it more difficult to spoof calls at scale. To avoid these tools, many fraudsters adopted virtual calling services to continue their attempts at account takeover fraud over the phone. Most phone calls originate from unique physical devices such as a mobile phone or landline device. Virtual services originate calls from mobile apps, personal computers, and even PBX systems. Many can be used anonymously from anywhere in the world—the perfect tool for a criminal. Virtual apps have been particularly attractive in this category.
There are large players such as Skype and Google Voice, both of which require identifying information when creating an account. Criminals are obviously keen to avoid this. However, extending beyond the long shadow cast by Skype and Google Voice are hundreds of smaller virtual call services that allow fraudsters to preserve their anonymity during account creation.
Criminals have flocked to these services, which enable them to place authentic-looking calls from anywhere in the world using any area code of their choosing. Not only do these services preserve anonymity and limit call tracing, but because they originate from apps that are not spoofed, they can receive a high-level STIR/SHAKEN attestation.
Criminals are already gravitating to virtual call services, with fraud attempts using virtual apps rising sharply over the past eighteen months. Market studies, such as the State of Call Center Authentication survey, also demonstrate a rapid adoption of virtual call apps to target call centers. As STIR/SHAKEN makes it more challenging to successfully place spoofed calls, expect to see an increasing number of criminals turn to virtual call services.
5 Proactive Considerations That Look Beyond First-Generation Caller ID Spoofing
The enactment of STIR/SHAKEN was the result of a broad cross-industry collaboration that will undoubtedly make call spoofing more difficult for criminals. But expecting it to prevent all future fraud is dangerous thinking. Inbound call centers will need to anticipate the alternative paths and vectors criminals will use to conduct their illegal activity.
Such considerations should include:
- Remember that the original intent of STIR/SHAKEN was to create a framework to help call tracing and reduce the utility of robocalls, not to protect against all potential vectors of fraud.
- Invest in call evaluation systems that can improve the identification of virtual call technology and, within that segment of calls, isolate calls coming from virtual apps.
- Partner with a phone call validation service to share information on attack patterns so your organization stays current on the latest virtual tools used by criminal networks. While the number and nature of these tools vary widely, efficient and timely information sharing within the call center industry can hamper their effectiveness.
- Deploy services to identify and stratify risk of virtual calls. Then develop call flows to treat callers using high-risk virtual apps appropriately. Consider employing risk-based, stepped-up authentication practices, routing callers to agents that specialize in high-risk engagements, and, within this context, limiting the scope of activities a flagged caller can perform.
- Monitor for other behavioral patterns that can signal an account takeover attack, such as a recent number reassignment and anomalous calling patterns. Of course, remain vigilant for spoofed calls too, as enterprising fraudsters will identify new ways to mask their identity.
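A sketch of the call flow these considerations describe, added here as an example (it is not code from the article or from any vendor): it reads the attestation level (A full, B partial, C gateway) from a SHAKEN PASSporT and combines it with call-evaluation signals, so that a fully attested call from a virtual app is still stepped up. The line-type labels, weights, treatment names and sample headers are assumptions constructed for illustration, and the PASSporT signature is assumed to have been verified upstream.

```python
import base64
import json

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def sample_identity(attest, orig_tn):
    """Constructed SIP Identity header value; the signature part is a placeholder."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.invalid/sp.pem"}
    claims = {"attest": attest, "dest": {"tn": ["12025550100"]}, "iat": 1700000000,
              "orig": {"tn": orig_tn}, "origid": "00000000-0000-4000-8000-000000000000"}
    jws = ".".join(_b64url(json.dumps(p).encode()) for p in (header, claims))
    return jws + ".placeholder_sig;info=<https://cert.example.invalid/sp.pem>;alg=ES256;ppt=shaken"

def attestation_of(identity):
    """Return 'A', 'B' or 'C' from a SHAKEN PASSporT, or None if absent or malformed.
    Assumes the signature and certificate were already verified upstream."""
    if not identity:
        return None
    try:
        head, body, _sig = identity.split(";", 1)[0].strip().split(".")
        header, claims = json.loads(_unb64url(head)), json.loads(_unb64url(body))
        attest = claims.get("attest") if header.get("ppt") == "shaken" else None
    except (ValueError, AttributeError):
        return None
    return attest if attest in ("A", "B", "C") else None

# Illustrative weights (assumptions): full attestation adds no risk, none adds the most.
ATTEST_RISK = {"A": 0, "B": 1, "C": 2, None: 2}
LINE_RISK = {"virtual_app": 2, "virtual_other": 1}  # hypothetical line-type labels

def call_flow(identity, line_type, recently_reassigned=False, anomalous_pattern=False):
    """Pick a treatment from attestation plus the call-evaluation signals."""
    score = (ATTEST_RISK[attestation_of(identity)] + LINE_RISK.get(line_type, 0)
             + int(recently_reassigned) + int(anomalous_pattern))
    if score == 0:
        return "standard"
    if score == 1:
        return "step_up_auth"
    return "specialist_agent_limited_scope"  # restricted set of account actions
```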
The STIR/SHAKEN framework will go a long way toward improving consumer trust in the phone calls they receive.
As an added benefit, STIR/SHAKEN should also make it more challenging for fraudsters to take over consumer accounts. However, if past is indeed prologue, we know that fraudsters are an enterprising bunch and will work assiduously to evolve their methods and techniques.
While these methods may change, by thinking proactively and investing in the right tools and processes, inbound call centers can better prepare for an unknown future.
Robert McKay is the senior vice president, risk solutions at Neustar, Inc.