Combating Caller ID Spoofing: FCC and CRTC Are Serving Up STIR/SHAKEN

It's official: when it comes to combating caller ID spoofing, FCC and CRTC are serving up STIR/SHAKEN.

Let's start from the top: phone scams and vishing (voice phishing) have long benefited from the ease with which a caller's phone number can be spoofed, contributing to the prevalence of these threats to both individual consumers and businesses. Vishing is a security buzzword referring to social engineering attacks aimed at extracting personal, financial, or security credentials via phone or other voice communication tools such as Skype. Vishing attacks often impersonate legitimate organizations, such as banks or government agencies. They can be used in tandem with stolen personal information, and even AI deep-fake technology to craft sophisticated and convincing scenarios to build trust or instil urgency, leading to hasty, ill-informed decisions by the victim. 

(It's worth mentioning that phone number spoofing is legal unless done with fraudulent intent or cause harm and has a rich and documented history.  Caller ID spoofing has been used extensively by collection agencies, law enforcement officials, and private investigators. The practice is not limited to scammers or cyber criminals.)

In this article, we will explain why spoofing phone numbers has been so easy in the past and examine recent efforts to reduce the impact of phone scams by preventing deceptive practices.

How Phone Number Spoofing Works

For a long time, phones didn't even attempt to provide any caller ID.  People were left to judge the authenticity of the caller based on what they had to say. Caller ID was only introduced in 1988, but the problem was that the ID presented on digital phones were not verified. The ability of attackers to spoof any phone number as the caller is therefore rooted in the lack of authentication mechanisms. Historically, telephone networks were designed with the assumption that access to them would be controlled and limited to trusted operators. 

Here is a broad description of how phone number spoofing works:

• Lack of Verification: When a call is placed, the originating telephone exchange sends signaling information, including the caller's number, to the destination exchange. However, the destination exchange does not verify whether the caller ID is legitimate or falsified.

• Exploitation of Protocols: Attackers exploit this vulnerability by manipulating the signaling information. Using specialized software or a VoIP (Voice over Internet Protocol) service that allows number spoofing, they can alter the caller ID information to display any desired number on the recipient's caller ID display.

• Ease of Access: The widespread availability of VoIP technology and caller ID spoofing services has made it easier for attackers, including scammers and cybercriminals, to conduct such operations without needing direct access to telecommunication infrastructure.

The trust-based nature of the Public Switched Telephone Network (PSTN) and its foundational technologies and protocols such as Integrated Services Digital Network (ISDN), TDM (Time-Division Multiplexing), Primary Rate Interface (PRI), the Signaling System No. 7 (SS7), and Session Initiation Protocol (SIP) creates an inherent security weakness. These technologies form the backbone of telecommunications, but their trust-based and open nature makes them susceptible to caller ID spoofing and other exploitation. Although some efforts have recently been initiated to address the problem, this oversight still presents a critical security gap, and consumers and businesses need to be aware in order to mitigate phone scams and vishing attacks.

How Attackers Leverage Phone Number Spoofing

• Spoofing caller location: Scammers can spoof local area codes to make it seem like a call is coming from a nearby location or familiar area code to gain a victim's trust

• Spoofing known business numbers: By spoofing common well-known phone numbers, scammers can trick victims into thinking the call is from a legitimate business or government organization. If you have an entry for a phone number in your contact app, the associated name will appear giving weight to the caller's claimed identity

• Combined with OSINT or stolen information: An estimated 28% of scam calls leverage personal information to coerce victims. Personal information can be gained from publicly available sources such as a search engine or social media search or from rogue data brokers who sell data stolen in cyber breaches

• Combined with deep-fake audio: Threat intelligence research has uncovered evidence of deep-fake audio being used in vishing attacks, and in one case, a CEO was exploited for over 250,000 USD. Used in tandem, A.I. deep-fake audio plus personal information represent a formidable social engineering scenario where victims may be tricked into providing passwords or access codes, transferring funds, remotely unlocking doors, or performing other actions to benefit an attacker

Mitigating The Risks Of Phone Number Spoofing

Industry regulation has been progressing towards more authenticated caller ID since at least 2020 when the Federal Communications Commision (FCC) mandated all originating and terminating telecom service providers implement a protocol known as STIR/SHAKEN. While previous regulatory policies have targeted spoofed caller ID used by illegal robocalls, STIR/SHAKEN marked a clear shift towards mandating a technical solution. There are also other measures individuals and businesses can take to protect themselves from phone number spoofing techniques being used in phone scam and vishing attacks. Let's take a look at what STIR/SHAKEN protocol is and what other options are available for mitigation.

The Evolution Of The STIR/SHAKEN Protocol

STIR/SHAKEN is a set of technical standards and protocols designed to authenticate caller IDs and mitigate caller ID spoofing in Voice over IP (VoIP) calls, enhancing telecommunications security. STIR/SHAKEN works by attaching a digital certificate to SIP (Session Initiation Protocol) headers in VoIP calls, verifying the caller's identity and preventing caller ID spoofing through cryptographic authentication. STIR (Secure Telephone Identity Revisited) was developed as an open standard by the IETF, and SHAKEN (Signature-based Handling of Asserted information using toKENs) developed by the ATIS/SIP Forum IP-NNI task force are complementary standards and protocols designed to combat caller ID spoofing. They work by ensuring that calls are digitally signed and verified by the originating phone network and by the receiving network. This process helps to validate caller ID information to ensure it is accurate and has not been tampered with.

Here is a timeline of regulatory actions in North America to implement STIR/SHAKEN:

• March 31, 2020 (FCC 20-42): The FCC mandated all originating and terminating voice service providers to implement STIR/SHAKEN by June 30, 2021.

• July 16, 2020 (FCC 20-96): The FCC implemented safe harbor provisions for call blocking based on analytics including STIR/SHAKEN data.

• September 29, 2020 (FCC 20-136): The FCC expanded STIR/SHAKEN requirements to include all voice service providers.

• November 30, 2021 (CRTC 2021-426): Canada's Canadian Radio-television and Telecommunications Commission (CRTC) enacted regulations requiring Canadian telecommunications service providers to certify caller identity for Internet Protocol-based voice calls.  Call for comments on STIR/SHAKEN had been active since 2019.

• May 20, 2022 (FCC 22-37): The FCC mandated Required gateway providers to implement STIR/SHAKEN for foreign-originated SIP calls by June 30, 2023.

• March 17, 2023 (FCC 23-18): The FCC mandated non-gateway intermediate providers receiving unauthenticated IP calls must use STIR/SHAKEN from December 21, 2023.

However, while the STIR/SHAKEN protocol can verify caller ID for IP-based voice calls, there are limitations. Not all calls can be verified due to network and device compatibility, especially calls not entirely over an IP voice network or calls involving TDM (Time Division Multiplexing) switches.

Other Potential Mitigation Options

• Network-Level Blocking and Filtering: Telecommunication providers can implement advanced analytics and AI-based call-pattern recognition algorithms to identify and block spoofed calls at the network level. This includes identifying numbers that are frequently used for spoofing or calls that exhibit suspicious calling patterns.

• Caller ID Authentication Apps: There are third-party apps and services that provide additional layers of security by screening incoming calls. These apps use databases of known scam numbers, user reports, and AI-driven analysis to identify and block potentially fraudulent calls.

• Education and Awareness: Educating consumers and employees about the risks of caller ID spoofing and how to recognize suspicious calls is crucial. This includes being cautious about sharing personal information over the phone and verifying the caller's identity through independent means.

• Use of Alternative Voice Applications: For critical communications, especially in business and finance, entities are moving towards alternative methods of authentication that do not rely on caller ID. This includes using alternative voice and video applications such as secure mobile applications.

Conclusion

Vishing and phone scams are a serious threat to individuals and organizations. One potent tool attackers may leverage is phone number spoofing (caller ID spoofing) which exploits the trust-based nature of telecommunication networks. The STIR/SHAKEN protocol is at the early stages of adoption and, among other tools, offers some refuge from the storm of ID manipulation. Because phone numbers cannot be reliably authenticated, we need to be aware of how sophisticated social engineering attacks could take place and understand our options for additional mitigation strategies, such as network-level blocking and caller ID authentication apps.

Are you ready to enhance your organization's security posture to combat caller ID spoofing? Reach out to our team today for your free, zero-obligation quote.