ConvergeOne Blog

How STIR/SHAKEN Will Affect Your Business’s Phone Strategy

Written by David Lover | Mar 2, 2021 3:00:00 PM

The hot pieces of legislation currently affecting the communications industry are Kari’s Law and the Ray Baum’s Act. At a high level, these two items deal with 911. Kari’s Law is about a company’s responsibility and requirement to ensure that users can dial 911 without needing to dial a code to get an outside line first. The Ray Baum Act is about making sure the system can identify and communicate the dispatchable location of that person who dialed 911.

However, there’s some other legislation going into effect this year that we should also be aware of. It’s certainly something that we, as consumers, will LOVE, but I also think we need to think about the ramifications of this for businesses. The FCC legislation that we’re talking about here is referred to as STIR/SHAKEN and is required to be implemented by “IP-based Communication Service Providers” (i.e., SIP trunk carriers) by June 30, 2021.

STIR/SHAKEN is a mechanism that has been in the works for a few years now. It helps to identify spoofed ANI (Automatic Number Identification), or what regular people would refer to as “Caller ID.” This is a common technique used by spam callers. We’ve all seen this. When your phone rings and you notice the Caller ID shows a local number or a number close to a known number, yet when you answer it, it’s someone trying to sell you a timeshare in Barbados. These are spam calls, frequently referred to by consumers as robocalls, and often processed by advanced communication systems like Predictive Dialers. Worse, bad guys will sometimes spoof the ANI of the call, trying to trick you into thinking they’re someone else. This could be used for toll fraud or unauthorized access to information, money, control, or more. ANI spoofing has been a very troublesome technique that has been very difficult and expensive to address. The FCC is going to mandate that carriers and communication service providers take some ownership in preventing this type of ANI spoofing.

STIR stands for Secure Telephony Identity Revisited, and SHAKEN stands for Secure Handling of Asserted information using toKENs. At the most simplistic level, it requires that the carrier verifies the validity of the call source and the calling number (i.e., ANI), making sure that it matches a DID owned by the person or business originating the call. Also, in the event that the carrier needs to pass the call to another carrier, they must pass along the appropriate certificate proving that original verification. This certificate must remain intact all the way to the service provider that is responsible for delivering the call to its final destination. You might have seen some early adoption of these spam elimination techniques, with your cell phone displaying “Spam Risk.” As of June 30th, I would expect those calls will get blocked or denied at the originating service provider.

So, how does this affect your business? Well, I think there are a couple of scenarios we need to pay attention to. Some businesses will spoof caller outbound ANI to provide anonymity or personal privacy. Doctors making phone calls directly to patients will substitute their actual extension/DID number with a different number so that patients can’t call them directly. Usually, they’re substituting it with a specific number that the patient should call back to, like their main listed number. I’m not a lawyer, but this seems to be a scenario that should not be impacted by STIR/SHAKEN, since the substituted number is one that is owned by the business.

However, there are some features in use by customers that pass along the ANI of an incoming number when being transferred to someone else out on the PSTN (Public Switched Telephone Network). It might be as literal as what we’d refer to as a “Blind Transfer” to someone external to the PBX: You receive a call. You want to transfer that call to someone else. That someone else is not an internal extension. The PBX will typically copy the incoming caller ID to the outbound call as the “originating ANI.” That definitely seems like it would be impacted by STIR/SHAKEN. The carrier receiving the call will look at the ANI and see that it’s not a number owned by the company, and that will mostly likely get blocked or tagged as spam.

There are features that can even automate this type of “transfer” action. Avaya introduced a feature called EC500 (Extension to Cellular) 15+ years ago. It allows you to automatically “forward” an incoming call to your cell phone. Those of us familiar with EC500 know that it’s certainly more sophisticated than automated “call forwarding,” but for the purpose of this example, we can simplify it to that. The Avaya system will copy the originating ANI to the outbound trunk call so that when your cell phone rings, you can see what the original caller ID was, not just that it’s coming from your enterprise PBX. I would expect STIR/SHAKEN to break the benefit of this very popular feature. Realistically, EC500 was a feature that predates modern mobile communication best practices. The use of the Avaya Workplace client on an iPhone or Android makes EC500 looks pretty archaic. But, again, this is still a very popular feature with legacy Avaya customers, so it might be the right time to consider a modernization strategy.

While STIR/SHAKEN is going to eliminate a common spammer technique that tricks people into answering their phone call, it’s not going to eliminate spam calls completely—but at least you’ll now know the REAL phone number of the person calling you. And while this legislation appears to be focused on the SIP service providers and carriers, forcing them to do some validation of their incoming calls from enterprises and other carriers, this will positively impact all of us personally and professionally.

It's important that you understand how your business’s outbound calls to carriers and service providers are currently formatted. This will go a long way to empowering you to make the right decisions on how those calls should be formatted so that they don’t get rejected or marked as spam.


[ON-DEMAND WEBINAR] Simplifying E911 Compliance: Using Cloud to Solve the New Hybrid Workforce

E911 is a hot topic for 2021. With new laws and regulations now in place, and more to come in 2022, organizations must plan to achieve a state of compliance. Access this on-demand webinar to hear about how to solve these challenges using the ConvergeOne Cloud Experience (C1CX) platform.