Stirred, Not Shaken: New Tools to Defeat Robocallers

Recently, I wrote a post regarding the plague of robocalls that has gotten worse in recent years and how you can filter out robocalls on an iPhone using the CiraSync GAL sync feature. However, as anyone who has tried to fight the plague of robocalls knows, a single solution is not perfect, nor permanent.

The FCC estimates over 11 million robocalls are made every single day within the U.S., and there is no end in sight. However, not all hope is lost. The FCC, telecom industry, and private companies are currently developing solutions and taking many measures to battle this scourge. This post provides a brief overview of these measures.

STIR and SHAKEN Protocol to Identify Robocalls

While the name of this FCC initiative may evoke images of an Ian Fleming character ordering a particular martini at a bar, we can assure you that there’s nothing watered down about this solution. Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted information using toKENs (SHAKEN) are a set of new standards being developed and implemented by the FCC in conjunction with telecom companies to help differentiate between spoofed and legitimate phone numbers.

To put it simply, the two protocols work together to verify that an individual who is calling is in fact who they claim to be. This works on two fronts:

  • The outbound caller’s phone contains a certificate verifying that the call is coming from the phone number associated with their certificate.
  • The phone call is passed along to the incoming phone carrier (AT&T, Verizon, etc.) which then checks the incoming public key against a private key in their database.

If the two keys match, the caller is verified; if not, it means the caller is not who they claim to be.
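In deployed SHAKEN, the assertion travels with the call as a signed token (a PASSporT) in the SIP Identity header. The following added example, which is not from the original article, shows the claim checks a terminating provider applies to that token alongside signature verification. The function names, phone numbers, certificate URL and 60-second freshness window are assumptions, and ECDSA verification of the signature against the `x5u` certificate is assumed to happen separately.

```python
import base64
import json

MAX_AGE = 60  # seconds of "iat" freshness accepted (assumed local policy)

def _b64url(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sample_token(iat: int) -> str:
    """Constructed PASSporT; the third part is a placeholder, not a signature."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.org/sp.pem"}
    claims = {"attest": "A", "dest": {"tn": ["12025550199"]}, "iat": iat,
              "orig": {"tn": "12025550101"}, "origid": "constructed-origid"}
    return ".".join([_b64url(header), _b64url(claims), "cGxhY2Vob2xkZXI"])

def _decode(part: str):
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def check_passport(token: str, from_tn: str, to_tn: str, now: int) -> list:
    """Return the list of claim problems; empty means the claims fit the call."""
    try:
        h64, p64, sig = token.split(".")
        header, claims = _decode(h64), _decode(p64)
    except ValueError:
        return ["malformed token"]
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return ["malformed token"]
    orig, dest = claims.get("orig"), claims.get("dest")
    orig_tn = orig.get("tn") if isinstance(orig, dict) else None
    dest_tns = dest.get("tn") if isinstance(dest, dict) else None
    problems = []
    if header.get("alg") != "ES256":
        problems.append("alg is not ES256")
    if header.get("ppt") != "shaken" or header.get("typ") != "passport":
        problems.append("not a SHAKEN PASSporT")
    if not str(header.get("x5u", "")).startswith("https://"):
        problems.append("x5u is not an https URL")
    if claims.get("attest") not in ("A", "B", "C"):
        problems.append("unknown attestation level")
    if orig_tn != from_tn:
        problems.append("orig.tn does not match the calling number")
    if not isinstance(dest_tns, list) or to_tn not in dest_tns:
        problems.append("dest.tn does not include the called number")
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > MAX_AGE:
        problems.append("iat missing or outside the freshness window")
    if not sig:
        problems.append("signature part is empty")
    return problems
```

A token that passes these checks still proves nothing until its signature verifies against a certificate chained to a trusted STI certificate authority; the claim checks stop a valid token from being replayed on a different call.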

This is profoundly important because the current method used by most robocalls to find success is to spoof phone numbers. What does this mean? By using widely available online VoIP services (most of which are hosted outside the U.S.), a robocaller is able to change their number to appear as if it is coming from a local number. Everyone reading this post is likely to have experienced this phenomenon: a spam call originating from a phone number within your area code. The technique is as insidious as it is clever.

Should the keys not match, the receiving caller would see an “x”, signifying that the number cannot be verified as legitimate.

This new STIR and SHAKEN protocol, however, does not come without its own host of issues. The effectiveness of the program relies heavily on cooperation between telecom industries and the FCC for implementation and execution. It is also a slow process to roll out, and even with these advanced techniques, it is highly likely that some calls that should be blocked will still get through.

What else is happening in this space?

Combating Robocalls with Third-Party Solutions

Unsurprisingly, some of the most effective methods for combating the robocall scourge have come from the private sector. Apps like Robokiller and Nomorobo aim to solve the robocall problem in a much simpler, but highly effective manner: through data collection, list management, and pre-screening tools. Most of the applications, enabled by the sheer volume of calls placed every day, have collected a database consisting of millions of spoofed numbers. Whenever the application detects one of these numbers coming into your phone, it automatically screens the call, blocks it, then goes one step further by eating the robocaller's minutes with a highly curated playback recording of their own.

Again, this solution, while clever, is not without flaws: new numbers that previously have not been cataloged will still get through; there are few barriers (such as no prohibitive cost) to creating new phone numbers; and, finally, given that 9 billion combinations can be created from a 10-digit sequence (with some obvious limitations for area codes), it’s unlikely for these spoof callers to run out of numbers anytime soon.

It also creates another issue: a race to the bottom. YouMail CEO Alex Quilici claims that we have entered a cat-and-mouse era of sorts:

“If you don’t answer the phone the robocaller has to work harder, so they generate more calls. It’s a death spiral.”

However, he notes that not all is lost.

“Even though we’re at an all-time high, there’s some good news [ . . . ] the numbers may be creeping up a little bit, but the situation seems to be mostly stable at this point. We have not turned the corner, but maybe the corner is in sight.”

At the end of the day, this isn’t a simple problem to solve. The most effective solution to blocking robocalls will be one that doesn’t rely on a single treatment but is multi-pronged, flexible, and adaptable.

The CiraSync SaaS platform also uses a robust global whitelist feature that is already effective in dealing with robocalls. The added security provided by the upcoming STIR and SHAKEN protocol should provide even more reductions in robocalls for CiraSync customers.
