STIR/SHAKEN Is Now in Effect, but It’s Not Moving Me Yet
THE STIR/SHAKEN framework took effect in the United States June 30, and I am slightly optimistic, but more skeptical, that the effort will yield the desired results.
STIR/SHAKEN—which is short for Secure Telephony Identity Revisited (STIR) and Signature-based Handling of Asserted information using toKENs (SHAKEN) is supposed to stop unwanted robocalls and illegal call spoofing by enabling the authentication and verification of caller identities. The Federal Communications Commission (FCC) set June 30 as the deadline for all communications providers to adopt the framework to verify traffic across their networks.
In theory, STIR/SHAKEN is great. Something needs to be done to stop robocalls and scam calls. YouMail tracked more than 4.4 billion robocalls in the month of April alone. For context, that averages out to 147.6 million calls per day and 1,708 calls per second. I am convinced that most of them come to my landline and cell phones. I get a constant barrage of calls from a nonexistent company called Card Services, which is really just a phishing scam to get credit card information by promising to lower interest rates. I also get an endless stream of scam calls from fraudsters claiming to provide auto extended warranties, Medicare services reviews, and free solar panels; others claim that my Amazon account is being locked because of a suspected fraudulent iPhone purchase in Dayton, Ohio, and that my non-existent Coinbase account is being frozen for the same reason. And these are just the more common ones. Most of these fraudsters illegally spoof other phone numbers to fool caller ID systems into thinking that they are legitimate.
Both my cell and home numbers are listed on the Federal Trade Commission’s National Do Not Call List, and I report each and every violation on the FTC’s website, but so far the agency has been either unable or unwilling to do anything to hold the scammers accountable. The Card Services scam has been going on now for more than two and a half years.
So I don’t think that my skepticism is without merit. All other efforts to stop scam calls have been grossly inadequate, to say the least. The scammers always seem to be one step ahead, and with each new mechanism to stop them, they develop a work-around quickly and continue to carry out their criminal endeavors.
The problem isn’t limited to phone calls, either. At least as many scam text messages are being sent every month. Robokiller reports that Americans received 7.4 billion spam text messages in March alone. With more Americans now wary of answering phone calls from unknown numbers, recent trends show that scammers are relying more heavily on text messages as their weapon of choice to steal from more Americans.
Email this year marks its 50th anniversary—Ray Tomlinson invented it in 1971—but in all that time, no one has effectively dealt with the issue of spam, either. Sure, spam filters work to some degree, but spam still gets through, and even when it goes into a spam folder, it still clogs servers and networks. Nefarious email-based adware, spyware, ransomware, and other malware still do serious damage, and here too bad actors remain one step ahead of authorities and antivirus updates.
So why should STIR/SHAKEN be any different? The framework requires all inbound and outbound calls traveling through any connected phone network to have their caller IDs certified, but many businesses are still unsure exactly how to do this. You can be sure, though, that the criminal organizations have been working for months on ways to circumvent the STIR/SHAKEN framework. For them, the incentives are great. The FCC estimates that fraudulent robocall schemes cost Americans about $10 billion annually.
Just to be clear, I am not against STIR/SHAKEN. If it stops even just a few of the scam calls I receive every day, I will be happy. But on June 30, the day that the FCC set for all carriers to adopt the framework, I received three scam calls in just two hours. One was from a company pushing free diabetic glucose monitors as a way to get health insurance information, one was from the same jerks who have been peddling the Amazon scheme for months, and I didn’t answer the third, which was the only one of the three identified in caller ID as a “Spam Risk.”