
Many people receive automated machine calls on a daily basis, and more and more of them are getting annoyed. The Federal Communications Commission (FCC) in the United States must have received, and no doubt continues to receive, many complaints about automated calls and caller ID spoofing. Apparently, these complaints forced the FCC to come up with a plan to protect consumers from caller ID spoofing, which these machines are known to use.

Specifically, the FCC is pushing telecommunication companies to adopt call authentication to verify the caller ID reading. Ajit Pai, the FCC Chairman, is determined to have telecommunication companies adopt “robust call authentication” to combat illegitimate caller ID spoofing. The FCC hopes to have the call authentication framework in production in 2019.

What is the Authentication Method?

“Robust call authentication” uses two frameworks to verify the caller ID. The two frameworks are Secure Handling of asserted information using toKENs (SHAKEN) and Secure Telephony Identity Revisited (STIR). The process to verify a caller ID uses certificates to verify that the caller ID wasn’t manipulated to look like an authorized number.

This process can output three results. The first result is called full attestation, meaning that the caller has been verified by the service provider as having the necessary authorization to use the number in the caller ID. The second result is called partial attestation, meaning the service provider has verified the origin of the number but not whether the caller has authorization to use the number in the caller ID. The third result is gateway attestation, meaning the service provider has not verified the source of the call because it might be coming from a company’s PBX.
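As an added illustration (not code from the original article or from any carrier), the Python sketch below shows where these three results appear on the wire: in SHAKEN the originating provider attaches a signed token (a PASSporT, RFC 8225 and RFC 8588) to the SIP Identity header, and its "attest" claim is A, B or C for full, partial or gateway attestation. The function names, sample numbers, certificate URL and 60-second freshness window are assumptions, and the sketch only decodes and checks claims; it does not verify the signature or the certificate chain.

```python
import base64
import json
import time

# "attest" claim values (RFC 8588) mapped to the three results described above.
ATTEST = {"A": "full", "B": "partial", "C": "gateway"}

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_sample(attest, orig_tn, iat):
    """Constructed Identity header value; the signature segment is a placeholder."""
    hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
           "x5u": "https://cert.example.invalid/shaken.pem"}
    claims = {"attest": attest, "dest": {"tn": ["12025550101"]}, "iat": iat,
              "orig": {"tn": orig_tn}, "origid": "00000000-0000-4000-8000-000000000000"}
    token = ".".join([b64url_encode(hdr), b64url_encode(claims), "c2ln"])
    return token + ";info=<" + hdr["x5u"] + ">;alg=ES256;ppt=shaken"

def inspect_identity(header_value, caller_id, now=None, max_age=60):
    """Decode the PASSporT and check its claims against the displayed caller ID.
    Signature and certificate-chain verification are NOT performed here."""
    parts = header_value.partition(";")[0].strip().split(".")
    if len(parts) != 3:
        raise ValueError("PASSporT must have three dot-separated segments")
    hdr = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    if hdr.get("alg") != "ES256" or hdr.get("ppt") != "shaken":
        raise ValueError("not a SHAKEN PASSporT")
    if claims.get("attest") not in ATTEST:
        raise ValueError("unknown attestation value")
    now = time.time() if now is None else now
    return {
        "attestation": ATTEST[claims["attest"]],
        "cert_url": hdr.get("x5u"),
        # A mismatch means the displayed number is not the one that was attested.
        "number_matches": claims.get("orig", {}).get("tn") == caller_id.lstrip("+"),
        # Stale tokens can be replays of an earlier, legitimately signed call.
        "fresh": abs(now - claims.get("iat", 0)) <= max_age,
    }

if __name__ == "__main__":
    sample = build_sample("B", "12025550100", int(time.time()))
    print(inspect_identity(sample, "+12025550100"))
```

A real verifier would additionally fetch the certificate named in `x5u`, validate its chain, and check the ES256 signature before trusting any of these claims.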

How will it help?

Authenticating the caller ID will help mitigate the illegitimate use cases for caller ID spoofing. However, it seems that it will still allow legitimate use cases. For example, it seems that a company could spoof a number to redirect customers to the proper number if they miss a call, and legitimate uses of automated calling would still be possible. Unfortunately, not all automated calls will disappear if this is enabled.

What is next?

I will write about how FreePBX and Asterisk can help mitigate automated calling machines.