Phone service providers have a new tool to fight robocalls, but it won't be enough
Good news for everyone sick of robocalls: The telephone industry hears you and is doing something about it.
Bad news: You’re still going to get robocalls.
Robocalls have skyrocketed in recent years, with the call-blocking service YouMail estimating that 5.2 billion calls were placed to U.S. numbers in March, up from 2.5 billion three years earlier.
But carriers are in the early stages of implementing new protocols aimed at stamping out one of the most common tactics used by robocall scammers. The protocols, STIR (Secure Telephony Identity Revisited) and SHAKEN (Secure Handling of Asserted information using toKENs), will make it harder for scammers to hide their actual phone numbers — though experts warn it's unlikely that these calls will be gone for good any time soon.
Here’s how STIR and SHAKEN would work on a hypothetical phone call from Carrier A to Carrier B: When the caller on Carrier A hits the dial button, a digital signature is attached to the call with information about the phone number and carrier. When the call arrives on Carrier B’s network, the carrier checks to see if the signature is there and is valid. If it passes the test, the call is marked as verified to the recipient.
When rolled out across enough networks, the telephone industry hopes that STIR/SHAKEN will eliminate neighbor spoofing, where scammers trick a caller ID into believing that a call is coming from the recipient's area code. If a call has been verified, the number on the caller ID is definitely the number the call came from.
Industry experts say getting rid of spoofing’s biggest benefit will be that it allows call-blocking services to more accurately flag scam calls.
“It’s an important tool,” said Jim McEachern, principal technologist at the Alliance for Telecommunications Industry Solutions and one of the developers of the SHAKEN protocol. Call-blocking services make decisions based on the caller ID, he said, “but the caller ID can be spoofed. Once they have hard data, they'll be able to make much better decisions.”
These experts say eliminating spoofing will also increase the business costs of being shady. Because scammer’s underlying phone numbers will be exposed, and once they’re exposed the chances of their numbers being blocked is high, the scammers will ultimately have to buy more phone numbers more often.
“If they can’t spoof, it gets to be very expensive,” said Jonathan Nelson, director of product management at the call-blocking service Hiya, which powers AT&T’s call protect feature. “They either stick with the same phone numbers for longer or they have to keep returning and buying new phone numbers, which cuts into their profits.”
Getting rid of spoofing will also make it easier for government agencies to identify and prosecute scammers in the United States, Nelson said.
“The real strength comes from enforcement,” Nelson said. “It's going to be quicker for the government to go in and shut down these operators.”
The Federal Communications Commission has urged service providers to adopt STIR/SHAKEN and begin verifying calls this year. Verizon and T-Mobile, two of the largest wireless carriers in the country, already use the feature for calls inside their networks. Most other carriers anticipate their own rollouts by the end of 2019, although Sprint has said in letters to the FCC that it anticipates testing the feature in the second half of the year.
Carriers are taking time with the rollouts, McEachern said, to test the protocols for flaws and to make sure their networks can handle the additional data.
“This is active software, running every time you make a call, so it has the potential to break the network if you don't test it,” McEachern said.
There are limitations to STIR/SHAKEN. Carriers have to build the infrastructure to verify incoming calls from other networks, something that at the moment is only available on calls between certain T-Mobile and Comcast phones. Verizon and AT&T have conducted successful cross-network verification tests with Comcast.
Verification of overseas calls will require coordination between industry groups in individual countries. Canada is the only other country rolling out STIR/SHAKEN call authentication, and right now calls between the U.S. and Canada, even if both sides used the tools, wouldn’t be able to be verified. And although it won’t be hard to enable cross-country verification, it probably won’t be in place until next year.
Even if all major providers participate in call verification, it still might not make a dent in the number of robocalls. The six largest carriers — Verizon, AT&T, T-Mobile, Sprint, Comcast and CenturyLink — only account for about 13 percent of scam robocalls, according to a March report by Transaction Network Services, whose call blocking software is used by Verizon and Sprint. (Comcast owns NBCUniversal, the parent company of NBC News.)
Most scammers use internet-based Voice Over IP (VOIP) services to make calls, said Jim Tyrrell, senior director of project marketing for Transaction Network Services. And while some VOIP carriers, such as Vonage, have committed to signing calls, not all have.
Still, as the large carriers implement STIR/SHAKEN, it will increase pressure on the carriers that don’t, Nelson said.
Experts warn that STIR/SHAKEN will not stamp out scam robocalls. Scammers will still find their way around. For instance, they might respond by purchasing numbers or using providers that use STIR/SHAKEN. It might cost them more and they won’t be able to use the numbers for as long, but their scam calls would be verified. And experts are concerned about scammers using verified numbers.
YouMail CEO Alex Quilici said call authentication doesn’t mean that the name on the caller ID or the caller can be trusted.
“All it means is that the carrier owns the number,” he said.