We need an industry-backed, tech-neutral resource to restore trust in voice communications

With illegal robocalls now representing nearly half of all unwanted calls in the U.S., consumers are opting to simply not pick up their phones. In fact, studies show that in the U.S. alone, 76% of calls from an unidentified or unfamiliar number are left unanswered, and 58% of consumers only answer calls from numbers they recognize.

A previous article exploring how businesses can protect their brands against the damages from illegal robocalls touched on industry initiatives that are helping consumers answer their phones again. The FCC Illegal Robocall Response Team and STIR/SHAKEN—the FCC-mandated initiative that provides a framework that voice service providers use to digitally sign each call that originates from their network—are examples of such initiatives.

But when unpacking the challenges that service providers and the industry face, it’s clear that a voice service provider’s robocall-mitigation strategy is only as effective as the information it’s based on. It’s even more important as countries such as the U.K. and France join the U.S. and Canada in considering or requiring service providers to use call authentication.

The driving principle of STIR/SHAKEN is that robocall mitigation is most effective when all receiving telephone companies know as much about the call’s origination as the originating telephone company does. This information also should be protected against tampering, bad actors and other fraudulent activity to help ensure that it always remains trustworthy. Most importantly, this system must work at scale.

The good news is that there has been extensive industry progress toward these goals, including common industry standards that have been defined and implemented. While the industry can certainly take a victory lap, there’s still more to do. One example is the diversity of how enterprises make phone calls—via outsourced contact centers or in-house direct—using third-party telephone numbers acquired separately from the company servicing each call. These variables complicate call authentication and highlight the need for a platform that serves as the industry standard source of trusted information.

In the U.S. alone, hundreds of voice service providers have deployed STIR/SHAKEN in the IP portions of their networks. Already, we are seeing STIR/SHAKEN work with legitimate traffic going through and suspicious traffic being stopped. And, as efforts continue to expand and become more robust, telephone companies are evolving their robocall mitigation efforts by building upon trusted information, which in turn benefits their enterprise customers.

Too many options lead to a Wild West

At the same time, some enterprises may feel that portions of their legitimate voice traffic may have been collateral damage caught in the web of the initial months of the STIR/SHAKEN launch. Valid enterprises want to be unequivocally known to their customers. They need deterministic and consistent outcomes for all the networks that their calls encounter in this new STIR/SHAKEN world, particularly as it relates to blocking, labeling and ultimately improving answer rates. They also do not want to have to fundamentally change their supply chains to achieve this consistency. This is something that’s very important, relative to how to support the entire ecosystem. So, as the industry moves forward, it remains heavily dependent on a very reliable trust model. Trusted data is a critical factor in support of STIR/SHAKEN and what underpins it.

There are a lot of players innovating in the robocall-mitigation space. That’s beneficial from an industry perspective, but the catch is that it can also feel like the Wild West.

Service providers and enterprises must wade through numerous solutions aiming to address the enterprise attestation gap. This ranges from gateway attestation, whereby the service provider has authenticated from where it received the call but cannot authenticate the actual call source, to full attestation, whereby the service provider has authenticated the calling party and they are authorized to use the calling number. Enterprises are being courted by many value-add suppliers promising dramatic answer-rate improvements even though they impact only one or two of the many networks that these enterprise calls will traverse. Furthermore, since many of these are proprietary solutions, ongoing investment and innovation are driven largely by commercial considerations rather than neutral, industry-based decision mechanisms.

On top of that, there is fragmentation when it comes to brand registration and verification because of the many solutions coaxing enterprises to come to their portal and enroll their company and phone numbers. Consider all the mobile apps providing robocall management, most of which have announced that a business registry now accompanies their consumer app. There are other solutions and vendors promoting their own registries, as well.

This fragmentation risks failing to restore consumer trust in voice calls because of inconsistencies that enterprises will see depending on which networks are servicing their calls. If a carrier changes its chosen solution provider, then what happens to all those outcomes that were put in place for a caller and no longer operate as before? Service providers, of course, seek to differentiate, and they also need to collaborate to ensure trust is consistently in place across the industry.

At the STIR/SHAKEN Virtual Summit in July 2021, industry attendees responded to poll questions such as, “What is your primary thought with respect to the multiple brand registration vehicles in the industry?”

  • 42% said there are too many places to register or integrate.
  • 21% indicated that proprietary solutions may not yield enough of the desired outcomes.
  • 32% were unsure of the differentiation of the various options, while only 7% had no concerns with having multiple solutions to support.

Another poll, about the primary value of a centralized, industry-backed source for trusted information, indicated that 73% of those surveyed said they value consistency and efficiency.

An industry-standard approach provides consistency

A centralized, industry-backed source for trusted information, where legitimate numbers can be registered, helps avoid confusion, unnecessary costs and inconsistency by providing a single, industry-standard framework. In 2021, the industry-led Secure Telephone Identity Governance Authority (STI-GA) announced that delegate certificates could now be used within the SHAKEN authentication ecosystem. These policy changes let enterprises and third-party calling services use delegate certificates to provide SHAKEN authentication when originating calls, whether from regular or toll-free numbers.

In addition to attestation to the calling party number, this approach provides a much richer, branded calling experience for engaging consumers. Proofs of concept have already demonstrated support for delegate certificates and the enriched calling party information, such as caller name, logo and call reason, that can be conveyed between networks and signed using these certificates.

Here’s how it works: A call is given the top level of attestation (A-level, full attestation) only if the service provider signing the call can attest to the customer’s right to use that telephone number for outbound calls. Furthermore, displaying richer information about the caller to the consumer should be limited to trusted data and those calls known to be authentic. A delegate certificate gives service providers a way to establish a customer’s right to use a telephone number when the service provider did not assign that number itself.

The use of a delegate certificate enables calls to receive the highest level of attestation along with sending enriched call data even when a company sends an outbound call through a service provider using a third-party number. To support this, a centralized, industry-backed source of legitimate, registered numbers verifies that the commercial caller is authentic. It also defines the set of telephone numbers that these callers can sign with delegate certificates, enabling phone companies to trust those digital signatures.
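The attestation decision described above can be sketched as follows. This is an added example, not code from the article or from any SHAKEN implementation: the data model, names and sample numbers are constructed, no real certificate parsing is done, and the intermediate "B" (partial) level comes from the SHAKEN specification rather than from this article.

```python
# Added illustration: simplified model of the SHAKEN attestation decision.
# No real X.509 parsing; class, field and function names are hypothetical.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DelegateCert:
    holder: str        # enterprise named in the certificate
    tn_ranges: tuple   # (first_number, count) blocks the certificate covers
    not_after: date    # expiry date

    def covers(self, tn: str, today: date) -> bool:
        if today > self.not_after:
            return False   # an expired certificate establishes nothing
        n = int(tn)
        return any(int(first) <= n < int(first) + count
                   for first, count in self.tn_ranges)


def attest(calling_tn, customer_authenticated, sp_assigned_tns,
           registry, cert=None, today=date(2022, 4, 1)):
    """Return 'A' (full), 'B' (partial) or 'C' (gateway) attestation."""
    if not customer_authenticated:
        return "C"   # only the point of entry into the network is known
    if calling_tn in sp_assigned_tns:
        return "A"   # the provider assigned this number itself
    if cert is not None and cert.covers(calling_tn, today):
        # The registry defines which numbers this caller may sign for;
        # a certificate claiming numbers outside that set is not trusted.
        if calling_tn in registry.get(cert.holder, set()):
            return "A"
    return "B"       # customer known, right to use the number unproven


# Constructed sample data (fictional 555-01xx numbers).
REGISTRY = {"ExampleBank": {"12025550100", "12025550101"}}
CERT = DelegateCert("ExampleBank", (("12025550100", 4),), date(2023, 1, 1))

if __name__ == "__main__":
    for tn in ("12025550100", "12025550103"):
        print(tn, attest(tn, True, set(), REGISTRY, CERT))
```

The second sample number falls inside the certificate's block but is not registered to the caller, so it drops to partial attestation even though the certificate itself is valid.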

Fraudsters will take advantage of every opportunity and situation—including the global pandemic—to exploit consumers. Hence, the need for continuously evolving industry-backed policies from the STI-GA and others, along with a common and technology-neutral trust engine similarly driven by industry governance. It’s encouraging to see the progress by the industry so far, and no doubt we’ll continue to see service providers, governments and regulators, as well as the telecom ecosystem as a whole, work together to restore consumer confidence in answering their telephones.

Source: https://www.helpnetsecurity.com/2022/04/01/voice-service-providers/
