STIR/SHAKEN (STIR: Secure Telephone Identity Revisited; SHAKEN: Signature-based Handling of Asserted Information Using toKENs) might sound like something from an old James Bond movie (after all, that’s where the idea came from), but it's one of the most important developments in robocall history. In simple terms, STIR/SHAKEN is a framework of protocols designed to prevent neighbor spoofing, a technique robocallers use to conceal their identities. The goal is to ensure caller ID information is reliable and accurate, even across multiple phone networks.
However, despite the government announcing the STIR/SHAKEN framework several years ago, we're only just beginning to see its effects — and so far, they haven’t been game-changing. Scammers are still stealing personal information like login credentials, Social Security numbers, and bank account details, getting away with tens of billions of dollars every year.
This guide will answer the following questions:
STIR/SHAKEN is a combination of protocols and standards that allow phone companies to verify caller ID information as a call moves from caller to recipient. STIR is the protocol for digitally signing (authenticating) caller ID information so the recipient knows who’s trying to reach them. SHAKEN is the framework, or the way STIR is implemented across voice service providers.
Spam and scam calls have become a massive problem in the United States. These calls are more than just annoying; they’re dangerous. Here are some facts you should know:
Fraudulent robocalls have been around since the '90s, but they’ve become an increasingly serious issue in recent years. As a result, the government took action to fight the problem.
In 2016, the FCC created the Robocall Strike Force to explore new ways to identify spam callers and combat scams, as well as provide people with more information about calls from unknown numbers. Eventually, the FCC followed up with a new protocol called STIR/SHAKEN. Here’s the simple version of how it works:
For a closer look, here’s an overview of how STIR/SHAKEN is intended to work.
Someone dials a phone number, sending the originating service provider (the caller’s carrier) a SIP (Session Initiation Protocol) INVITE, or a request to initiate a call.
The originating service provider adds information like the caller’s number, the originating network, the attestation level of the call, and how confident they are that the caller’s original source matches the phone number’s owner. The provider also adds an encrypted digital certificate of authentication.
The terminating service provider, or the phone carrier of the recipient of the phone call, receives the SIP INVITE with the added information from the originating carrier. Even if the call goes through intermediate networks, the information from the originating provider remains unchanged.
After receiving the SIP INVITE and its added information, the call recipient’s phone carrier sends the SIP information to be confirmed by a STIR/SHAKEN verification service.
Using certificate repositories, the verification service checks the digital signature in the SIP information to confirm the call is legitimate. The service then sends the information back to the recipient’s phone carrier.
With the call authenticated and verified along the way, the intended recipient receives the phone call with accurate caller ID information.
STIR/SHAKEN won't work without the widespread cooperation of phone carriers like Verizon, T-Mobile, and AT&T, who all need to implement the protocol for it to operate effectively. Unfortunately, STIR/SHAKEN costs money to execute, making some telephone service providers hesitant to comply with the framework. This is why the government introduced new legislation to make carriers adopt the STIR/SHAKEN protocol.
In 2019, the newly signed TRACED Act mandated that carriers implement call authentication technologies (like STIR/SHAKEN) and a robocall mitigation program or face penalties for non-compliance. Deadlines for different types of phone carriers varied, however, and the final deadline wasn’t until June 2023. Unfortunately, these staggered deadlines may be one reason STIR/SHAKEN’s full effect still remains to be seen.
STIR/SHAKEN aims to help restore consumer trust in caller ID information by preventing phone number spoofing, but it can’t stop spam calls or punish scammers.
Unfortunately, STIR/SHAKEN comes with a few limitations:
While the STIR/SHAKEN framework is a step in the right direction, it's not an all-encompassing solution. That’s why it’s important for consumers to know about the additional steps they can take to protect themselves.
Although STIR/SHAKEN has provided a much-needed framework for unifying our efforts against spam, it’s not a complete solution on its own. However, there are additional steps you can take to keep robocalls from spamming your phone.
The National Do Not Call Registry is a database of phone numbers that legitimate telemarketers are restricted from contacting. Unfortunately, the Do Not Call Registry only prevents legal, legitimate calls from telemarketers and not the illegal robocalls that try to steal your money.
There are many ways scammers can get your number, from buying stolen data off the dark web to simply browsing the Internet. Removing your telephone number from social media accounts and online profiles makes you less susceptible to robocalls. If you own a business, use a separate line for your listing.
Reporting spam texts, scam attempts, and robocalls to your phone service provider alerts the company to the severity of the issue and may help prevent the same phone numbers from harassing others in the future. If your carrier is not STIR/SHAKEN compliant, however, they can’t effectively prevent caller ID spoofing.
If you’ve lost money to a scammer over the phone, you should report the problem to your local police department. However, even if they can help you get your money back, this won't stop illegal robocallers from contacting you in the future.
The unfortunate reality is that none of these options are foolproof. Even if you use all of the above methods, chances are you’ll still receive robocalls. However, with the right technology, you can take back your privacy and make robocalls a thing of the past.
While inconsistent deadlines and lack of cohesion may have prevented government programs like STIR/SHAKEN from eliminating the problem altogether to this point, there are other ways to crack down on unwanted spam calls and texts from the user side. A dedicated spam-blocker app can eliminate these nuisances using cutting-edge technology and user feedback.
An audio fingerprint is like a regular fingerprint, but for a person’s voice. Spam-blocking apps that use this technology can detect voice patterns and common phrases used by robocallers, creating an audio ID that can be attributed to the spammers themselves — not just their current phone numbers.
When a company identifies a spammer or scam caller by their audio fingerprint, it adds the number they’re calling from to a universal database, preventing the caller from harassing anyone else. This is one of the most effective ways to reduce the robocall problem.
Third-party spam-blocking apps use predictive algorithms, global research, and user feedback to identify and block spammers, preventing harmful and annoying calls from reaching your phone in the first place. Not all spam-blocking apps are equally effective, however, so it’s important to choose the spam blocker that offers the most critical features and comprehensive protection from scams.
A third-party spam blocker is a necessity in the fight against spam, and choosing the right one is a must. Robokiller comes with crucial features that work alongside STIR/SHAKEN technology to help block unwanted calls and shut down spam. These features include:
STIR/SHAKEN provides some welcome relief in the battle against robocalls. However, the framework has its limitations. Although it improves caller ID reliability and makes things difficult for robocallers, it hasn’t scared away scammers altogether. With the final STIR/SHAKEN deadline passing, we will see if more consistent, unified efforts have a more substantial impact on the spam problem. Until then, Robokiller can help you live spam-call-free™.
STIR/SHAKEN stands for Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using toKENs (SHAKEN). Put simply, it’s a framework of connected standards between different voice service providers that authenticates or “signs” phone numbers as legitimate. STIR/SHAKEN seeks to fight neighbor spoofing by ensuring that caller ID information is verified before calls can reach their targets.
A STIR/SHAKEN certificate is essentially confirmation that a call has been verified. These digital certifications allow voice providers to verify that the person placing the call is, in fact, who they say they are, not a potential scammer using neighbor spoofing to disguise their identity.
When someone calls your phone, STIR/SHAKEN attempts to identify the origin of the call — if the call is a possible scam, you’ll receive a warning on your caller ID. Using this information, you can decide to answer the call, reject it, block the number, or (depending on your carrier) send the call to voicemail.
While the STIR/SHAKEN protocol does represent a step toward actively fighting the spam problem, it’s not a complete strategy. It depends on not only national but worldwide cooperation, and it may take some time to become fully effective. STIR/SHAKEN may be more productive than the public realizes, however, as customers are generally unaware of the spam calls they don’t receive as a result of the framework.
An early version of STIR/SHAKEN was introduced to the public in 2019, but its various deadlines have made for a less-than-cohesive effort nationwide. As all voice service providers finally settle into the framework, we hope a more unified response leads to a more significant reduction in spam calls. Fortunately, you can still use spam-blocking apps like Robokiller to keep yourself safe from spam and scams.
STIR/SHAKEN is designed to help voice networks identify the source of illegal calls and assist agencies such as the FCC in shutting them down. However, holding accountable scammers from abroad is difficult — United States laws aren’t likely to dissuade fraudsters outside of its jurisdiction.