Q: When will the new caller ID authentication program go into effect?
We’re all dealing with a noticeable increase in robocalls that often use a “spoofed” caller ID in hopes that we will take the call and engage with the scammer on the other end.
One of the most common spoofs is referred to as “neighbor spoofing,” because it uses the same area code as your number and, oftentimes, even the same prefix.
The technology that allows just about anyone with an internet-connected computer to perpetrate caller ID spoofing has gotten so inexpensive that the practice has grown exponentially. Just as anyone can write any return address they want on a piece of mail, or use whatever they want as a return address on a fake email message, the same is currently possible with caller ID.
This has led to most of us not picking up a call we don’t recognize and, even when we do recognize the number, we can’t fully trust what we are seeing because of spoofing.
Our current caller ID technology was developed without any consideration that it could be used nefariously and hasn’t changed much, while the technology to exploit it has exploded.
Federal Communications Commission Chairman Ajit Pai challenged the telecommunications industry in November 2018 to adopt a caller authentication system to combat this growing nuisance in 2019, or face regulatory intervention.
The result has been a focus on STIR/SHAKEN, a framework for developing a caller authentication system that’s been in the works since 2016 and that all the major telecom providers are participating in.
STIR (Secure Telephony Identity Revisited) is the core of the authentication technology and SHAKEN (Secure Handling of Asserted information using toKENs) defines how STIR should be implemented.
How it works
As with many secure platforms on the internet, digital certificates that leverage public key cryptography will make it possible to verify that the caller ID that you see on your display is accurate.
Once implemented, whenever a call is placed, the caller’s telecom provider will check the reported caller ID through its own authentication service, then pass the call on to the recipient’s service provider. That provider will use a separate verification service that checks against the digital certificate database to ensure the caller ID is accurate.
It’s essentially a multi-factor verification process with digital certificates that would make spoofing a much more difficult process than it is today. To be realistic, this isn’t likely to curtail robocalls — much like anti-spam technology has done little to keep spammers from continuing to try working around our filters.
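The sign-then-verify flow described above, as an added example that is not part of the original column and is not any provider's code. It goes beyond the text by using a simplified form of the signed token that STIR/SHAKEN defines (PASSporT, RFC 8225 and RFC 8588); the function names, the in-memory certificate map, the placeholder URL and the 555 phone numbers are assumptions constructed for illustration.

```javascript
// Added example: simplified STIR/SHAKEN signing and verification (Node.js built-ins only).
const crypto = require("crypto");
const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const unb64u = (s) => JSON.parse(Buffer.from(s, "base64url").toString());

// Constructed key pair standing in for the originating provider's certificate.
const providerKeys = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
const CERT_URL = "https://certs.example.test/provider-a.pem"; // placeholder URL
// Assumption: an in-memory map plays the role of the certificate database.
const CERT_STORE = new Map([[CERT_URL, providerKeys.publicKey]]);

// Originating provider: attest to the caller ID and sign the token (ES256).
function signCall(origTn, destTn, iat, key = providerKeys.privateKey) {
  const header = { alg: "ES256", ppt: "shaken", typ: "passport", x5u: CERT_URL };
  const payload = { attest: "A", dest: { tn: [destTn] }, iat,
                    orig: { tn: origTn }, origid: crypto.randomUUID() };
  const signingInput = `${b64u(header)}.${b64u(payload)}`;
  const sig = crypto.sign("sha256", Buffer.from(signingInput),
                          { key, dsaEncoding: "ieee-p1363" });
  return `${signingInput}.${sig.toString("base64url")}`;
}

// Terminating provider: check the token against the caller ID the call presents.
function verifyCall(token, displayedTn, calledTn, now, maxAgeSec = 60) {
  const parts = token.split(".");
  if (parts.length !== 3) return "fail: malformed token";
  let header, payload;
  try {
    header = unb64u(parts[0]);
    payload = unb64u(parts[1]);
  } catch {
    return "fail: malformed token";
  }
  if (!header || header.alg !== "ES256" || header.ppt !== "shaken") return "fail: unsupported token";
  const cert = CERT_STORE.get(header.x5u);
  if (!cert) return "fail: unknown certificate";
  const signatureOk = crypto.verify("sha256", Buffer.from(`${parts[0]}.${parts[1]}`),
    { key: cert, dsaEncoding: "ieee-p1363" }, Buffer.from(parts[2], "base64url"));
  if (!signatureOk) return "fail: bad signature";
  if (Math.abs(now - payload.iat) > maxAgeSec) return "fail: stale token";
  if (payload.orig?.tn !== displayedTn) return "fail: caller ID mismatch";
  if (!Array.isArray(payload.dest?.tn) || !payload.dest.tn.includes(calledTn)) {
    return "fail: destination mismatch";
  }
  return `verified (attestation ${payload.attest})`;
}
```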
When will we see it?
Individual telecoms have successfully tested the protocol on a limited basis with each other, but in order for it to work properly, all providers will have to make sure they’re successfully communicating with all other providers.
The FCC’s hard deadline for implementing the protocol is the end of 2019, but we don’t have a definitive timeline yet. The FCC is hosting a Robocall Summit on July 11, where we’ll get an update from the industry and, hopefully, we’ll have a better idea when we can expect it to be up and running.