12 Nov There is a solution to the issue of unsolicited calls and phone number spoofing!
Confidence in the phone number has been dragged to a new low with the surge of unsolicited phone calls and of spoofed phone numbers. French telecom regulator ARCEP has recently taken a couple of measures on this issue but this boils down to letting operators take care of the problem, without asking them to solve it in real time. DGCCRF (the French consumer protection and fraud fighting office) is supporting a working group of the National Council for Consumer affairs, which is to take position on whether consumers should be asked to opt-in in order to receive marketing calls. Nothing is done in France to kill the beast in the egg, i.e. during the setup of the phone call. However, there is a technology, which enjoys an ultra-fast development and a massive adoption rate: the IETF Stir / Shaken set of protocols.
Stir means dire Secure Telephony Identity Revisited and Shaken Secure Handling of Asserted information using toKENs.
How does Shaken work? A VoIP call (a SIP INVITE) is received by a telephone operator. This operator authenticates the calling party number, creates a SIP Identity header, which includes the calling party number, the called party number, call date and time, an attestation and a unique identifier, before transmitting the call to the operator of the called party, together with this security certificate. The operator of the called party verifies the authenticity of the security certificate before transmitting the call to the called party.
Stir and Shaken are a technology, which allows to check the legitimacy of the calling number. A technology is not enough to provide a security function. One needs an operational model of the coordinated use of this technology between the actors in charge, namely telecom operators. This operational model is being defined in the USA within ATIS, the Alliance for Telecommunications Industry Solutions (atis.org) which has set up a test bed for Stir and Shaken.
In order for operators to do the same thing at the same time, there is only one way: the legislator or the regulator mandates it or gives it a strong blessing which is to be understood as an injunction. This is what the FCC (Federal Communications Commission) has done in the USA.
If I search for “Stir Shaken USA” on Google, I see the names of AT&T, of the FCC and the mention of fighting robocalls. If I search “Stir Shaken France”, I see only cocktail recipes.
This post is a call for the creation of an interest group about Stir and Shaken in France, in order to steer operators, cybersecurity firms and regulators toward an organisational and technical solution to the unsolicited calls issue, at the scale of the issue.