What ever happened to SHAKEN/STIR? I thought this was supposed to happen 5 years ago. Did they just chicken out on the prospect of actually shutting down telcos sending spam volume? I still get loads of spam phone calls, so clearly something went wrong (or slow enough to be indistinguishable from wrong).
I'm not certain, but I think on my phone incoming calls that fail SHAKEN/STIR show the caller ID in red rather than black text. I'm on T-Mobile. It also shows "Number Verified" or something like that.
According to a DEF CON talk, spammers just make sure all their spam gets routed through legacy TDM systems which discard the SHAKEN/STIR header because they're too old to support it. The other side then re-adds a "we got this from somewhere that didn't support this header" header.
Just because a call is a spam call doesn't mean it is spoofed. STIR/SHAKEN ends spoofing but anyone can ultimately buy a phone and make calls that are spammy.
STIR/SHAKEN up to this point has only been a self-certification that a telecom company has the right to use a number. What the FCC is trying to do is set up a legal obligation for the STIR/SHAKEN header to match a KYC verified identity.
If the FCC implements this, I expect a lot of litigation because of the burden and legal liability this would place on telecom and VoIP companies. There are other less burdensome approaches to preventing spam that the FCC has not tried.
The FCC issued a report on this very subject[1]. TLDR, there have been four exceptions to the SHAKEN/STIR requirements:
- Providers that can't afford to implement it
- Non-IP networks
- Small voice service providers that originate calls via satellite using U.S. NANP
- Providers that lack control over the network infrastructure necessary to implement
Nothing is going to change as long as those holes exist.
> I thought this was supposed to happen 5 years ago. Did they just chicken out on the prospect of actually shutting down telcos sending spam volume?
It would certainly hurt a consumption-based economy, for starters.
I love a good tortured acronym:
> SHAKEN system, short for Signature-based Handling of Asserted information using toKENs [...]
> The name was inspired by Ian Fleming's character James Bond, who famously prefers his martinis "shaken, not stirred". STIR having existed already, the creators of SHAKEN "tortured the English language until [they] came up with an acronym."
https://en.wikipedia.org/wiki/STIR/SHAKEN
(Unrelatedly, seeing a slash used casually within the URL slug feels so wrong)