At Quobis, we have always been conscious of the risks related with identity theft in the voice channel (voice spoofing).

In 2011 and from our participation in an R&D project call SecVoID, we created IdentityCall; a solution based on the insertion of personal digital certificates as a part of the SIP header. Essentially, in order to perform a call the user was required to have a certificate (like the one that comes with Spanish national ID). This allowed the callee to know whether the caller was identified in the network.

Later, and in a joint initiative between the FCC regulator and the service provider association ATIS, a protocol and architecture named STIR/SHAKEN was born:

• STIR (Secure Telephony Identity Revisited) is a protocol standardized by the IETF, it defines a signature in order to verify the calling number. It specifies as well how this certificate will be transported in a SIP header field of the call.
• SHAKEN (Signature-based Handling of Asserted information using toKENs) refers to the architecture defined by ATIS and the SIP Forum providing an implementation of the STIR protocol for the service providers.

From the point of view of the operator, complying with STIR/SHAKEN protocol requires some network adaptations. To support the certification field in the SIP Headers, exchange certification keys with other operators and validate the keys with the certification authority (each country designs its own authority), the operator has a couple of options:

• Using proprietary network elements such as SBCs.
• Using Open Source solutions like Kamailio.

The way the protocol works is by providing every call a “trust value” when originated. According to the available authentication grade, it shows whether there is total knowledge of the call, if it is validated in the origin but not the person (Ie. enterprise numbering on which you only know the enterprise but not the specific caller) and when its origin is suspicious (such as calls that come from international trunks).

Besides, operators are able to use the protocol to provide information to the end customer. This includes visual cues to show that the call was verified, logo and name of the calling company and even the reason of the call if this info was issued when the call was originated.

It is fundamental that the adoption of this solution is driven by the adoption of a specific legal framework that allows operators to block the calls. Considering this, some countries that have seen STIR/SHAKEN as a potential solution to the threat of identity theft using the voice channel (countries like USA, Canada and France) have already enacted laws around the topic.

Besides there are another dozen countries around the globe that are in the midst of studying how to implement similar security measures to reduce voice spoofing risks.

Nowadays there is no equivalent legislative proposal in Europe (except for France) nor in Latin America. Due to the rise of voice spoofing attacks, it is likely that in the coming years we see more countries enacting further legislation around this topic.

It is specially relevant the incentive of cybercriminals to perform this kind of attack on those countries on which it is easier to operate. This creates an environment on which the countries that regulate around this matter are more and more overexposed to risks.