From July 25, 2023, to fight against telephone scams, French operators will have to implement STIR/SHAKEN technology to block unauthenticated calls. A commendable but difficult measure to put in place.


Phone scams are a real pain. The most fashionable technique today is known as vishing, a contraction of "voice" and "phishing", which consists of displaying a false incoming number in order to deceive the recipient; scammers and spammers have advanced means of modifying the numbers that are displayed. This trick allows them to impersonate official bodies, such as the Banque de France, the CNIL or even a bank adviser, in order to extract personal and sensitive information from their victims, who believe they are dealing with a legitimate contact. CPF entitlements, Crit'Air stickers… There are countless recent scams based on this detestable method. The practice comes on top of traditional cold calling, and it encourages many users not to pick up when they receive a call from a number they do not know.

STIR/SHAKEN: the absolute weapon against fraudulent calls?

It is precisely to fight this type of fraudulent call that STIR/SHAKEN was developed: a set of protocols that makes it possible to authenticate incoming calls and limit identity theft. The good news is that French telephone operators will be forced to implement this identification system from July 25, 2023, and that they will have to systematically block unauthenticated calls in order to protect users from vishing scams. It is a significant measure, but one that will, in practice, come up against several pitfalls.

This “revolutionary” measure stems directly from the Naegelen law adopted in 2020, which aims to regulate cold calling and fight fraudulent calls. According to article L44, when the authentication device [editor's note: this refers to the STIR/SHAKEN protocol] is not used, or does not make it possible to confirm the authenticity of a call or message intended for one of its end-user customers or passing through its network, the operator interrupts routing of the call or message. If operators do not comply with this obligation, the Regulatory Authority for Electronic Communications, Posts and Press Distribution (Arcep) will be able to sanction them. A great step forward on paper, but difficult to put in place, especially in the time available…

STIR: a protocol to verify telephone identity

STIR/SHAKEN technology helps to better prevent vishing by adding new verification steps to the caller ID process. The two protocols work in a combined and complementary way. STIR (Secure Telephone Identity Revisited) aims to prevent fraudulent calls using VoIP technology, by verifying telephone identity using digital signatures and identity attestations. To put it simply, each call has an identity certificate, which is the association of a digital signature with the telephone number of the caller. This signature, which is a kind of digital certification, is created by the caller’s telephone service provider, which adds it to the so-called SIP header of a call. This makes it possible to verify whether the telephone number displayed during the communication is genuine or whether it has been falsified. If it is authentic, the caller is considered legitimate and the caller ID is confirmed. If identity attestation fails or no attestation is provided, it may be a sign that the phone number has been tampered with.

SHAKEN: a procedure to verify the authenticity and reliability of calls

If STIR aims to verify telephone identity, the SHAKEN protocol (Signature-based Handling of Asserted information using toKENs) takes care of authentication of telephone communications. It aims to provide tangible and reliable proof that the call is really coming from the identity it claims to be.

Each telephone call has its own token, which contains information about the call, such as the identity of the caller or the time of the call. This token is issued by the caller’s telephone service provider. When the call is routed through the telephone network, the token is also transmitted to the recipient’s operator. The latter can then verify its authenticity using special security keys, in order to confirm that the call indeed comes from the alleged identity. It then evaluates the reliability of the call according to different levels of confidence, in order to take the appropriate measures.

A level A authentication is complete and means that the operator certifies that the caller is authorized to use the number provided by the SIP communication. Level B authentication is partial and means that the operator certifies the endpoint originating the call, but cannot verify whether the caller is authorized to make calls from that number. Finally, a level C authentication means that the caller’s operator can only certify the point of reception of the call, without being able to certify the source itself. It is the calls with a C certification that must be terminated. Note that this can pose a problem with international calls, since foreign operators are not subject to the legislation, and are therefore not obliged to certify telephone communications.
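An added example, not part of the original article: the signed token carried in the SIP Identity header and the check made by the recipient's operator, using Node.js's built-in crypto module. The key pair, phone numbers, timestamp and certificate URL are constructed, the 60-second freshness window is an assumption, and the routing policy follows the article's description (no attestation, a failed check or level C leads to interruption).

```javascript
// Added example, not from the article. Keys, numbers and URL are constructed.
const crypto = require('node:crypto');

const P1363 = { dsaEncoding: 'ieee-p1363' }; // JWS ES256 carries raw r||s, not DER
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
const stop = (reason) => ({ action: 'interrupt', reason });

// Originating operator: bind caller number, callee and time to a signature.
function signPassport(claims, privateKey, x5u) {
  const input = `${enc({ alg: 'ES256', ppt: 'shaken', typ: 'passport', x5u })}.${enc(claims)}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, ...P1363 });
  return `${input}.${sig.toString('base64url')};info=<${x5u}>;alg=ES256;ppt=shaken`;
}

// Terminating operator: decide whether to route or interrupt the call.
// publicKey stands in for the key taken from the certificate at x5u, after
// its chain has been validated (assumption: that step is done elsewhere).
function checkCall(identityHeader, displayedTn, publicKey, now, maxAgeSec = 60) {
  if (!identityHeader) return stop('no attestation');
  const parts = identityHeader.split(';')[0].trim().split('.');
  if (parts.length !== 3) return stop('malformed token');
  let header, claims, valid;
  try {
    header = dec(parts[0]);
    claims = dec(parts[1]);
    // The algorithm is fixed here, never taken from the token's own header.
    valid = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
      { key: publicKey, ...P1363 }, Buffer.from(parts[2], 'base64url'));
  } catch { return stop('malformed token'); }
  if (header.alg !== 'ES256' || header.ppt !== 'shaken') return stop('unexpected token type');
  if (!valid) return stop('bad signature');
  if (Math.abs(now - claims.iat) > maxAgeSec) return stop('stale token');
  if (!claims.orig || claims.orig.tn !== displayedTn) return stop('number mismatch');
  if (!['A', 'B'].includes(claims.attest)) return stop(`attestation ${claims.attest}`);
  return { action: 'route', reason: `attestation ${claims.attest}` };
}

// Constructed sample calls: same caller, attested at level A and at level C.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const NOW = 1690272000; // constructed Unix timestamp
const CERT_URL = 'https://cert.example.invalid/op.pem';
const claimsFor = (attest) => ({ attest, dest: { tn: ['33199005678'] }, iat: NOW,
  orig: { tn: '33199001234' }, origid: '11111111-2222-3333-4444-555555555555' });
const callA = signPassport(claimsFor('A'), privateKey, CERT_URL);
const callC = signPassport(claimsFor('C'), privateKey, CERT_URL);
```

A valid level A token only proves that the originating operator vouched for the number; the check still fails if the number shown to the callee differs from the signed one or the token is replayed later.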

STIR/SHAKEN: a difficult protocol to implement

French legislation therefore requires operators to authenticate all telephone calls – on transmission – and to verify – on reception – that they are all authentic using the STIR/SHAKEN protocol. If the authentication is not complete, the telephony services should, in principle, interrupt the call. However, there is a small problem: the law does not provide an exception for aging technologies, such as the Public Switched Telephone Network (PSTN) or 2G and 3G mobile networks, which do not support the STIR/SHAKEN protocol – even if they are to gradually disappear. Moreover, this technology only works for VoIP calls. These networks will therefore not provide authentication, and so will violate the law.

In theory, all operators will have to apply the procedure by July 25, 2023, but the industrial reality is much more complicated, and the implementation of the law is likely to be much more gradual. Indeed, this procedure faces many difficulties. The authentication process shouldn’t pose too many problems; it’s the interruption that will be more delicate. Although all operators have had three years to comply with the law, the task is more difficult for small operators. In addition, some telecom players fear an increase in legislation, particularly in terms of free competition, with more and more mechanisms that increase the work of operators, as explained to us by Stanislas de Goriainoff, the CTO of Sewan.

STIR/SHAKEN: deployment longer than expected

The deadlines for applying the law are untenable, and the French Telecoms Federation (FFT) has already indicated that unauthenticated calls will not be blocked from July 25. Although the running-in phase of the application of the STIR/SHAKEN protocol began on June 30, the cut-off mechanism is not yet ready. In addition, since the law is quite binary – you must either authenticate the call or block it – the procedures will be applied gradually, with an observation phase.

But, concretely, what will change for users from July 25? In the short term, absolutely nothing. Initially, operators will simply identify and authenticate calls without blocking anything. There will therefore be no “visible” effect on the daily life of the French. In the medium term, however, the calls they receive will be filtered beforehand – the spoofed numbers can no longer be used – and, subsequently, information about the calls could even be displayed directly on their terminal. Note that this will also allow the Directorate General for Competition, Consumer Affairs and Fraud Prevention (DGCCRF) to trace the origin of the call and punish the scammers. But it is above all a way for telephony players to restore user confidence in calls, and thus catch up with competitors like WhatsApp on this point.
