Technical Note: STIR/SHAKEN Limitations in ANI Spoof Detection
The STIR/SHAKEN framework was introduced to combat illegal robocalls and Caller ID spoofing by verifying the authenticity of the calling number (Automatic Number Identification, or ANI). However, while the protocol is an important step towards mitigating spoofing on traditional telephony networks (PSTN), it has significant limitations that render it ineffective in many common scenarios, particularly in the context of modern communication methods and international calling.
There are many reasons why this is the case, such as:
STIR/SHAKEN Only Works on Traditional PSTN Networks
- The STIR/SHAKEN protocol is designed to work on Session Initiation Protocol (SIP) networks, primarily used in the United States for domestic VoIP and traditional telephony services.
- It relies on a chain of trust established by digital certificates issued by trusted certificate authorities, which are used to sign and verify call information.
- However, STIR/SHAKEN does not extend to over-the-top (OTT) VoIP services like WhatsApp, Skype, Telegram, or other internet-based calling platforms. These platforms operate outside of the PSTN infrastructure and do not utilize SIP-based signaling in a manner compatible with STIR/SHAKEN.
Implication: Fraudsters can easily bypass STIR/SHAKEN by using OTT VoIP services, which are increasingly popular for making international and domestic calls. These platforms do not participate in the STIR/SHAKEN ecosystem, making them a blind spot for ANI spoof detection.
STIR/SHAKEN Has Limited or No International Applicability
- The STIR/SHAKEN protocol was developed under the regulatory framework of the Federal Communications Commission (FCC) in the United States, with adoption largely limited to North American telecom providers.
- Internationally, there is no standardized adoption of STIR/SHAKEN, and many foreign carriers do not implement or recognize the protocol. As a result, calls originating from or routed through international VoIP carriers or foreign PSTN networks simply lack STIR/SHAKEN attestation.
- Fraudsters can exploit this gap by originating calls from outside the United States or routing calls through international carriers, effectively bypassing the STIR/SHAKEN validation process.
Implication: ANI spoof detection becomes ineffective for a significant portion of calls, particularly those from international sources, where no attestation is available, or the attestation cannot be verified.
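Added example (not code from this note, ValidSoft or any carrier): a Python triage of a SIP INVITE by its STIR/SHAKEN Identity header (the PASSporT token defined in RFC 8224/8225/8588), showing that a call arriving without one leaves the terminating side nothing to verify. The function names, the example hosts, the 555 numbers and the dummy signature are constructed. Signature and certificate-chain validation are assumed to happen in a separate step.

```python
import base64, json, re

def _b64url(obj):
    """Encode a dict as an unpadded base64url JSON segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def _unb64url(part):
    """Decode one base64url JWT segment into a Python object."""
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def sample_invite(from_tn, orig_tn=None, attest="A", iat=1700000000):
    """Constructed test INVITE; the signature segment is a dummy placeholder."""
    lines = ["INVITE sip:+12025550111@carrier.example SIP/2.0",
             f"From: <sip:+{from_tn}@carrier.example>;tag=1"]
    if orig_tn is not None:
        head = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
                "x5u": "https://cert.example/sti.pem"}
        claims = {"attest": attest, "dest": {"tn": ["12025550111"]}, "iat": iat,
                  "orig": {"tn": orig_tn}, "origid": "constructed-origid"}
        lines.append(f"Identity: {_b64url(head)}.{_b64url(claims)}.ZHVtbXk"
                     ";info=<https://cert.example/sti.pem>;alg=ES256;ppt=shaken")
    return "\r\n".join(lines) + "\r\n\r\n"

def triage_invite(invite, now, max_age=60):
    """Classify an INVITE by its PASSporT claims. Signature and certificate
    chain are NOT validated here, so a result is never proof of authenticity."""
    headers = {}
    for line in invite.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the SIP header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    if "identity" not in headers:
        return ("unsigned", None)  # no attestation at all: nothing to verify
    try:
        head_b64, claims_b64, _sig = headers["identity"].split(";")[0].strip().split(".")
        head, claims = _unb64url(head_b64), _unb64url(claims_b64)
        ppt, attest = head["ppt"], claims["attest"]
        orig_tn, iat = str(claims["orig"]["tn"]), int(claims["iat"])
    except (ValueError, KeyError, TypeError):
        return ("malformed", None)
    if ppt != "shaken" or attest not in ("A", "B", "C"):
        return ("malformed", None)
    from_user = re.search(r"(?:sips?|tel):([^@;>]+)", headers.get("from", ""))
    if not from_user or re.sub(r"\D", "", from_user.group(1)) != re.sub(r"\D", "", orig_tn):
        return ("from-mismatch", attest)
    if abs(now - iat) > max_age:
        return ("stale", attest)
    return ("claims-consistent", attest)
```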
VoIP Spoofing is Not Prevented by STIR/SHAKEN
- VoIP platforms can easily manipulate Caller ID information, as they often provide flexible options for setting outbound Caller ID, which can be used legitimately for business purposes but also opens the door for abuse.
- Since STIR/SHAKEN relies on a digital signature attached by the originating carrier, it does not account for the numerous VoIP service providers that do not participate in the protocol. This allows fraudsters to use unregulated VoIP services to spoof ANI data without detection.
Implication: Fraudsters favor VoIP platforms precisely because they offer more control over Caller ID and are outside the scope of STIR/SHAKEN enforcement. This makes VoIP-based spoofing a preferred method for bypassing ANI validation.
Summary
While the STIR/SHAKEN framework can be a valuable tool for reducing spoofing on compliant domestic SIP networks, it is ineffective at detecting or preventing ANI spoofing in several key scenarios:
- VoIP platforms (e.g., WhatsApp, Skype, Telegram): These services operate independently of the traditional telephony infrastructure and do not use the STIR/SHAKEN protocol.
- International calls: Lack of global adoption and inconsistent implementation limit the effectiveness of STIR/SHAKEN across borders.
- Unregulated VoIP services: Fraudsters can easily bypass the protocol by using VoIP providers that are not part of the STIR/SHAKEN ecosystem.
Conclusion:
The protocol’s limited scope means that fraudsters will continue to use these undetectable methods for ANI spoofing, as STIR/SHAKEN does not address the primary channels exploited by modern telephony fraud.
Robust ANI spoof detection therefore requires more comprehensive solutions, particularly those that can analyze call metadata and verify caller identity across VoIP and international platforms. These are outlined as follows:
Voice Biometric Authentication
- ValidSoft’s voice biometrics analyses the unique characteristics of a speaker’s voice (e.g., pitch, tone, cadence) to verify identity. This can be applied to detect when a caller’s voice does not match the expected voice profile for the ANI being used.
Key Advantage: Detects spoofed calls based on the caller’s voice characteristics, regardless of the Caller ID or platform used.
AI-Based Deepfake Detection Technologies
- Deepfake Audio Detection: With the rise of AI-generated voice deepfakes, ValidSoft’s Voice Verity™ solution offers real-time analysis of audio signals to detect synthetic voices. By analysing speech patterns, audio artifacts, and other indicators of manipulation, these technologies can identify when the caller’s voice has been altered or injected, or is entirely synthetic.
- Integration with Existing Call Infrastructure: These systems can be integrated with call centre platforms, VoIP platforms and call routing systems to verify the caller’s voice (even before the call is connected), providing an additional layer of protection against ANI spoofing.
Key Advantage: Provides a defence against the latest forms of generative AI deepfake audio fraud, including deepfake voice manipulation and many other forms of synthetic speech attacks.
Digital Identity and Authentication Solutions
- Multi-Factor Authentication (MFA): Enterprise access (PAM/IAM), sensitive transactions and high-risk calls can require additional forms of authentication (e.g., a PIN sent via SMS or a one-time passcode). ValidSoft’s See-Say technology can also be deployed so that the user speaks the passcode, confirming the caller’s identity to the highest level of mathematical probability; it is also capable of achieving irrevocability, non-repudiation and data immutability.
Key Advantage: Uniquely strengthens identity verification to the highest security level through additional security layers and tamper-proof records.