# Bibliography on Cost/Effectiveness of STIR/SHAKEN
###### tags: `bibliography`
# Papers
**STIR/SHAKEN statistics from April 2023**
[https://transnexus.com/blog/2023/shaken-statistics-april/]
- [MD] This webpage provides information on the effectiveness of STIR/SHAKEN in preventing robocalls; apparently, it is not effective. Robocallers have started to sign their calls, so robocalls are getting A-level attestation.
**An Analysis of Applying STIR/SHAKEN to Prevent Robocalls** [https://link.springer.com/chapter/10.1007/978-3-030-71017-0_20]
* [MD] This paper identifies the following three major issues that could affect the effectiveness of STIR/SHAKEN:
    1. **Poorly protected enterprise IP-PBX:** If an enterprise IP-PBX is inadequately protected against hacking, it can be easily compromised. In this scenario, a hacker can exploit a compromised IP-PBX to impersonate a legitimate user within the enterprise network. By utilizing the IP-PBX, the hacker can then initiate robocalls. Since the calls originate from a genuine enterprise user, the Internet Telephony Service Providers (ITSP) may not be able to detect the hacking activity.
    2. **Untrustworthy service providers:** An ITSP can assign legitimate telephone numbers (known as E.164 numbers) to its customers. When receiving incoming calls from customers, the ITSP must verify the customer's phone number and apply attestation to it. However, if a lower-tier ITSP fails to provide attestation or provides incorrect attestation, it is unclear how the upper-tier ITSP can verify the attestation. STIR/SHAKEN enables traceability of call origination, allowing identification of untrustworthy ITSPs that neglect call authentication or provide incorrect attestation. Nonetheless, tracing back to these dishonest ITSPs would require significant effort from upper-tier ITSPs and law enforcement.
    3. **Lack of support for Q.1912.5, the interworking standard between IP and PSTN:** Due to a lack of peering agreements for SIP trunking between top-tier ITSPs, VoIP calls between them are routed to the PSTN, as shown in Fig. 10. To preserve the call identity and signature on the callee side, this information needs to be transmitted via the SS7 network. The originating ITSP must adhere to the Q.1912.5 standard to transfer the PASSporT information from the SIP header to the ISUP (ISDN (Integrated Services Digital Network) User Part) IAM (Initial Address Message) message, while the terminating ITSP needs to extract this information from the IAM message and include it in the SIP header. Compliance with the Q.1912.5 standard poses a challenge for ITSPs, and none of the commitment letters from phone companies to the FCC address how they handle the interworking issue between the IP network and the PSTN.

       One possible solution to address this problem is to authenticate call identity in the PSTN. Calls without authenticated identities should be rejected from entering the PSTN, which is not an issue on the UNI (User to Network Interface) side of the PSTN. However, on the NNI (Network to Network Interface) side, an ITSP would need to reject all calls with "C" attestation. While such a policy would alleviate the SIP-to-ISUP interworking requirement, it remains unclear if any ITSP would adopt it without a legal mandate.
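
The NNI policy described above (reject calls that carry no identity or only "C" attestation), as an added Python example that is not taken from the paper. The function names, the sample numbers and the certificate URL are constructed, and the example assumes the PASSporT signature has already been verified against the `x5u` certificate before this check runs.

```python
import base64
import json

def b64url_decode(part):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_passport(identity_header):
    """Return (header, claims) from a SIP Identity header value, or None."""
    if not identity_header:
        return None
    # The header value is "<token>;info=<...>;alg=ES256;ppt=shaken".
    token = identity_header.split(";", 1)[0].strip()
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    return header, claims

def nni_admit(identity_header):
    """Hypothetical NNI admission check: (admit, reason)."""
    parsed = parse_passport(identity_header)
    if parsed is None:
        return False, "no usable PASSporT"
    header, claims = parsed
    if header.get("ppt") != "shaken":
        return False, "not a SHAKEN PASSporT"
    attest = claims.get("attest")
    if attest not in ("A", "B"):
        return False, "attestation %r rejected" % (attest,)
    # "A" only says the signer vouches for the number, not that the call is wanted.
    return True, "attestation " + attest

def make_identity(attest):
    # Constructed sample; the signature segment is a placeholder, not a real ES256 value.
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.invalid/sp.pem"}
    claims = {"attest": attest, "dest": {"tn": ["12025550123"]}, "iat": 1700000000,
              "orig": {"tn": "12025550100"},
              "origid": "00000000-0000-4000-8000-000000000000"}
    token = b64url_encode(header) + "." + b64url_encode(claims) + ".c2ln"
    return token + ";info=<https://cert.example.invalid/sp.pem>;alg=ES256;ppt=shaken"
```
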
**How to shut down robocallers: The STIR/SHAKEN protocol will stop scammers from exploiting a caller ID loophole** [https://ieeexplore.ieee.org/abstract/document/8913833/authors#authors]
* [MD] SHAKEN does not directly prevent robocalls; however, it serves as a crucial tool in the fight against illegal robocallers. Its main purpose is to assist in identifying, locating, and prosecuting robocall offenders at a much higher rate. Over time, it is anticipated that SHAKEN will play a significant role in decreasing the success rate of robocall scams and discouraging new individuals from engaging in fraudulent activities.
* [MD] A drawback of SHAKEN is that it does not determine if a call is a scam solely based on the legitimacy of the number. Even if a call has "full attestation," indicating high verification, it could still be a scam. Scammers can acquire temporary access to fully verified numbers and disappear before anyone realizes they are utilizing those phone numbers. To address this issue, SHAKEN has been developed to streamline the call traceback process, making it easier to trace the origin of such calls.
**New FCC Requirements Creating Quite a STIR for Telecom Providers, Leaving Many SHAKEN**
[https://www.clearlyip.com/2022/10/17/stir-shaken-201/]
- [MD] This webpage gives an estimate of the cost of becoming STIR/SHAKEN compliant:
    * **Year 1:** A provider should expect to spend a significant amount of time and expense, approximately $4-5k in costs, to become STIR/SHAKEN compliant. There is also the potential for a telecom back-tax audit; these costs are impossible to forecast.
    * **Year 2 & beyond:** Following years will be approximately $2-3k/mo for tax collecting, remittance and compliance, then another $300+/mo to maintain STIR/SHAKEN compliance. Expect a budget of $30k annually minimum.