STIR/SHAKEN and MAN: A New Era in Telecom Security

‍

STIR/SHAKEN: Securing Caller Identity

STIR/SHAKEN (Secure Telephone Identity Revisited and Signature-based Handling of Asserted Information Using Tokens) is a groundbreaking framework designed to combat caller ID spoofing, a technique where malicious actors disguise their identity by manipulating the information transmitted to the recipient’s caller ID. The STIR/SHAKEN protocol works by utilizing cryptographic certificates to verify the authenticity of calls. This verification occurs at two main points: the originating operator, which authenticates the call, and the terminating operator, which verifies the call's authenticity before delivering it to the recipient.

Introduced in the United States in June 2021, the STIR/SHAKEN framework laid the groundwork for enhancing trust in telecommunication systems. It aims to protect consumers from fraudulent calls, ensuring that legitimate callers are recognized while fraudulent calls can be flagged or blocked. As a result, it represents a significant step towards securing telecommunications in an era where cyber threats reign.

Understanding MAN: A French Approach to Call Authentication

The Mécanisme d’Authentification des Numéros (MAN) is a French initiative introduced in July 2023, directly influenced by the STIR/SHAKEN framework. MAN serves as a regulatory measure aimed at restoring consumer confidence by providing robust mechanisms for call authentication. The French government recognized the growing threats posed by spoofing and financial fraud over the phone, prompting the need for an effective solution.

The MAN program involves all operators utilizing the French numbering system, mandating that they adopt strict rules to ensure all calls passing through their networks are authenticated. This comprehensive approach aims to create a secure environment where consumers can trust that the identity of the caller is genuine, and mitigating the risks associated with fraudulent calls.

The Evolution of Call Authentication Systems

The evolution of call authentication systems has been driven by the rising threat of telecommunications fraud. As technology advanced, so did the sophistication of scams targeting consumers. Early measures to combat fraud primarily relied on consumer awareness campaigns and basic verification processes. However, with the proliferation of Voice over Internet Protocol (VoIP) and the internet, scammers became adept at bypassing these initial protections.

The introduction of STIR/SHAKEN in North America marked a turning point in the evolution of call authentication. By employing cryptographic techniques to verify caller identity, it created a standardized method for securing calls across networks. This innovation prompted other countries, like France with the implementation of MAN, to adopt similar strategies, emphasizing the global shift towards more secure telecommunications.

From Legislation to Implementation: Key Milestones of MAN

The journey towards the implementation of the MAN in France has been marked by significant steps:

• 2020: The French government recognizes the need for enhanced call authentication measures, initiating discussions on the Loi Naegelen, aimed at regulating telemarketing and fraud prevention.
• 2023: The MAN is officially introduced in July, establishing a clear regulatory framework for call authentication and mandating all telecom operators in France to comply.
• June 2024: All operators are required to deploy the MAN across their networks, ensuring that by this date, calls are authenticated before reaching consumers.
• October 1, 2024: A significant enforcement milestone, marking the cutoff for all non-authenticated calls, aims to protect consumers effectively and significantly reduce instances of fraud.

These milestones reflect the commitment of both regulatory bodies and telecom operators to create a safer telecommunications environment.

The Impact of STIR/SHAKEN and MAN on Telecom Security

The combined implementation of STIR/SHAKEN and MAN has had a profound impact on the security landscape of telecommunications. These frameworks not only enhance consumer protection but also promote a culture of accountability among telecom operators. By necessitating the authentication of calls, operators are now incentivized to invest in technologies and processes that boost security.

As a result, we are witnessing a decline in successful spoofing attacks, which historically resulted in significant financial losses. The introduction of these measures has empowered consumers, allowing them to feel more secure while engaging in telephone communications. Furthermore, these frameworks encourage international collaboration, as countries recognize the need to address the global nature of telecommunications fraud.

The Growing Threat of Spoofing in Telecommunication

Spoofing remains a pressing issue in the telecommunications landscape. In 2023, it was estimated that scammers exploited this technique to steal approximately 379 million euros from unsuspecting consumers. The rising sophistication of these scams poses significant risks, highlighting the urgent need for effective solutions like STIR/SHAKEN and MAN.

Telecom operators must remain vigilant and adapt to the evolving tactics employed by fraudsters. Consumer education campaigns will be crucial in empowering individuals to recognize and report suspicious calls, further reinforcing the efficacy of these authentication frameworks.

Justine's Story: A Cautionary Tale of Fraud and the Role of MAN in Prevention

Justine, a 33-year-old teacher from Marseille France, fell victim to a phone scam that cost her over 4,000 euros. In August 2023, she received a call from a supposed French bank advisor claiming her bank account had been hacked. The scammer manipulated the caller ID to display the bank's legitimate number, convincing her of their authenticity.

During a 45-minute conversation, the scammer directed Justine to make several transactions under the guise of protecting her funds. Despite her initial doubts, the scammer's confidence and knowledge made her feel pressured to comply. Ultimately, Justine transferred funds to what she believed was a secure account.

Justine's experience underscores the urgent need for systems like the MAN, which aim to prevent such occurrences by ensuring that callers can be verified. As the MAN becomes fully operational, stories like Justine’s highlight the critical role of authentication in safeguarding consumers against fraudulent activities.

‍