STIR/SHAKEN Isn't Enough — Here's What's Missing
STIR/SHAKEN was supposed to solve caller ID spoofing. Three years in, robocalls haven't slowed down. The protocol validates identity but says nothing about intent — and that gap is where attackers live.
STIR/SHAKEN (Secure Telephone Identity Revisited / Signature-based Handling of Asserted information using toKENs) was designed to solve a specific problem: caller ID spoofing. The originating carrier signs the calling number, the called number and a timestamp with its own STI certificate and carries the signed token (a PASSporT) in the SIP Identity header, so a downstream carrier can verify that the caller ID it received is the one the originating carrier asserted and that nothing altered it in transit.
It works. For that specific problem. But robocalls haven't slowed down, because spoofing was never the only — or even the primary — vector.
What STIR/SHAKEN actually proves
The attestation level travels in the attest claim of the signed token. A-level (full) means the originating carrier authenticated the customer and verified that the customer is authorized to use the calling number. B-level (partial) means the carrier knows the customer but could not verify the customer's right to that specific number. C-level (gateway) means the carrier is only the point at which the call entered its network, typically from an international or otherwise unknown source, and can vouch for neither the customer nor the number.
Here's the problem: a robocaller with a legitimate SIP trunk from a compliant carrier gets full A-level attestation on every call. The attestation is technically valid — the carrier did assign that number to that customer. The fact that the customer is using it to run warranty scam campaigns is invisible to the protocol.
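To make concrete what a verifying carrier actually learns from the token, here is an added example (not code from the original post) that decodes a SHAKEN PASSporT out of a SIP Identity header and runs the claim-level checks a verification service performs: algorithm and extension headers, attest value, origid presence, orig.tn and dest.tn matching the call, and iat freshness. It uses only the Python standard library. The token, x5u URL and origid are constructed for the demo, and the signature segment is a placeholder: verifying the real ES256 signature against the STI certificate fetched from x5u needs an ECDSA library and is deliberately outside this block.

```python
import base64
import json
import re
import time

# Claim and header names follow RFC 8225 (PASSporT), RFC 8588 (the "shaken"
# extension: attest and origid) and RFC 8224 (the SIP Identity header).


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as JOSE/PASSporT segments require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_tn(number: str) -> str:
    """Keep digits only, so '+1 (303) 555-0199' and '13035550199' compare equal."""
    return re.sub(r"\D", "", number)


def parse_identity_header(value: str) -> dict:
    """Split '<token>;info=<url>;alg=ES256;ppt=shaken' into its parts.

    Returns the decoded JOSE header, the PASSporT payload, the raw signature
    bytes and the header parameters. Nothing here verifies the signature.
    """
    token, *params = [p.strip() for p in value.split(";")]
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("PASSporT must have three base64url segments")
    head_b64, body_b64, sig_b64 = segments
    return {
        "header": json.loads(b64url_decode(head_b64)),
        "payload": json.loads(b64url_decode(body_b64)),
        "signature": b64url_decode(sig_b64),
        "params": dict(p.split("=", 1) for p in params if "=" in p),
    }


def check_passport_claims(parsed: dict, from_tn: str, to_tn: str, now: int,
                          max_age_s: int = 60) -> list:
    """Return the list of claim-level problems; an empty list means consistent.

    This is the checking a verification service does after (not instead of)
    verifying the ES256 signature against the STI certificate fetched from x5u.
    """
    header, payload = parsed["header"], parsed["payload"]
    problems = []
    if header.get("alg") != "ES256":
        problems.append(f"unexpected alg {header.get('alg')!r}")
    if header.get("ppt") != "shaken" or header.get("typ") != "passport":
        problems.append("not a SHAKEN PASSporT")
    if not str(header.get("x5u", "")).startswith("https://"):
        problems.append("x5u must be an HTTPS URL")
    if payload.get("attest") not in ("A", "B", "C"):
        problems.append(f"bad attest {payload.get('attest')!r}")
    if not payload.get("origid"):
        problems.append("origid missing")
    if canonical_tn(payload.get("orig", {}).get("tn", "")) != canonical_tn(from_tn):
        problems.append("orig.tn does not match the calling number")
    dests = [canonical_tn(t) for t in payload.get("dest", {}).get("tn", [])]
    if canonical_tn(to_tn) not in dests:
        problems.append("called number not in dest.tn")
    iat = int(payload.get("iat", 0))
    if abs(now - iat) > max_age_s:   # replay protection: SHAKEN uses a 60 s window
        problems.append(f"iat {iat} is more than {max_age_s}s from now")
    if not parsed["signature"]:
        problems.append("signature segment empty")
    return problems


def compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def build_example_header(attest: str, iat: int) -> str:
    """Assemble a constructed Identity header value for the demo below.

    The signature segment is 64 zero bytes, a placeholder: a real token carries
    an ES256 signature over 'header.payload' made with the originating
    provider's STI private key. The x5u URL and origid are made up.
    """
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.net/sti-cert.pem"}
    payload = {"attest": attest,
               "dest": {"tn": ["12125550100"]},
               "iat": iat,
               "orig": {"tn": "13035550199"},
               "origid": "3b5e4a1c-0000-4000-8000-000000000001"}
    token = ".".join([b64url_encode(compact_json(header)),
                      b64url_encode(compact_json(payload)),
                      b64url_encode(bytes(64))])
    return f"{token};info=<{header['x5u']}>;alg=ES256;ppt=shaken"


if __name__ == "__main__":
    now = int(time.time())
    fresh = parse_identity_header(build_example_header("A", now))
    print("claims:", fresh["payload"])
    print("problems:", check_passport_claims(fresh, "+1 (303) 555-0199", "12125550100", now))
    stale = parse_identity_header(build_example_header("A", now - 600))
    print("stale token:", check_passport_claims(stale, "13035550199", "12125550100", now))
```

Every check above passes for the warranty-scam customer described in the text: the number is really assigned to them, the token is fresh, the signature (in a real deployment) is valid. The only things the verifier can act on are the attest level and the origid, which is why the scoring layers below are needed.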
The attestation gap
STIR/SHAKEN validates identity but says nothing about intent. A fully attested call can still be a robocall. A fully attested call can still be a social engineering attack. A fully attested call can still carry a deepfake voice trying to authorize a wire transfer.
The protocol was designed for a world where the main threat was spoofing. But modern voice fraud has evolved far beyond spoofing — it's behavioral, it's AI-powered, and it uses legitimately issued numbers.
What's actually needed
Effective call protection requires multiple layers beyond attestation:
- Behavioral analysis — Is this number making 500 calls per hour? That's a robocaller, regardless of attestation level.
- Infrastructure fingerprinting — Is this call coming from a known auto-dialer platform? Attestation doesn't check the dialer.
- Audio analysis — Is the voice synthetic? Does the script match known scam patterns? STIR/SHAKEN can't hear.
- Reputation learning — Has this caller, infrastructure, or pattern been flagged before? Static attestation has no memory.
STIR/SHAKEN is one input into a much larger scoring equation. It's necessary but nowhere near sufficient. The carriers that rely on it alone are the ones still passing illegal traffic and getting hit with FCC enforcement actions.
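The "scoring equation" can be shown in working code. The following is an added example, not code from the original post or from any carrier's analytics product: it feeds constructed call records through a scorer that treats attestation as one term alongside a sliding one-hour call rate (the article's 500 calls/hour rule), a dialer fingerprint on the SIP User-Agent, and a reputation set that remembers the PASSporT origid so the same infrastructure is caught after it rotates to a new number. The weights, the dialer fingerprint string, the origids and the traffic are all illustrative assumptions; audio analysis is left out because it needs a model rather than a rule.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class CallRecord:
    ts: int           # epoch seconds when the INVITE arrived
    orig_tn: str      # calling number, taken from the verified PASSporT orig.tn
    attest: str       # "A", "B", "C", or "none" when no Identity header was present
    user_agent: str   # SIP User-Agent of the originating system
    origid: str       # PASSporT origid: identifies the originating node or customer


# Illustrative weights, not an industry standard. Only the 500 calls/hour
# threshold comes from the article itself.
ATTEST_PENALTY = {"A": 0, "B": 15, "C": 30, "none": 40}
RATE_THRESHOLD_PER_HOUR = 500
KNOWN_DIALER_UAS = {"AcmeAutoDialer/2.1"}   # hypothetical dialer fingerprint
BLOCK_SCORE = 70


class RateTracker:
    """Sliding one-hour count of calls per calling number."""

    def __init__(self, window_s: int = 3600):
        self.window_s = window_s
        self.calls = defaultdict(deque)

    def add(self, tn: str, ts: int) -> int:
        q = self.calls[tn]
        q.append(ts)
        while q[0] <= ts - self.window_s:   # drop calls older than the window
            q.popleft()
        return len(q)


def score_call(rec: CallRecord, calls_last_hour: int, reputation: set) -> tuple:
    """Combine attestation with behavioural, infrastructure and reputation terms.

    Returns (score, reasons); higher is riskier. Attestation is just one term,
    so a fully attested call can still score as a robocall.
    """
    score = ATTEST_PENALTY.get(rec.attest, ATTEST_PENALTY["none"])
    reasons = []
    if rec.attest != "A":
        reasons.append(f"attestation {rec.attest}")
    if calls_last_hour >= RATE_THRESHOLD_PER_HOUR:              # behavioural analysis
        score += 50
        reasons.append(f"{calls_last_hour} calls in the last hour")
    if rec.user_agent in KNOWN_DIALER_UAS:                      # infrastructure fingerprint
        score += 25
        reasons.append(f"known dialer platform {rec.user_agent}")
    if rec.origid in reputation or rec.orig_tn in reputation:   # reputation memory
        score += 30
        reasons.append("previously flagged")
    return min(score, 100), reasons


def assess(records, reputation: set) -> dict:
    """Run the records through the scorer in time order.

    Returns the latest (score, reasons) per calling number. Anything that
    crosses BLOCK_SCORE adds its origid to `reputation`, so the same
    infrastructure is recognised even after it moves to a fresh number.
    """
    tracker = RateTracker()
    verdicts = {}
    for rec in sorted(records, key=lambda r: r.ts):
        score, reasons = score_call(rec, tracker.add(rec.orig_tn, rec.ts), reputation)
        verdicts[rec.orig_tn] = (score, reasons)
        if score >= BLOCK_SCORE:
            reputation.add(rec.origid)
    return verdicts


def constructed_records() -> list:
    """Constructed traffic, not captured data: one A-attested dialer burst,
    a handful of C-attested gateway calls, and the dialer returning on a
    new number after the burst."""
    base = 1_700_000_000
    recs = [CallRecord(base + i * 6, "13035550199", "A", "AcmeAutoDialer/2.1", "origid-dialer-1")
            for i in range(600)]                                # 600 calls in an hour, all A-attested
    recs += [CallRecord(base + i * 900, "12125550777", "C", "DeskPhone/1.0", "origid-intl-gw")
             for i in range(4)]                                 # low volume, gateway attested
    recs += [CallRecord(base + 4000 + i * 10, "13035550200", "A", "AcmeAutoDialer/2.1", "origid-dialer-1")
             for i in range(2)]                                 # same dialer, rotated number
    return recs


if __name__ == "__main__":
    reputation = set()
    for tn, (score, reasons) in assess(constructed_records(), reputation).items():
        verdict = "BLOCK" if score >= BLOCK_SCORE else "allow"
        print(f"{tn}: {verdict} score={score} {reasons}")
```

Run stand-alone, the A-attested dialer number ends up blocked on rate and fingerprint, the C-attested gateway calls score low because nothing but the attestation level is against them, and the dialer's second number is flagged on its first call by reputation alone. Attestation moves the score by at most 40 points here; behaviour and memory move it by 80.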
The compliance angle
The FCC's Robocall Mitigation Database (RMD) requires providers to describe the "specific and reasonable steps" they take to prevent illegal robocalls. Simply implementing STIR/SHAKEN is no longer enough: FCC rules now require a robocall mitigation program from every provider, including those that have fully implemented STIR/SHAKEN, and a provider whose filing is found deficient can be removed from the RMD, after which other providers may no longer accept its traffic. Providers need active call analytics, behavioral detection, and demonstrable enforcement to stay in the RMD.