The SIM swap API provides a programmable interface for developers and other users (capabilities consumers) to request the last date of a SIM swap performed on the mobile line, or, to check whether a SIM swap has been performed during a past period.

Introduction

The SIM Swap API performs real-time checks on the last SIM Swap event.

The SIM Swap API is useful to prevent fraud by reducing the risk of account takeover fraud by strengthening SIM based authentication processes such as SMS One-time passwords. Fraudsters are using SIM swap techniques to intercept SMS messages and reset passwords or receive verification codes that allow them to access protected accounts.

The SIM Swap API can also be used to protect non-automated actions. For example, when a call center expert contacts a user to clarify or confirm a sensitive operation.

This API is used by an application to get information about a mobile line latest SIM swap date. It can be easily integrated and used through this secured API and allows SPs (Service Provider) to get this information an easy & secured way. The API provides management of 2 endpoints answering 2 distinct questions:

• When did the last SIM swap occur?
• Has a SIM swap occurred during last n hours?

Relevant terms and definitions

SIM swap: A SIM swap is a process in which a user's mobile phone number (MSISDN) is associated with a new SIM card (IMSI). This is typically done by contacting the user's mobile service provider and requesting a new SIM card for various reasons, such as a lost or damaged SIM card or upgrading to a new phone.

SIM swap also happens during other actions like changing user's phone number, changing mobile service provider keeping user's mobile phone number or when activating a new SIM associated to the same phone number, known as multisim service. New subscription is considered as a SIM swap as well, the MSISDN which can be used by another person earlier, is associated with a SIM card it was not associated before.

API functionality

The API provides 2 operations:

• POST retrieve-date : Provides timestamp of latest SIM swap, if any, for a given phone number. If no swap has been performed, the API will return the SIM activation date (the timestamp of the first time that the sim connected to the network) by default, unless this is not possible due to local regulations preventing the safekeeping of the information for longer than the stated period of time. If this is the case, a null value will be returned.

• POST check: Checks if SIM swap has been performed during a past period (defined in the request with 'maxAge' attribute) for a given phone number.

Authorization and authentication

The "Camara Security and Interoperability Profile" provides details on how a client requests an access token. Please refer to Identify and Consent Management (https://github.com/camaraproject/IdentityAndConsentManagement/) for the released version of the Profile.

Which specific authorization flows are to be used will be determined during onboarding process, happening between the API Client and the Telco Operator exposing the API, taking into account the declared purpose for accessing the API, while also being subject to the prevailing legal framework dictated by local legislation.

It is important to remark that in cases where personal user data is processed by the API, and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of 3-legged access tokens becomes mandatory. This measure ensures that the API remains in strict compliance with user privacy preferences and regulatory obligations, upholding the principles of transparency and user-centric data control.

Identifying a phone number from the access token

This specification defines the phoneNumber field as optional in API requests, specifically in cases where the API is accessed using a 3-legged access token, and the phone number can be uniquely identified by the token. This approach simplifies API usage for API consumers by relying on the information associated with the access token used to invoke the API.

Handling of phone number information:

Optional phoneNumber field for 3-legged tokens:

• When using a 3-legged access token, the phone number associated with the access token must be considered as the phone number for the API request. This means that the phoneNumber field is not required in the request, and if included it must identify the same phone number, therefore it is recommended NOT to include it in these scenarios to simplify the API usage and avoid additional validations.

Validation mechanism:

• The server will extract the phone number identification from the access token, if available.
• If the API request additionally includes a phoneNumber field when using a 3-legged access token, the API will validate that the phone number provided matches the one associated with the access token.
• If there is a mismatch, the API will respond with a 403 - INVALID_TOKEN_CONTEXT error, indicating that the phone number information in the request does not match the token.

Error handling for unidentifiable phone number:

• If the phoneNumber field is not included in the request and the phone number information cannot be derived from the 3-legged access token, the server will return a 422 UNIDENTIFIABLE_PHONE_NUMBER error.

Restrictions for tokens without an associated authenticated phone number:

• For scenarios which do not have a phone number associated to the token during the authentication flow, e.g. 2-legged access tokens, the phoneNumber field MUST be provided in the API request. This ensures that the phone number is explicit and valid for each API call made with these tokens.

Further info and support

GSMA Mobile Connect Account Takeover Protection specification was used as source of input for this API. For more about Mobile Connect, please see Mobile Connect website.

(FAQs will be added in a later version of the documentation)