sim-swap
/
3Legged Authentication Flow

SIM Swap APIs (1.0.0)

The SIM swap API provides a programmable interface for developers and other users (capabilities consumers) to request the last date of a SIM swap performed on the mobile line, or, to check whether a SIM swap has been performed during a past period.

Product documentation at Camara

Introduction

The SIM Swap API performs real-time checks on the last SIM Swap event.

The SIM Swap API is useful to prevent fraud by reducing the risk of account takeover fraud by strengthening SIM based authentication processes such as SMS One-time passwords. Fraudsters are using SIM swap techniques to intercept SMS messages and reset passwords or receive verification codes that allow them to access protected accounts.

The SIM Swap API can also be used to protect non-automated actions. For example, when a call center expect contacts a user to clarify or confirm a sensitive operation.

This API is used by an application to get information about a mobile line latest SIM swap date. It can be easily integrated and used through this secured API and allows SPs (Service Provider) to get this information an easy & secured way. The API provides management of 2 endpoints answering 2 distinct questions:

  • When did the last SIM swap occur?
  • Has a SIM swap occurred during last n hours?

Depending on the network provider implementation, legal enforcement, etc... either one or both endpoints could be implemented.

Relevant terms and definitions

SIM swap: A SIM swap is a process in which a user's mobile phone number (MSISDN) is associated with a new SIM card (IMSI). This is typically done by contacting the user's mobile service provider and requesting a new SIM card for various reasons, such as a lost or damaged SIM card or upgrading to a new phone.

SimSwap also happens during other actions like changing user's phone number, changing mobile service provider keeping user's mobile phone number or when activating a new SIM associated to the same phone number, known as multisim service.

API functionality

The API provides 2 operations:

  • POST retrieve-date : Provides timestamp of latest SIM swap, if any, for a given phone number. If no swap has been performed, the API will return the SIM activation date (the timestamp of the first time that the sim connected to the network) by default, unless this is not possible due to local regulations preventing the safekeeping of the information for longer than the stated period of time. If this is the case, a null value will be returned.

  • POST check: Checks if SIM swap has been performed during a past period (defined in the request with 'maxAge' attribute) for a given phone number.

Authorization and authentication

CAMARA guidelines defines a set of authorization flows which can grant API clients access to the API functionality, as outlined in the document CAMARA-API-access-and-user-consent.md. Which specific authorization flows are to be used will be determined during onboarding process, happening between the API Client and the Telco Operator exposing the API, taking into account the declared purpose for accessing the API, while also being subject to the prevailing legal framework dictated by local legislation.

It is important to remark that in cases where personal user data is processed by the API, and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of 3-legged access tokens becomes mandatory. This measure ensures that the API remains in strict compliance with user privacy preferences and regulatory obligations, upholding the principles of transparency and user-centric data control.

Further info and support

GSMA Mobile Connect Account Takeover Protection specification was used as source of input for this API. For more about Mobile Connect, please see Mobile Connect website.

(FAQs will be added in a later version of the documentation)

Download OpenAPI description
sim_swap.json
sim_swap.yaml
Overview
E-mail

awsgsma@u.com.my

License

Apache 2.0

Terms of Service

Languages
Servers
Mock server

https://developers.opgw.u.com.my/_mock/sim-swap/sim_swap/

https://developers.opgw.u.com.my/{apiRootAuth}/

https://developers.opgw.u.com.my/{apiRootSIMSwap}/

3Legged Authentication Flow

Operations

authenticationRequest

Request

The SP makes a request to Backchannel Authentication Endpoint to ask for end-user authorization. NIOP validates the MSISDN is a valid MSISDN and checks consent. If successful, it passes the request to the NIOP for processing. Once NIOP processing is successful, an “auth_req_id” is provided in the response to the SP.

Headers
Authorizationstring

“Basic “ + base_64_encode (client_id + “:” + client_secret)

Example: Basic d3lCOHF1R0RPWTdXTnUyVUV2eGF5Sk9aNVpTSU1KM1Y6V2ZHQUJqSUJpRDIySg==
x-correlatorstring

unique trace id to trace end to end system call

Bodyapplication/x-www-form-urlencodedrequired

The SP makes a request to Backchannel Authentication Endpoint to ask for end-user authorization. NIOP validates the MSISDN is a valid MSISDN and checks consent. If successful, it passes the request to the NIOP for processing. Once NIOP processing is successful, an “auth_req_id” is provided in the response to the SP.

login_hintstring

End-user for whom the authentication is being requested. This is MSISDN in the format “tel:+{MSISDN}”, where +" prefix is optional. Examples: “tel:+447123456789” or “tel:34712345678”.

Example: "tel:+447123456789"
scopestring

Authorization request MUST contain the scope value.

Example: "retrieve-sim-swap-date"
requeststring
client_assertion_typestring

This parameter commonly used in OAuth 2.0 and OpenID Connect protocols to specify the type of client assertion being used for authentication in a client-server interaction.

Example: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
client_assertionstring

The client_assertion is a security measure used in authentication processes, especially within OAuth 2.0 and OpenID Connect, to authenticate the client (such as a web application, mobile app, or service) to an authorization server.

Example: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJjbGllZW50LWlkI........"
curl -i -X POST \
  https://developers.opgw.u.com.my/_mock/sim-swap/sim_swap/openIDConnectCIBA/v1/bc-authorize \
  -H 'Authorization: Basic d3lCOHF1R0RPWTdXTnUyVUV2eGF5Sk9aNVpTSU1KM1Y6V2ZHQUJqSUJpRDIySg==
' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'x-correlator: string' \
  -d 'login_hint=tel:+447123456789' \
  -d scope=retrieve-sim-swap-date \
  -d request=string \
  -d client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
  -d client_assertion=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJjbGllZW50LWlkI........

Responses

OK If the authorization request is successfully completed (i.e. without error), an authorization id (auth_req_id) is returned by ID Gateway, in an HTTP 200 response in json payload with parameters.

Bodyapplication/json
auth_req_idstring

Unique Id of this authorization (to be used in the token request).

Example: "39da5b19-457a-4d30-a5c4-047c62dcca3b"
expires_innumber(number)

The timeout available to make a request to the token endpoint. i.e. The request must be made before the “expires_in” time is reached.

Example: 300
intervalnumber(number)

The time required to wait between receiving the authorization endpoint response and making the polling endpoint request (in seconds). This value can be ignored.

Example: 0
Response
application/json
{
  "auth_req_id": "39da5b19-457a-4d30-a5c4-047c62dcca3b",
  "expires_in": 300,
  "interval": 0
}

tokenRequest

Request

The request to the token endpoint must be sent using the HTTP POST method and have parameters populated in accordance with the rules

Headers
Authorizationstring

“Basic “ + base_64_encode (client_id + “:” + client_secret)

Example: Basic d3lCOHF1R0RPWTdXTnUyVUV2eGF5Sk9aNVpTSU1KM1Y6V2ZHQUJqSUJpRDIySg==
x-correlatorstring

unique trace id to trace end to end system call

Bodyapplication/x-www-form-urlencodedrequired

The request to the token endpoint must be sent using the HTTP POST method and have parameters populated in accordance with the rules.

auth_req_idstringrequired

The auth_req_id received in the successful authorization endpoint response.

Example: "39da5b19-457a-4d30-a5c4-047c62dcca3b"
grant_typestringrequired

For all token requests the value of the grant_type parameter MUST have the value: "urn:openid:params:mc:grant-type:ciba" (Note: must be url encoded)

Example: "urn:openid:params:mc:grant-type:ciba"
client_assertion_typestring

This parameter commonly used in OAuth 2.0 and OpenID Connect protocols to specify the type of client assertion being used for authentication in a client-server interaction.

Example: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
client_assertionstring

The client_assertion is a security measure used in authentication processes, especially within OAuth 2.0 and OpenID Connect, to authenticate the client (such as a web application, mobile app, or service) to an authorization server.

Example: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJjbGllZW50LWlkI........"
curl -i -X POST \
  https://developers.opgw.u.com.my/_mock/sim-swap/sim_swap/openIDConnectCIBA/v1/token \
  -H 'Authorization: Basic d3lCOHF1R0RPWTdXTnUyVUV2eGF5Sk9aNVpTSU1KM1Y6V2ZHQUJqSUJpRDIySg==
' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'x-correlator: string' \
  -d auth_req_id=39da5b19-457a-4d30-a5c4-047c62dcca3b \
  -d grant_type=urn:openid:params:mc:grant-type:ciba \
  -d client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
  -d client_assertion=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJjbGllZW50LWlkI........

Responses

OK If the token request is successfully completed (i.e. without error), an acess_token is returned by Gateway, in an HTTP 200 response in json payload with parameters.

Bodyapplication/json
access_tokenstring

OAuth 2.0 access_token used to gain access to the end-user information. This token CANNOT can be reused

Example: "dUk4Bs0qgKQKujbGxQDvIdXkI6Bz"
token_typestring

The timeout available to make a request to the token endpoint. i.e. The request must be made before the “expires_in” time is reached.

Example: "Always \"Bearer\""
expires_innumber(number)

Expiration time of the Access Token in seconds since the response was generated.

Example: 3599
refresh_tokenstring
Example: "eyJraWQiOiJ0ZXN0IiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYeyJpc3MiOiJodHRwczovL2FwaXN0YWdpbmdyZWYuZGV2ZWxvcGVyLnZvZGFmb25lLmNvbSIsInN1YiI6ImRhNTNhOWRlLTljMmQtNGZkYy1hODY1LWE4OWZiZThmZGE2MyIsImF1ZCI6ImJSdlJKZVBHaGlMQndmelJSdEx3Z3REVFZ4UFdSQU1BIiwiZXhwIjoxNjA2OTE2Mzc2LCJpYXQiOjE2MDY5MTI3NzYsImF1dGhfdGltZSI6MTYwNjkxMjc1Niwibm9uY2UiOiI0NTI1OTUtOWRhMS00NDZiLWE0MmEtMWJkZmJmMTRhOGJjIiwiYXRfaGFzaCI6Ik9FRkZRVFpCTURCQ09FTkJRVVZFT0RnMU1qRTRSalJCUXpaQ1FUVXdRa1E0TWtRM1JFSTVSamsyT1RVMVJEbERPRE5GUkVFM05qa3hOVFl4UWpjM09BPT0iLCJhY3IiOiIwIiwiYW1yIjpbIk5PX0FVVEhOIl0sImF6cCI6IjU0NjEyNTk1LTlkYTAtNDQ2Yi1hNDJhLTFiZGZiZjE0YThhZiIsImhhc2hlZF9sb2dpbl9oaW50IjoiQUVBNkEwMEI4Q0FBRUQ4ODUyMThGNEFDNkJBNTBCRDgyRDdEQjlGOTY5NTVEOUM4M0VEQTc2OTE1NjFCNzc4In0.8Y4SArYeLdwyVUF7zjW9hyWTULiANn_MbvfXkxk62mKdPEeTI0HNOAG9tsItR1KVhHQdotAZOcoTNLRn66w4TMphQ1K2wfRcWTWKrTXtUA3Xuyx_bhZTkm7Zkz8k944JgpxejWgCjVUejlOiaQJZhu23UWufpd1An4x8UY7JU1LsKJj_OFMleESuM4xoJru0fPUkMMcNKB9D76sfBeSaZeMdqUARBhoWLyO_cb79sFfpu1Uf9V8SFB3NLRuktu0KANwqipwc_5c4LtxzP_rw3A_hWcaGpT67Qk1-tisW6ITCvrFKzZ5aqn8qWPEcte-XGoCXwd7pp0HKzgd1G8xw"
id_tokenstring
Example: "dUk4Bs0qgKQKujbGxQDvIdXkI6Bz"
Response
application/json
{
  "access_token": "dUk4Bs0qgKQKujbGxQDvIdXkI6Bz",
  "token_type": "Always \"Bearer\"",
  "expires_in": 3599,
  "refresh_token": "eyJraWQiOiJ0ZXN0IiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYeyJpc3MiOiJodHRwczovL2FwaXN0YWdpbmdyZWYuZGV2ZWxvcGVyLnZvZGFmb25lLmNvbSIsInN1YiI6ImRhNTNhOWRlLTljMmQtNGZkYy1hODY1LWE4OWZiZThmZGE2MyIsImF1ZCI6ImJSdlJKZVBHaGlMQndmelJSdEx3Z3REVFZ4UFdSQU1BIiwiZXhwIjoxNjA2OTE2Mzc2LCJpYXQiOjE2MDY5MTI3NzYsImF1dGhfdGltZSI6MTYwNjkxMjc1Niwibm9uY2UiOiI0NTI1OTUtOWRhMS00NDZiLWE0MmEtMWJkZmJmMTRhOGJjIiwiYXRfaGFzaCI6Ik9FRkZRVFpCTURCQ09FTkJRVVZFT0RnMU1qRTRSalJCUXpaQ1FUVXdRa1E0TWtRM1JFSTVSamsyT1RVMVJEbERPRE5GUkVFM05qa3hOVFl4UWpjM09BPT0iLCJhY3IiOiIwIiwiYW1yIjpbIk5PX0FVVEhOIl0sImF6cCI6IjU0NjEyNTk1LTlkYTAtNDQ2Yi1hNDJhLTFiZGZiZjE0YThhZiIsImhhc2hlZF9sb2dpbl9oaW50IjoiQUVBNkEwMEI4Q0FBRUQ4ODUyMThGNEFDNkJBNTBCRDgyRDdEQjlGOTY5NTVEOUM4M0VEQTc2OTE1NjFCNzc4In0.8Y4SArYeLdwyVUF7zjW9hyWTULiANn_MbvfXkxk62mKdPEeTI0HNOAG9tsItR1KVhHQdotAZOcoTNLRn66w4TMphQ1K2wfRcWTWKrTXtUA3Xuyx_bhZTkm7Zkz8k944JgpxejWgCjVUejlOiaQJZhu23UWufpd1An4x8UY7JU1LsKJj_OFMleESuM4xoJru0fPUkMMcNKB9D76sfBeSaZeMdqUARBhoWLyO_cb79sFfpu1Uf9V8SFB3NLRuktu0KANwqipwc_5c4LtxzP_rw3A_hWcaGpT67Qk1-tisW6ITCvrFKzZ5aqn8qWPEcte-XGoCXwd7pp0HKzgd1G8xw",
  "id_token": "dUk4Bs0qgKQKujbGxQDvIdXkI6Bz"
}

2Legged Authentication Flow

Operations

Retrieve SIM swap date

Operations

Check SIM swap

Operations