Skip to content

Commit

Permalink
cleaning repo
Browse files Browse the repository at this point in the history
DT-DawidWroblewski committed Jul 26, 2023

Unverified

This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
1 parent 2e63814 commit 6843563
Showing 7 changed files with 166 additions and 48 deletions.
Empty file removed code/API_definitions/README.MD
Empty file.
Original file line number Diff line number Diff line change
@@ -2,9 +2,9 @@ openapi: 3.0.3
info:
title: SIM Swap
description: |
SIM Swap API provides the customer the ability to obtain information on any recent SIM pairing change
related to the User's mobile account.
SIM Swap API provides the customer the ability to obtain information on any recent SIM pairing change related to the User's mobile account.
This API derives from the GSMA Mobile Connect Account Takeover Protection specification [Mobile Connect Account Takeover Protection](https://www.gsma.com/identity/wp-content/uploads/2022/12/IDY.24-Mobile-Connect-Account-Takeover-Protection-Definition-and-Technical-Requirements-v2.0.pdf). For more about Mobile Connect, please see [about Mobile Connect](https://mobileconnect.io/).
The API provides 2 operations:
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
# Overview

The SIM Swap API provides a programmable interface for developers and other users (capabilities consumers) to request the last date of a SIM swap performed on the mobile line, or, to check whether a SIM swap has been performed during a past period.
This API derives from the GSMA Mobile Connect Account Takeover Protection specification [Mobile Connect Account Takeover Protection](https://www.gsma.com/identity/wp-content/uploads/2022/12/IDY.24-Mobile-Connect-Account-Takeover-Protection-Definition-and-Technical-Requirements-v2.0.pdf). For more about Mobile Connect, please see [about Mobile Connect](https://mobileconnect.io/).


## 1\. Introduction
157 changes: 157 additions & 0 deletions documentation/API_documentation/Check_sim_swap_API.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,157 @@
# Overview

The SIM Swap API provides a programmable interface for developers and other users (capabilities consumers) to request the last date of a SIM swap performed on the mobile line, or, to check whether a SIM swap has been performed during a past period.
This API derives from the GSMA Mobile Connect Account Takeover Protection specification [Mobile Connect Account Takeover Protection](https://www.gsma.com/identity/wp-content/uploads/2022/12/IDY.24-Mobile-Connect-Account-Takeover-Protection-Definition-and-Technical-Requirements-v2.0.pdf). For more about Mobile Connect, please see [about Mobile Connect](https://mobileconnect.io/).


## 1\. Introduction

The SIM Swap API performs real-time checks on the activation date of a SIM card on the mobile network. It reveals if an individual mobile phone number (MSISDN) has been ported to another SIM card.

The SIM Swap API is useful to prevent fraud by reducing the risk of account takeover fraud by strengthening SIM based authentication processes such as SMS One-time passwords. Fraudsters are using Simswap techniques to intercept SMS messages and reset passwords or receive verification codes that allow them to access protected accounts.

The SIM Swap API is used by an application to get information about a mobile line latest simswap date. It can be easily integrated and used through this secured API and
allows SPs (Service Provider) to get this information an easy & secured way. The API provides management of 2 resources answering 2 distinct questions:
- When did the last SIM swap occur?
- Has a SIM swap occurred during last n hours?

Depending on the network provider implementation, legal enforcement, etc... either one or both resources could be implemented.

__Note__: SIM swap is covered as well in the Mobile Connect (MC) ATP (Account-Takeover-Protection) process. The MC pattern is exposed in another Camara API from the SIM Swap API family. Network providers are free to implement the MC version, this version, or both.



## 2\. Quick Start

The usage of the API is based on distinct resources.

Before starting to use the API, the developer needs to know about the specified details below:


**API service endpoint**

2 endpoints are defined in the SIM Swap API:

- /sim-swap/v0/retrieve-date : a MSISDN is passed in the request, and the last SIM swap date is provided in the response
- /sim-swap/v0/check : a MSISDN and a max age are passed in the request, and a boolean is provided in the response, telling whether the MSISDN has been 'swapped' to another SIM within the max age period.

**Authentication**

SIM Swap API considers 2 security models: Three-legged access tokens with dedicated scopes, and OAuth 2.0 client credentials, which is applicable for server to server use cases involving trusted partners or when protected user data is not involved.

**Identifier for the the mobile line to be checked**

In order to identify the mobile line to be checked, a MSISDN must be provided.


Sample API invocations are presented in Section 4.6.

## 3\. Authentication and Authorization

The SIM Swap API could make use of the OAUTH 2.0 client credentials grant which is applicable for server to server use cases involving trusted partners
or clients without any protected user data involved.
In this method the API invoker client is registered as a confidential client with an authorization grant type of client_credentials [[1]](#1).
The SIM Swap API could also be protected through a 3-legged process, in order to be combined with end user consent gathering, before any personal information is provided.

Depending on local legal regulation, Network provider may require the 3-legged process to provide SIM swap information.



## 4\. API Documentation

### 4.1 API Version

0.4.0

### 4.2 Details

#### 4.2.1 Endpoint Definition

Following table defines API endpoints of exposed REST based for SIM Swap API operations.

| **Endpoint** | **Operation** | **Description** |
| -------- | --------- | ----------- |
| POST /sim-swap/v0/retrieve-date | **Request last SIM swap date** | Create request in order to get the latest SIM swap date |
| POST /sim-swap/v0/check | **SIM Swap** | Create request to check if a SIM swap occurred during a defined period (like last 48hours) |



#### 4.2.2 SIM Swap API Resource Operations
<br>

| **Request last simswap date** |
| -------------------------- |
| **HTTP Request**<br> POST /sim-swap/v0/retrieve-date<br>**Query Parameters**<br> No query parameters are defined.<br>**Path Parameters**<br> No path parameter are defined <br>**Request Body Parameters**<br> **msisdn**: Subscriber number in E.164 format (starting with country code). Optionally prefixed with '+'.|
|**Response**<br> **200: Contains information about sim swap change**<br> Response body: <br>**latestSimChange** : timestamp of latest SIM swap performed. <br> **400:** **INVALID_ARGUMENT**<br> **401:** **UNAUTHENTICATED** <br> **403:** **PERMISSION_DENIED** <br> **409:** **Conflict** <br> **500:** **INTERNAL** <br> **503:** **UNAVAILABLE**<br> **504:** **TIMEOUT** <br>|

<br>


| **SIM Swap** |
| -------------------------- |
| **HTTP Request**<br> POST /sim-swap/v0/check<br>**Query Parameters**<br> No query parameters are defined.<br>**Path Parameters**<br> No path parameter are defined <br>**Request Body Parameters**<br> **msisdn**: Subscriber number in E.164 format (starting with country code). Optionally prefixed with '+'.<br> **maxAge**: Delay in hours to be checked for simswap.
|**Response**<br> **200: Contains information about SIM swap check**<br> Response body: <br>**swapped** : Indicates whether the SIM card has been swapped during the delay. Should be valued only if an age is passed in the request. <br> **400:** **INVALID_ARGUMENT**<br> **401:** **UNAUTHENTICATED** <br> **403:** **PERMISSION_DENIED** <br> **409:** **Conflict** <br> **500:** **INTERNAL** <br> **503:** **UNAVAILABLE**<br> **504:** **TIMEOUT** <br>|

<br>

### 4.3 Errors

Since CAMARA SIM Swap API is based on REST design principles and blueprints, well defined HTTP status codes and families specified by community are followed [[2]](#2).

Details of HTTP based error/exception codes for SIM Swap API are described in Section 4.2 of each API REST based method.
Following table provides an overview of common error names, codes, and messages applicable to SIM Swap API.

| No | Error Name | Error Code | Error Message |
| --- | ---------- | ---------- | ------------- |
|1 |400 | INVALID_ARGUMENT | "Client specified an invalid argument, request body or query param" |
|2 |401 | UNAUTHENTICATED | "Request not authenticated due to missing, invalid, or expired credentials" |
|3 |403 | PERMISSION_DENIED | "Client does not have sufficient permissions to perform this action" |
|4 |500 | INTERNAL | "Server error" |
|5 |503 | UNAVAILABLE | "Service unavailable" |
|6 |504 | TIMEOUT | "Request timeout exceeded. Try later." |

<br>

### 4.4 Policies

N/A
<br>
### 4.5 Code Snippets
<br>
<span class="colour" style="color:rgb(36, 41, 47)">Snippets elaborates REST based API call with "*curl"* to request </span>


Please note, the credentials for API authentication purposes need to be adjusted based on target security system configuration.

| Snippet 1. Request last simswap date |
| ----------------------------------------------- |
| curl -X 'POST' `https://sample-base-url/sim-swap/v0/retrieve-date` <br> -H 'accept: application/json' <br> -H 'Content-Type: application/json'<br> -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbG...."<br> -d '{ "msisdn": "+33068741256"}' |
| response will be: <br> 200 <br> -d '{ "latestSimChange": "2020-10-11T13:33:26.618Z" }'|
<br>

| Snippet 2. Request last simswap date |
| ----------------------------------------------- |
| curl -X 'POST' `https://sample-base-url/sim-swap/v0/check` <br> -H 'accept: application/json' <br> -H 'Content-Type: application/json'<br> -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbG...."<br> -d '{ "msisdn": "+33068741256", <br> "maxAge": 240}' |
| response will be: <br> 200 <br> -d '{ "swapped": "false" }'|
<br>



### 4.6 FAQ's

(FAQs will be added in a later version of the documentation)

### 4.7 Terms

N/A

### 4.8 Release Notes

N/A


## References


<a name="1">[1] [CAMARA Commonalities : Authentication and Authorization Concept for Service APIs](https://github.com/camaraproject/WorkingGroups/blob/main/Commonalities/documentation/Working/CAMARA-AuthN-AuthZ-Concept.md) <br>
<a name="2">[2] [HTTP Status codes spec](https://restfulapi.net/http-status-codes/) <br>
50 changes: 5 additions & 45 deletions documentation/API_documentation/README.MD
Original file line number Diff line number Diff line change
@@ -4,56 +4,20 @@

### Introduction

CAMARA Sim Swap API aims to deliver information about last SIM change event to prefent Account Takeover fraud.

CAMARA community agreed to enable SIM swap API in two complementary flavours:

1. Based on CAMARA standardization guidelines, that enables API service on a dedicated endpoint and follows CAMARA AuthN/AuthZ concept. [More details available here](#details)
2. Based on GSMA Mobile Connect standardized family of Identity APIs, that delivers Account Takeover Protection service. [More details available here](#details)
CAMARA Sim Swap API aims to deliver information about last SIM change event to prevent Account Takeover fraud. This API derives from the GSMA Mobile Connect Account Takeover Protection specification [Mobile Connect Account Takeover Protection](https://www.gsma.com/identity/wp-content/uploads/2022/12/IDY.24-Mobile-Connect-Account-Takeover-Protection-Definition-and-Technical-Requirements-v2.0.pdf). For more about Mobile Connect, please see [about Mobile Connect](https://mobileconnect.io/).

### Quick start

1. Download one of yaml files.
1. Download one of yaml file.
2. Contact CAMARA API maintainers to get guidance on the onboarding process:

* [Deutsche Telekom - Dawid Wróblewski](https://github.com/DT-DawidWroblewski)
* [Telefonica - José Luis Urien](https://github.com/jlurien)
* [Orange - Ludovic Robert](https://github.com/bigludo7)

### Onboarding process for Mobile Connect

1. Describe your Use case within *Use Case Declaration Form* - provided by MNO employee that guides you through the whole process. MNOs require you to provide data like (it is a subject to local market/MNO conditions what is required):

* Name/Address/Website/Contact
* Business Type
* Mobile Connect product that is required for a use case
* Use case description, from the consumer point of view (preferably with screenshots, sequence diagrams, and information about where Mobile Connect product shall be used)
* Purpose - the reason for using Mobile Connect
* Privacy Policy details
* Consent Policy details, including the process of consent acquisition

2. Register *redirect_uri*
3. Register MSISDNs you would like to test ATP/Sim Swap API
4. Register MSISDN to pass secrets (e.g. client_secret or API-key)

Upon successful onboarding following details are shared:

1. **client_id** - used for requesting Mobile Connect services
2. **client_secret** - passed in a secured way, e.g. by SMS to MSISDN provided during onboarding

## Authentication and/or Authorization

* [Camara AuthN/AuthZ Concept]()
* [Mobile Connect ATP use OAUTH2.0 Client Credendials for Authentication](https://www.gsma.com/identity/wp-content/uploads/2022/12/IDY.56-Mobile-Connect-Client-Credentials-Profile-v1.0.pdf)

## Documentation

### Details

|Flavour|Details Page|
|---|---|
|CAMARA|[DetailsPage](../../documentation/API_documentation/CAMARA/Check_sim_swap_API.md)|
|Mobile Connect|[DetailsPage](../../documentation/API_documentation/MobileConnect/MobileConnectATP.md)|
[DetailsPage](../../documentation/API_documentation/CAMARA/Check_sim_swap_API.md)


### Endpoint definitions
@@ -63,8 +27,6 @@ Upon successful onboarding following details are shared:
|---|---|---|
|CAMARA|AuthN/AuthZ||
||resource|/retrieve-date<br>/check|
|Mobile Connect|AuthN|/token|
||resource|/userinfo|

### Errors

@@ -75,10 +37,8 @@ Described inside yaml files.
|No|Version|Changelog|
|:---:|---:|:---|
|1|0.5.0|Camara & Mobile Connect flavours available|
|2|0.6.0|Camara only version<br>(Mobile Connect archived)|

## API Spec
[API definition (code)](../../code/API_definitions/CAMARA/checkSimSwap-v0.3.0.camara.swagger.yaml)

|Flavour|yaml|
|---|---|
|CAMARA SIM swap|[yaml](../../code/API_definitions/CAMARA/checkSimSwap-v0.3.0.camara.swagger.yaml)|
|Mobile Connect Account Takeover Protection|[yaml](../../code/API_definitions/MobileConnect/MC_ATP.yaml)|

0 comments on commit 6843563

Please sign in to comment.