
Prevent Burner Account Creation Using the SIM Swap API

Introduction

There are many scenarios in which people may want to create burner, one-time, or temporary accounts, and there are ways to verify their authenticity. 

For instance, some games or businesses only allow one account per person. Someone trying to cheat might, if they have two surnames, create one account under each surname. There are ways to try to catch this, such as double-checking similar names, identical dates of birth, and other human mistakes.

In this blog post, however, I will demonstrate another approach: preventing malicious burner accounts created with a potentially stolen phone number, by using the Vonage SIM Swap API to check the phone number at registration time.

Prerequisites

Source Code

Note: Check that your Communication Service Provider and Country are supported in this available list.

What is SIM Swap Fraud?

You may use, or know someone who uses, their phone to authenticate their identity across various accounts, like a bank or social media. 

SIM swap fraud occurs when someone with malicious intentions convinces a Mobile Network Provider to link the victim's phone number with a SIM card they control, using personal information obtained through phishing or data breaches. 

Consider what can be done then: this bad actor can intercept SMS messages, reset passwords, make and receive phone calls, access accounts protected by two-factor authentication, and a lot more.

Create a Vonage Application

Now that we understand what SIM Swap is, let’s create the Vonage application to make use of the Vonage SIM Swap API and our demonstration web app solution.

  • To create an application, go to the Create an Application page on the Vonage Dashboard, and define a Name for your Application.

  • If needed, click on "generate public and private key". A private key (.key file) will be generated. Download and store it securely. This key is needed for authentication when making API requests. Note: Private keys will not work unless the application is saved.

  • Choose the capabilities you need (e.g., Voice, Messages, RTC, etc.) and provide the required webhooks (e.g., event URLs, answer URLs, or inbound message URLs). These will be described in the tutorial.

  • To save and deploy, click "Generate new application" to finalize the setup. Your application is now ready to use with Vonage APIs.

Select the Network Registry Capability

When working with the Network APIs, there are two different environments:

  • The Production environment returns live data from the supported Operators in some countries. Access to the production environment requires approval from the Mobile Operators. You can learn how to request access.

  • The Playground is a safe and controlled testing environment where API calls return live data only for a small group of allowlisted phone numbers. It does not require approval from the Network Operators. Additionally, the Playground provides access to the Virtual Operator, a simulated Operator that generates fake but deterministic responses. 

On the application creation step, toggle ‘Network Registry’ capability, select ‘Playground’, and click to create the application in the bottom right of the page.

Image: the Network Registry capability on the dashboard, where you can choose between two access types, Playground or Production.

Update the Environment Variables File

Copy the .env.example file to a new .env file in your project and add the environment variables shown in the snippet below.

  • MAX_AGE: period in hours to be checked, from 1 to 2400 (optional, default set to 240). If you’re using the virtual operator for testing, add a very high number to this field, such as 2400, to force the SIM Swap to equal true for testing purposes.

# .env
# Number of hours to check SIM Swap events
MAX_AGE=2400
VONAGE_APPLICATION_ID=<the Vonage Project Application ID>
VONAGE_PRIVATE_KEY=./private.key

Note: Refer to Michael's blog post for an explanation of using environment variables in Node.js.

Install the Dependencies

In the project's package.json file, you will find the following dependencies: dotenv, express, and nodemon. All can be installed with one command from the command line.

npm install 

The Server.js File

The server.js file implements the backend of our application. It serves the static pages and contains an authentication function that authenticates the server to the SIM Swap API. It also has a function that checks the SIM for swaps, exposes two endpoints for handling user registration and login, and runs the server on port 3000.

For this tutorial, we are checking for potential burner accounts. But I wanted to also mention that the SIM Swap API provides real-time verification of the activation date of a SIM card on the mobile network through two endpoints:

  • /check determines if a SIM swap has occurred within a specified period. This endpoint answers the question: Has a SIM swap happened in the last specified number of hours? (This is the one we're using in this tutorial.)

  • /retrieve-date returns the date of the most recent SIM swap event. This endpoint answers the question: When did the last SIM swap occur?

You can also check the SIM Swap API Reference page.

The Index HTML Page

The index.html page lets you create a new user by entering a username, password, and phone number. As a first step toward reducing duplicate accounts, we add a check that rejects a phone number already attached to another account. You can then log in with the credentials you’ve created.
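As an added example (not the tutorial's server.js), here is the server-side decision logic the two sections above describe, in Node.js: the one-phone-number-per-account check, MAX_AGE validation, and the handling of the /check verdict. The Vonage HTTP call is injected as a function, and the request/response field names (phoneNumber, maxAge, swapped) are assumed from the CAMARA SIM Swap specification rather than taken from this post.

```javascript
// Added example, not the tutorial's server.js: the decisions the registration
// endpoint makes around the SIM Swap /check call. The HTTP client is injected
// (checkSimSwap) so this runs offline. The request body { phoneNumber, maxAge }
// and response { swapped } follow the CAMARA SIM Swap shape and are assumptions.
const DEFAULT_MAX_AGE = 240; // hours; the tutorial's default
const MAX_AGE_LIMIT = 2400;  // upper bound the tutorial gives for MAX_AGE

// Read MAX_AGE as the tutorial's .env describes it: optional, 1..2400, default 240.
function parseMaxAge(raw) {
  if (raw === undefined || raw === '') return DEFAULT_MAX_AGE;
  const hours = Number(raw);
  if (!Number.isInteger(hours) || hours < 1 || hours > MAX_AGE_LIMIT) {
    throw new RangeError(`MAX_AGE must be an integer from 1 to ${MAX_AGE_LIMIT}`);
  }
  return hours;
}

// Body for the /check call (assumed CAMARA shape); validate the number before any operator query.
function buildCheckRequest(phoneNumber, maxAge) {
  if (!/^\+\d{5,15}$/.test(phoneNumber)) {
    throw new TypeError('phone number must be E.164, e.g. +99012345');
  }
  return { phoneNumber, maxAge };
}

// First step from the tutorial: one phone number may back only one account.
function phoneAlreadyRegistered(users, phoneNumber) {
  return [...users.values()].some((u) => u.phoneNumber === phoneNumber);
}

// Interpret the /check answer: "has a SIM swap happened in the last maxAge hours?"
// A response without a boolean verdict fails closed rather than letting registration through.
function decideFromSwapCheck(response, maxAge) {
  if (typeof response.swapped !== 'boolean') return { ok: false, reason: 'no swap verdict' };
  return response.swapped
    ? { ok: false, reason: `SIM swapped within the last ${maxAge} hours` }
    : { ok: true };
}

// Registration flow: duplicate check before the API call, then the swap verdict.
async function registerUser(users, { username, password, phoneNumber }, checkSimSwap, maxAge) {
  if (!username || !password) return { ok: false, reason: 'missing credentials' };
  if (phoneAlreadyRegistered(users, phoneNumber)) {
    return { ok: false, reason: 'phone number already registered' };
  }
  const verdict = decideFromSwapCheck(await checkSimSwap(buildCheckRequest(phoneNumber, maxAge)), maxAge);
  if (verdict.ok) users.set(username, { password, phoneNumber }); // demo in-memory store
  return verdict;
}
```

With the Virtual Operator, a checker that reports swapped: true for +990 numbers reproduces the "forced SIM swap" behaviour the tutorial uses for testing.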

The Client JavaScript File

The information we added to the HTML page will be passed to the client.js file once the form is submitted. This then sends the data to the server.js endpoints to handle registration, login, and SIM swap checks. If the login is successful, the user will be redirected to the /main.html page.

See it in Action

Run the server JavaScript file to initialize the web application.

npm run start:dev

Go ahead and test it out by creating a new user and trying to log in. If you’re using the Virtual Operator, test with a phone number starting with +990 followed by some digits, for instance +99012345, and set MAX_AGE to a high number, for instance 2400, to force a SIM swap result for testing purposes.

If you have Network Registry approval and a phone number from an accepted CSP, you can select the Production option from the dashboard and test it with the real phone number, setting the MAX_AGE environment variable to the period you care about to see whether a SIM swap has occurred within it.

Conclusion

Got any questions or comments? Join our thriving Developer Community on Slack, follow us on X (formerly Twitter), or subscribe to our Developer Newsletter. Stay connected, share your progress, and keep up with the latest developer news, tips, and events!

Further Reading

Amanda Cavallaro, Developer Advocate