Security Analysis of the Open Banking Account and Transaction API Protocol
- URL: http://arxiv.org/abs/2003.12776v2
- Date: Sat, 03 May 2025 09:39:11 GMT
- Title: Security Analysis of the Open Banking Account and Transaction API Protocol
- Authors: Paolo Modesti, Leo Freitas, Qudus Shotomiwa, Abdulaziz Almehrej,
- Abstract summary: This paper presents a formal modelling and security analysis of the UK Open Banking Standard's APIs.<n>Our methodology employs the extended Alice and Bob notation (AnBx) to create a formal model of the protocol.<n>We integrate our formal analysis with practical security testing of some necessary conditions to demonstrate verified security-goals.
- Score: 0.0
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: The Second Payment Services Directive (PSD2) of the European Union aims to create a consumer-friendly financial market by mandating secure and standardised data sharing between banking operators and third parties. Consequently, EU countries and the United Kingdom have adopted Open Banking, a standardised data-sharing API. This paper presents a formal modelling and security analysis of the UK Open Banking Standard's APIs, with a specific focus on the Account and Transaction API protocol. Our methodology employs the extended Alice and Bob notation (AnBx) to create a formal model of the protocol, which is then verified using the OFMC symbolic model checker and the Proverif cryptographic protocol verifier. We extend previous work by enabling verification for unlimited sessions with a strongly typed model. Additionally, we integrate our formal analysis with practical security testing of some necessary conditions to demonstrate verified security-goals in the NatWest Open Banking sandbox, evaluating mechanisms such as authorisation and authentication procedures.
Related papers
- Mapping Industry Practices to the EU AI Act's GPAI Code of Practice Safety and Security Measures [0.10539847330971804]
This report provides a detailed comparison between the Safety and Security measures proposed in the EU AI Act's General-Purpose AI (GPAI) Code of Practice (Third Draft) and the current commitments and practices voluntarily adopted by leading AI companies.<n>Our analysis focuses on the draft's Safety and Security section (Commitments II.1-II.16), documenting excerpts from current public-facing documents that are relevant to each individual measure.<n>This report is not meant to be an indication of legal compliance, nor does it take any prescriptive viewpoint about the Code of Practice or companies' policies.
arXiv Detail & Related papers (2025-04-21T15:44:01Z) - Are You Getting What You Pay For? Auditing Model Substitution in LLM APIs [60.881609323604685]
Large Language Models (LLMs) accessed via black-box APIs introduce a trust challenge.<n>Users pay for services based on advertised model capabilities.<n> providers may covertly substitute the specified model with a cheaper, lower-quality alternative to reduce operational costs.<n>This lack of transparency undermines fairness, erodes trust, and complicates reliable benchmarking.
arXiv Detail & Related papers (2025-04-07T03:57:41Z) - Private, Auditable, and Distributed Ledger for Financial Institutes [1.8911961520222993]
This paper proposes a framework for a private, audit-able, and distributed ledger (PADL) that adapts easily to fundamental use-cases within financial institutes.<n>PADL employs widely-used cryptography schemes combined with zero-knowledge proofs to propose a transaction scheme for a table' like ledger.<n>We show that PADL supports smooth-lined inter-assets auditing while preserving privacy of the participants.
arXiv Detail & Related papers (2025-01-07T14:21:24Z) - Balancing Confidentiality and Transparency for Blockchain-based Process-Aware Information Systems [46.404531555921906]
We propose an architecture for blockchain-based PAISs aimed at preserving both confidentiality and transparency.<n>Smart contracts enact, enforce and store public interactions, while attribute-based encryption techniques are adopted to specify access grants to confidential information.
arXiv Detail & Related papers (2024-12-07T20:18:36Z) - Trustless Audits without Revealing Data or Models [49.23322187919369]
We show that it is possible to allow model providers to keep their model weights (but not architecture) and data secret while allowing other parties to trustlessly audit model and data properties.
We do this by designing a protocol called ZkAudit in which model providers publish cryptographic commitments of datasets and model weights.
arXiv Detail & Related papers (2024-04-06T04:43:06Z) - Towards an Enforceable GDPR Specification [49.1574468325115]
Privacy by Design (PbD) is prescribed by modern privacy regulations such as the EU's.
One emerging technique to realize PbD is enforcement (RE)
We present a set of requirements and an iterative methodology for creating formal specifications of legal provisions.
arXiv Detail & Related papers (2024-02-27T09:38:51Z) - A Survey and Comparative Analysis of Security Properties of CAN Authentication Protocols [92.81385447582882]
The Controller Area Network (CAN) bus leaves in-vehicle communications inherently non-secure.
This paper reviews and compares the 15 most prominent authentication protocols for the CAN bus.
We evaluate protocols based on essential operational criteria that contribute to ease of implementation.
arXiv Detail & Related papers (2024-01-19T14:52:04Z) - Provably Secure Commitment-based Protocols over Unauthenticated Channels [0.0]
We build a theoretic security framework to cover protocols whose characteristics may not always concur with existing models for authenticated exchanges.
We propose a number of Commitment-based protocols to establish a shared secret between two parties, and study their resistance over unauthenticated channels.
This means analyzing the security robustness of the protocol itself, and its robustness against Man-in-the-Middle attacks.
arXiv Detail & Related papers (2023-07-28T10:35:35Z) - FedSOV: Federated Model Secure Ownership Verification with Unforgeable
Signature [60.99054146321459]
Federated learning allows multiple parties to collaborate in learning a global model without revealing private data.
We propose a cryptographic signature-based federated learning model ownership verification scheme named FedSOV.
arXiv Detail & Related papers (2023-05-10T12:10:02Z) - Risk Framework for Bitcoin Custody Operation with the Revault Protocol [0.0]
We present a risk model in the form of a library of attack-trees for Revault -- an open-source custody protocol.
Our work exemplifies an approach that can be used independent of which custody protocol is being considered.
arXiv Detail & Related papers (2021-02-13T11:26:15Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.