Security Analysis of the Open Banking Account and Transaction API Protocol
To counteract the lack of competition and innovation in the financial services industry, the EU has issued the Second Payment Services Directive (PSD2) encouraging account servicing payment service providers to share data. The UK, similarly to other European countries, has promoted a standard API for data sharing: the Open Banking Standard. We present a formal security analysis of its APIs, focusing on the correctness of the Account and Transaction API protocol. The work relies on a previously proposed methodology, which provided a practical approach to protocol modelling and verification.
READ FULL TEXT