Security analysis of the open banking account and transaction API protocol

Paolo Modesti; Leo Freitas; Qudus Shotomiwa; Abdulaziz Almehrej

doi:10.1016/j.csa.2025.100097

Security analysis of the open banking account and transaction API protocol

Paolo Modesti, Leo Freitas, Qudus Shotomiwa, Abdulaziz Almehrej

Research output: Contribution to journal › Article › peer-review

21 Downloads (Pure)

Abstract

The Second Payment Services Directive (PSD2) of the European Union aims to create a consumer-friendly financial market by mandating secure and standardised data sharing between banking operators and third parties. Consequently, EU countries and the United Kingdom have adopted Open Banking, a standardised data-sharing API. This paper presents a formal modelling and security analysis of the UK Open Banking Standard’s APIs, with a specific focus on the Account and Transaction API protocol. Our methodology employs the extended Alice and Bob notation (AnBx) to create a formal model of the protocol, which is then verified using the OFMC symbolic model checker and the ProVerif cryptographic protocol verifier. We extend previous work by enabling verification for unlimited sessions with a strongly typed model. Additionally, we integrate our formal analysis with practical security testing of some necessary conditions to demonstrate verified security-goals in the NatWest Open Banking sandbox, evaluating mechanisms such as authorisation and authentication procedures.

Original language	English
Article number	100097
Number of pages	31
Journal	Cyber Security and Applications
Volume	3
Early online date	10 Jun 2025
DOIs	https://doi.org/10.1016/j.csa.2025.100097
Publication status	E-pub ahead of print - 10 Jun 2025

Access to Document

10.1016/j.csa.2025.100097Licence: CC BY-NC-ND

Full TextFinal published version, 3.74 MBLicence: CC BY-NC-ND

Cite this

@article{0545e8db0e9646ab8b685a4c6e80e611,

title = "Security analysis of the open banking account and transaction API protocol",

abstract = "The Second Payment Services Directive (PSD2) of the European Union aims to create a consumer-friendly financial market by mandating secure and standardised data sharing between banking operators and third parties. Consequently, EU countries and the United Kingdom have adopted Open Banking, a standardised data-sharing API. This paper presents a formal modelling and security analysis of the UK Open Banking Standard{\textquoteright}s APIs, with a specific focus on the Account and Transaction API protocol. Our methodology employs the extended Alice and Bob notation (AnBx) to create a formal model of the protocol, which is then verified using the OFMC symbolic model checker and the ProVerif cryptographic protocol verifier. We extend previous work by enabling verification for unlimited sessions with a strongly typed model. Additionally, we integrate our formal analysis with practical security testing of some necessary conditions to demonstrate verified security-goals in the NatWest Open Banking sandbox, evaluating mechanisms such as authorisation and authentication procedures.",

author = "Paolo Modesti and Leo Freitas and Qudus Shotomiwa and Abdulaziz Almehrej",

year = "2025",

month = jun,

day = "10",

doi = "10.1016/j.csa.2025.100097",

language = "English",

volume = "3",

journal = "Cyber Security and Applications",

issn = "2772-9184",

}

TY - JOUR

T1 - Security analysis of the open banking account and transaction API protocol

AU - Modesti, Paolo

AU - Freitas, Leo

AU - Shotomiwa, Qudus

AU - Almehrej, Abdulaziz

PY - 2025/6/10

Y1 - 2025/6/10

N2 - The Second Payment Services Directive (PSD2) of the European Union aims to create a consumer-friendly financial market by mandating secure and standardised data sharing between banking operators and third parties. Consequently, EU countries and the United Kingdom have adopted Open Banking, a standardised data-sharing API. This paper presents a formal modelling and security analysis of the UK Open Banking Standard’s APIs, with a specific focus on the Account and Transaction API protocol. Our methodology employs the extended Alice and Bob notation (AnBx) to create a formal model of the protocol, which is then verified using the OFMC symbolic model checker and the ProVerif cryptographic protocol verifier. We extend previous work by enabling verification for unlimited sessions with a strongly typed model. Additionally, we integrate our formal analysis with practical security testing of some necessary conditions to demonstrate verified security-goals in the NatWest Open Banking sandbox, evaluating mechanisms such as authorisation and authentication procedures.

AB - The Second Payment Services Directive (PSD2) of the European Union aims to create a consumer-friendly financial market by mandating secure and standardised data sharing between banking operators and third parties. Consequently, EU countries and the United Kingdom have adopted Open Banking, a standardised data-sharing API. This paper presents a formal modelling and security analysis of the UK Open Banking Standard’s APIs, with a specific focus on the Account and Transaction API protocol. Our methodology employs the extended Alice and Bob notation (AnBx) to create a formal model of the protocol, which is then verified using the OFMC symbolic model checker and the ProVerif cryptographic protocol verifier. We extend previous work by enabling verification for unlimited sessions with a strongly typed model. Additionally, we integrate our formal analysis with practical security testing of some necessary conditions to demonstrate verified security-goals in the NatWest Open Banking sandbox, evaluating mechanisms such as authorisation and authentication procedures.

U2 - 10.1016/j.csa.2025.100097

DO - 10.1016/j.csa.2025.100097

M3 - Article

SN - 2772-9184

VL - 3

JO - Cyber Security and Applications

JF - Cyber Security and Applications

M1 - 100097

ER -

Security analysis of the open banking account and transaction API protocol

Abstract

Access to Document

Fingerprint

Cite this