
    6. Automated Assistance to the Security Assessment of API for Financial Services

    This chapter presents the challenges related to the security assessment and the automated synthesis of mitigation measures of APIs for financial services. The focus is on the APIs supporting the implementation of the new Payment Services Directive. It also gives an overview of an innovative approach to address these challenges by (i) the automated identification and mitigation of security misconfigurations underlying sessions based on Transport Layer Security, which is ubiquitously used to build a foundation layer of security; and (ii) the automated penetration testing and synthesis of mitigations for the functionalities provided by APIs built on top of it, both business (e.g., payments) and security (e.g., authentication or authorization). The main novelty of the proposed approach lies in the tight integration of identification and mitigation phases by means of actionable measures that allow users to significantly strengthen the security posture of the entire API ecosystem.

    A technological solution to improve customer experience and accessibility in the financial system based on Open Banking

    This project aims to propose a technological solution that improves the customer's experience and accessibility when applying for a loan at a financial institution. Through a web portal and/or mobile application, the customer applies for a loan and can view and compare online credit alternatives offered by the participating financial institutions, then choose the offer that suits them best. These integrations with the financial institutions are achieved in compliance with international norms and regulations such as PSD2 and standards such as Open Banking, which promote innovation and competition and favour the adaptation of banking services to new technologies. Depending on the amount requested by the customer, the fintech may finance the loan itself; if the amount exceeds what the fintech is permitted to lend, the loan application is passed on to the various financial institutions subscribed to the web portal. This creates competition mechanisms, improves the offer to the customer and promotes financial inclusion for both banked and unbanked people. Granting credit to a customer must go through a pre-evaluation process, which uses a predictive risk model based on non-parametric data to assess the customer's risk level, their promise to pay and their commitment to the loan.

    Formal Security Analysis of the OpenID FAPI 2.0: Accompanying a Standardization Process

    In recent years, the number of third-party services that can access highly-sensitive data has increased steadily, e.g., in the financial sector, in eGovernment applications, or in high-assurance identity services. Protocols that enable this access must provide strong security guarantees. A prominent and widely employed protocol for this purpose is the OpenID Foundation's FAPI protocol. The FAPI protocol is already in widespread use, e.g., as part of the UK's Open Banking standards and Brazil's Open Banking Initiative as well as outside of the financial sector, for instance, as part of the Australian government's Consumer Data Rights standards. Based on lessons learned from FAPI 1.0, the OpenID Foundation has developed a completely new protocol, called FAPI 2.0. The specifications of FAPI 2.0 include a concrete set of security goals and attacker models under which the protocol aims to be secure. Following an invitation from the OpenID Foundation's FAPI Working Group (FAPI WG), we have accompanied the standardization process of the FAPI 2.0 protocol by an in-depth formal security analysis. In this paper, we report on our analysis and findings. Our analysis incorporates the first formal model of the FAPI 2.0 protocol and is based on a detailed model of the web infrastructure, the Web Infrastructure Model, originally proposed by Fett, Küsters, and Schmitz. Our analysis has uncovered several types of attacks on the protocol, violating the aforementioned security goals set by the FAPI WG. We subsequently have worked with the FAPI WG to fix the protocol, resulting in several changes to the specifications. After adapting our model to the changed specifications, we have proved the security properties to hold under the strong attacker model defined by the FAPI WG.