ARE YOU PREPARED FOR THE BANKING REVOLUTION?

Europe, through the Revised Directive on Payment Services (PSD2), and the Competition and Markets Authority (CMA) in the UK are imposing measures on retail banks to open access to customers' account information.

In order to comply with those directives, banks will expose a set of public APIs, giving access to customer accounts, bank details, credit cards and loans to other banks and fintech actors.

SECURING OPEN BANKING APIs

While we can all agree that Open Banking will greatly benefit consumers, one question is left open: how secure will access to this very personal and sensitive data be? As The Register points out, "APIs can provide an easy route for attackers if not properly secure". The N26 bank experienced this first-hand in late 2016: the attacker demonstrated how he could take advantage of badly secured APIs to hijack accounts.

FINANCIAL SECURITY STANDARDS

Our solution supports the latest standards such as OAuth2, OpenID Connect and PKCE. We are also working with the Financial APIs (FAPI) working group, which defines specific financial profiles for OAuth2, allowing data access in read-only and read-write modes. FAPI relies on companion standards such as OAuth token binding to prevent OAuth token theft.

Our Solution

42C Open Banking API firewall

  • Default rules generated from the Open Banking specifications, which ensure data integrity and stop typical attacks listed by OWASP, such as session hijacking, cross-site scripting (XSS), cross-site request forgery (CSRF), insecure direct object references, header manipulation and injections (such as SQL injection).
  • Custom rules enforcing the security considerations of the OpenID Connect and OAuth2 specifications, covering timing attacks, token reuse, request disclosure and many more.
  • Validation of OpenID Connect and OAuth flows, for example to prevent token substitution.
  • Support for PSD2 XS2A requirements, through the highest standards for the exchange of data: TLS, strong ciphers and key sizes, payload encryption (JWE), digital signatures (JWS) and two-factor authentication.
  • Support for OAuth2 PKCE (Proof Key for Code Exchange), a standard designed to prevent a malicious mobile application from obtaining access to an OAuth2 authorization code.
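How the PKCE check in the last bullet works, as an added example that is not 42Crunch code: the client keeps a random code_verifier and sends only its S256 digest (code_challenge) with the authorization request; the token endpoint recomputes the digest from the verifier presented at redemption and refuses the code if it differs. The in-memory AuthorizationServer class is a constructed stand-in for a real token endpoint.

```python
import base64
import hashlib
import hmac
import secrets

# PKCE as specified in RFC 7636 (constructed example, not 42Crunch code).
# An app that only intercepted the authorization code lacks the verifier,
# so the token endpoint rejects its redemption attempt.

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    # 32 random bytes -> 43 base64url characters (the RFC minimum length)
    return b64url(secrets.token_bytes(32))

def make_code_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthorizationServer:
    """Minimal in-memory token endpoint (stand-in for the example)."""
    def __init__(self) -> None:
        self._pending = {}  # authorization code -> stored code_challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":  # refuse the weaker 'plain' method
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        challenge = self._pending.pop(code, None)  # codes are single-use
        if challenge is None or not 43 <= len(code_verifier) <= 128:
            return False
        expected = make_code_challenge(code_verifier)
        return hmac.compare_digest(expected, challenge)  # constant-time compare

def run_flow(use_wrong_verifier: bool = False) -> bool:
    """Whole exchange: the legitimate client succeeds, a code-only holder fails."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    if use_wrong_verifier:
        return server.token(code, make_code_verifier())  # verifier not known
    return server.token(code, verifier)
```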

API Mediation to other banks

Validates API data and authentication flows on outbound calls to other banks.

A vulnerability assessment toolkit

Validate your deployment at development time and at runtime: SecDevOps made easy.

A client SDK

Helps consumers of banking APIs build safer web and mobile applications.

BE THE FIRST TO TEST OUR PLATFORM

BROUGHT TO YOU BY A TEAM OF WORLDWIDE SECURITY EXPERTS

Our technical team has a long history in corporate security, integration and APIs. They have been designing, developing and deploying best-of-breed web application firewalls, IAM and web SSO solutions, XML/SOA gateways and API management solutions for the last 15 years. Together, they bring a wealth of expertise to the 42Crunch platform.