Abstract

In 2015 the European Union adopted the revised Payment Services Directive (PSD2), which gives the private person, rather than the bank, control over who may access their account data. As a result, Open Banking has become an emerging concept: third-party financial service providers get open access to bank APIs, including consumer banking, transaction, and other financial data. Such openness, however, also creates many security issues, especially where account data is exposed through an API to a third party. Focused on this challenge, the primary goal of this work is to develop an innovative web solution for the market. We advocate that the solution should be able to trigger transactions based on goals and actions, allowing users to save money while encouraging positive habits. In particular, we propose a solution with an architectural model that ensures a clear separation of concerns and easy integration with the Open Banking APIs (sandbox version) of Nordea, the largest bank in the Nordics, and a technology stack consisting of the Flask microframework, the Heroku cloud application platform, and a PostgreSQL persistence layer. We analyse and map the web application's security threats, based on the OWASP Top 10 and a threat modelling methodology, and determine whether the technology stack can provide a suitable level of security. The results indicate that many of these threats are either handled automatically by the components of the stack or are easily prevented with packages available for the Flask framework. Our findings can help developers and industry building Open Banking web applications to improve security by choosing the right frameworks and focusing on the most important vulnerabilities.

Highlights

  • Traditional banks often run their services independently and maintain their own users, which makes it hard for a third party to obtain data about customers across banks

  • (i) We investigate the Nordea Open Banking Application Programming Interfaces (APIs), in collaboration with Nordea Bank in Denmark, regarding access authorization, account information services, and payment initiation services

  • (ii) We design a web application and introduce its system architecture based on the Model-View-Controller (MVC) pattern, with its three parts: model, view, and controller

  • (iii) To identify potential risks and threats, we use the Open Web Application Security Project (OWASP) Top 10 together with a threat modelling method that characterizes each threat along six factors: threat agents, exploitability, weakness prevalence, weakness detectability, technical impact, and business impact

  • (iv) We find that many of the threats, Broken Authentication among them, are handled automatically by the components of the technology stack or can be prevented with packages available for the Flask framework
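The six factors listed in (iii) are the columns of the risk table that the 2017 OWASP Top 10 publishes for each category. The following is an added example, not code from the paper: it records a threat along those six factors and ranks a set of threats with the scoring the 2017 Top 10 uses (likelihood is the mean of exploitability, prevalence and detectability, each rated 1 to 3; risk is likelihood multiplied by technical impact; threat agents and business impact are application specific and stay descriptive). The factor values are the ones published for these four categories in the 2017 Top 10, re-entered by hand and therefore an assumption; the threat-agent and business-impact text is constructed for an Open Banking web application.

```python
"""Rate and rank threats along the six OWASP Top 10 (2017) risk factors.

Added example, not the paper's code. Scoring follows the 2017 OWASP Top 10
methodology: likelihood = mean(exploitability, prevalence, detectability),
each 1..3 with 3 the worst; risk score = likelihood * technical impact (1..3).
Threat agents and business impact are application specific and descriptive.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    threat_agents: str        # application specific, free text
    exploitability: int       # 1 = difficult .. 3 = easy
    prevalence: int           # 1 = uncommon  .. 3 = widespread
    detectability: int        # 1 = difficult .. 3 = easy
    technical_impact: int     # 1 = minor     .. 3 = severe
    business_impact: str      # application specific, free text

    def __post_init__(self):
        # Reject ratings outside the 1..3 scale before they silently skew a ranking.
        for field in ("exploitability", "prevalence", "detectability", "technical_impact"):
            value = getattr(self, field)
            if value not in (1, 2, 3):
                raise ValueError(f"{field} must be 1, 2 or 3, got {value!r}")

    @property
    def likelihood(self) -> float:
        return (self.exploitability + self.prevalence + self.detectability) / 3

    @property
    def score(self) -> float:
        return round(self.likelihood * self.technical_impact, 2)


def rank(risks):
    """Highest score first; sorted() is stable, so ties keep their input order."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


# Numeric factors: values published in the 2017 OWASP Top 10 for these categories
# (re-entered by hand, so treat them as an assumption). Text: constructed for an
# Open Banking web application that reads account data and initiates payments.
OPEN_BANKING_RISKS = [
    Risk("A1 Injection", "anyone who can send untrusted data to a query",
         3, 2, 3, 3, "leak or alter account and transaction data"),
    Risk("A2 Broken Authentication", "credential stuffing and session hijacking",
         3, 2, 2, 3, "take over a user and initiate payments on their behalf"),
    Risk("A3 Sensitive Data Exposure", "attackers reading traffic, logs or backups",
         2, 3, 2, 3, "expose account numbers and balances"),
    Risk("A7 Cross-Site Scripting", "anyone who can inject content into a page",
         3, 3, 3, 2, "hijack the sessions of other users of the application"),
]


def ranked_names(risks=OPEN_BANKING_RISKS):
    """Names in priority order, which is the order the paper's analysis should follow."""
    return [r.name for r in rank(risks)]


if __name__ == "__main__":
    for r in rank(OPEN_BANKING_RISKS):
        print(f"{r.score:4.1f}  {r.name:28s} agents: {r.threat_agents}")
```

Ties (A2 and A3 both score 7.0 here) are where the two descriptive factors earn their keep: for a payment-initiating application the business impact of an account takeover usually decides which of the two is treated first.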


Summary

Introduction

Traditional banks often run their services independently and maintain their own users, which makes it hard for a third party to obtain data about customers across banks. Flask mitigates many security threats by default, supplemented by a number of well-known third-party extensions and packages endorsed by the Flask community, which can be customized as needed. It provides out-of-the-box abstraction layers for communicating with the popular relational database PostgreSQL [5] and with the cloud application platform Heroku [6] for deployment. The framework complies with the WSGI server standard [7].
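The paragraph above credits Flask and its extensions with mitigating many of the OWASP Top 10 threats by default. The following is an added example, not the paper's code and not Flask's: it shows, with the standard library only so that the mechanism is visible and nothing beyond Python is needed, three of the controls that such a stack supplies for an Open Banking application: a bound SQL parameter against Injection (the role SQLAlchemy's parameter binding plays in a Flask app), salted password hashing against Broken Authentication (the role of werkzeug.security), and an HMAC-signed session cookie that rejects tampering (the role of the itsdangerous-signed Flask session). The user rows, the injection payload and the cookie forgery are constructed for the example; PBKDF2 is used here because it is always available in hashlib, which is an assumption about the deployment rather than the paper's choice.

```python
"""Three OWASP Top 10 controls a Flask-style stack provides, in plain Python.

Added example, not the paper's code. Each pair shows the weak pattern beside
the one the stack gives you: string-built SQL vs. a bound parameter, plaintext
vs. salted password hashing, and an unsigned vs. an HMAC-signed session cookie.
"""
import base64
import hashlib
import hmac
import json
import os
import sqlite3

# --- A1 Injection: string-built query vs. bound parameter -------------------

def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "x"), ("bob", "y")])
    return conn


def find_user_vulnerable(conn, name: str) -> list:
    # Attacker text becomes SQL: name = "x' OR '1'='1" returns every row.
    return conn.execute(
        f"SELECT name FROM users WHERE name = '{name}' ORDER BY name").fetchall()


def find_user(conn, name: str) -> list:
    # The driver passes the value out of band; quotes in it are just data.
    return conn.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY name", (name,)).fetchall()


# --- A2 Broken Authentication: salted, slow password hashing ----------------

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256; chosen for the example, tune for production


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'salt$digest' (base64). A fresh random salt per user defeats rainbow tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return base64.b64encode(salt).decode() + "$" + base64.b64encode(digest).decode()


def verify_password(stored: str, candidate: str) -> bool:
    salt_b64, digest_b64 = stored.split("$", 1)
    salt = base64.b64decode(salt_b64)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    # Constant-time compare so the response time does not leak how many bytes matched.
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


# --- A2 again: tamper-evident session cookie --------------------------------

def sign_session(secret: bytes, data: dict) -> str:
    """Serialize the session and append an HMAC-SHA256 tag: 'payload.signature'."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode())
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return payload.decode() + "." + base64.urlsafe_b64encode(tag).decode()


def load_session(secret: bytes, cookie: str):
    """Return the session dict if the tag verifies, else None (altered or malformed)."""
    try:
        payload_b64, tag_b64 = cookie.rsplit(".", 1)
        tag = base64.urlsafe_b64decode(tag_b64)
        expected = hmac.new(secret, payload_b64.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        return json.loads(base64.urlsafe_b64decode(payload_b64))
    except ValueError:  # bad split, bad base64 (binascii.Error) or bad JSON
        return None


def forge_cookie(cookie: str, new_data: dict) -> str:
    """What an attacker without the secret can do: swap the payload, keep the old tag."""
    old_tag = cookie.rsplit(".", 1)[1]
    payload = base64.urlsafe_b64encode(json.dumps(new_data, sort_keys=True).encode())
    return payload.decode() + "." + old_tag


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))
    print("bound:     ", find_user(db, payload))
    secret = os.urandom(32)
    cookie = sign_session(secret, {"user": "alice"})
    print("forged accepted?", load_session(secret, forge_cookie(cookie, {"user": "admin"})))
```

The signed cookie only proves integrity, not secrecy: the payload is readable by anyone holding the cookie, so account data belongs in the server-side store, and the cookie should carry only a user identifier.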

