Security

We are aware that security is one of the most important aspects of using banking APIs. There are important issues regarding encryption of communication, bank customer and 3rd party company application authentication, examining permissions for particular resources and protection against possible security attacks.

FinTechAPI delivers not only API itself. There is also a Developers Portal for establishing and managing subscriptions. Both of them are publicly available and therefore the communication with them is encrypted using server SSL certificate, signed by one of trusted certification authorities. There is no exception to this rule on the FinTechAPI production environment as the data exchanged through the API is confidential (bank customer sensitive data and security metadata).

FinTechAPI uses OAuth2 authorization flow. OAuth2 is a protocol and an industry standard described by RFC documentation. Using this framework means that authorization is token-based so each and every client application, that wants to integrate with bank through FinTechAPI, has to obtain the security token which is further required by every API call. Valid security token is the evidence for API that this application has all essential permissions to perform this particular call. FinTechAPI provides all the necessary OAuth2 mechanisms (http endpoints) for acquiring, renewing and validating security tokens.

OAuth2 authorization flow delegates customer authentication to bank by eg. redirecting his user-agent (usually an internet browser) to bank site or portal that he knows and trusts. Furthermore this should be so-called ‘Strong Customer Authentication’ in terms of regulations mentioned by PSD2 European Union directive (see Regulatory Technical Standards).

The second authentication mechanism is for identifying each of 3rd party company applications that are connecting to the banking API. In order to provide such identification FinTechAPI requires subscribing for production API access in its Developer Portal. Each successful subscription lets application to acquire a pair of authentication information (Consumer key, Consumer secret – where Consumer should be interpreted as an application consuming banking API). Authentication information is used for two reasons:

• to identify application calling API. This is required by PSD2 directive but is also used for other internal purposes (e.g. permissions, statistics, access management).

• It is required by OAuth2 authorization flow in order to generate and validate security tokens.

FinTechAPI products are protected (natively or by appropriate network configuration) against such risks as i.a.:

• XSS

• CSRF

• CRLF

• DOS attacks