The Financial-grade API (FAPI) | Datenschutz und Datensicherheit - DuD

The Financial-grade API (FAPI)

PSD2-compliant protection of APIs in the financial sector


Abstract

Digitising the financial sector is a demanding task: because they process highly sensitive data and hold the rights to execute payment transactions, the IT systems of banks are attractive targets for attack. The Financial-grade API (FAPI) is a solution for implementing regulatory requirements in the authorisation context while meeting a high security standard. The FAPI profile is an extension of the widely used authorisation protocols OAuth and OpenID Connect.




Correspondence to Johanna Schenkel.


Cite this article

Schenkel, J., Mainka, C. Die Financial-grade API (FAPI). Datenschutz Datensich 47, 154–159 (2023). https://doi.org/10.1007/s11623-023-1736-6


  • DOI: https://doi.org/10.1007/s11623-023-1736-6
