IMPROVED ARCHITECTURE FOR A PERSONAL DATA SECURITY AND ANALYSIS SYSTEM IN BANKING

Cite as:
Zharkynbek N.M., Naizabayeva L.K. IMPROVED ARCHITECTURE FOR A PERSONAL DATA SECURITY AND ANALYSIS SYSTEM IN BANKING // Universum: технические науки (Universum: Technical Sciences), electronic scientific journal. 2026. 4(145). URL: https://7universum.com/ru/tech/archive/item/22506 (accessed: 07.05.2026).
Read the article:
DOI - 10.32743/UniTech.2026.145.4.22506
Received by the editorial office: 06.04.2026
Accepted for publication: 14.04.2026
Published: 28.04.2026

 

ABSTRACT

The banking sector faces growing cybersecurity threats that compromise personal customer data. Traditional authentication mechanisms and isolated logging systems are insufficient against modern attack vectors such as phishing, session hijacking, and zero-day exploits. This paper presents an improved layered architecture for personal data security and analysis in banking, integrating OpenID Connect (OIDC) for federated identity management, JSON Web Tokens (JWT) for signed, self-describing session tokens, and a private Hyperledger Fabric blockchain as an immutable audit log of token events. The proposed system provides tamper-evident traceability of authentication events, role-based access control (RBAC), and real-time anomaly detection. In the reported evaluation, authentication breaches fell from approximately 50 to fewer than 5 incidents per measurement period, MFA adoption reached 90%, and transaction latency stayed below 90 ms. The mobile component is aligned with the OWASP MASVS requirements, and the architecture supports both browser-based and mobile banking clients, offering a scalable, forward-compatible foundation for next-generation banking security.

ABSTRACT (Russian version)

The banking sector faces growing cybersecurity threats that put customers' personal data at risk. Traditional authentication mechanisms and isolated logging systems cannot withstand modern attack vectors such as phishing, session hijacking, and zero-day exploits. This paper presents an improved multi-layer architecture for the protection and analysis of personal data in the banking sector, integrating OpenID Connect (OIDC) for federated identity management, JSON Web Tokens (JWT) for session management, and a private Hyperledger Fabric blockchain as an immutable audit log. The evaluation shows a reduction in authentication breaches from approximately 50 to fewer than 5 incidents, an MFA adoption rate of 90%, and transaction latency below 90 ms.

 

Keywords: banking security, personal data protection, blockchain, JWT, OpenID Connect, authentication, cybersecurity, Hyperledger Fabric.

Keywords (Russian version): banking security, personal data protection, blockchain, JWT, OpenID Connect, authentication, cybersecurity, Hyperledger Fabric.

 

Introduction

In recent years, the banking sector has faced increasing challenges in protecting personal data due to the proliferation of cyber threats such as phishing, data breaches, and zero-day attacks [1]. The expansion of mobile and web-based banking services has significantly enlarged the attack surface that malicious actors exploit. Traditional security measures — including password-based authentication and symmetric encryption — are no longer sufficient to safeguard sensitive financial information [2, 3].

Attack techniques evolve quickly. Vulnerabilities in federated identity management systems, misconfigurations in OAuth/OpenID Connect flows, and session handling flaws are frequently responsible for modern breaches [4, 5, 6]. In parallel, mobile banking applications often lack secure implementation practices: OWASP MASVS assessments have identified widespread flaws in session management, token handling, and local data storage [14].

Cloud computing has further transformed banking infrastructure by introducing elastic scaling and cost optimization, but has simultaneously created new risks including shared responsibility confusion, unauthorized API access, and configuration drift in multi-cloud environments [18]. Advanced decision-making frameworks combining DEMATEL, COCOSO, and Z-number logic have been proposed to model and prioritize these interdependent cloud security risks [19].

Zero-day and zero-click attacks represent particularly devastating threats. These attacks often target mobile platforms through messaging applications or background services and require no user interaction to execute [1]. Detecting such attacks requires real-time anomaly detection models capable of monitoring behavioral signals and application-level telemetry.

This research aims to design and evaluate a robust, layered architecture for personal data security and analysis in banking. The proposed system integrates blockchain technology, federated identity management, and token-based access control to address the identified vulnerabilities while maintaining operational efficiency.

Materials and methods

To address critical vulnerabilities in modern banking environments, this research proposes a secure, layered architecture that combines federated identity management, blockchain logging, and token-based authorization mechanisms. The goal is to create a scalable system that supports secure authentication, immutable audit trails, and verifiable access control without sacrificing performance or user experience.

The system begins with OpenID Connect (OIDC) as the backbone for identity management. OIDC, an identity layer on top of OAuth 2.0, is widely adopted by major service providers because it unifies identification, authentication, and authorization flows under a single specification [4]. However, deployments often suffer from misconfigurations and inadequate threat modeling, leaving them exposed to token leakage, authorization code injection, and login CSRF [3, 5].

For session management, the system issues JSON Web Tokens (JWT). Each token is signed by the issuer and carries expiration and role claims; the backend accepts only the signature algorithm it was configured for, so unsigned or re-signed tokens are rejected. To make token events tamper-evident, the system computes the SHA-256 digest of each serialized token and records the digest, not the token itself, in a private Hyperledger Fabric blockchain; the ledger therefore never holds a usable credential. The immutability and traceability offered by Hyperledger Fabric ensure that every login or access event can be verified retroactively, adding a critical layer of accountability [11, 12].

This blockchain integration serves two purposes. First, it enables verifiable audit logs without relying on a single centralized log server, addressing the risk that an intruder tampers with or forges log entries. Second, in the case of a suspected intrusion, the ledger enables forensic reconstruction of the attack path, since every token issuance and use is recorded in order. According to [10], such checkpoint-based blockchain systems are highly effective in reducing fraudulent transactions in online banking.

After the token is logged, the backend validates every presented token against both the issuer's signature and the ledger entry for its digest. For browser sessions the backend stores the token in a cookie carrying the Secure, HttpOnly and SameSite attributes; for mobile and API-based interactions it accepts the JWT as a Bearer token in the Authorization header. This design supports both traditional and headless client architectures, improving platform compatibility.
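The token lifecycle described in the three paragraphs above (issue a signed JWT, commit its SHA-256 digest to the ledger, validate signature plus ledger state on each request) is shown below as an added example; it is not code from the paper's implementation. The paper does not state the signature algorithm, key handling, or Fabric chaincode; this example assumes HS256 with a single hypothetical server-held key, and replaces the Hyperledger Fabric ledger with an in-process append-only hash chain that only imitates its tamper evidence. It also shows the replay and reuse check that the Results section refers to, since every use of a token leaves an event on the ledger.

```python
"""Issue an HS256 JWT, commit its SHA-256 digest to an append-only ledger,
and validate presented tokens against signature, expiry and ledger state.
Added example; the ledger class is a stand-in for Hyperledger Fabric."""
import base64
import hashlib
import hmac
import json
import secrets

SIGNING_KEY = b"constructed-demo-key-replace-with-kms-held-secret"  # assumption, not a real key
ALLOWED_ALG = "HS256"                                                # pinned: alg=none is never accepted


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_parts(header: dict, payload: dict) -> str:
    """JWS signing input: base64url(header).base64url(payload) over compact JSON."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())
    return enc(header) + "." + enc(payload)


def sign(signing_input: str, key: bytes) -> str:
    return b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())


def token_digest(token: str) -> str:
    """What goes on the ledger: the SHA-256 of the exact serialized token, never the token."""
    return hashlib.sha256(token.encode()).hexdigest()


class AuditLedger:
    """Stand-in for the private Fabric ledger: an append-only hash chain of
    (digest, event, ts) records. Changing any committed record breaks the chain."""
    GENESIS = "0" * 64

    def __init__(self):
        self.blocks = []

    def _hash(self, prev, digest, event, ts):
        return hashlib.sha256(f"{prev}|{digest}|{event}|{ts}".encode()).hexdigest()

    def append(self, digest, event, ts):
        prev = self.blocks[-1]["hash"] if self.blocks else self.GENESIS
        self.blocks.append({"prev": prev, "digest": digest, "event": event,
                            "ts": ts, "hash": self._hash(prev, digest, event, ts)})

    def events(self, digest):
        """Chronological history of one token: e.g. ['issued', 'used', 'used', 'revoked']."""
        return [b["event"] for b in self.blocks if b["digest"] == digest]

    def verify_chain(self):
        prev = self.GENESIS
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != self._hash(prev, b["digest"], b["event"], b["ts"]):
                return False
            prev = b["hash"]
        return True


def issue_token(ledger, sub, roles, now, ttl=900):
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    payload = {"sub": sub, "roles": roles, "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
    signing_input = encode_parts(header, payload)
    token = signing_input + "." + sign(signing_input, SIGNING_KEY)
    ledger.append(token_digest(token), "issued", now)   # issuance is the ledger's first record
    return token


def revoke_token(ledger, token, now):
    """Revocation after a suspected hijack: a later 'revoked' record overrides 'issued'."""
    ledger.append(token_digest(token), "revoked", now)


def validate_token(ledger, token, now):
    """Return (ok, reason, payload). Order: shape, pinned alg, signature, exp, ledger state."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError:                         # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return False, "malformed", None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed", None
    if header.get("alg") != ALLOWED_ALG:       # rejects alg=none and algorithm confusion
        return False, "alg not allowed", None
    expected = hmac.new(SIGNING_KEY, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature", None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return False, "expired", None
    history = ledger.events(token_digest(token))
    if "issued" not in history:                # valid signature, but this token was never minted here
        return False, "not on ledger", None
    if "revoked" in history:
        return False, "revoked", None
    ledger.append(token_digest(token), "used", now)   # every accepted use leaves a trace
    return True, "ok", payload


def require_role(payload, role):
    """Backend-side RBAC check on the verified claims (never on client-supplied data)."""
    return role in payload.get("roles", [])


if __name__ == "__main__":
    ledger = AuditLedger()
    t0 = 1_700_000_000
    tok = issue_token(ledger, "cust-42", ["customer"], t0)
    print(validate_token(ledger, tok, t0 + 10)[1], ledger.events(token_digest(tok)))
```

The "not on ledger" branch is the property the paper relies on: a token that verifies cryptographically but has no issuance record (for instance one minted out of band with a leaked key) is still refused, and every accepted request appends a "used" record, so repeated use of one token from two places shows up in `events()` as a reviewable history.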

The overall architecture is designed with modularity in mind. Microservices communicate via secured API gateways, with role-based access control (RBAC) checked on the frontend for usability and enforced on the backend, which remains the authoritative decision point because client-side checks can be bypassed. To avoid common pitfalls of OAuth 2.0 implementations, such as missing CSRF protection or authorization code injection, the system strictly enforces single-use state parameters, Origin header checks, and replay mitigations such as the OIDC nonce [3, 5]. The system also integrates anomaly detection logic, ensuring traceability, non-repudiation, and attack resilience.
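The relying-party side of the OIDC authorization-code flow with the protections just listed, as an added example that is not the paper's code: a single-use `state` bound to the browser session (stops login CSRF), a `nonce` echoed in the ID token (stops ID token replay), and PKCE with the S256 method (stops authorization code injection). PKCE is not named in the paper; it is assumed here because it is the standard mitigation for code injection in this flow. The provider class, the client id, the redirect URI and the user identifiers are constructed stand-ins; the real provider would return a signed ID token rather than a claims dictionary.

```python
"""OIDC callback hardening at the relying party: single-use state (login CSRF),
PKCE S256 (authorization code injection) and nonce (ID token replay).
Added example; FakeProvider only imitates an OpenID Provider."""
import base64
import hashlib
import secrets


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def pkce_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) for code_challenge_method=S256."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ClientSession:
    """Server-side session of one browser at the relying party (the bank's web tier)."""

    def __init__(self):
        self.pending = {}   # state -> {"nonce", "verifier", "redirect_uri"}; consumed on callback


def build_authorization_request(session, client_id, redirect_uri):
    """Start a login: mint state, nonce and PKCE verifier, keep them server-side,
    return the parameters that go into the redirect to the provider."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(48)      # stays in the session; only the challenge leaves
    session.pending[state] = {"nonce": nonce, "verifier": verifier, "redirect_uri": redirect_uri}
    return {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid profile", "state": state, "nonce": nonce,
        "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256",
    }


class FakeProvider:
    """Constructed stand-in for the OpenID Provider: issues a code bound to the
    challenge, nonce and redirect_uri, and redeems each code at most once."""

    def __init__(self):
        self.codes = {}

    def authorize(self, params, authenticated_sub):
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"challenge": params["code_challenge"], "nonce": params["nonce"],
                            "redirect_uri": params["redirect_uri"], "sub": authenticated_sub}
        return code

    def token(self, code, code_verifier, redirect_uri):
        """Token endpoint. Returns (claims, error); claims stand in for the ID token."""
        rec = self.codes.pop(code, None)      # single use: a replayed code is dead
        if rec is None:
            return None, "invalid_grant (unknown or reused code)"
        if not secrets.compare_digest(pkce_challenge(code_verifier), rec["challenge"]):
            return None, "invalid_grant (pkce)"   # code was issued for someone else's verifier
        if redirect_uri != rec["redirect_uri"]:
            return None, "invalid_grant (redirect_uri)"
        return {"sub": rec["sub"], "nonce": rec["nonce"]}, None


def handle_callback(session, provider, state, code, redirect_uri):
    """Redirect-URI handler. Returns ("ok", sub) or ("rejected", reason)."""
    pending = session.pending.pop(state, None)   # state is consumed whether or not login succeeds
    if pending is None:
        return "rejected", "unknown or reused state"   # login CSRF or replay of an old callback
    claims, err = provider.token(code, pending["verifier"], redirect_uri)
    if err:
        return "rejected", "token endpoint: " + err
    if not secrets.compare_digest(claims.get("nonce", ""), pending["nonce"]):
        return "rejected", "nonce mismatch"            # ID token was not minted for this login
    return "ok", claims["sub"]


if __name__ == "__main__":
    session, idp = ClientSession(), FakeProvider()
    req = build_authorization_request(session, "bank-web", "https://bank.example/cb")
    code = idp.authorize(req, "cust-42")
    print(handle_callback(session, idp, req["state"], code, "https://bank.example/cb"))
```

The two attacks the paper cites from [3, 5] both fail at different layers here: a callback carrying the attacker's own state never matches the victim's session, and a victim's code injected into the attacker's session fails the PKCE check at the token endpoint because the attacker never held the verifier.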

 

Figure 1. Secure authentication and transaction flow with blockchain logging

 

Results and discussion

To evaluate the proposed architecture, three key metrics were monitored before and after implementation: authentication breaches, fraudulent logins, and MFA (Multi-Factor Authentication) adoption rate. These metrics were selected based on their prominence in studies identifying poor authentication and session handling as the most exploited vulnerabilities in digital banking [3, 5, 14, 15].

After deploying the improved system, authentication breaches decreased from nearly 50 to fewer than 5 incidents per measurement period, a reduction of over 90%. This result aligns with findings in [1, 12], which showed that combining behavioral tracking with immutable logging substantially reduces successful attack vectors. The blockchain-based audit trail proved particularly effective in detecting replay attacks and unauthorized token reuse, because the digest of each JWT was checked against its ledger entry on every API request. This per-request lookup means token validation is no longer purely stateless; its cost is included in the latency figures reported below.

The MFA adoption rate reached 90%, with opt-in functionality supported by biometric prompts and SMS-based verification; of the two, SMS is the weaker factor, as it remains exposed to SIM swapping and real-time phishing relays. This outcome is consistent with industry trends reported in [17, 21], where MFA deployment has been linked to drastic reductions in phishing-related breaches and impersonation fraud. Additionally, fraudulent login attempts dropped below 2% of total traffic, supporting findings from blockchain-integrated systems in the literature [11, 13].

A security-performance trade-off analysis was also conducted. As security enforcement layers increased — including token validation, blockchain hash checks, and stricter TLS configurations — transaction response times increased slightly but remained below 90 ms, within acceptable limits for modern banking platforms. This finding is consistent with prior work on cryptographic verification overhead [7, 16], confirming that well-architected multi-layered systems can achieve strong security without unacceptable performance degradation.

The integration of OWASP MASVS principles ensured that the mobile component adhered to industry best practices, addressing insecure data storage and insufficient session expiration. Through consistent validation against blockchain logs and strict RBAC, the system prevents unauthorized access even in complex multi-user environments. Future enhancements include AI-driven anomaly detection, biometric integration, and policy-driven adaptive authentication based on risk scoring from user location, device fingerprint, and transaction type.

 

Figure 2. Reduction in authentication breaches post-implementation

 

Figure 3. Security vs. transaction speed

 

Conclusion

This study presented a secure, scalable architecture for banking systems by integrating OpenID Connect (OIDC), Hyperledger Fabric blockchain, and JWT-based authentication. The design ensures tamper-proof auditability, flexible token-based access control, and resilient identity verification across both browser-based and mobile banking platforms.

Empirical results confirmed a significant reduction in authentication-related incidents — including fraudulent logins and session hijacking — while maintaining acceptable performance metrics even under increased security layers. The implementation of blockchain for token hashing and logging proved particularly effective for immutable tracking, thus enhancing trust, traceability, and regulatory compliance.

In conclusion, the proposed architecture demonstrates that a thoughtfully integrated system — combining federated identity management, immutable blockchain auditing, and adaptive security protocols — can provide both robust protection and scalability for modern banking platforms. As cyber threats continue to evolve, such systems offer a forward-compatible foundation that meets current regulatory demands and is agile enough to adapt to future attack vectors.

 

References:

  1. Yasmeen K., Adnan M. Zero-day and zero-click attacks on digital banking: a comprehensive review of double trouble // Risk Management. – 2023. – Vol. 25. – P. 1–24.
  2. Wodo W., Blaskiewicz P., Stygar D., Kuzma N. Evaluating the security of electronic and mobile banking // Computer Fraud & Security. – 2021. – P. 8–14.
  3. Singh J., Chaudhary N.K. OAuth 2.0: Architectural design augmentation for mitigation of common security vulnerabilities // Journal of Information Security and Applications. – 2022. – Vol. 65.
  4. Navas J., Beltran M. Understanding and mitigating OpenID Connect threats // Computers and Security. – 2019. – Vol. 84. – P. 1–16.
  5. Arshad E., Benolli M., Crispo B. Practical attacks on login CSRF in OAuth // Computers and Security. – 2022. – Vol. 121.
  6. Schmelk S. et al. Privacy and security of mobile banking: A PRISMA-centric review of Android finance applications // Lecture Notes in Networks and Systems. – 2024. – Vol. 1155. – P. 11–29.
  7. Awotunde J.B. et al. An enhanced hybrid cryptography model for online banking authentication and security // Lecture Notes in Networks and Systems. – 2024. – Vol. 1123. – P. 287–293.
  8. Cinar A.C., Kara T.B. The current state and future of mobile security in the light of recent mobile security threat reports // Multimedia Tools and Applications. – 2023. – Vol. 82. – P. 20269–20281.
  9. Zheng M. Generalized implicit-key attacks on RSA // Journal of Information Security and Applications. – 2023. – Vol. 77.
  10. Chorey P.A., Sahu N. Enhancing banking transaction security with a hybrid access control consensus algorithm through blockchain-enabled checkpoint model // SN Computer Science. – 2024. – Vol. 5. – P. 1–17.
  11. Tsai C.H., Liou D.K., Lee H.L. Blockchain-supported online banking scheme // Egyptian Informatics Journal. – 2024. – Vol. 27. – P. 100516.
  12. Salle A.L., Kumar A., Jevtic P., Boscovic D. Joint modeling of Hyperledger Fabric and Sybil attack: Petri net approach // Simulation Modelling Practice and Theory. – 2023. – Vol. 122.
  13. Poston H. Mapping the OWASP Top Ten to blockchain // Procedia Computer Science. – 2020. – Vol. 177. – P. 613–617.
  14. Chiboora T.H. et al. Evaluating mobile banking application security posture using the OWASP's MASVS framework // COMPASS 2023. – 2023. – P. 99–106.
  15. Sharma A. et al. Security of Android banking mobile apps: Challenges and opportunities // Lecture Notes in Networks and Systems. – 2023. – Vol. 599. – P. 406–416.
  16. Sabir B.E. et al. Authentication and load balancing scheme based on JSON token for multi-agent systems // Procedia Computer Science. – 2019. – Vol. 148. – P. 562–570.
  17. Wen S.F., Katt B. A quantitative security evaluation and analysis model for web applications based on OWASP ASVS // Computers and Security. – 2023. – Vol. 135.
  18. Vinoth S. et al. Application of cloud computing in banking and e-commerce and related security threats // Materials Today: Proceedings. – 2022. – Vol. 51. – P. 2172–2175.
  19. Nguyen P.H. et al. Assessing cybersecurity risks and prioritizing top strategies in Vietnam's finance and banking system // Heliyon. – 2024. – Vol. 10. – P. e37893.
  20. Negueroles S.C. et al. A blockchain-based digital twin for IoT deployments in logistics and transportation // Future Generation Computer Systems. – 2024. – Vol. 158. – P. 73–88.
  21. Wilhelm T. Web application attack techniques. – Elsevier, 2025. – P. 401–446.
Information about the authors

Master's student, School of Information Technology and Engineering, Kazakh-British Technical University, Kazakhstan, Almaty

Doctor of Technical Sciences, Professor, International Information Technology University, Kazakhstan, Almaty

The journal is registered with the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor), registration number ЭЛ №ФС77-54434 of 17.06.2013
Founder of the journal: ООО «МЦНО»
Editor-in-chief: Zvezdina Marina Yurievna.