Hacking your bank with Ruby & reverse engineering Madrid.rb 29/01/2015 viernes, 30 de enero de 15
Hacking your bank with Ruby and reverse engineering (Madrid.rb)
Jul 17, 2015
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Hacking your bank with Ruby
& reverse engineering
Madrid.rb 29/01/2015
viernes, 30 de enero de 15
About me:Javier Cuevas@javier_dev
Ruby on rails shop p2p marketplace for dog owners
viernes, 30 de enero de 15
About
javiercuevas
victorviruete
ricardogarcia
brunobayón
artur Chruszcz
viernes, 30 de enero de 15
Before we get started...
viernes, 30 de enero de 15
LET’S MAKE SOMETHING CLEAR
Before we get started...
viernes, 30 de enero de 15
By 2030
viernes, 30 de enero de 15
BITCOIN WILL RULE THE WORLD
By 2030
viernes, 30 de enero de 15
By 2030
viernes, 30 de enero de 15
BANKS WILL DISAPPEAR
By 2030
viernes, 30 de enero de 15
By 2030
viernes, 30 de enero de 15
COLLECTING EUROS WILL BE A HOBBY
By 2030
viernes, 30 de enero de 15
COLLECTING EUROS WILL BE A HOBBY
By 2030
viernes, 30 de enero de 15
COLLECTING EUROS WILL BE A HOBBY
By 2030
viernes, 30 de enero de 15
By 2030
viernes, 30 de enero de 15
GOVERNMENTS WILL COLLAPSE
By 2030
viernes, 30 de enero de 15
Until then...
viernes, 30 de enero de 15
WE CAN MAKE BANKS SUCK LESS
Until then...
viernes, 30 de enero de 15
viernes, 30 de enero de 15
now let’s get started
viernes, 30 de enero de 15
the ROOT OF problem
• Charging our clients per hour of work
• Charging our clients every 15 days
In Diacode we have two rules for invoicing
viernes, 30 de enero de 15
the problem
viernes, 30 de enero de 15
the problem
Sending biweekly invoices means checking our bank account every 2 weeks
to make sure we’ve been paid
viernes, 30 de enero de 15
the problem
Sending biweekly invoices means checking our bank account every 2 weeks
to make sure we’ve been paid
Or every week if we’re working for 2 clients simultaneously.
viernes, 30 de enero de 15
the problem
This how I was doing this.
viernes, 30 de enero de 15
the problem
viernes, 30 de enero de 15
the problemfacepalm_count = 1
viernes, 30 de enero de 15
the problemfacepalm_count = 1
viernes, 30 de enero de 15
the problemfacepalm_count = 2
Our user is not our NIF, nor our email.It’s a weird number impossible to remember
viernes, 30 de enero de 15
the problemfacepalm_count = 3
Where do I see the last transactions?Maybe on “Transferencias”? Nope.
viernes, 30 de enero de 15
the problemfacepalm_count = 3
viernes, 30 de enero de 15
the problemfacepalm_count = 4
viernes, 30 de enero de 15
the problemfacepalm_count = 4
We only have one account.Why the f*ck I have to select it every time?
viernes, 30 de enero de 15
the problemfacepalm_count = 5
Concept = “Transfers”SUPER HELPFUL.
viernes, 30 de enero de 15
the problemfacepalm_count = 5
Concept = “Transfers”SUPER HELPFUL.
Do you see that tiny icon?That’s what I had to click to
find out who paid us
viernes, 30 de enero de 15
the problem
TL;DR
5 facepalms and 30 clicks laterI could see if our last invoice was paid
viernes, 30 de enero de 15
the problem
TL;DR
5 facepalms and 30 clicks laterI could see if our last invoice was paid
This thing every week.
viernes, 30 de enero de 15
the problem
viernes, 30 de enero de 15
viernes, 30 de enero de 15
this is me today
viernes, 30 de enero de 15
the solution
viernes, 30 de enero de 15
the solution
viernes, 30 de enero de 15
the solution
viernes, 30 de enero de 15
the solution
viernes, 30 de enero de 15
the solution
viernes, 30 de enero de 15
the solution
viernes, 30 de enero de 15
the solution
viernes, 30 de enero de 15
viernes, 30 de enero de 15
(YOU)wow!
that was cool!how did you do it?
viernes, 30 de enero de 15
Making off: hacking bbva
BBVA’s website sucks.
BUT they have a pretty good mobile app...
viernes, 30 de enero de 15
Making off: hacking bbva
BBVA’s website sucks.
BUT they have a pretty good mobile app...
viernes, 30 de enero de 15
...which probably uses an API, right?
Making off: hacking bbva
BBVA’s website sucks.
BUT they have a pretty good mobile app...
viernes, 30 de enero de 15
Making off: hacking bbva
What if we use reverse engineering to discover the
API used by the mobile app?
viernes, 30 de enero de 15
Making off: hacking bbva
Madrid.rb, please meet Charles Proxy
viernes, 30 de enero de 15
Making off: hacking bbva
Charles Proxy allows you to inspect the network traffic
generated on your computer... or on your phone.
Yes, even with SSL.
Installation guide -> http://bit.ly/1DbqsZi
viernes, 30 de enero de 15
Making off: hacking bbva
Login endpoint
viernes, 30 de enero de 15
Making off: hacking bbva
Bank Accounts endpoint
viernes, 30 de enero de 15
Making off: hacking bbva
Bank Accounts endpoint
WTFviernes, 30 de enero de 15
Making off: hacking bbva
Transactions endpoint
viernes, 30 de enero de 15
Making off: hacking bankinter
After hacking BBVA, my friend @ismaGNU
decided to hack Bankinter.
This time with an (old school) approach: web scrapping with Nokogiri
viernes, 30 de enero de 15
Making off: hacking bankinter
But... there was one trap.
Bankinter’s website needs to execute a random Javascript function
that changes in every request.
So we cannot predict its output.
viernes, 30 de enero de 15
Making off: hacking bankinter
Solution:
Using execjs gem to execute Javascript code from Ruby.
viernes, 30 de enero de 15
Making off: hacking bankinter
viernes, 30 de enero de 15
Making off: hacking ing direct
@raulmarcosljoined the party to hack ING Direct.
ING has both a good mobile app and a good web app.
The web app turned out to be a single page app using the
same API than the mobile app.
viernes, 30 de enero de 15
Making off: hacking ing direct
BUTThere was a big problem:
A virtual keyboard.
viernes, 30 de enero de 15
Making off: hacking ing direct
BUTThere was a big problem:
A virtual keyboard.
viernes, 30 de enero de 15
Each number of the keyboard is an image sent by the API
encoded in base64.
Making off: hacking ING DIRECT
viernes, 30 de enero de 15
Each number of the keyboard is an image sent by the API
encoded in base64.
Making off: hacking ING DIRECT
viernes, 30 de enero de 15
And in each request, the base64 string was different for all numbers.
In other words: some pixels were different even if they looked the same.
Making off: hacking ING DIRECT
!=
viernes, 30 de enero de 15
Solution:
Take one sample for every number.
Then use rmagick gem to iterate over each pixel
(for each number) and calculate how different
they’re from the sample.
Making off: hacking ING DIRECT
viernes, 30 de enero de 15
Decoding the received pinpad (keyboard)
Making off: hacking ING DIRECT
viernes, 30 de enero de 15
Recognizing what numbers are they
Making off: hacking ING DIRECT
viernes, 30 de enero de 15
Filling the required gaps
Making off: hacking ING DIRECT
viernes, 30 de enero de 15
one gem to rule them all.
introducing:
bank_scrapviernes, 30 de enero de 15
bank_scrap is a Ruby gem with one goal: becoming to banks what ActiveMerchant is
to payment gateways:
A common abstraction layer for fetching bank data.
bank_Scrap
viernes, 30 de enero de 15
bank_scrap has a Ruby API and a Command Line Interface (CLI).
bank_Scrap
viernes, 30 de enero de 15
Here is how it works from your Ruby code:
bank_Scrap
viernes, 30 de enero de 15
Last version (0.0.8) supports fetching accounts balance and transactions for BBVA & ING Direct
(Bankinter will get up-to-date soon)
bank_Scrap
viernes, 30 de enero de 15
Each bank implements its adapter with a new class that inherits from Bank
bank_Scrap
viernes, 30 de enero de 15
bank_Scrap
Gem dependencies
mechanize HTTP requests
thor Implementing the CLI
activesupport Rails candies, like Date.today - 2.months
money Currency formatting and exchange
rmagick To hack virtual keyboards (used by ING adapter)
nokogiri Parsing HTML (used by Bankinter adapter)
execjs Executing JS on ruby (used by Bankinter adapter)
viernes, 30 de enero de 15
Once you have your bank data as Ruby objects the sky is the limit.
(The sky or your imagination).
bank_Scrap
viernes, 30 de enero de 15
Some free ideas:
Use bank_scrap to automate email reminders for expired payments.
Use bank_scrap and Twilio to get SMS notifications of your transactions
(as some banks don’t offer this)
bank_Scrap
viernes, 30 de enero de 15
New stuff we would like to add to bank_scrap:
• More bank adapters.
• Exporters API (CSV, YAML, etc.).
• A complementary gem for creating a dashboard of your bank data (like the one we have in Diacode).
• Support for write operations (creating transactions)?
• Tests. Yeah.
bank_Scrap
viernes, 30 de enero de 15
For doing all of this we need your help. Especially for writing new adapters for other banks.(we don’t have as many bank accounts as Bárcenas).
So please, fork the code and contribute!https://github.com/ismaGNU/bank_scrap
bank_Scrap
viernes, 30 de enero de 15
viernes, 30 de enero de 15
takeaways
viernes, 30 de enero de 15
#1
viernes, 30 de enero de 15
BITCOIN WILL RULE THE WORLD
#1
viernes, 30 de enero de 15
#2
viernes, 30 de enero de 15
BANKS SUCKS, BUT WE CAN MAKE SOMETHING ABOUT IT
#2
viernes, 30 de enero de 15
#3
viernes, 30 de enero de 15
BUILDING SOMETHING YOU NEED IS THE BEST WAY TO DOOPEN SOURCE
#3
viernes, 30 de enero de 15
#4
viernes, 30 de enero de 15
WRITING RUBY WITHOUT RAILSIS COOL (AND F*CKING FAST)
#4
viernes, 30 de enero de 15
#5
viernes, 30 de enero de 15
DON’T TAKE TESTING AS YOUR OWN YIHAD.
MAKE SURE YOU’RE BUILDING SOMETHING USEFUL FIRST.
#5
viernes, 30 de enero de 15
#6
viernes, 30 de enero de 15
BE GOOD API CITIZENS (OR YOU MAY GET BANNED)
#6
viernes, 30 de enero de 15
#7
viernes, 30 de enero de 15
CHARLES PROXY IS AN AWESOME TOOL
#7
viernes, 30 de enero de 15
questions?Special mention for bank_scrap contributors:
@ismaGNU, @raulmarcosl, @ferblape
Thank you.
viernes, 30 de enero de 15
Related Documents
![Ruby on Rails [ Ruby On Rails.ppt ] - [Ruby-Doc.org: Documenting ...](https://static.cupdf.com/doc/110x72/554f9e1eb4c9057b298b4732/ruby-on-rails-ruby-on-railsppt-ruby-docorg-documenting-.jpg)
