Upload File

Download - Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Transcript
Page 1: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Hacking your bank with Ruby

& reverse engineering

Madrid.rb 29/01/2015

viernes, 30 de enero de 15

Page 2: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

About me:Javier Cuevas@javier_dev

Ruby on rails shop p2p marketplace for dog owners

viernes, 30 de enero de 15

Page 3: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

About

javiercuevas

victorviruete

ricardogarcia

brunobayón

artur Chruszcz

viernes, 30 de enero de 15

https://twitter.com/a_chru
https://twitter.com/a_chru
Page 4: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Before we get started...

viernes, 30 de enero de 15

Page 5: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

LET’S MAKE SOMETHING CLEAR

Before we get started...

viernes, 30 de enero de 15

Page 6: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

By 2030

viernes, 30 de enero de 15

Page 7: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

BITCOIN WILL RULE THE WORLD

By 2030

viernes, 30 de enero de 15

Page 8: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

By 2030

viernes, 30 de enero de 15

Page 9: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

BANKS WILL DISAPPEAR

By 2030

viernes, 30 de enero de 15

Page 10: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

By 2030

viernes, 30 de enero de 15

Page 11: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

COLLECTING EUROS WILL BE A HOBBY

By 2030

viernes, 30 de enero de 15

Page 12: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

COLLECTING EUROS WILL BE A HOBBY

By 2030

viernes, 30 de enero de 15

Page 13: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

COLLECTING EUROS WILL BE A HOBBY

By 2030

viernes, 30 de enero de 15

Page 14: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

By 2030

viernes, 30 de enero de 15

Page 15: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

GOVERNMENTS WILL COLLAPSE

By 2030

viernes, 30 de enero de 15

Page 16: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Until then...

viernes, 30 de enero de 15

Page 17: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

WE CAN MAKE BANKS SUCK LESS

Until then...

viernes, 30 de enero de 15

Page 18: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

viernes, 30 de enero de 15

Page 19: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

now let’s get started

viernes, 30 de enero de 15

Page 20: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the ROOT OF problem

• Charging our clients per hour of work

• Charging our clients every 15 days

In Diacode we have two rules for invoicing

viernes, 30 de enero de 15

Page 21: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the problem

viernes, 30 de enero de 15

Page 22: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the problem

Sending biweekly invoices means checking our bank account every 2 weeks

to make sure we’ve been paid

viernes, 30 de enero de 15

Page 23: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the problem

Sending biweekly invoices means checking our bank account every 2 weeks

to make sure we’ve been paid

Or every week if we’re working for 2 clients simultaneously.

viernes, 30 de enero de 15

Page 24: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the problem

This how I was doing this.

viernes, 30 de enero de 15

Page 25: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the problem

viernes, 30 de enero de 15

Page 26: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the problemfacepalm_count = 1

viernes, 30 de enero de 15

Page 27: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the problemfacepalm_count = 1

viernes, 30 de enero de 15

Page 28: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the problemfacepalm_count = 2

Our user is not our NIF, nor our email.It’s a weird number impossible to remember

viernes, 30 de enero de 15

Page 29: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the problemfacepalm_count = 3

Where do I see the last transactions?Maybe on “Transferencias”? Nope.

viernes, 30 de enero de 15

Page 30: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the problemfacepalm_count = 3

viernes, 30 de enero de 15

Page 31: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the problemfacepalm_count = 4

viernes, 30 de enero de 15

Page 32: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the problemfacepalm_count = 4

We only have one account.Why the f*ck I have to select it every time?

viernes, 30 de enero de 15

Page 33: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the problemfacepalm_count = 5

Concept = “Transfers”SUPER HELPFUL.

viernes, 30 de enero de 15

Page 34: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the problemfacepalm_count = 5

Concept = “Transfers”SUPER HELPFUL.

Do you see that tiny icon?That’s what I had to click to

find out who paid us

viernes, 30 de enero de 15

Page 35: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the problem

TL;DR

5 facepalms and 30 clicks laterI could see if our last invoice was paid

viernes, 30 de enero de 15

Page 36: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the problem

TL;DR

5 facepalms and 30 clicks laterI could see if our last invoice was paid

This thing every week.

viernes, 30 de enero de 15

Page 37: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the problem

viernes, 30 de enero de 15

Page 38: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

viernes, 30 de enero de 15

Page 39: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

this is me today

viernes, 30 de enero de 15

Page 40: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the solution

viernes, 30 de enero de 15

Page 41: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the solution

viernes, 30 de enero de 15

Page 42: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the solution

viernes, 30 de enero de 15

Page 43: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the solution

viernes, 30 de enero de 15

Page 44: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the solution

viernes, 30 de enero de 15

Page 45: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the solution

viernes, 30 de enero de 15

Page 46: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

the solution

viernes, 30 de enero de 15

Page 47: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

viernes, 30 de enero de 15

Page 48: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

(YOU)wow!

that was cool!how did you do it?

viernes, 30 de enero de 15

Page 49: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Making off: hacking bbva

BBVA’s website sucks.

BUT they have a pretty good mobile app...

viernes, 30 de enero de 15

Page 50: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Making off: hacking bbva

BBVA’s website sucks.

BUT they have a pretty good mobile app...

viernes, 30 de enero de 15

Page 51: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

...which probably uses an API, right?

Making off: hacking bbva

BBVA’s website sucks.

BUT they have a pretty good mobile app...

viernes, 30 de enero de 15

Page 52: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Making off: hacking bbva

What if we use reverse engineering to discover the

API used by the mobile app?

viernes, 30 de enero de 15

Page 53: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Making off: hacking bbva

Madrid.rb, please meet Charles Proxy

viernes, 30 de enero de 15

Page 54: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Making off: hacking bbva

Charles Proxy allows you to inspect the network traffic

generated on your computer... or on your phone.

Yes, even with SSL.

Installation guide -> http://bit.ly/1DbqsZi

viernes, 30 de enero de 15

http://bit.ly/1DbqsZi
http://bit.ly/1DbqsZi
Page 55: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Making off: hacking bbva

Login endpoint

viernes, 30 de enero de 15

Page 56: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Making off: hacking bbva

Bank Accounts endpoint

viernes, 30 de enero de 15

Page 57: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Making off: hacking bbva

Bank Accounts endpoint

WTFviernes, 30 de enero de 15

Page 58: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Making off: hacking bbva

Transactions endpoint

viernes, 30 de enero de 15

Page 59: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Making off: hacking bankinter

After hacking BBVA, my friend @ismaGNU

decided to hack Bankinter.

This time with an (old school) approach: web scrapping with Nokogiri

viernes, 30 de enero de 15

Page 60: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Making off: hacking bankinter

But... there was one trap.

Bankinter’s website needs to execute a random Javascript function

that changes in every request.

So we cannot predict its output.

viernes, 30 de enero de 15

Page 61: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Making off: hacking bankinter

Solution:

Using execjs gem to execute Javascript code from Ruby.

viernes, 30 de enero de 15

Page 62: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Making off: hacking bankinter

viernes, 30 de enero de 15

Page 63: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Making off: hacking ing direct

@raulmarcosljoined the party to hack ING Direct.

ING has both a good mobile app and a good web app.

The web app turned out to be a single page app using the

same API than the mobile app.

viernes, 30 de enero de 15

Page 64: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Making off: hacking ing direct

BUTThere was a big problem:

A virtual keyboard.

viernes, 30 de enero de 15

Page 65: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Making off: hacking ing direct

BUTThere was a big problem:

A virtual keyboard.

viernes, 30 de enero de 15

Page 66: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Each number of the keyboard is an image sent by the API

encoded in base64.

Making off: hacking ING DIRECT

viernes, 30 de enero de 15

Page 67: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Each number of the keyboard is an image sent by the API

encoded in base64.

Making off: hacking ING DIRECT

viernes, 30 de enero de 15

Page 68: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

And in each request, the base64 string was different for all numbers.

In other words: some pixels were different even if they looked the same.

Making off: hacking ING DIRECT

!=

viernes, 30 de enero de 15

Page 69: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Solution:

Take one sample for every number.

Then use rmagick gem to iterate over each pixel

(for each number) and calculate how different

they’re from the sample.

Making off: hacking ING DIRECT

viernes, 30 de enero de 15

Page 70: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Decoding the received pinpad (keyboard)

Making off: hacking ING DIRECT

viernes, 30 de enero de 15

Page 71: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Recognizing what numbers are they

Making off: hacking ING DIRECT

viernes, 30 de enero de 15

Page 72: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Filling the required gaps

Making off: hacking ING DIRECT

viernes, 30 de enero de 15

Page 73: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

one gem to rule them all.

introducing:

bank_scrapviernes, 30 de enero de 15

Page 74: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

bank_scrap is a Ruby gem with one goal: becoming to banks what ActiveMerchant is

to payment gateways:

A common abstraction layer for fetching bank data.

bank_Scrap

viernes, 30 de enero de 15

Page 75: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

bank_scrap has a Ruby API and a Command Line Interface (CLI).

bank_Scrap

viernes, 30 de enero de 15

Page 76: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Here is how it works from your Ruby code:

bank_Scrap

viernes, 30 de enero de 15

Page 77: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Last version (0.0.8) supports fetching accounts balance and transactions for BBVA & ING Direct

(Bankinter will get up-to-date soon)

bank_Scrap

viernes, 30 de enero de 15

Page 78: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Each bank implements its adapter with a new class that inherits from Bank

bank_Scrap

viernes, 30 de enero de 15

Page 79: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

bank_Scrap

Gem dependencies

mechanize HTTP requests

thor Implementing the CLI

activesupport Rails candies, like Date.today - 2.months

money Currency formatting and exchange

rmagick To hack virtual keyboards (used by ING adapter)

nokogiri Parsing HTML (used by Bankinter adapter)

execjs Executing JS on ruby (used by Bankinter adapter)

viernes, 30 de enero de 15

Page 80: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Once you have your bank data as Ruby objects the sky is the limit.

(The sky or your imagination).

bank_Scrap

viernes, 30 de enero de 15

Page 81: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Some free ideas:

Use bank_scrap to automate email reminders for expired payments.

Use bank_scrap and Twilio to get SMS notifications of your transactions

(as some banks don’t offer this)

bank_Scrap

viernes, 30 de enero de 15

Page 82: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

New stuff we would like to add to bank_scrap:

• More bank adapters.

• Exporters API (CSV, YAML, etc.).

• A complementary gem for creating a dashboard of your bank data (like the one we have in Diacode).

• Support for write operations (creating transactions)?

• Tests. Yeah.

bank_Scrap

viernes, 30 de enero de 15

Page 83: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

For doing all of this we need your help. Especially for writing new adapters for other banks.(we don’t have as many bank accounts as Bárcenas).

So please, fork the code and contribute!https://github.com/ismaGNU/bank_scrap

bank_Scrap

viernes, 30 de enero de 15

https://github.com/ismaGNU/bank_scrap
https://github.com/ismaGNU/bank_scrap
Page 84: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

viernes, 30 de enero de 15

Page 85: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

takeaways

viernes, 30 de enero de 15

Page 86: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

#1

viernes, 30 de enero de 15

Page 87: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

BITCOIN WILL RULE THE WORLD

#1

viernes, 30 de enero de 15

Page 88: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

#2

viernes, 30 de enero de 15

Page 89: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

BANKS SUCKS, BUT WE CAN MAKE SOMETHING ABOUT IT

#2

viernes, 30 de enero de 15

Page 90: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

#3

viernes, 30 de enero de 15

Page 91: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

BUILDING SOMETHING YOU NEED IS THE BEST WAY TO DOOPEN SOURCE

#3

viernes, 30 de enero de 15

Page 92: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

#4

viernes, 30 de enero de 15

Page 93: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

WRITING RUBY WITHOUT RAILSIS COOL (AND F*CKING FAST)

#4

viernes, 30 de enero de 15

Page 94: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

#5

viernes, 30 de enero de 15

Page 95: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

DON’T TAKE TESTING AS YOUR OWN YIHAD.

MAKE SURE YOU’RE BUILDING SOMETHING USEFUL FIRST.

#5

viernes, 30 de enero de 15

Page 96: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

#6

viernes, 30 de enero de 15

Page 97: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

BE GOOD API CITIZENS (OR YOU MAY GET BANNED)

#6

viernes, 30 de enero de 15

Page 98: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

#7

viernes, 30 de enero de 15

Page 99: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

CHARLES PROXY IS AN AWESOME TOOL

#7

viernes, 30 de enero de 15

Page 100: Hacking your bank with Ruby and reverse engineering (Madrid.rb)

questions?Special mention for bank_scrap contributors:

@ismaGNU, @raulmarcosl, @ferblape

Thank you.

viernes, 30 de enero de 15


Top Related

Hacking sin herramientas hacking
Hacking sin herramientas hacking
Introduction to the Tools and Techniques of Car Hacking€¦ ·  · 2017-03-12Introduction to the Tools and Techniques of Car Hacking ... Reverse Engineering ... ★ Smartphone Apps
Introduction to the Tools and Techniques of Car Hacking€¦ ·  · 2017-03-12Introduction to the Tools and Techniques of Car Hacking ... Reverse Engineering ... ★ Smartphone Apps
BlackHat Hacking - Hacking VoIP
BlackHat Hacking - Hacking VoIP
Hacking the EULA: Reverse Benchmarking Web Application Security
Hacking the EULA: Reverse Benchmarking Web Application Security
Hacking Web 2.0 JavaScript - Reverse Engineering ... · PDF file2 Hacking JavaScript | Blueinfy Solutions Pvt. Ltd. Problem Domain JavaScript as we know is a client side technology
Hacking Web 2.0 JavaScript - Reverse Engineering ... · PDF file2 Hacking JavaScript | Blueinfy Solutions Pvt. Ltd. Problem Domain JavaScript as we know is a client side technology
Hacking the EULA: Reverse Benchmarking Web Application Security Scanners Toorcon 2007
Hacking the EULA: Reverse Benchmarking Web Application Security Scanners Toorcon 2007
Happy Life Hacking Ruby on Rails
Happy Life Hacking Ruby on Rails
Ethical Hacking: Hacking GMail. Teaching Hacking
Ethical Hacking: Hacking GMail. Teaching Hacking