About me: Javier Cuevas (@javier_dev)
Ruby on Rails shop. P2P marketplace for dog owners.
Friday, 30 January 2015
About
javiercuevas
victorviruete
ricardogarcia
brunobayón
Artur Chruszcz
The root of the problem
In Diacode we have two rules for invoicing:
• Charging our clients per hour of work
• Charging our clients every 15 days
The problem
Sending biweekly invoices means checking our bank account every 2 weeks
to make sure we’ve been paid.
Or every week if we’re working for 2 clients simultaneously.
The problem (facepalm_count = 2)
Our username is not our NIF (tax ID), nor our email. It’s a weird number that is impossible to remember.
The problem (facepalm_count = 3)
Where do I see the latest transactions? Maybe under “Transferencias” (Transfers)? Nope.
The problem (facepalm_count = 4)
We only have one account. Why the f*ck do I have to select it every time?
The problem (facepalm_count = 5)
The transaction concept just says “Transfers”. SUPER HELPFUL.
Do you see that tiny icon? That’s what I had to click to find out who paid us.
The problem
TL;DR
5 facepalms and 30 clicks later I could see if our last invoice was paid.
This thing every week.
Making of: hacking BBVA
BBVA’s website sucks.
BUT they have a pretty good mobile app...
...which probably uses an API, right?
Making of: hacking BBVA
What if we use reverse engineering to discover the API used by the mobile app?
Making of: hacking BBVA
Charles Proxy allows you to inspect the network traffic generated on your computer... or on your phone.
Yes, even with SSL: Charles terminates the TLS connection itself and re-signs the server certificate with its own root CA, so you have to install and trust that CA on the phone. This only works as long as the app accepts the device trust store (that is, it does not pin its own certificate).
Installation guide -> http://bit.ly/1DbqsZi
Making of: hacking Bankinter
After hacking BBVA, my friend @ismaGNU decided to hack Bankinter.
This time with an (old school) approach: web scraping with Nokogiri.
Making of: hacking Bankinter
But... there was one trap.
Bankinter’s website needs to execute a random JavaScript function that changes on every request, so we cannot predict its output.
Solution:
Use the execjs gem to execute the JavaScript code from Ruby.
Making of: hacking ING Direct
@raulmarcosl joined the party to hack ING Direct.
ING has both a good mobile app and a good web app.
The web app turned out to be a single page app using the same API as the mobile app.
BUT there was a big problem:
A virtual keyboard.
Making of: hacking ING Direct
Each number on the keyboard is an image sent by the API, encoded in base64.
And in each request, the base64 string was different for every number.
In other words: some pixels were different even if the images looked the same.
Solution:
Take one sample for every number.
Then use the rmagick gem to iterate over each pixel (for each number) and calculate how different they are from each sample; the sample with the smallest difference tells you which digit the key is.
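The matching step, as an added example that is not the gem’s ING adapter: one reference sample per digit, a per-pixel difference against each sample, and the closest sample wins. To keep it self-contained it uses tiny constructed 3x5 bitmaps for the digits 0 to 3 and plain Ruby arrays instead of rmagick images, and `fake_keyboard` stands in for the API by adding fresh noise and base64-encoding each key (all of that is constructed for the example). It also adds the check a practitioner wants: refuse to guess when even the best match is far off, rather than silently typing the wrong PIN after a layout change.

```ruby
# Constructed 3x5 bitmaps for the digits 0-3 (1 = ink). A real adapter keeps one
# sample image per digit 0-9, captured from an earlier response.
INK, PAPER = 0, 255
REFERENCE = {
  0 => %w[111 101 101 101 111],
  1 => %w[010 110 010 010 111],
  2 => %w[111 001 111 100 111],
  3 => %w[111 001 111 001 111],
}.transform_values { |rows| rows.join.chars.map { |c| c == '1' ? INK : PAPER } }

# Stand-in for the API: every key is its reference bitmap with fresh per-pixel
# noise, base64-encoded, and the keys arrive in a random order.
def fake_keyboard(rng = Random.new(42))
  REFERENCE.keys.shuffle(random: rng).map do |digit|
    noisy = REFERENCE[digit].map { |p| (p + rng.rand(-20..20)).clamp(0, 255) }
    [noisy.pack('C*')].pack('m0') # 'm0' = strict base64, as the API sends it
  end
end

# Sum of absolute per-pixel differences (what the talk computes with rmagick).
def distance(a, b)
  a.zip(b).sum { |x, y| (x - y).abs }
end

# Decode one key image and return the digit whose sample it is closest to.
# Refuse to guess when even the best match is far off (unknown glyph, new layout).
def classify(b64, max_avg_diff: 30)
  pixels = b64.unpack1('m0').unpack('C*')
  digit, diff = REFERENCE.map { |d, ref| [d, distance(pixels, ref)] }.min_by(&:last)
  raise "no confident match (avg diff #{diff / pixels.size})" if diff > max_avg_diff * pixels.size
  digit
end

# Digit shown at each key position of this request's keyboard.
def keyboard_layout(images)
  images.map { |img| classify(img) }
end

# Which key positions to "press" to type a PIN on this request's keyboard.
def key_positions(layout, pin)
  pin.chars.map { |d| layout.index(d.to_i) or raise "digit #{d} not on keyboard" }
end

if $PROGRAM_NAME == __FILE__
  layout = keyboard_layout(fake_keyboard)
  puts "layout: #{layout.inspect}  press: #{key_positions(layout, '3210').inspect}"
end
```

With the noise range used here the wrong digits are never closer than about 470 while the right one stays under 300, so the threshold has room on both sides; with real samples, calibrate `max_avg_diff` against a few captured keyboards before trusting it.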
bank_scrap
bank_scrap is a Ruby gem with one goal: becoming to banks what ActiveMerchant is to payment gateways:
a common abstraction layer for fetching bank data.
The latest version (0.0.8) supports fetching account balances and transactions for BBVA & ING Direct
(Bankinter will be brought up to date soon).
Each bank implements its adapter with a new class that inherits from Bank.
bank_scrap
Gem dependencies:
mechanize      HTTP requests
thor           Implementing the CLI
activesupport  Rails candies, like Date.today - 2.months
money          Currency formatting and exchange
rmagick        To hack virtual keyboards (used by the ING adapter)
nokogiri       Parsing HTML (used by the Bankinter adapter)
execjs         Executing JS from Ruby (used by the Bankinter adapter)
bank_scrap
Once you have your bank data as Ruby objects, the sky is the limit.
(The sky or your imagination.)
bank_scrap
Some free ideas:
Use bank_scrap to automate email reminders for overdue payments.
Use bank_scrap and Twilio to get SMS notifications of your transactions
(as some banks don’t offer this).
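The adapter idea (one base class, one subclass per bank) and the first free idea (find unpaid invoices from the fetched transactions) as one added example. This is not bank_scrap’s own code: the `Bank` base class, its method names and the `Account`/`Transaction` structs are assumptions for the example, `FakeBank` parses a constructed JSON payload instead of logging in with Mechanize, and the “paid” rule (same amount and the invoice number in the concept) is the simplest one that works for the talk’s problem.

```ruby
require 'json'
require 'date'

Account     = Struct.new(:id, :name, :balance_cents, :currency)
Transaction = Struct.new(:account_id, :date, :amount_cents, :description)
Invoice     = Struct.new(:number, :amount_cents, :due)

# Base class every adapter inherits from. Method names are this example's
# assumptions, not necessarily the gem's own.
class Bank
  def initialize(user, password)
    @user, @password = user, password
    login
  end

  def login;          raise NotImplementedError; end
  def fetch_accounts; raise NotImplementedError; end
  def fetch_transactions(account, from:, to: Date.today); raise NotImplementedError; end
end

# Constructed payload standing in for whatever a bank's API or scraped HTML
# yields after login. A real adapter would drive Mechanize here.
FAKE_API = {
  'accounts'  => [{ 'id' => 'ES00-1', 'alias' => 'Main', 'balance' => '1234.56', 'currency' => 'EUR' }],
  'movements' => [
    { 'account' => 'ES00-1', 'date' => '2015-01-20', 'amount' => '2500.00', 'concept' => 'TRANSFER ACME INV-2015-01' },
    { 'account' => 'ES00-1', 'date' => '2015-01-10', 'amount' => '-99.00',  'concept' => 'HOSTING' },
  ]
}.to_json

class FakeBank < Bank
  def login
    @data = JSON.parse(FAKE_API)
  end

  def fetch_accounts
    @data['accounts'].map { |a| Account.new(a['id'], a['alias'], cents(a['balance']), a['currency']) }
  end

  def fetch_transactions(account, from:, to: Date.today)
    @data['movements']
      .select { |m| m['account'] == account.id }
      .map { |m| Transaction.new(m['account'], Date.parse(m['date']), cents(m['amount']), m['concept']) }
      .select { |t| t.date.between?(from, to) }
  end

  private

  # Keep money as integer cents; "1234.56".to_f would introduce rounding.
  def cents(str)
    (str.to_r * 100).round
  end
end

# An invoice counts as paid when an incoming transaction of the same amount
# mentions its number. Returns the invoices that are past due and still unpaid.
def overdue_invoices(bank, invoices, today: Date.today)
  since = invoices.map(&:due).min - 30 # look back a month before the earliest due date
  paid  = bank.fetch_accounts.flat_map { |acct| bank.fetch_transactions(acct, from: since, to: today) }
  invoices.select do |inv|
    inv.due < today && paid.none? { |t| t.amount_cents == inv.amount_cents && t.description.include?(inv.number) }
  end
end

# Constructed invoices for the example.
SAMPLE_INVOICES = [
  Invoice.new('INV-2015-01', 250_000, Date.new(2015, 1, 15)),
  Invoice.new('INV-2015-02', 180_000, Date.new(2015, 1, 29)),
]

if $PROGRAM_NAME == __FILE__
  bank = FakeBank.new('weird-number', 'secret')
  overdue_invoices(bank, SAMPLE_INVOICES, today: Date.new(2015, 1, 30)).each { |i| puts "#{i.number} is unpaid" }
end
```

Adding a real bank means subclassing `Bank` and implementing the three methods; everything built on top (here the invoice check, in the slides the email reminders or the Twilio SMS) only ever sees `Account` and `Transaction` objects.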
bank_scrap
New stuff we would like to add to bank_scrap:
• More bank adapters.
• Exporters API (CSV, YAML, etc.).
• A complementary gem for creating a dashboard of your bank data (like the one we have in Diacode).
• Support for write operations (creating transactions)?
• Tests. Yeah.
bank_scrap
To do all of this we need your help, especially for writing new adapters for other banks
(we don’t have as many bank accounts as Bárcenas).
So please, fork the code and contribute! https://github.com/ismaGNU/bank_scrap
DON’T TAKE TESTING AS YOUR OWN JIHAD.
MAKE SURE YOU’RE BUILDING SOMETHING USEFUL FIRST.
#5