Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Post on 17-Jul-2015

Category: Software

TRANSCRIPT

<ul>
<li><p>Hacking your bank with Ruby &amp; reverse engineering</p><p>Madrid.rb 29/01/2015</p><p>Friday, 30 January 2015</p></li>
<li><p>About me: Javier Cuevas, @javier_dev</p><p>Ruby on Rails shop; p2p marketplace for dog owners</p></li>
<li><p>About</p><p>javiercuevas</p><p>victorviruete</p><p>ricardogarcia</p><p>brunobayn</p><p>Artur Chruszcz</p></li>
<li><p>Before we get started...</p><p>LET'S MAKE SOMETHING CLEAR</p></li>
<li><p>By 2030</p><p>BITCOIN WILL RULE THE WORLD</p></li>
<li><p>By 2030</p><p>BANKS WILL DISAPPEAR</p></li>
<li><p>By 2030</p><p>COLLECTING EUROS WILL BE A HOBBY</p></li>
<li><p>By 2030</p><p>GOVERNMENTS WILL COLLAPSE</p></li>
<li><p>Until then...</p><p>WE CAN MAKE BANKS SUCK LESS</p></li>
<li><p>Now let's get started</p></li>
<li><p>The root of the problem</p><p>In Diacode we have two rules for invoicing:</p><p>Charging our clients per hour of work</p><p>Charging our clients every 15 days</p></li>
<li><p>The problem</p><p>Sending biweekly invoices means checking our bank account every 2 weeks to make sure we've been paid.</p><p>Or every week if we're working for 2 clients simultaneously.</p></li>
<li><p>The problem</p><p>This is how I was doing this.</p></li>
<li><p>The problem</p><p>facepalm_count = 1</p></li>
<li><p>The problem</p><p>facepalm_count = 2</p><p>Our user is not our NIF, nor our email. It's a weird number impossible to remember.</p></li>
<li><p>The problem</p><p>facepalm_count = 3</p><p>Where do I see the last transactions? Maybe on "Transferencias"? Nope.</p></li>
<li><p>The problem</p><p>facepalm_count = 4</p><p>We only have one account. Why the f*ck do I have to select it every time?</p></li>
<li><p>The problem</p><p>facepalm_count = 5</p><p>Concept = Transfers. SUPER HELPFUL.</p><p>Do you see that tiny icon? That's what I had to click to find out who paid us.</p></li>
<li><p>The problem</p><p>TL;DR</p><p>5 facepalms and 30 clicks later I could see if our last invoice was paid.</p><p>This thing every week.</p></li>
<li><p>This is me today</p></li>
<li><p>The solution</p></li>
<li><p>(YOU) wow! that was cool! How did you do it?</p></li>
<li><p>Making of: hacking BBVA</p><p>BBVA's website sucks.</p><p>BUT they have a pretty good mobile app...</p><p>...which probably uses an API, right?</p></li>
<li><p>Making of: hacking BBVA</p><p>What if we use reverse engineering to discover the API used by the mobile app?</p></li>
<li><p>Making of: hacking BBVA</p><p>Madrid.rb, please meet Charles Proxy</p></li>
<li><p>Making of: hacking BBVA</p><p>Charles Proxy allows you to inspect the network traffic generated on your computer... or on your phone.</p><p>Yes, even with SSL.</p><p>Installation guide -&gt; http://bit.ly/1DbqsZi</p></li>
<li><p>Making of: hacking BBVA</p><p>Login endpoint</p></li>
<li><p>Making of: hacking BBVA</p><p>Bank Accounts endpoint</p><p>WTF</p></li>
<li><p>Making of: hacking BBVA</p><p>Transactions endpoint</p></li>
<li><p>Making of: hacking Bankinter</p><p>After hacking BBVA, my friend @ismaGNU decided to hack Bankinter.</p><p>This time with an (old school) approach: web scraping with Nokogiri.</p></li>
<li><p>Making of: hacking Bankinter</p><p>But... there was one trap.</p><p>Bankinter's website needs to execute a random JavaScript function that changes in every request.</p><p>So we cannot predict its output.</p></li>
<li><p>Making of: hacking Bankinter</p><p>Solution:</p><p>Using the execjs gem to execute JavaScript code from Ruby.</p></li>
<li><p>Making of: hacking ING Direct</p><p>@raulmarcosl joined the party to hack ING Direct.</p><p>ING has both a good mobile app and a good web app.</p><p>The web app turned out to be a single page app using the same API as the mobile app.</p></li>
<li><p>Making of: hacking ING Direct</p><p>BUT there was a big problem:</p><p>A virtual keyboard.</p></li>
<li><p>Making of: hacking ING Direct</p><p>Each number of the keyboard is an image sent by the API, encoded in base64.</p></li>
<li><p>Making of: hacking ING Direct</p><p>And in each request, the base64 string was different for all numbers.</p><p>In other words: some pixels were different even if they looked the same.</p><p>!=</p></li>
<li><p>Making of: hacking ING Direct</p><p>Solution:</p><p>Take one sample for every number.</p><p>Then use the rmagick gem to iterate over each pixel (for each number) and calculate how different they are from the sample.</p></li>
<li><p>Making of: hacking ING Direct</p><p>Decoding the received pinpad (keyboard)</p></li>
<li><p>Making of: hacking ING Direct</p><p>Recognizing which numbers they are</p></li>
<li><p>Making of: hacking ING Direct</p><p>Filling the required gaps</p></li>
<li><p>One gem to rule them all.</p><p>Introducing: bank_scrap</p></li>
<li><p>bank_scrap</p><p>bank_scrap is a Ruby gem with one goal: becoming to banks what ActiveMerchant is to payment gateways:</p><p>A common abstraction layer for fetching bank data.</p></li>
<li><p>bank_scrap</p><p>bank_scrap has a Ruby API and a Command Line Interface (CLI).</p></li>
<li><p>bank_scrap</p><p>Here is how it works from your Ruby code:</p></li>
<li><p>bank_scrap</p><p>The latest version (0.0.8) supports fetching account balances and transactions for BBVA &amp; ING Direct (Bankinter will get up to date soon).</p></li>
<li><p>bank_scrap</p><p>Each bank implements its adapter with a new class that inherits from Bank.</p></li>
<li><p>bank_scrap</p><p>Gem dependencies</p>
<ul>
<li><p>mechanize: HTTP requests</p></li>
<li><p>thor: implementing the CLI</p></li>
<li><p>activesupport: Rails candies, like Date.today - 2.months</p></li>
<li><p>money: currency formatting and exchange</p></li>
<li><p>rmagick: to hack virtual keyboards (used by the ING adapter)</p></li>
<li><p>nokogiri: parsing HTML (used by the Bankinter adapter)</p></li>
<li><p>execjs: executing JS from Ruby (used by the Bankinter adapter)</p></li>
</ul>
</li>
<li><p>bank_scrap</p><p>Once you have your bank data as Ruby objects the sky is the limit.</p><p>(The sky or your imagination.)</p></li>
<li><p>bank_scrap</p><p>Some free ideas:</p><p>Use bank_scrap to automate email reminders for overdue payments.</p><p>Use bank_scrap and Twilio to get SMS notifications of your transactions (as some banks don't offer this).</p></li>
<li><p>bank_scrap</p><p>New stuff we would like to add to bank_scrap:</p><p>More bank adapters.</p><p>Exporters API (CSV, YAML, etc.).</p><p>A complementary gem for creating a dashboard of your bank data (like the one we have in Diacode).</p><p>Support for write operations (creating transactions)?</p><p>Tests. Yeah.</p></li>
<li><p>bank_scrap</p><p>For doing all of this we need your help. Especially for writing new adapters for other banks (we don't have as many bank accounts as Bárcenas).</p><p>So please, fork the code and contribute! https://github.com/ismaGNU/bank_scrap</p></li>
<li><p>Takeaways</p></li>
<li><p>#1</p><p>BITCOIN WILL RULE THE WORLD</p></li>
<li><p>#2</p><p>BANKS SUCK, BUT WE CAN DO SOMETHING ABOUT IT</p></li>
<li><p>#3</p><p>BUILDING SOMETHING YOU NEED IS THE BEST WAY TO DO OPEN SOURCE</p></li>
<li><p>#4</p><p>WRITING RUBY WITHOUT RAILS IS COOL (AND F*CKING FAST)</p></li>
<li><p>#5</p><p>DON'T TAKE TESTING AS YOUR OWN JIHAD.</p><p>MAKE SURE YOU'RE BUILDING SOMETHING USEFUL FIRST.</p></li>
<li><p>#6</p><p>BE GOOD API CITIZENS (OR YOU MAY GET BANNED)</p></li>
<li><p>#7</p><p>CHARLES PROXY IS AN AWESOME TOOL</p></li>
<li><p>Questions?</p><p>Special mention for bank_scrap contributors: @ismaGNU, @raulmarcosl, @ferblape</p><p>Thank you.</p></li>
</ul>
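The three ING pinpad steps above (decode the received keyboard, recognise each key, fill in the requested PIN positions) as an added example; this is not bank_scrap's code. Small grayscale pixel arrays, constructed here, stand in for the rmagick images so the same summed pixel difference runs without ImageMagick, and the example also shows why per-request pixel noise is not an anti-automation control: it changes the base64 but not the nearest sample. `SAMPLES`, `decode_pinpad`, `recognise`, `keys_to_press` and the JSON shape are assumptions.

```ruby
require 'base64'
require 'json'

# One reference sample per digit, constructed for this example: a 3x3 grid
# where '1' is ink (255) and '0' is background (0). A real adapter would keep
# one captured rmagick image per digit instead.
SAMPLES = {
  0 => '111101111', 1 => '010010010', 2 => '110010011', 3 => '111011111',
  4 => '101111001', 5 => '111110011', 6 => '100111111', 7 => '111001001',
  8 => '111111111', 9 => '111111001'
}.transform_values { |s| s.chars.map { |c| c == '1' ? 255 : 0 } }

# Largest summed pixel distance still accepted as a match; above it the key is
# reported as unknown instead of guessed (a redesigned pinpad must fail loudly).
MAX_DISTANCE = 200

# Step 1: the API (assumed shape) returns the pinpad as a JSON list of base64
# images in display order; here each "image" is just its raw pixel bytes.
def decode_pinpad(json)
  JSON.parse(json).map { |b64| Base64.strict_decode64(b64).bytes }
end

# The measure the rmagick loop computes: summed absolute per-pixel difference.
def distance(a, b)
  a.zip(b).sum { |x, y| (x - y).abs }
end

# Step 2: a key image is the digit whose sample is nearest, or nil if none is
# close enough. Noise of a few grey levels per pixel stays far below the 255
# jump of a single differing pixel, which is why noisy images still classify.
def recognise(pixels)
  digit, sample = SAMPLES.min_by { |_, s| distance(pixels, s) }
  distance(pixels, sample) <= MAX_DISTANCE ? digit : nil
end

# Step 3: the bank asks for certain PIN positions (1-based); return the pinpad
# key indexes to press, or nil if any required digit was not recognised.
def keys_to_press(layout_digits, pin, requested_positions)
  requested_positions.map do |pos|
    idx = layout_digits.index(pin[pos - 1].to_i)
    return nil if idx.nil?
    idx
  end
end

# Constructed pinpad: scrambled digit order, each image shifted by up to 15
# grey levels so its base64 differs from the sample while looking identical.
PINPAD_ORDER = [3, 8, 0, 5, 1, 9, 7, 2, 6, 4]
SAMPLE_PINPAD_JSON = PINPAD_ORDER.map { |d|
  noisy = SAMPLES[d].each_with_index.map { |p, i| n = (i * 7) % 16; p == 255 ? p - n : p + n }
  Base64.strict_encode64(noisy.pack('C*'))
}.to_json
```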
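The adapter pattern the bank_scrap slides describe ("Each bank implements its adapter with a new class that inherits from Bank", "Here is how it works from your Ruby code"), as an added example that is not the gem's own code: a `Bank` base class, a hypothetical adapter over a JSON payload whose shape is constructed for this example, and the "was our last invoice paid?" check that motivated the talk. `Account`, `Transaction`, `FakeBankAdapter` and `invoice_paid?` are assumptions.

```ruby
require 'json'
require 'date'

# Common objects every adapter returns; amounts are integer cents, never floats.
Account     = Struct.new(:id, :name, :balance_cents, :currency)
Transaction = Struct.new(:id, :effective_date, :amount_cents, :description)

# Abstract base: each bank adapter inherits from Bank and implements the two
# fetch methods; callers never see bank-specific JSON or HTML.
class Bank
  def initialize(user, password)
    @user, @password = user, password
  end
  def accounts
    raise NotImplementedError, "#{self.class} must implement accounts"
  end
  # Transactions of one account on or after `since`, newest first.
  def transactions(account, since:)
    raise NotImplementedError, "#{self.class} must implement transactions"
  end
  # The check from the talk: has an incoming transfer for exactly
  # `amount_cents` arrived since the invoice was sent?
  def invoice_paid?(account, amount_cents, since:)
    transactions(account, since: since).any? { |t| t.amount_cents == amount_cents }
  end
end

# Hypothetical adapter over a constructed JSON payload (no real bank's API);
# a real adapter would fetch and authenticate with mechanize first.
class FakeBankAdapter < Bank
  def initialize(user, password, payload)
    super(user, password)
    @data = JSON.parse(payload)
  end
  def accounts
    @data['accounts'].map { |a| Account.new(a['id'], a['alias'], a['balance'], a['currency']) }
  end
  def transactions(account, since:)
    @data['transactions']
      .select { |t| t['account'] == account.id }
      .map { |t| Transaction.new(t['id'], Date.parse(t['date']), t['amount'], t['concept']) }
      .select { |t| t.effective_date >= since }
      .sort_by(&:effective_date).reverse
  end
end

# Constructed payload: one account, one incoming invoice payment and one charge.
SAMPLE_PAYLOAD = '{"accounts":[{"id":"ES00","alias":"Main","balance":123450,"currency":"EUR"}],' \
  '"transactions":[{"id":"t1","account":"ES00","date":"2015-01-16","amount":240000,"concept":"Transfer"},' \
  '{"id":"t2","account":"ES00","date":"2015-01-20","amount":-1999,"concept":"Hosting"}]}'
```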