Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Posted on 17-Jul-2015


  • Hacking your bank with Ruby & reverse engineering

    Madrid.rb 29/01/2015

    Friday, 30 January 2015

  • About me: Javier Cuevas (@javier_dev)

    Ruby on Rails shop

    P2P marketplace for dog owners

  • About

    javiercuevas

    victorviruete

    ricardogarcia

    brunobayn

    Artur Chruszcz

  • LET'S MAKE SOMETHING CLEAR

    Before we get started...

  • By 2030

    BITCOIN WILL RULE THE WORLD

    BANKS WILL DISAPPEAR

    COLLECTING EUROS WILL BE A HOBBY

    GOVERNMENTS WILL COLLAPSE

  • Until then...

    WE CAN MAKE BANKS SUCK LESS

  • Now let's get started

  • The root of the problem

    In Diacode we have two rules for invoicing:

    Charging our clients per hour of work

    Charging our clients every 15 days

  • the problem

    Sending biweekly invoices means checking our bank account every 2 weeks to make sure we've been paid.

    Or every week if we're working for 2 clients simultaneously.

  • the problem

    This is how I was doing this.

  • the problem (facepalm_count = 1)

  • the problem (facepalm_count = 2)

    Our user is not our NIF, nor our email. It's a weird number that is impossible to remember.

  • the problem (facepalm_count = 3)

    Where do I see the last transactions? Maybe on Transferencias? Nope.

  • the problem (facepalm_count = 4)

    We only have one account. Why the f*ck do I have to select it every time?

  • the problem (facepalm_count = 5)

    Concept = Transfers. SUPER HELPFUL.

    Do you see that tiny icon? That's what I had to click to find out who paid us.

  • the problem

    TL;DR

    5 facepalms and 30 clicks later I could see if our last invoice was paid.

    This thing every week.

  • this is me today

  • the solution

  • (YOU) Wow! That was cool! How did you do it?

  • Making of: hacking BBVA

    BBVA's website sucks.

    BUT they have a pretty good mobile app...

    ...which probably uses an API, right?

  • Making of: hacking BBVA

    What if we use reverse engineering to discover the API used by the mobile app?

  • Making of: hacking BBVA

    Madrid.rb, please meet Charles Proxy

  • Making of: hacking BBVA

    Charles Proxy allows you to inspect the network traffic generated on your computer... or on your phone.

    Yes, even with SSL.

    Installation guide -> http://bit.ly/1DbqsZi

  • Making of: hacking BBVA

    Login endpoint

    Bank Accounts endpoint (WTF)

    Transactions endpoint

  • Making of: hacking Bankinter

    After hacking BBVA, my friend @ismaGNU decided to hack Bankinter.

    This time with an (old school) approach: web scraping with Nokogiri.

  • Making of: hacking Bankinter

    But... there was one trap.

    Bankinter's website needs to execute a random JavaScript function that changes in every request, so we cannot predict its output.

  • Making of: hacking Bankinter

    Solution: use the execjs gem to execute the JavaScript code from Ruby.

  • Making of: hacking ING Direct

    @raulmarcosl joined the party to hack ING Direct.

    ING has both a good mobile app and a good web app.

    The web app turned out to be a single page app using the same API as the mobile app.

  • Making of: hacking ING Direct

    BUT there was a big problem: a virtual keyboard.

  • Making of: hacking ING Direct

    Each number of the keyboard is an image sent by the API, encoded in base64.

  • Making of: hacking ING Direct

    And in each request, the base64 string was different for all numbers.

    In other words: some pixels were different even if they looked the same.

  • Making of: hacking ING Direct

    Solution: take one sample for every number.

    Then use the rmagick gem to iterate over each pixel (for each number) and calculate how different they are from the sample.

  • Making of: hacking ING Direct

    Decoding the received pinpad (keyboard)

    Recognizing which numbers they are

    Filling the required gaps
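The three steps above (decode the pinpad, recognize the digits, fill the required positions), as an added Ruby example that is not code from the talk or from bank_scrap. It needs no rmagick: the keys are constructed 5x7 bitmaps, base64-encoded the way the slides describe, with small per-request pixel noise added by a constructed generator. The recognizer is the sample comparison the talk describes (mean absolute pixel difference against one sample per digit), and it returns nil rather than guessing when the best match is not clearly better than the runner-up. All glyphs, function names, thresholds and the demo keyboard order are this example's own assumptions.

```ruby
require 'base64'

# One 5x7 reference glyph per digit ('#' = ink), standing in for the single
# sample image per number that the talk takes. Constructed for this example;
# in the talk the samples are real pinpad images read with rmagick.
SAMPLE_GLYPHS = {
  0 => ['.###.', '#...#', '#..##', '#.#.#', '##..#', '#...#', '.###.'],
  1 => ['..#..', '.##..', '..#..', '..#..', '..#..', '..#..', '.###.'],
  2 => ['.###.', '#...#', '....#', '...#.', '..#..', '.#...', '#####'],
  3 => ['#####', '...#.', '..#..', '...#.', '....#', '#...#', '.###.'],
  4 => ['...#.', '..##.', '.#.#.', '#..#.', '#####', '...#.', '...#.'],
  5 => ['#####', '#....', '####.', '....#', '....#', '#...#', '.###.'],
  6 => ['..##.', '.#...', '#....', '####.', '#...#', '#...#', '.###.'],
  7 => ['#####', '....#', '...#.', '..#..', '.#...', '.#...', '.#...'],
  8 => ['.###.', '#...#', '#...#', '.###.', '#...#', '#...#', '.###.'],
  9 => ['.###.', '#...#', '#...#', '.####', '....#', '...#.', '.##..']
}.freeze

# Flatten a glyph into 8-bit gray values: 0 = ink, 255 = background.
def glyph_to_pixels(rows)
  rows.join.each_char.map { |c| c == '#' ? 0 : 255 }
end

SAMPLES = SAMPLE_GLYPHS.transform_values { |rows| glyph_to_pixels(rows) }.freeze

# Mean absolute difference between two equally sized pixel arrays (0..255).
def pixel_distance(a, b)
  raise ArgumentError, 'image size mismatch' unless a.size == b.size
  a.zip(b).sum { |x, y| (x - y).abs } / a.size.to_f
end

# Recognize one key image against the samples. Returns nil instead of a guess
# when nothing is close enough or the two best samples are too close to call:
# typing a wrong digit into a bank login is worse than aborting the run.
def recognize_digit(pixels, samples = SAMPLES, max_distance: 60.0, min_margin: 5.0)
  ranked = samples.map { |digit, sample| [pixel_distance(pixels, sample), digit] }.sort
  best_distance, best_digit = ranked[0]
  runner_up_distance = ranked[1][0]
  return nil if best_distance > max_distance
  return nil if runner_up_distance - best_distance < min_margin
  best_digit
end

# The API sends every key as a base64 string; decode it to raw pixel bytes.
def decode_key_image(b64)
  Base64.strict_decode64(b64).bytes
end

# Decode a whole pinpad (base64 keys in on-screen order) into digits.
def decode_pinpad(b64_keys)
  b64_keys.map { |b64| recognize_digit(decode_key_image(b64)) }
end

# "Filling the required gaps": the bank asks for certain (1-based) positions
# of the secret; return the on-screen key index to press for each of them.
def keys_for_positions(keyboard_digits, secret, positions)
  positions.map do |pos|
    digit = secret[pos - 1].to_i
    index = keyboard_digits.index(digit)
    raise "digit #{digit} is not on the keyboard" if index.nil?
    index
  end
end

# --- Constructed pinpad generator: renders each key with the per-request
# noise the talk describes (small jitter on every pixel plus one pixel that is
# visibly altered), so two requests never produce byte-identical images.
def render_noisy_key(digit, rng)
  pixels = SAMPLES.fetch(digit).map { |v| (v + rng.rand(-20..20)).clamp(0, 255) }
  i = rng.rand(pixels.size)
  pixels[i] = (pixels[i] + (pixels[i] < 128 ? 100 : -100)).clamp(0, 255)
  pixels
end

def build_pinpad(order, seed)
  rng = Random.new(seed)
  order.map { |digit| Base64.strict_encode64(render_noisy_key(digit, rng).pack('C*')) }
end

if __FILE__ == $PROGRAM_NAME
  order = [3, 8, 0, 5, 1, 9, 4, 7, 2, 6]
  first, second = build_pinpad(order, 1), build_pinpad(order, 2)
  puts "keys byte-identical across requests? #{first == second}"
  puts "recognized keyboard: #{decode_pinpad(first).inspect}"
  puts "keys to press for positions 2, 4, 6 of a demo PIN: " \
       "#{keys_for_positions(decode_pinpad(first), '123456', [2, 4, 6]).inspect}"
end
```

Two pinpads built from the same keyboard order are never byte-identical, so an exact comparison fails exactly as the slides describe, while the tolerant comparison still maps every key; that is why randomized pixels add little to a virtual keyboard as a control. The nil return is the safe failure mode for a scraper: an unrecognized key should abort the run, not burn a login attempt on a guess.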

  • One gem to rule them all.

    Introducing: bank_scrap

  • bank_scrap is a Ruby gem with one goal: becoming to banks what ActiveMerchant is to payment gateways: a common abstraction layer for fetching bank data.

    bank_Scrap

  • bank_scrap has a Ruby API and a Command Line Interface (CLI).

  • Here is how it works from your Ruby code:

  • The latest version (0.0.8) supports fetching account balances and transactions for BBVA & ING Direct (Bankinter will get up to date soon).

  • Each bank implements its adapter with a new class that inherits from Bank
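The adapter structure (a Bank base class, one subclass per bank) together with the "how it works from your Ruby code" slide, as an added Ruby example rather than bank_scrap's real code: the class and method names, the Account/Transaction structs, the invoice check and the JSON payloads are this example's own assumptions, and the demo adapter reads constructed JSON instead of making mechanize requests. Money is kept in integer cents, and the password is kept out of inspect output so it cannot leak into logs or exception messages.

```ruby
require 'json'
require 'date'

# Value objects every adapter returns. Money stays in integer cents so no
# float rounding creeps into balances.
Account     = Struct.new(:id, :name, :balance_cents, :currency, keyword_init: true)
Transaction = Struct.new(:id, :account_id, :date, :description, :amount_cents, keyword_init: true)

# Base class: the public API lives here, each bank implements the three
# private hooks. (Names are this example's assumptions, not bank_scrap's API.)
class Bank
  attr_reader :user

  def initialize(user, password)
    @user = user
    @password = password
    login
  end

  # Credentials must never show up in logs, exceptions or irb output.
  def inspect
    "#<#{self.class.name} user=#{@user.inspect}>"
  end
  alias to_s inspect

  # Memoized: one fetch per session keeps us a good API citizen.
  def accounts
    @accounts ||= fetch_accounts
  end

  def transactions(account, start_date: Date.today - 30, end_date: Date.today)
    fetch_transactions(account, start_date, end_date)
  end

  private

  def login
    raise NotImplementedError, "#{self.class}#login"
  end

  def fetch_accounts
    raise NotImplementedError, "#{self.class}#fetch_accounts"
  end

  def fetch_transactions(_account, _start_date, _end_date)
    raise NotImplementedError, "#{self.class}#fetch_transactions"
  end

  # "1234.56" -> 123456 without going through Float.
  def to_cents(amount_string)
    (Rational(amount_string) * 100).to_i
  end
end

# Demo adapter: constructed JSON shaped like a mobile-app API (login,
# accounts, transactions) stands in for the HTTP calls a real adapter makes.
class DemoBank < Bank
  RESPONSES = {
    login: '{"token":"demo-session-token"}',
    accounts: '{"accounts":[{"id":"ES00-DEMO-0001","name":"Cuenta Diacode",' \
              '"balance":"12345.67","currency":"EUR"}]}',
    transactions: '{"transactions":[' \
      '{"id":"t1","date":"2015-01-20","description":"TRANSFERENCIA CLIENTE SL REF INV-2015-03","amount":"2500.00"},' \
      '{"id":"t2","date":"2015-01-22","description":"RECIBO ELECTRICIDAD","amount":"-80.00"},' \
      '{"id":"t3","date":"2015-01-28","description":"TRANSFERENCIA OTRO CLIENTE REF INV-2015-04","amount":"1800.00"}]}'
  }.freeze

  private

  def login
    @token = JSON.parse(RESPONSES[:login])['token']
    raise 'login failed: no session token' if @token.to_s.empty?
  end

  def fetch_accounts
    JSON.parse(RESPONSES[:accounts])['accounts'].map do |a|
      Account.new(id: a['id'], name: a['name'],
                  balance_cents: to_cents(a['balance']), currency: a['currency'])
    end
  end

  def fetch_transactions(account, start_date, end_date)
    JSON.parse(RESPONSES[:transactions])['transactions']
        .map { |t| Transaction.new(id: t['id'], account_id: account.id, date: Date.parse(t['date']),
                                   description: t['description'], amount_cents: to_cents(t['amount'])) }
        .select { |t| (start_date..end_date).cover?(t.date) }
  end
end

# Cents -> "12,345.67 EUR".
def format_money(cents, currency)
  units, frac = cents.abs.divmod(100)
  grouped = units.to_s.reverse.scan(/\d{1,3}/).join(',').reverse
  "#{cents.negative? ? '-' : ''}#{grouped}.#{format('%02d', frac)} #{currency}"
end

# The use case from the talk: was invoice <reference> for <amount_cents> paid?
def invoice_paid?(bank, account, reference:, amount_cents:, start_date:, end_date: Date.today)
  bank.transactions(account, start_date: start_date, end_date: end_date)
      .any? { |t| t.amount_cents == amount_cents && t.description.include?(reference) }
end

if __FILE__ == $PROGRAM_NAME
  bank = DemoBank.new('12345678', 'constructed-password')
  account = bank.accounts.first
  puts "#{bank.inspect}: #{account.name} #{format_money(account.balance_cents, account.currency)}"
  puts "INV-2015-03 paid? #{invoice_paid?(bank, account, reference: 'INV-2015-03', amount_cents: 250_000,
                                          start_date: Date.new(2015, 1, 1), end_date: Date.new(2015, 1, 31))}"
end
```

A real adapter would replace the RESPONSES lookups with mechanize requests and keep everything else; the base class is where a session cache, rate limiting and credential hygiene belong, so every bank gets them for free.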

  • bank_Scrap

    Gem dependencies:

    mechanize: HTTP requests

    thor: implementing the CLI

    activesupport: Rails candies, like Date.today - 2.months

    money: currency formatting and exchange

    rmagick: to hack virtual keyboards (used by the ING adapter)

    nokogiri: parsing HTML (used by the Bankinter adapter)

    execjs: executing JS from Ruby (used by the Bankinter adapter)

  • Once you have your bank data as Ruby objects, the sky is the limit. (The sky or your imagination.)

  • Some free ideas:

    Use bank_scrap to automate email reminders for expired payments.

    Use bank_scrap and Twilio to get SMS notifications of your transactions (as some banks don't offer this).

  • New stuff we would like to add to bank_scrap:

    More bank adapters.

    Exporters API (CSV, YAML, etc.).

    A complementary gem for creating a dashboard of your bank data (like the one we have in Diacode).

    Support for write operations (creating transactions)?

    Tests. Yeah.

  • For doing all of this we need your help, especially for writing new adapters for other banks (we don't have as many bank accounts as Bárcenas).

    So please, fork the code and contribute! https://github.com/ismaGNU/bank_scrap

  • takeaways

    #1 BITCOIN WILL RULE THE WORLD

    #2 BANKS SUCK, BUT WE CAN DO SOMETHING ABOUT IT

    #3 BUILDING SOMETHING YOU NEED IS THE BEST WAY TO DO OPEN SOURCE

    #4 WRITING RUBY WITHOUT RAILS IS COOL (AND F*CKING FAST)

    #5 DON'T TAKE TESTING AS YOUR OWN JIHAD. MAKE SURE YOU'RE BUILDING SOMETHING USEFUL FIRST.

    #6 BE GOOD API CITIZENS (OR YOU MAY GET BANNED)

    #7 CHARLES PROXY IS AN AWESOME TOOL

  • Questions?

    Special mention for bank_scrap contributors: @ismaGNU, @raulmarcosl, @ferblape

    Thank you.
