Hacking your bank with Ruby and reverse engineering (Madrid.rb)


Posted on 17-Jul-2015


Category:

Software


TRANSCRIPT

Hacking your bank with Ruby & reverse engineering
Madrid.rb 29/01/2015
Friday, 30 January 15

About me:
Javier Cuevas
@javier_dev
Ruby on Rails shop
P2P marketplace for dog owners

About: javiercuevas, victorviruete, ricardogarcia, brunobayn, artur Chruszcz

Before we get started...
LET'S MAKE SOMETHING CLEAR

By 2030:
BITCOIN WILL RULE THE WORLD
BANKS WILL DISAPPEAR
COLLECTING EUROS WILL BE A HOBBY
GOVERNMENTS WILL COLLAPSE

Until then...
WE CAN MAKE BANKS SUCK LESS

Now let's get started.

The root of the problem
In Diacode we have two rules for invoicing:
Charging our clients per hour of work.
Charging our clients every 15 days.

The problem
Sending biweekly invoices means checking our bank account every 2 weeks to make sure we've been paid.
Or every week if we're working for 2 clients simultaneously.
This is how I was doing this.

facepalm_count = 1
facepalm_count = 2: Our user is not our NIF, nor our email. It's a weird number impossible to remember.
facepalm_count = 3: Where do I see the last transactions? Maybe on "Transferencias"? Nope.
facepalm_count = 4: We only have one account. Why the f*ck do I have to select it every time?
facepalm_count = 5: Concept = Transfers. SUPER HELPFUL. Do you see that tiny icon? That's what I had to click to find out who paid us.

TL;DR: 5 facepalms and 30 clicks later I could see if our last invoice was paid. This thing every week.

This is me today.

The solution

(YOU) wow! that was cool! how did you do it?

Making of: hacking BBVA
BBVA's website sucks. BUT they have a pretty good mobile app... which probably uses an API, right?
What if we use reverse engineering to discover the API used by the mobile app?
Madrid.rb, please meet Charles Proxy.
Charles Proxy allows you to inspect the network traffic generated on your computer... or on your phone. Yes, even with SSL.
Installation guide -> http://bit.ly/1DbqsZi
Login endpoint
Bank Accounts endpoint (WTF)
Transactions endpoint

Making of: hacking Bankinter
After hacking BBVA, my friend @ismaGNU decided to hack Bankinter. This time with an (old school) approach: web scraping with Nokogiri.
But... there was one trap. Bankinter's website needs to execute a random JavaScript function that changes in every request. So we cannot predict its output.
Solution: using the execjs gem to execute JavaScript code from Ruby.

Making of: hacking ING Direct
@raulmarcosl joined the party to hack ING Direct. ING has both a good mobile app and a good web app. The web app turned out to be a single page app using the same API as the mobile app.
BUT there was a big problem: a virtual keyboard.
Each number of the keyboard is an image sent by the API encoded in base64.
And in each request, the base64 string was different for all numbers. In other words: some pixels were different even if they looked the same.
Solution: take one sample for every number. Then use the rmagick gem to iterate over each pixel (for each number) and calculate how different they are from the sample.
Decoding the received pinpad (keyboard)
Recognizing which numbers they are
Filling the required gaps

One gem to rule them all. Introducing: bank_scrap
bank_scrap is a Ruby gem with one goal: becoming to banks what ActiveMerchant is to payment gateways: a common abstraction layer for fetching bank data.
bank_scrap has a Ruby API and a Command Line Interface (CLI).
Here is how it works from your Ruby code:
Last version (0.0.8) supports fetching account balances and transactions for BBVA & ING Direct (Bankinter will get up-to-date soon).
Each bank implements its adapter with a new class that inherits from Bank.

Gem dependencies:
mechanize: HTTP requests
thor: implementing the CLI
activesupport: Rails candies, like Date.today - 2.months
money: currency formatting and exchange
rmagick: to hack virtual keyboards (used by ING adapter)
nokogiri: parsing HTML (used by Bankinter adapter)
execjs: executing JS on Ruby (used by Bankinter adapter)

Once you have your bank data as Ruby objects the sky is the limit. (The sky or your imagination.)
Some free ideas:
Use bank_scrap to automate email reminders for expired payments.
Use bank_scrap and Twilio to get SMS notifications of your transactions (as some banks don't offer this).
New stuff we would like to add to bank_scrap: more bank adapters. Exporters API (CSV, YAML, etc.). A complementary gem for creating a dashboard of your bank data (like the one we have in Diacode). Support for write operations (creating transactions)? Tests. Yeah.
For doing all of this we need your help. Especially for writing new adapters for other banks. (We don't have as many bank accounts as Bárcenas.) So please, fork the code and contribute! https://github.com/ismaGNU/bank_scrap

Takeaways
#1 BITCOIN WILL RULE THE WORLD
#2 BANKS SUCK, BUT WE CAN DO SOMETHING ABOUT IT
#3 BUILDING SOMETHING YOU NEED IS THE BEST WAY TO DO OPEN SOURCE
#4 WRITING RUBY WITHOUT RAILS IS COOL (AND F*CKING FAST)
#5 DON'T TAKE TESTING AS YOUR OWN JIHAD. MAKE SURE YOU'RE BUILDING SOMETHING USEFUL FIRST.
#6 BE GOOD API CITIZENS (OR YOU MAY GET BANNED)
#7 CHARLES PROXY IS AN AWESOME TOOL

Questions?
Special mention for bank_scrap contributors: @ismaGNU, @raulmarcosl, @ferblape
Thank you.
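The ING Direct section above describes why the per-request pixel jitter on the image pinpad did not stop recognition: one clean sample per digit plus a per-pixel difference is enough, so jitter alone is not an anti-automation control. The following is an added example written for this page, not code from the talk or the bank_scrap gem; it swaps rmagick for plain Ruby arrays of grayscale values and uses constructed 3x5 bitmaps as the digit images, and its margin check shows how far the runner-up template is from the winner.

```ruby
# Added example (not from the talk or the bank_scrap gem): the pinpad matching
# from the ING Direct section, using plain Ruby arrays of grayscale values
# (0 = ink, 255 = white) instead of rmagick. Glyphs are constructed 3x5 bitmaps.

GLYPHS = {
  0 => %w[### #.# #.# #.# ###], 1 => %w[.#. ##. .#. .#. ###],
  2 => %w[### ..# ### #.. ###], 3 => %w[### ..# ### ..# ###],
  4 => %w[#.# #.# ### ..# ..#], 5 => %w[### #.. ### ..# ###],
  6 => %w[### #.. ### #.# ###], 7 => %w[### ..# ..# ..# ..#],
  8 => %w[### #.# ### #.# ###], 9 => %w[### #.# ### ..# ###]
}.freeze

# One clean reference sample per digit ("take one sample for every number").
TEMPLATES = GLYPHS.transform_values do |rows|
  rows.map { |r| r.chars.map { |c| c == "#" ? 0 : 255 } }
end.freeze

# Sum of absolute per-pixel differences: 0 for identical images.
def pixel_distance(a, b)
  a.flatten.zip(b.flatten).sum { |x, y| (x - y).abs }
end

# Every template's distance to the image, best match first.
def ranked_matches(image, templates = TEMPLATES)
  templates.map { |digit, tpl| [digit, pixel_distance(image, tpl)] }.sort_by(&:last)
end

# Nearest template wins, unless the runner-up is within min_margin; then the
# key is reported as nil (ambiguous) instead of guessed.
def recognize_digit(image, min_margin: 1)
  best, runner_up = ranked_matches(image)
  return nil if runner_up && runner_up.last - best.last < min_margin
  best.first
end

# Simulates the per-request jitter the talk observed: each pixel shifts by up to
# +/- amount. Jitter below half the ink/paper contrast cannot change the winner.
def add_noise(image, amount, rng = Random.new)
  image.map { |row| row.map { |px| (px + rng.rand(-amount..amount)).clamp(0, 255) } }
end

# The keypad arrives as an ordered list of images; recover the digit at each
# position so a PIN digit can be entered by its position on the shuffled pad.
def decode_pinpad(images)
  images.map { |img| recognize_digit(img) }
end

def key_positions(pinpad_digits, pin)
  pin.each_char.map { |c| pinpad_digits.index(c.to_i) }
end
```

With these glyphs any two digits differ in at least one pixel, so the winner only changes once the jitter exceeds half the contrast; a pinpad that relies on jitter needs far more than a few shifted pixels to be anything other than cosmetic.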
