Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Hacking your bank
with Ruby
& reverse engineering
Madrid.rb 29/01/2015
viernes, 30 de enero de 15

About me:
Javier Cuevas
@javier_dev
Ruby on rails shop p2p marketplace for dog owners

About
javier
cuevas
victor
viruete
ricardo
garcia
bruno
bayón
artur
Chruszcz

Before we get started...

LET’S MAKE
SOMETHING
CLEAR
Before we get started...

By 2030

BITCOIN
WILL RULE
THE WORLD
By 2030

BANKS
WILL
DISAPPEAR
By 2030

COLLECTING
EUROS WILL
BE A HOBBY
By 2030

GOVERNMENTS
WILL
COLLAPSE
By 2030

Until then...

WE CAN
MAKE BANKS
SUCK LESS
Until then...

now let’s
get started

the ROOT OF problem
• Charging our clients per hour of work
• Charging our clients every 15 days
In Diacode we have two rules for invoicing

the problem

the problem
Sending biweekly invoices means
checking our bank account every 2 weeks
to make sure we’ve been paid

the problem
Sending biweekly invoices means
checking our bank account every 2 weeks
to make sure we’ve been paid
Or every week if we’re working
for 2 clients simultaneously.

the problem
This how I was doing this.

the problem
facepalm_count = 1

the problem
facepalm_count = 2
Our user is not our NIF, nor our email.
It’s a weird number impossible to remember

the problem
facepalm_count = 3
Where do I see the last transactions?
Maybe on “Transferencias”? Nope.

the problem
facepalm_count = 3

the problem
facepalm_count = 4

the problem
facepalm_count = 4
We only have one account.
Why the f*ck I have to select it every time?

the problem
facepalm_count = 5
Concept = “Transfers”
SUPER HELPFUL.

the problem
facepalm_count = 5
Concept = “Transfers”
SUPER HELPFUL.
Do you see that tiny icon?
That’s what I had to click to
ﬁnd out who paid us

the problem
TL;DR
5 facepalms and 30 clicks later
I could see if our last invoice was paid

the problem
TL;DR
5 facepalms and 30 clicks later
I could see if our last invoice was paid
This thing every week.

this is
me today

the solution

(YOU)
wow!
that was cool!
how did you do it?

Making off: hacking bbva
BBVA’s website sucks.
BUT
they have a pretty good mobile app...

...which probably uses an API, right?
BBVA’s website sucks.
BUT
they have a pretty good mobile app...

What if we use reverse
engineering to discover the
API used by the mobile app?

Madrid.rb, please meet
Charles Proxy

Charles Proxy allows you to
inspect the network traﬃc
generated on your
computer... or on your phone.
Yes, even with SSL.
Installation guide -> http://bit.ly/1DbqsZi

Login endpoint

Bank Accounts endpoint

Bank Accounts endpoint
WTF

Transactions endpoint

Making off: hacking bankinter
After hacking BBVA,
my friend @ismaGNU
decided to hack Bankinter.
This time with an (old school) approach:
web scrapping with Nokogiri

But... there was one trap.
Bankinter’s website needs to execute a
random Javascript function
that changes in every request.
So we cannot predict its output.

Solution:
Using execjs gem to
execute Javascript code from Ruby.

Making off: hacking ing direct
@raulmarcosl
joined the party to hack ING Direct.
ING has both a good mobile app
and a good web app.
The web app turned out to be a
single page app using the
same API than the mobile app.

Making off: hacking ing direct
BUT
There was a big problem:
A virtual keyboard.

Each number of the keyboard is
an image sent by the API
encoded in base64.
Making off: hacking ING DIRECT

And in each request, the base64 string
was diﬀerent for all numbers.
In other words: some pixels were
diﬀerent even if they looked the same.
!=

Solution:
Take one sample for every number.
Then use rmagick gem to
iterate over each pixel
(for each number)
and calculate how diﬀerent
they’re from the sample.

Decoding the received pinpad (keyboard)

Recognizing what numbers are they

Filling the required gaps

one gem to rule
them all.
introducing:
bank_scrap

bank_scrap is a Ruby gem with one goal:
becoming to banks what ActiveMerchant is
to payment gateways:
A common abstraction layer
for fetching bank data.
bank_Scrap

bank_scrap has a Ruby API and a
Command Line Interface (CLI).
bank_Scrap

Here is how it works from your Ruby code:
bank_Scrap

Last version (0.0.8) supports fetching accounts
balance and transactions for BBVA & ING Direct
(Bankinter will get up-to-date soon)
bank_Scrap

Each bank implements its adapter with
a new class that inherits from Bank
bank_Scrap

bank_Scrap
Gem dependencies
mechanize HTTP requests
thor Implementing the CLI
activesupport Rails candies, like Date.today - 2.months
money Currency formatting and exchange
rmagick To hack virtual keyboards (used by ING adapter)
nokogiri Parsing HTML (used by Bankinter adapter)
execjs Executing JS on ruby (used by Bankinter adapter)

Once you have your bank data as Ruby objects
the sky is the limit.
(The sky or your imagination).
bank_Scrap

Some free ideas:
Use bank_scrap to automate email reminders
for expired payments.
Use bank_scrap and Twilio to get SMS
notiﬁcations of your transactions
(as some banks don’t oﬀer this)
bank_Scrap

New stuﬀ we would like to add to bank_scrap:
• More bank adapters.
• Exporters API (CSV, YAML, etc.).
• A complementary gem for creating a dashboard of
your bank data (like the one we have in Diacode).
• Support for write operations (creating transactions)?
• Tests. Yeah.
bank_Scrap

For doing all of this we need your help.
Especially for writing new adapters for other banks.
(we don’t have as many bank accounts as Bárcenas).
So please, fork the code and contribute!
https://github.com/ismaGNU/bank_scrap
bank_Scrap

takeaways

BITCOIN
WILL RULE
THE WORLD
#1

BANKS SUCKS,
BUT WE CAN
MAKE
SOMETHING
ABOUT IT
#2

BUILDING
SOMETHING YOU
NEED IS THE
BEST WAY TO DO
OPEN SOURCE
#3

WRITING RUBY
WITHOUT RAILS
IS COOL (AND
F*CKING FAST)
#4

DON’T TAKE TESTING
AS YOUR OWN YIHAD.
MAKE SURE YOU’RE
BUILDING SOMETHING
USEFUL FIRST.
#5

BE GOOD API
CITIZENS (OR
YOU MAY GET
BANNED)
#6

CHARLES
PROXY IS AN
AWESOME
TOOL
#7

questions?
Special mention for bank_scrap contributors:
@ismaGNU, @raulmarcosl, @ferblape
Thank you.

Hacking your bank with Ruby and reverse engineering (Madrid.rb)

Related slideshows

More Related Content

Hacking your bank with Ruby and reverse engineering (Madrid.rb)