3

My bank does not have an API so I want my server to log in and check incoming payments to notify me if a client has paid or not.

I would like the server to log in and scrape using Beautifulsoup and then logout automatically once a day.

If I store my username and password on the server and not in a file and only allow SSH login: would this be a secure enough way to go about this?

edit

let me clarify, i will store the username and password salted and hashed, but the decryption key i will store in the servers memcache and no were on file, then i manually export this key to memory on each machine reboot. also login will only be via a key

Dr Manhattan
  • 141
  • 6
  • Welcome. Do you mean you are saving your credentials in a server and get them via SSH to login to your bank account ? –  Aug 06 '15 at 09:33
  • i put an edit there to answer your question – Dr Manhattan Aug 06 '15 at 09:46
  • Ok, so you are asking if AFTER storing and retrieving the credentials using this method, using BeautifulSoup to login to your bank will be safe ? Or are you asking if the method you are using to store and retrieve your credentials is safe ? –  Aug 06 '15 at 09:50
  • well, both actually as both are vulnerable – Dr Manhattan Aug 06 '15 at 10:00
  • Are you entirely positive that there will be never a scenario where your server can be compromised? If so then you're mistaken. Storing un-encrypted credentials on anything internet-connected is always a risk. – AlexH Aug 06 '15 at 09:34
  • You say salted and hashed but that won't work. Do you mean encrypted? – Neil Smithline Aug 06 '15 at 16:51
  • You're question title says 'http'. Do you mean 'https'? – Neil Smithline Aug 06 '15 at 16:52
  • @NeilSmithline thanks for the correction, i edited the question to reflect https, and yes encrypted – Dr Manhattan Aug 07 '15 at 11:06
  • You can't store a password "salted and hashed" if you can decrypt it... – Lucas Kauffman Aug 07 '15 at 19:01

2 Answers2

1

The application itself would be as secure as you can build it to be. There are some pitfalls like:

  • Not treating SSL exceptions properly. If an invalid certificate is encountered, the obvious behaviour is to abort the connection. Some libraries might accept invalid certificates by default.
  • Insecurely storing data from the banking website
  • Using vulnerable libraries, like old versions of OpenSSL

One problem would be storing the banking credentials in the app or the server. You said you will hash them, but that can't work because you need the credentials in cleartext for every connection and hashing can't be decrypted. Maybe you meant to say you store the keys symmetrically encrypted and manually decrypt them each time, but that isn't secure because an attacker can tamper with the bank authentication code and steal the credentials when your app authenticates to the bank. This is not a showstopper, this only means that you have to protect the whole system that runs the app. You can do that by hardening the security of the server and protecting the credentials you log with to that server.

Cristian Dobre
  • 9,897
  • 1
  • 32
  • 51
0

Through your comment, you asked about the safety of storing and retrieving your credentials that way, but also if it is enough secure to use them after to log in automatically to your bank account.

For the first part, you need to assess yourself the security of your server first and since you want retrieve the credentials using SSH, may be you need to throw a glance on how to secure an SSH server from AskUbuntu website. But the idea of hashing and salting your password is an interesting thing you did, and there are so many questions about this subject on this website such as this one: Why are salted hashes more secure for password storage?

For using BeautifulSoup for automatic login, it is quite the same as when you use Mechanize, selenium or other similar libraries because all of them rely after all on using class httplib.HTTPSConnection and as you can read from that link:

Note: HTTPS support is only available if the socket module was compiled with SSL support.

And I suppose you know how to use it in Python, for example:

>>> import httplib
>>> connectme = httplib.HTTPSConnection("mail.yahoo.com")
>>> connectme.request("GET", "/")
>>> response = connectme.getresponse()
>>> print response.status, response.reason
200 OK
Community
  • 1
  • thank you for the answer, i wont be getting the credentials via ssh, i will be uploading the decryption key for the salt and hash into the servers memory via ssh, but using a key and not a username and password. where would the vulnerability most likely be MITM attack? – Dr Manhattan Aug 06 '15 at 11:34
  • @DrManhattan If you're in full control of the server (which it seems like) and have access to it physically, wouldn't pre-shared keys for ssh from your server to device make it hard for a MITM to be successful? Without the (preferably strong) key ever sent through a network, all communication should be as secure as the keys permit. – Alex Aug 06 '15 at 15:43
  • @begueradj there are two vulnerable spots, when i login to set the decryption ket, and when my https library connects to the bank. the MITM im scared of is the https connection between my server and the bank – Dr Manhattan Aug 07 '15 at 12:27
  • @DrManhattan You can prevent that by checking if all the URIs you go through are in HTTPS, if not the case then you can design a custom alarm message to modify your credentials as quickly as possible –  Aug 07 '15 at 12:30
  • @DrManhattan Also, I hope your bank uses multi-factor authentication mechanism (which almost always the case) so that if the alarm message triggers on a time (during login process) you're not next to your machine, no big deal would be done on your bank account. But you can forward the alarm message to your phone, for example (if your phone is always on you) –  Aug 07 '15 at 12:40