Ask HN: Why don't banks render numbers as PNGs instead of using HTML?
I've been thinking about scammers lately and thought about rendering numbers as a png in browsers instead of displaying them as HMTL for banks. This would ensure scammers can't just go in and edit the html on the fly potentially saving some people from this kind of attack.
I played around with libvips and can easily create a png with any text.
vips text x.png "1,234,567" --width 100 --align centre --dpi 340
Any thoughts on why this shouldn't be done?
25 comments
[ 3.5 ms ] story [ 48.4 ms ] thread> This would ensure scammers can't just go in and edit the html on the fly
How would the scammers "edit the HTML on the fly" of a bank's website that they don't control...?
If they can control it somehow (either via a hack, local malware, browser extension, or just hand-editing the site on the victim's computer)... well, they can just as easily replace your PNG with one of their own, or just replace it with regular HTML numbers.
If someone can control the bank website, it's game over. It's not a matter of graphics vs text?
If they wanted to edit the HTML for some reason, it's trivial to just use their own image or replace the <img> with their own text.
The prevention for this isn't to render texts as image, but not to screen share your computer with random people online, much less hand mouse control over to them while you're logged in to your bank. If it's some elderly person doing this or the such, you should really teach them better or they'll get scammed from much less esoteric threats :(
But I don't think the fix for that is for banks to change how they render text. Users can get fooled with just a few IMs. I know people who lost thousands to Zelle/Cash app scams purely over Craigslist emails or messages that way...
Making banks render text as images won't magically fix that. Especially since many people these days use phone apps instead of browsers for banking anyway.
In the scam they pretend to make a refund to the victim where the victim has to put in the refund amount, the scammer, that has access to the pc via remote control then adds a 0 to the amount and pretends the victim has entered the incorrect amount. That input was just in the windows CMD and did not send any money. The scammer now will talk about that he lose his job because the company has lost a lot of money. The scammer than wants the money back via gift cards. (Because gift cards cant be tracked or refund)
2. Scammers can fake PNGs just like HTML.
Edit: Just tried it with Chase, Merrill Lynch, Citibank, Bank of America, and Wells Fargo. Only Wells Fargo had a CSP in place to prevent this. But even Walls Fargo let you just inject a data URL image.
They are not in any way interested inn tightening of fortgaurding their portal's rendering, until it ends up causing them to give more money i.e. bad for business.
Finally, text makes web scraping/parsing much easier, and even ignoring that text is smaller than any image format.
Web scrapping shouldn't be a requirement of personal banking websites. Am I missing something here?
They will also likely just come up with a small tweak on the scam if there is a change like this. I’ve watched some of the videos where they pull up a command prompt and run a script where the user is entering the amount to transfer into the CLI. When they type the amount the scammer slips in an extra 0 before the user presses enter. If someone is going to fall for entering their info into a strange black box with text, they will fall for literally anything. The scammer could simply delete the image on the page so the balance doesn’t show and say there is a bug… or delete the image and replace it with text, even if it looks off, the type of person being targeted won’t catch it.
The harder we make it for scammers, the worse it is for them. I'm not claiming this is fool proof - scammers might be able to generate a png on the fly and inject that as the image like solrdev mentioned in another comment. They would still need to match background colors or possibly jump through some other hoops. The more work we make them do, the more likely the are to mess up. It also makes it more obvious to the person being scammed.
In terms of deleting the image and inserting text instead, I've tried it and it's hard to make it look good quickly. You also see instant feedback of the missing element and then the text coming in. It's a cue that something isn't quite right.
Personally I found it quite annoying, both because (philosophically) it's just security theater that doesn't actually protect anything, and (pragmatically), like the other poster said, it made copying & pasting more difficult. It also broke page zoom (I'm old and need to enlarge all the fonts to read). But such a feature did exist.
Security doesn't work like that. Mostly because (as in this case) the obfuscation is trivial to bypass. I simply replace your set of pngs with my html text.
It's probably worth understanding that professional scammers are not deterred by these trivial speed bumps.
The way to defeat scammers is to train those you know to accept that every one who phones you is a scammer. Every email you get is a scam. Trust nothing. Believe no one. The more they protest the more scammey they are.
And just for kicks, if you make any mistakes, if you do anything without consulting me first, I'm putting you in a home! (I wouldn't, but the point is made.)
Pngs on the bank page or not won't make my mom safe. Rabid terror of being scammed will.
And for the rest it will just many times annoy them for no gain.