Ask HN: Why don't banks render numbers as PNGs instead of using HTML?

2 points by 4RealFreedom 10 months ago | 25 comments
I've been thinking about scammers lately and thought about rendering numbers as a PNG in browsers instead of displaying them as HTML for banks. This would ensure scammers can't just go in and edit the HTML on the fly, potentially saving some people from this kind of attack.

I played around with libvips and can easily create a png with any text.

vips text x.png "1,234,567" --width 100 --align centre --dpi 340

Any thoughts on why this shouldn't be done?

  • solardev 10 months ago
    I don't understand your threat model:

    > This would ensure scammers can't just go in and edit the html on the fly

    How would the scammers "edit the HTML on the fly" of a bank's website that they don't control...?

    If they can control it somehow (either via a hack, local malware, browser extension, or just hand-editing the site on the victim's computer)... well, they can just as easily replace your PNG with one of their own, or just replace it with regular HTML numbers.

    If someone can control the bank website, it's game over. It's not a matter of graphics vs text?

    • 4RealFreedom 10 months ago
      They ask a person to login to their bank account with screen sharing. They then take control of the mouse and edit the HTML on the fly making it look like they transferred a large amount to the bank account. Now they ask the person to wire money back or they will lose their job.
      • solardev 10 months ago
        If they already control your browser, they don't have to edit the HTML and fake anything. They can just transfer money to themselves from your account...

        If they wanted to edit the HTML for some reason, it's trivial to just use their own image or replace the <img> with their own text.

        The prevention for this isn't to render text as images, but not to screen share your computer with random people online, much less hand mouse control over to them while you're logged in to your bank. If it's some elderly person doing this or the like, you should really teach them better or they'll get scammed from much less esoteric threats :(

        • 4RealFreedom 10 months ago
          If you're interested, I would suggest watching some Kitboga. I don't actually know anyone that has had this happen but there are plenty of stories around the internet. I will try doing some img replacement with my own text and see how it works out.
          • nanobyte109 10 months ago
            I think he talks about the refund scams.

            In the scam they pretend to make a refund to the victim, where the victim has to put in the refund amount. The scammer, who has access to the PC via remote control, then adds a 0 to the amount and pretends the victim has entered the incorrect amount. That input was just in the Windows CMD and did not send any money. The scammer will now talk about how he will lose his job because the company has lost a lot of money. The scammer then wants the money back via gift cards (because gift cards can't be tracked or refunded).

      • theandrewbailey 10 months ago
        1. This would break accessibility requirements.

        2. Scammers can fake PNGs just like HTML.

        • 4RealFreedom 10 months ago
          I'll give you accessibility. I tried changing images in the browser on the fly and it just hides the image. That's probably because the browser would need to make a new GET request.
          • solardev 10 months ago
            That's probably a content security policy or CSS thing. Just tried it on a site (not HN, because of content security) and it worked fine.
            • 4RealFreedom 10 months ago
              I've tried a few different sites and I can't make it happen. I'll keep trying.
              • 4RealFreedom 10 months ago
                Wouldn't banks have content security setup?
          • akshardave 10 months ago
            This is a legit good idea and I don't think there's any reason not to do this. I had a similar idea to instead render the balance amount inside a canvas to make it difficult for a scammer to change it. Could also add event listeners to the canvas so when the canvas element or its nearby/parent elements get removed or changed, the page could automatically logout and show an alert message warning about a possible scam. For accessibility, aria-* tags could still be added and there could be ways to allow copying the balance amount too.
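An added example (not code from the thread or from any bank) of the guard akshardave sketches above: the balance is drawn into a canvas with an ARIA label for screen readers, and a MutationObserver watches for the canvas or its wrapper being removed or restyled; the element ids and the onTamper handler are assumptions.

```javascript
// Added example (not the thread's or any bank's code): akshardave's canvas +
// tamper-guard idea. Decision logic is a pure function (testable in Node with
// constructed MutationRecord-like objects); the DOM wiring runs only in a browser.
const PROTECTED_IDS = new Set(['balance-wrap', 'balance-canvas']); // assumed ids

// True if `node` is a protected element or (in a real DOM) contains one,
// so removing an ancestor of the canvas is still caught.
function touchesProtected(node, ids = PROTECTED_IDS) {
  if (!node) return false;
  if (ids.has(node.id)) return true;
  if (typeof node.querySelector === 'function') {
    for (const id of ids) if (node.querySelector('#' + id)) return true;
  }
  return false;
}

// Inspect a batch of mutation records; returns the reasons the page should
// lock out, or an empty array when nothing guarded was touched.
function findTampering(records, ids = PROTECTED_IDS) {
  const reasons = [];
  for (const r of records) {
    if (r.type === 'childList') {
      for (const n of r.removedNodes || []) {
        if (touchesProtected(n, ids)) reasons.push('removed ' + (n.id || n.nodeName));
      }
    } else if (r.type === 'attributes' && r.target && ids.has(r.target.id)) {
      // Direct hit only: an ancestor's class toggling is normal page behaviour.
      reasons.push('attribute ' + r.attributeName + ' changed on ' + r.target.id);
    }
  }
  return reasons;
}

// Draw the balance into the canvas and expose it to assistive tech via ARIA.
function drawBalance(canvas, text) {
  const ctx = canvas.getContext('2d');
  ctx.clearRect(0, 0, canvas.width, canvas.height);
  ctx.font = '24px sans-serif';
  ctx.textBaseline = 'middle';
  ctx.fillText(text, 8, canvas.height / 2);
  canvas.setAttribute('role', 'img');
  canvas.setAttribute('aria-label', 'Available balance ' + text);
}
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  drawBalance(document.getElementById('balance-canvas'), '$1,234.56'); // constructed value
  new MutationObserver((records) => {
    const reasons = findTampering(records);
    if (reasons.length) onTamper(reasons); // assumed handler: end session, show warning
  }).observe(document.body, { childList: true, attributes: true, subtree: true });
}
```

As solardev and bruce511 point out elsewhere in the thread, this runs in the same browser the remote operator controls, so it raises the effort of a live edit but is not a control a bank could rely on.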
            • al_borland 10 months ago
              I often login to my bank to copy an account number when I need it. I don’t like to rely on typing it correctly. This change would kill that. Sure, I could use OCR on the image, but that isn’t 100% perfect, like a text copy is.

              They will also likely just come up with a small tweak on the scam if there is a change like this. I’ve watched some of the videos where they pull up a command prompt and run a script where the user is entering the amount to transfer into the CLI. When they type the amount the scammer slips in an extra 0 before the user presses enter. If someone is going to fall for entering their info into a strange black box with text, they will fall for literally anything. The scammer could simply delete the image on the page so the balance doesn’t show and say there is a bug… or delete the image and replace it with text, even if it looks off, the type of person being targeted won’t catch it.

              • 4RealFreedom 10 months ago
                I don't think we need to do it for every number. Account number, for example, could still be HTML. Balance could be converted, though.

                The harder we make it for scammers, the worse it is for them. I'm not claiming this is foolproof - scammers might be able to generate a PNG on the fly and inject that as the image like solardev mentioned in another comment. They would still need to match background colors or possibly jump through some other hoops. The more work we make them do, the more likely they are to mess up. It also makes it more obvious to the person being scammed.

                In terms of deleting the image and inserting text instead, I've tried it and it's hard to make it look good quickly. You also see instant feedback of the missing element and then the text coming in. It's a cue that something isn't quite right.

                • bruce511 10 months ago
                  One sees this argument a lot in security circles, mostly by people with little to no training. This idea that "every little bit helps, so let's toss in some obfuscation".

                  Security doesn't work like that. Mostly because (as in this case) the obfuscation is trivial to bypass. I simply replace your set of pngs with my html text.

                  It's probably worth understanding that professional scammers are not deterred by these trivial speed bumps.

                  The way to defeat scammers is to train those you know to accept that everyone who phones you is a scammer. Every email you get is a scam. Trust nothing. Believe no one. The more they protest, the more scammy they are.

                  And just for kicks, if you make any mistakes, if you do anything without consulting me first, I'm putting you in a home! (I wouldn't, but the point is made.)

                  Pngs on the bank page or not won't make my mom safe. Rabid terror of being scammed will.

                  • solardev 10 months ago
                    I don't think this is completely unheard of, FWIW. For a few years, one of the big banks (maybe BofA? can't remember for sure) was actually doing this (rendering text as images) for account numbers, not balances.

                    Personally I found it quite annoying, both because (philosophically) it's just security theater that doesn't actually protect anything, and (pragmatically), like the other poster said, it made copying & pasting more difficult. It also broke page zoom (I'm old and need to enlarge all the fonts to read). But such a feature did exist.

                • tonetegeatinst 10 months ago
                  Probably accessibility reasons. Even ancient browsers or obscure browsers support text. There is a non-zero chance a browser wouldn't support the image format, or the image might not scale across different screen sizes. Also, iirc there was some vulnerability that used an image format, so that's also an issue to think about.

                  Finally, text makes web scraping/parsing much easier, and even ignoring that text is smaller than any image format.

                  • 4RealFreedom 10 months ago
                    Couldn't alt-text be used to address accessibility?

                    Web scraping shouldn't be a requirement of personal banking websites. Am I missing something here?

                  • stop50 10 months ago
                    Then how do people with vision problems access the website? Afaik only the banks in Germany use FINTS for banking
                    • 4RealFreedom 10 months ago
                      Had to look up FINTS. You are right about accessibility.
                    • Ekaros 10 months ago
                      If you are already dealing with scammers, well, they will find ways around it and put energy into it.

                      And for the rest it will many times just annoy them for no gain.

                      • nextos 10 months ago
                        My bank used to do this. They also forced you to type things for certain operations using a screen keyboard where key labels were shuffled.