Ask HN: Why don't banks render numbers as PNGs instead of using HTML?
2 points by 4RealFreedom 3 months ago | 25 comments
I've been thinking about scammers lately and thought about rendering numbers as a PNG in browsers instead of displaying them as HTML for banks. This would ensure scammers can't just go in and edit the HTML on the fly, potentially saving some people from this kind of attack.

I played around with libvips and can easily create a png with any text.

vips text x.png "1,234,567" --width 100 --align centre --dpi 340

Any thoughts on why this shouldn't be done?




I don't understand your threat model:

> This would ensure scammers can't just go in and edit the html on the fly

How would the scammers "edit the HTML on the fly" of a bank's website that they don't control...?

If they can control it somehow (either via a hack, local malware, browser extension, or just hand-editing the site on the victim's computer)... well, they can just as easily replace your PNG with one of their own, or just replace it with regular HTML numbers.

If someone can control the bank website, it's game over. It's not a matter of graphics vs text?


They ask a person to login to their bank account with screen sharing. They then take control of the mouse and edit the HTML on the fly making it look like they transferred a large amount to the bank account. Now they ask the person to wire money back or they will lose their job.


If they already control your browser, they don't have to edit the HTML and fake anything. They can just transfer money to themselves from your account...

If they wanted to edit the HTML for some reason, it's trivial to just use their own image or replace the <img> with their own text.

The prevention for this isn't to render texts as image, but not to screen share your computer with random people online, much less hand mouse control over to them while you're logged in to your bank. If it's some elderly person doing this or the such, you should really teach them better or they'll get scammed from much less esoteric threats :(


If you're interested, I would suggest watching some Kitboga. I don't actually know anyone that has had this happen but there are plenty of stories around the internet. I will try doing some img replacement with my own text and see how it works out.


I can believe that it happens. People are gullible, unfortunately :(

But I don't think the fix for that is for banks to change how they render text. Users can get fooled with just a few IMs. I know people who lost thousands to Zelle/Cash app scams purely over Craigslist emails or messages that way...

Making banks render text as images won't magically fix that. Especially since many people these days use phone apps instead of browsers for banking anyway.


I think he talks about the refund scams.

In the scam they pretend to make a refund to the victim, where the victim has to put in the refund amount. The scammer, who has access to the PC via remote control, then adds a 0 to the amount and pretends the victim has entered the incorrect amount. That input was just in the Windows CMD and did not send any money. The scammer will now talk about how he will lose his job because the company has lost a lot of money. The scammer then wants the money back via gift cards. (Because gift cards can't be tracked or refunded.)


1. This would break accessibility requirements.

2. Scammers can fake PNGs just like HTML.


I'll give you accessibility. I tried changing images in the browser on the fly and it just hides the image. That's probably because the browser would need to make a new GET request.


That's probably a content security policy or CSS thing. Just tried it on a site (not HN, because of content security) and it worked fine.


I've tried a few different sites and I can't make it happen. I'll keep trying.



Wouldn't banks have content security setup?


Maybe? You'd hope, but who knows. Still easy to just replace the image with plain text in the HTML, or a data URL (if allowed). Or put an iframe in there. Point is, if they control the HTML they can do pretty much anything.

Edit: Just tried it with Chase, Merrill Lynch, Citibank, Bank of America, and Wells Fargo. Only Wells Fargo had a CSP in place to prevent this. But even Wells Fargo let you just inject a data URL image.
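Added example, not code from the thread or from any bank: a small checker for the CSP observation in this post. Given a Content-Security-Policy header, it reports whether a given image URL would be permitted to load, so a defender can see that an img-src without data: stops an externally hosted replacement image while listing data: admits an inline base64 PNG. The policy and hostnames are constructed samples; 'self' is resolved against a supplied page origin, and nonce/hash sources are not modelled.

```javascript
// Added example: decide whether a CSP header lets a given image URL load.
// Policies and hosts are constructed samples, not any real bank's.

function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec a repeated directive is ignored; the first one wins.
    if (!(name in directives)) directives[name] = tokens.slice(1).map((v) => v.toLowerCase());
  }
  return directives;
}

// img-src governs images, falling back to default-src; with neither, anything loads.
function imageSources(directives) {
  return directives['img-src'] || directives['default-src'] || null;
}

// Host sources such as https://static.bank.example or *.bank.example.
function hostSourceMatches(source, url) {
  const [, host] = source.match(/^(?:[a-z][a-z0-9+.-]*:\/\/)?([^/:]+)/) || [];
  if (!host) return false;
  if (host === url.hostname) return true;
  return host.startsWith('*.') && url.hostname.endsWith(host.slice(1));
}

function allowsImage(header, imageUrl, pageOrigin) {
  const sources = imageSources(parseCsp(header));
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;
  // '*' and host sources never match data: URLs; only an explicit data: does.
  if (imageUrl.startsWith('data:')) return sources.includes('data:');
  const url = new URL(imageUrl);
  return sources.some((s) =>
    s === '*' ||
    (s === "'self'" && url.origin === pageOrigin) ||
    s === url.protocol ||            // scheme source such as https:
    hostSourceMatches(s, url));
}

// Constructed policy resembling the "CSP in place, but data: allowed" case above.
const SAMPLE_CSP = "default-src 'self'; img-src 'self' https://static.bank.example data:; script-src 'self'";

function demo() {
  const origin = 'https://online.bank.example';
  return {
    attackerHost: allowsImage(SAMPLE_CSP, 'https://evil.example/balance.png', origin),
    inlineData: allowsImage(SAMPLE_CSP, 'data:image/png;base64,iVBORw0KGgo=', origin),
    ownCdn: allowsImage(SAMPLE_CSP, 'https://static.bank.example/b.png', origin),
  };
}
```

Dropping data: from img-src (and serving any inline icons from a same-origin path instead) closes the gap the post describes, though it only raises the bar for someone who already holds the DevTools of the victim's browser.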


Systems that these banks have provided are provided for feasible access to your account.

They are not in any way interested in tightening or safeguarding their portal's rendering, until it ends up causing them to give away more money, i.e. bad for business.


This is a legit good idea and I don't think there's any reason not to do this. I had a similar idea to instead render the balance amount inside a canvas to make it difficult for a scammer to change it. Could also add event listeners to the canvas so when the canvas element or its nearby/parent elements get removed or changed, the page could automatically logout and show an alert message warning about a possible scam. For accessibility, aria-* tags could still be added and there could be ways to allow copying the balance amount too.


I often login to my bank to copy an account number when I need it. I don’t like to rely on typing it correctly. This change would kill that. Sure, I could use OCR on the image, but that isn’t 100% perfect, like a text copy is.

They will also likely just come up with a small tweak on the scam if there is a change like this. I’ve watched some of the videos where they pull up a command prompt and run a script where the user is entering the amount to transfer into the CLI. When they type the amount the scammer slips in an extra 0 before the user presses enter. If someone is going to fall for entering their info into a strange black box with text, they will fall for literally anything. The scammer could simply delete the image on the page so the balance doesn’t show and say there is a bug… or delete the image and replace it with text, even if it looks off, the type of person being targeted won’t catch it.


I don't think we need to do it for every number. Account number, for example, could still be HTML. Balance could be converted, though.

The harder we make it for scammers, the worse it is for them. I'm not claiming this is foolproof - scammers might be able to generate a PNG on the fly and inject that as the image like solrdev mentioned in another comment. They would still need to match background colors or possibly jump through some other hoops. The more work we make them do, the more likely they are to mess up. It also makes it more obvious to the person being scammed.

In terms of deleting the image and inserting text instead, I've tried it and it's hard to make it look good quickly. You also see instant feedback of the missing element and then the text coming in. It's a cue that something isn't quite right.


One sees this argument a lot in security circles, mostly by people with little to no training. This idea that "every little bit helps, so let's toss in some obfuscation".

Security doesn't work like that. Mostly because (as in this case) the obfuscation is trivial to bypass. I simply replace your set of pngs with my html text.

It's probably worth understanding that professional scammers are not deterred by these trivial speed bumps.

The way to defeat scammers is to train those you know to accept that everyone who phones you is a scammer. Every email you get is a scam. Trust nothing. Believe no one. The more they protest, the more scammy they are.

And just for kicks, if you make any mistakes, if you do anything without consulting me first, I'm putting you in a home! (I wouldn't, but the point is made.)

PNGs on the bank page or not won't make my mom safe. Rabid terror of being scammed will.


I don't think this is completely unheard of, FWIW. For a few years, one of the big banks (maybe BofA? can't remember for sure) was actually doing this (rendering text as images) for account numbers, not balances.

Personally I found it quite annoying, both because (philosophically) it's just security theater that doesn't actually protect anything, and (pragmatically), like the other poster said, it made copying & pasting more difficult. It also broke page zoom (I'm old and need to enlarge all the fonts to read). But such a feature did exist.


Probably accessibility reasons. Even ancient browsers or obscure browsers support text. There is a non-zero chance a browser wouldn't support the image format, or the image might not scale across different screen sizes. Also, iirc there was some vulnerability that used an image format, so that's also an issue to think about.

Finally, text makes web scraping/parsing much easier, and even ignoring that, text is smaller than any image format.


Couldn't alt-text be used to address accessibility?

Web scraping shouldn't be a requirement of personal banking websites. Am I missing something here?


Then how do people with vision problems access the website? AFAIK only the banks in Germany use FINTS for banking.


Had to look up FINTS. You are right about accessibility.


If you are already dealing with scammers, well, they will find ways around it and put energy into it.

And for the rest it will just annoy them many times for no gain.


My bank used to do this. They also forced you to type things for certain operations using a screen keyboard where key labels were shuffled.

