WingNews logo WingNews
top | item 41302438

Ask HN: Why don't banks render numbers as PNGs instead of using HTML?

2 points| 4RealFreedom | 1 year ago

I've been thinking about scammers lately and thought about rendering numbers as a png in browsers instead of displaying them as HMTL for banks. This would ensure scammers can't just go in and edit the html on the fly potentially saving some people from this kind of attack.

I played around with libvips and can easily create a png with any text.

vips text x.png "1,234,567" --width 100 --align centre --dpi 340

Any thoughts on why this shouldn't be done?

25 comments

order

solardev|1 year ago

I don't understand your threat model:

> This would ensure scammers can't just go in and edit the html on the fly

How would the scammers "edit the HTML on the fly" of a bank's website that they don't control...?

If they can control it somehow (either via a hack, local malware, browser extension, or just hand-editing the site on the victim's computer)... well, they can just as easily replace your PNG with one of their own, or just replace it with regular HTML numbers.

If someone can control the bank website, it's game over. It's not a matter of graphics vs text?

4RealFreedom|1 year ago

They ask a person to login to their bank account with screen sharing. They then take control of the mouse and edit the HTML on the fly making it look like they transferred a large amount to the bank account. Now they ask the person to wire money back or they will lose their job.

theandrewbailey|1 year ago

1. This would break accessibility requirements.

2. Scammers can fake PNGs just like HTML.

4RealFreedom|1 year ago

I'll give you accessibility. I tried changing images in the browser on the fly and it just hides the image. That's probably because the browser would need to make a new GET request.

akshardave|1 year ago

This is a legit good idea and I don't think there's any reason not to do this. I had a similar idea to instead render the balance amount inside a canvas to make it difficult for a scammer to change it. Could also add event listeners to the canvas so when the canvas element or its nearby/parent elements get removed or changed, the page could automatically logout and show an alert message warning about a possible scam. For accessibility, aria-* tags could still be added and there could be ways to allow copying the balance amount too.

al_borland|1 year ago

I often login to my bank to copy an account number when I need it. I don’t like to rely on typing it correctly. This change would kill that. Sure, I could use OCR on the image, but that isn’t 100% perfect, like a text copy is.

They will also likely just come up with a small tweak on the scam if there is a change like this. I’ve watched some of the videos where they pull up a command prompt and run a script where the user is entering the amount to transfer into the CLI. When they type the amount the scammer slips in an extra 0 before the user presses enter. If someone is going to fall for entering their info into a strange black box with text, they will fall for literally anything. The scammer could simply delete the image on the page so the balance doesn’t show and say there is a bug… or delete the image and replace it with text, even if it looks off, the type of person being targeted won’t catch it.

4RealFreedom|1 year ago

I don't think we need to do it for every number. Account number, for example, could still be HTML. Balance could be converted, though.

The harder we make it for scammers, the worse it is for them. I'm not claiming this is fool proof - scammers might be able to generate a png on the fly and inject that as the image like solrdev mentioned in another comment. They would still need to match background colors or possibly jump through some other hoops. The more work we make them do, the more likely the are to mess up. It also makes it more obvious to the person being scammed.

In terms of deleting the image and inserting text instead, I've tried it and it's hard to make it look good quickly. You also see instant feedback of the missing element and then the text coming in. It's a cue that something isn't quite right.

tonetegeatinst|1 year ago

Probably accessibility reasons. Even ancient browsers or obscure browsers support text. Their is a non zero chance a browser wouldn't support the image format, or the image might not scale across different screen sizes. Also iirc their was some vulnerability that used a image format so that's also a issue to think about.

Finally, text makes web scraping/parsing much easier, and even ignoring that text is smaller than any image format.

4RealFreedom|1 year ago

Couldn't alt-text be used to address accessibility?

Web scrapping shouldn't be a requirement of personal banking websites. Am I missing something here?

stop50|1 year ago

Then how do access people with vision problems the website? Afaik only the banks in Germany use FINTS for banking

4RealFreedom|1 year ago

Had to look up FINTS. You are right about accessibility.

Ekaros|1 year ago

If you are already dealing with scammers. Well they will find the ways around it and put energy in it.

And for the rest it will just many times annoy them for no gain.

nextos|1 year ago

My bank used to do this. They also forced you to type things for certain operations using a screen keyboard where key labels were shuffled.