HACKER Q&A
📣 4RealFreedom

Why don't banks render numbers as PNGs instead of using HTML?


I've been thinking about scammers lately and thought about rendering numbers as a png in browsers instead of displaying them as HMTL for banks. This would ensure scammers can't just go in and edit the html on the fly potentially saving some people from this kind of attack.

I played around with libvips and can easily create a png with any text.

vips text x.png "1,234,567" --width 100 --align centre --dpi 340

Any thoughts on why this shouldn't be done?

  👤 solardev Accepted Answer ✓
I don't understand your threat model:

> This would ensure scammers can't just go in and edit the html on the fly

How would the scammers "edit the HTML on the fly" of a bank's website that they don't control...?

If they can control it somehow (either via a hack, local malware, browser extension, or just hand-editing the site on the victim's computer)... well, they can just as easily replace your PNG with one of their own, or just replace it with regular HTML numbers.

If someone can control the bank website, it's game over. It's not a matter of graphics vs text?

👤 theandrewbailey
1. This would break accessibility requirements.

2. Scammers can fake PNGs just like HTML.

👤 akshardave
This is a legit good idea and I don't think there's any reason not to do this. I had a similar idea to instead render the balance amount inside a canvas to make it difficult for a scammer to change it. Could also add event listeners to the canvas so when the canvas element or its nearby/parent elements get removed or changed, the page could automatically logout and show an alert message warning about a possible scam. For accessibility, aria-* tags could still be added and there could be ways to allow copying the balance amount too.
👤 al_borland
I often login to my bank to copy an account number when I need it. I don’t like to rely on typing it correctly. This change would kill that. Sure, I could use OCR on the image, but that isn’t 100% perfect, like a text copy is.

They will also likely just come up with a small tweak on the scam if there is a change like this. I’ve watched some of the videos where they pull up a command prompt and run a script where the user is entering the amount to transfer into the CLI. When they type the amount the scammer slips in an extra 0 before the user presses enter. If someone is going to fall for entering their info into a strange black box with text, they will fall for literally anything. The scammer could simply delete the image on the page so the balance doesn’t show and say there is a bug… or delete the image and replace it with text, even if it looks off, the type of person being targeted won’t catch it.

👤 tonetegeatinst
Probably accessibility reasons. Even ancient browsers or obscure browsers support text. Their is a non zero chance a browser wouldn't support the image format, or the image might not scale across different screen sizes. Also iirc their was some vulnerability that used a image format so that's also a issue to think about.

Finally, text makes web scraping/parsing much easier, and even ignoring that text is smaller than any image format.

👤 stop50
Then how do access people with vision problems the website? Afaik only the banks in Germany use FINTS for banking
👤 Ekaros
If you are already dealing with scammers. Well they will find the ways around it and put energy in it.

And for the rest it will just many times annoy them for no gain.

👤 nextos
My bank used to do this. They also forced you to type things for certain operations using a screen keyboard where key labels were shuffled.