[solardev]

I don't understand your threat model:

> This would ensure scammers can't just go in and edit the html on the fly

How would the scammers "edit the HTML on the fly" of a bank's website that they don't control...?

If they can control it somehow (either via a hack, local malware, browser extension, or just hand-editing the site on the victim's computer)... well, they can just as easily replace your PNG with one of their own, or just replace it with regular HTML numbers.

If someone can control the bank website, it's game over. It's not a matter of graphics vs text?

[4RealFreedom]

They ask a person to login to their bank account with screen sharing. They then take control of the mouse and edit the HTML on the fly making it look like they transferred a large amount to the bank account. Now they ask the person to wire money back or they will lose their job.

[solardev]

If they already control your browser, they don't have to edit the HTML and fake anything. They can just transfer money to themselves from your account...

If they wanted to edit the HTML for some reason, it's trivial to just use their own image or replace the <img> with their own text.

The prevention for this isn't to render texts as image, but not to screen share your computer with random people online, much less hand mouse control over to them while you're logged in to your bank. If it's some elderly person doing this or the such, you should really teach them better or they'll get scammed from much less esoteric threats :(

[4RealFreedom]

If you're interested, I would suggest watching some Kitboga. I don't actually know anyone that has had this happen but there are plenty of stories around the internet. I will try doing some img replacement with my own text and see how it works out.

[solardev]

I can believe that it happens. People are gullible, unfortunately :(

But I don't think the fix for that is for banks to change how they render text. Users can get fooled with just a few IMs. I know people who lost thousands to Zelle/Cash app scams purely over Craigslist emails or messages that way...

Making banks render text as images won't magically fix that. Especially since many people these days use phone apps instead of browsers for banking anyway.

[nanobyte109]

I think he talks about the refund scams.

In the scam they pretend to make a refund to the victim where the victim has to put in the refund amount, the scammer, that has access to the pc via remote control then adds a 0 to the amount and pretends the victim has entered the incorrect amount. That input was just in the windows CMD and did not send any money. The scammer now will talk about that he lose his job because the company has lost a lot of money. The scammer than wants the money back via gift cards. (Because gift cards cant be tracked or refund)