[al_borland]

I often login to my bank to copy an account number when I need it. I don’t like to rely on typing it correctly. This change would kill that. Sure, I could use OCR on the image, but that isn’t 100% perfect, like a text copy is.

They will also likely just come up with a small tweak on the scam if there is a change like this. I’ve watched some of the videos where they pull up a command prompt and run a script where the user is entering the amount to transfer into the CLI. When they type the amount the scammer slips in an extra 0 before the user presses enter. If someone is going to fall for entering their info into a strange black box with text, they will fall for literally anything. The scammer could simply delete the image on the page so the balance doesn’t show and say there is a bug… or delete the image and replace it with text, even if it looks off, the type of person being targeted won’t catch it.

[4RealFreedom]

I don't think we need to do it for every number. Account number, for example, could still be HTML. Balance could be converted, though.

The harder we make it for scammers, the worse it is for them. I'm not claiming this is fool proof - scammers might be able to generate a png on the fly and inject that as the image like solrdev mentioned in another comment. They would still need to match background colors or possibly jump through some other hoops. The more work we make them do, the more likely the are to mess up. It also makes it more obvious to the person being scammed.

In terms of deleting the image and inserting text instead, I've tried it and it's hard to make it look good quickly. You also see instant feedback of the missing element and then the text coming in. It's a cue that something isn't quite right.

[bruce511]

One sees this argument a lot in security circles, mostly by people with little to no training. This idea that "every little bit helps, so let's toss in some obfuscation ".

Security doesn't work like that. Mostly because (as in this case) the obfuscation is trivial to bypass. I simply replace your set of pngs with my html text.

It's probably worth understanding that professional scammers are not deterred by these trivial speed bumps.

The way to defeat scammers is to train those you know to accept that every one who phones you is a scammer. Every email you get is a scam. Trust nothing. Believe no one. The more they protest the more scammey they are.

And just for kicks, if you make any mistakes, if you do anything without consulting me first, I'm putting you in a home! (I wouldn't, but the point is made.)

Pngs on the bank page or not won't make my mom safe. Rabid terror of being scammed will.

[solardev]

I don't think this is completely unheard of, FWIW. For a few years, one of the big banks (maybe BofA? can't remember for sure) was actually doing this (rendering text as images) for account numbers, not balances.

Personally I found it quite annoying, both because (philosophically) it's just security theater that doesn't actually protect anything, and (pragmatically), like the other poster said, it made copying & pasting more difficult. It also broke page zoom (I'm old and need to enlarge all the fonts to read). But such a feature did exist.