I played around with libvips and can easily create a png with any text.
vips text x.png "1,234,567" --width 100 --align centre --dpi 340
Any thoughts on why this shouldn't be done?
> This would ensure scammers can't just go in and edit the html on the fly
How would the scammers "edit the HTML on the fly" of a bank's website that they don't control...?
If they can control it somehow (either via a hack, local malware, browser extension, or just hand-editing the site on the victim's computer)... well, they can just as easily replace your PNG with one of their own, or just replace it with regular HTML numbers.
If someone can control the bank website, it's game over. It's not a matter of graphics vs text?
If they wanted to edit the HTML for some reason, it's trivial to just use their own image or replace the <img> with their own text.
The prevention for this isn't to render text as images, but not to screen share your computer with random people online, much less hand mouse control over to them while you're logged in to your bank. If it's some elderly person doing this or the such, you should really teach them better or they'll get scammed by much less esoteric threats :(
2. Scammers can fake PNGs just like HTML.
They will also likely just come up with a small tweak on the scam if there is a change like this. I’ve watched some of the videos where they pull up a command prompt and run a script where the user is entering the amount to transfer into the CLI. When they type the amount the scammer slips in an extra 0 before the user presses enter. If someone is going to fall for entering their info into a strange black box with text, they will fall for literally anything. The scammer could simply delete the image on the page so the balance doesn’t show and say there is a bug… or delete the image and replace it with text, even if it looks off, the type of person being targeted won’t catch it.
The harder we make it for scammers, the worse it is for them. I'm not claiming this is foolproof - scammers might be able to generate a png on the fly and inject that as the image like solrdev mentioned in another comment. They would still need to match background colors or possibly jump through some other hoops. The more work we make them do, the more likely they are to mess up. It also makes it more obvious to the person being scammed.
In terms of deleting the image and inserting text instead, I've tried it and it's hard to make it look good quickly. You also see instant feedback of the missing element and then the text coming in. It's a cue that something isn't quite right.
Security doesn't work like that. Mostly because (as in this case) the obfuscation is trivial to bypass. I simply replace your set of pngs with my html text.
It's probably worth understanding that professional scammers are not deterred by these trivial speed bumps.
The way to defeat scammers is to train those you know to accept that everyone who phones you is a scammer. Every email you get is a scam. Trust nothing. Believe no one. The more they protest the more scammy they are.
And just for kicks, if you make any mistakes, if you do anything without consulting me first, I'm putting you in a home! (I wouldn't, but the point is made.)
Pngs on the bank page or not won't make my mom safe. Rabid terror of being scammed will.
Personally I found it quite annoying, both because (philosophically) it's just security theater that doesn't actually protect anything, and (pragmatically), like the other poster said, it made copying & pasting more difficult. It also broke page zoom (I'm old and need to enlarge all the fonts to read). But such a feature did exist.
Finally, text makes web scraping/parsing much easier, and even ignoring that text is smaller than any image format.
Web scraping shouldn't be a requirement of personal banking websites. Am I missing something here?
And for the rest it will just many times annoy them for no gain.