Why the Internet Needs Mutation Observers

How Banking Websites Can Help Stop Refund Scams

Anatomy of a Scam (Inspect Element Method)

1. Victim receives call in which the scammer claims that he is from a reputable company (usually Microsoft).
2. The scammer, usually with an obvious Indian accent, provides an American sounding name, and says that the victim is eligible for a refund from their alleged company. The scammer offers to give this refund himself.
3. The scammer gets the victim to install and use Google Chrome.
4. The scammer gets the victim to download some Remote Desktop client such as TeamViewer to allow the scammer access to the victim's computer.
5. The scammer gets the victim to login to the victim's bank and permit the scammer to connect via the aforementioned client.
6. The scammer, now having access to the victim's computer, tells the victim to look away, and then the magic starts.
7. The scammer right clicks the bank account and hits "Inspect Element," which lets them edit the HTML.
8. The scammer types in the original number, plus some number much larger than the agreed upon amount.
9. The scammer permits the victim to see the amount, telling them that they have refunded them too much money. They then urge the victim to pay them back the amount minus the refund. This is, of course, money that the victim does not have.
10. The scammer, upon receiving payment, hangs up, and the victim usually doesn't notice until much later.

How to Detect "Inspect Element" Tampering

Fortunately, web designers for online banking can detect tampering using a JavaScript API called Mutation Observers, which has been available since IE11. In short, Mutation Observers watch for changes in the HTML DOM and triggers callbacks when this happens. As an example, try using the Inspect Element trick on the number below. There is also a script that increments the value every 5 seconds, so be quick! This shows that you can still set the innerHTML with JavaScript/jQuery yourself, while still detecting Inspect Element changes. That way you can still use AJAX to refresh the values. This works because when jQuery does it, it triggers a mutation of type childList instead of characterData.

And here is the source code for it:

You can close the tab, lock the customer out, or prevent changes altogether. (As a side note, the alert box does not block the inspector. If you want to undo any inspect-element changes, don't use an alert box.)

Alternative Method: Interfund Tranfser (IFT) Method

1. Instead of using "Inspect Element," the scammer transfers funds in between accounts, distracting the victim from what he's doing.
2. The scammer hopes to convince the scammer that his account has more money, and the scam proceeds as in the first section.

Recommended Measures for Banks and Other Financial Institutions

As a somewhat experienced Full Stack Dev, I do have a few recommended actions. My personal philosophy with this is to do EVERYTHING reasonably possible to alert and protect the customer.

• Use alert boxes to show that something is wrong. I recommend that the alert is displayed a few times in case the scammer tries to close the window. If the customer has not blacked out the screen, this will be warning sign #1.
• Log the customer out and replace the page with a pure HTML warning like above. A more concise and direct message would be better. Contact your legal team and work with your managers to tailor it to your business logic and needs. This will mitigate immediate damage that the scammer can cause to the account. When the customer closes, trigger an alert with onbeforeunload to stall for more time for the customer to read the message.
• Time out the customer for an hour, and/or set a temporary password. This will prevent the scammer from getting back in to the account immediately after he retreats.
• Email, SMS, and Call the customer with detailed instructions on how to unlock the account. Always confirm changes to contact information with the customer in case the scammer tries to change it via customer profile settings. The confirmation message should include a warning that the contact should never be anyone other than the customer or an authorized account manager, and especially not someone claiming to refund money. (Specifically call out this type of scam.)
• To deal with the IFT method, encourage customers to put alerts on their accounts to show that a large sum of money has been transferred. Further, pages should display status information at the top of the Account Summary page showing that the last transfer was an IFT of x amount.

Ideas for Scambaiters Making Fake Websites

I decided to add this section because scambaiting seems to be one of the most effective ways of dealing with scammers. (I mean, it's not like their government is doing anything about it.) This list is not meant to be exhaustive by any means. Though I do have a lot of ideas for nasty tricks, I want to keep this article short. This is just meant to give scambaiters some inspiration.

• Obviously, you don't want to end the scam prematurely, so I would use a more subtle message. How about: "All fund transfers are final. If you have been over-refunded, you are under no legal obligation to return any money to the refunder. Enjoy your extra cash!"
• Then, if they try to change it to 0.00, change the value to 10000.00. Make the message say, "Thank you for your generosity!"
• Or you can track the old pre-change value by adding 'characterDataOldValue' to the config list (See MDN's website). This means you can calculate the difference, divide that by 100, and set it to the expected refund amount for extra confusion. Make sure you use the 'toFixed' method.

Conclusion

These types of scams are becoming more and more prevalent. A simple solution like this can easily put a stop to them, or at least slow them down long enough for the customer to become suspicious.