ANZ takes down online statements

Update: SC investigation finds security flaw.
ANZ has disabled customers' online banking statements after an SC Magazine investigation found a significant security flaw in the service.

The bank has temporarily taken down customers' ability to download statements from the online banking service.

A spokesman for the bank said the fix, first reported by The Age, would take a "few weeks".

The ability was taken down after an SC Magazine investigation discovered statements viewed online by the bank's customers remained permanently stored in browser histories.

Because the statements are not tied to specific browser sessions and do not expire, identity thieves could potentially plunder troves of statements stored in browser histories if using public terminals.

Customers can reduce exposure to the flaw by wiping browser histories on computers after use, particularly when using shared or public computers.

SC informed the bank of the vulnerability more than a week in advance of the publication of the story to allow it time to act on the flaw.

At the time, it was understood the bank's outsourcer, Salmat, was considering fixing the issue.

Salmat designed the technology that supported the online statements but referred the matter to ANZ when asked about the flaw.

A spokesman for the bank acknowledged the issue at the time and said it was "looking at ways to further improve security".

He claimed that the issue was "not specific to ANZ". 

However, checks on the other big banks, Westpac subsidiary St George and a number of credit unions and smaller banks found they were not vulnerable to the same flaw.

This method of identity theft would be an order of magnitude more efficient than swiping statements from mail boxes.

Bank statements, when in the wrong hands, provide the account details, name, address and offer an indication of a victim's financial status.

Thieves use this information to con and steal money from individuals and institutions. SC recently detailed how scammers stole $45,000 from one man by leveraging similar information to launch social engineering attacks.

Identity theft is also used to conduct tax return and superannuation fraud.