David Heath
Thursday, 15 December 2011 20:46
ANZ Bank has disabled the use of all online bank statements until a critical flaw is fixed.
The ANZ Bank's online bank statement functionality (called eStatement) has a serious flaw related to the browser history.
The flaw was discovered a week ago by SC Magazine, who gave the Bank a week to address the issue before going public (which they did at 6:30 Thursday morning).
Of interest is the very generous statement that "The outsourcer was understood to be considering fixing the bug." A Salmat [the identified outsourcer] spokesperson told iTWire that the company strongly denied any involvement in the development of this system, insisting that the ANZ Bank was the developer.
The issue with the online statements relates to browser histories: the statement remains in the browser history after the page is closed. If this is a PC in your own home, it's probably not a problem; but on an Internet café computer it can be, as the next person to use the computer can easily access the information by scanning the recently visited pages.
All parties have recommended that browser histories be deleted after viewing a statement, but this is really only a partial fix.
It was only later that ANZ announced they would disable the service.