Thursday, 15 December 2011 21:46

ANZ eStatement critical flaw


ANZ Bank has disabled the use of all online bank statements until a critical flaw is fixed.

The ANZ Bank's online bank statement functionality (called eStatement) has a serious flaw related to the browser history.

The flaw was discovered a week ago by SC Magazine, which gave the bank a week to address the issue before going public (which it did at 6:30 on Thursday morning).

Of interest is SC Magazine's very generous statement that "The outsourcer was understood to be considering fixing the bug."  A spokesperson for Salmat (the outsourcer identified in that report) told iTWire that the company strongly denied any involvement in the development of this system, insisting that the ANZ Bank was the developer.

The issue with the online statements relates to browser histories: the statement remains retrievable from the browser's history (and its cache) after the page is closed.  On a PC in your own home this is probably not a problem; on an Internet café or other shared computer it is, because the next person to use the machine can simply scan the recently visited pages and read the statement without any login.

All parties have recommended deleting the browser history after viewing a statement, but this is only a partial fix: it relies on every customer remembering to do it, on every shared machine, every time.
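The server-side half of the fix is to tell the browser never to keep a copy of the statement in the first place, rather than relying on the customer to clean up afterwards. The following is an added example (not ANZ's or Salmat's code, and not the fix they eventually deployed, which the page does not describe): a minimal WSGI handler serving a constructed stand-in for a statement page with and without the standard no-store caching headers, plus a small check that flags responses a browser could retain on disk. The route name, the sample HTML and the header set are assumptions for illustration.

```python
"""Anti-caching headers for a sensitive page, and a check for their absence.

Added example for the eStatement discussion. The statement markup, the
/estatement path and the handler names are constructed placeholders.
"""
from wsgiref.util import setup_testing_defaults

# Constructed sample page standing in for a bank statement. Not real data.
SAMPLE_STATEMENT_HTML = (
    b"<html><body><h1>Statement</h1>"
    b"<p>Closing balance: $1,234.56</p></body></html>"
)

# Headers that instruct browsers (and HTTP/1.0 proxies) not to store the
# response. "no-store" is the directive that matters for the disk cache;
# Pragma and Expires cover older clients that ignore Cache-Control.
NO_STORE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]


def statement_app_weak(environ, start_response):
    """Serves the statement with no caching directives at all.

    A shared browser is free to write this page to its disk cache and to
    re-display it from history, which is the failure mode described above.
    """
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [SAMPLE_STATEMENT_HTML]


def statement_app_hardened(environ, start_response):
    """Same page, but marked as not to be stored by any cache."""
    headers = [("Content-Type", "text/html; charset=utf-8")] + NO_STORE_HEADERS
    start_response("200 OK", headers)
    return [SAMPLE_STATEMENT_HTML]


def fetch(app, path="/estatement/2011-11"):
    """Drive a WSGI app in-process (no network) and return (status, headers, body).

    Header names are lower-cased so the check below is case-insensitive.
    """
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {k.lower(): v for k, v in response_headers}

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def cache_findings(headers):
    """Return a list of reasons a browser could retain this response on disk.

    An empty list means the response carries the full no-store header set.
    """
    findings = []
    cache_control = headers.get("cache-control", "")
    directives = {
        part.strip().split("=")[0].lower()
        for part in cache_control.split(",")
        if part.strip()
    }
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store; page may be written to the disk cache")
    if headers.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing; HTTP/1.0 clients and proxies may cache")
    if "expires" not in headers:
        findings.append("Expires header missing; legacy clients may treat page as fresh")
    return findings


if __name__ == "__main__":
    for name, app in (("weak", statement_app_weak), ("hardened", statement_app_hardened)):
        status, headers, _ = fetch(app)
        problems = cache_findings(headers)
        print(f"{name}: {status}; findings: {problems or 'none'}")
```

Two caveats worth keeping in mind. First, `no-store` stops the browser keeping a copy of the page body, but the URL itself still lands in the history list, so a statement URL should carry nothing identifying (account numbers, customer IDs, dates that reveal activity). Second, HTTPS on its own does not guarantee the page stays out of the cache; browsers differ on caching TLS-delivered content, which is why the explicit header is needed regardless of transport.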

It was only later that ANZ announced they would disable the service.

A later report confirmed that ANZ has removed access to eStatements, although when iTWire visited the relevant page, the bank still appeared to be actively promoting the service.

This error ranks right up there with the First State Super URL-editing breach.  In fact it is such a basic error that it does not even appear as its own entry in the OWASP Top Ten Web Application Security Risks, which lists the most common classes of web application weakness.

ANZ has said that the service will remain offline until a proper fix is installed, but warns this could take weeks.  In the meantime iTWire recommends that all users of this service clear the browser history and cache on every machine they have used to view statements.  The more paranoid in the audience might also like to add a disk cleanup followed by a defrag, bearing in mind that neither overwrites deleted files; only a free-space wipe does that.

Following initial publication of this report, Salmat issued the following statement to iTWire:

Salmat is working with ANZ Bank to resolve the security issue with its e-Statements.

This security issue is not a flaw or breakdown in Salmat systems or processes.

Salmat can confirm that there is no associated security risk for any other bank or credit union using a Salmat system for bank statements.

The company was contacted for clarification of this statement and its response has been included above.  ANZ Bank has also been invited to respond.








David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.


