ANZ Bank's sticky statements a prize for ID thieves

(Update) The online banking statements of ANZ Bank customers are vulnerable to access via identity thieves, SC Magazine can reveal.

Bank statements viewed online remain stored permanently in browser histories.  

Because the statements are not tied to specific browser sessions and do not expire, identity thieves could plunder troves of statements stored in browser histories if using public terminals.

SC informed the bank of the vulnerability more than a week in advance of the publication of this story to allow it time to act on the flaw.

The banks' outsourcer Salmat referred the matter to ANZ.

It said later that it was working with ANZ Bank to resolve the security issue.

"This security issue is not a flaw or breakdown in Salmat systems or processes," a spokesman said.

"Salmat can confirm that there is no associated security risk for any other bank or credit
union using a Salmat system for bank statements."

A spokesman for the ANZ said the bank was "aware of the issue" and claimed that while the issue was "not specific to ANZ", it was "looking at ways to further improve security".

Customers could mitigate expose to the flaw by wiping browser histories when using shared computer terminals.

Checks on Westpac, Commonwealth Bank, St George, NAB and a number of credit unions and smaller banks found they were not vulnerable to the same flaw.

This method of identity theft would be an order of magnitude more efficient than swiping statements from mail boxes.

Bank statements, when in the wrong hands, provide the account details, name, address and offer an indication of a victim's financial status.

Thieves use this information to con and steal money from individuals and institutions. SC recently detailed how scammers stole $45,000 from one man by leveraging similar information to launch social engineering attacks.

Identity theft is also used to conduct tax return and superannuation fraud.