We’ve seen this week a lot in the news about the ANZ Bank and the security issue they’ve had with their online banking. ANZ have now taken their online statements offline until such time as they resolve the issue.
The IT Professional who discovered the issue is a colleague of mine. We’ll call him Mr Y for now. Here’s the side of the story that has not yet been published… and it’s certainly a real issue, and a concern that it has still not been resolved.
- In July this year Mr Y discovered the flaw; he is himself a user of the ANZ Bank’s online facilities. Mr Y is not a security researcher at all, but an IT Professional focused on serving his customers’ business needs with IT solutions.
- He contacted the bank at that time and, after spending a considerable amount of time talking to different people, finally got his message across so that they understood what he was saying.
- The ANZ Bank had one of their security team contact Mr Y, and they advised him that he was indeed correct and that it was an issue. They advised that they were investigating it as a serious concern.
- The ANZ Bank’s online statements are part of a facility provided by a third-party company called Salmat, who also provide the same service to other banking institutions. Mr Y contacted Salmat about the problem but never got a response from them. One can only conclude that they didn’t think it was a problem, for if they had, I’m sure they would have contacted Mr Y back.
- Despite trying to contact the ANZ about the issue over the next few months, Mr Y got ZERO response from them.
- Earlier this week SC Magazine broke the story, making it public knowledge, after giving the ANZ at least a week’s notice that they intended to release it to the public.
- ANZ Bank have chosen not to do anything until AFTER the story was published. Seriously – ANZ, you’ve got to be kidding that you decide to STILL not do anything UNTIL the press come out with it?
- Despite all of this, the ANZ Bank still has not contacted Mr Y even after it’s gone to press.
So I have to wonder, if the ANZ Bank have known about this security flaw for many months now, then why the heck did it take pressure from the press for them to do anything about it? Why also have they now inconvenienced all of their online customers by removing access to the online statements when they could have resolved this earlier without the negative press that has ensued?
What about other banks that are using the same system – they themselves are vulnerable and yet we’ve not seen anything to suggest that they have taken action to resolve the issue.
As an IT Professional, I have to wonder what their security response policy must look like. For them to have failed to acknowledge the issue initially, and then, once the press alerted them to it, to further fail to acknowledge that they already knew about it, is just not acceptable.
As an ANZ customer, I’ve got to consider also the security of the information that they have on me. How do I know it’s still secure with such lax policies as they have in place to allow this to go on?