ANZ's Internet banking goes to insane lengths to be more insecure

posted: 16-Jun-2008 18:32

Where do I start with describing the weird decisions ANZ's internet banking team makes?

The first is their hiding of the URL. ANZ users are trained to go to http://anz.co.nz and then click the blue login button at the top right. But that first page at http://anz.co.nz/ is a plain old HTTP response, with no SSL, so it can be spoofed: a transparent proxy or a DNS attack can return a different page, and you have no way of knowing you aren't really talking to ANZ's server. So, as you've been trained to do, you click the login link, and up comes a popup window (that is, if you have JavaScript and popups enabled). The really bizarre thing is that ANZ has deliberately *hidden* the address bar in that popup. So you have a popup spawned from a page you aren't sure is ANZ's, and you aren't sure the popup is really from ANZ either. It might have a valid SSL certificate, but with the address bar gone you can't see the hostname or the padlock, which are the only things in the browser that let you tie the page to anz.co.nz rather than to whoever else bought a certificate. You then proceed to blindly enter your internet banking credentials into Joe Bloggs's website and have no idea he's sitting in the middle, listening. The SSL certificate is valid; you just can't see that it's Joe Bloggs's certificate and not ANZ's.

Ignoring the JavaScript monstrosity that is the menu system once you're inside this anonymous website, the logout function also requires that popups be enabled. In fact it opens three popups: one on click and two more on window close. It seems that unless the second popup works, you're still logged in, so folks who whitelisted the first popup and then got annoyed enough not to whitelist the second are still logged in. Meanwhile, you keep browsing Joe Bloggs's website and some CSRF starts transferring all your money elsewhere...

The moral of the story: stop trusting Joe Bloggs. Especially if you're a bank.

Comment by sleemanj, on 16-Jun-2008 19:16

Not an excuse, but Firefox no longer permits the address bar to be removed from popups, as far as I recall. Opera also (largely by virtue of its MDI design) always shows the address bar.


Author's note by taniwha, on 16-Jun-2008 19:18

Yay! People smarter than ANZ's internet banking team are working on Mozilla browsers to stop such insecure behaviour. Finding such a thing on an internet banking site, of all places, is so WTF it's almost lol-worthy.


Comment by rscole86, on 16-Jun-2008 19:21

Another great feature is something the GF and her mum use for THEIR own business. The personal account and work account are combined so that when you log on, you can access both accounts.
They both have joint access to the business account, but only her mum has 'authority' to access the personal account, though she does not mind what her daughter does.
The GF used the secure mail service to query a business account transaction. ANZ replied, saying that she is not authorised to talk to them about the account, and that they cannot talk to her!
Good one ANZ! We realise the personal and business accounts use the same login; in fact you suggested we do that! And now that we have, only the person whose personal account it is linked to can talk to you. *sigh*
Last moan: their 90-day transaction history is actually UP TO 90 days. The 90 days will depend on your statement date, so at times all you will get is 60 days :(


Comment by rscole86, on 16-Jun-2008 19:24

BTW, I can see the address bar in IE7


Comment by hellonearthisman, on 16-Jun-2008 19:37

I used ANZ and I found the number of clicks needed to move money from one account to another is S.A.D. (Stupid And Dumb).


Author's note by taniwha, on 16-Jun-2008 19:55

I asked ANZ once, via "secure mail", whether they would be changing their hiding of the address bar, in light of all the spam/phishing emails out there and the need to see the address bar. Their reply explained that the address bar is removed for "security reasons"... well, you can't argue with "security reasons", can you?


Comment by paradoxsm, on 16-Jun-2008 20:23

It's certainly not the best setup. A weird link on a main page, a pop-up window that could be from anywhere, and another pop-up window spawning from that, looking even more obscured.
The only thing it seems to detect is if you click through the links too fast, in which case it closes down the blimmin' session! Other security attacks seem to be rather easy.

It used to be worse: typing in anz.co.nz used to redirect to anz.com/nz. If you typed in the latter URL directly, though, you couldn't actually log in! Ugh!

Whoever implemented that interface needs to look at something other than IT or project management for their next role.

I think Kiwibank has the best interface, and so much information available too about logins and user fingerprinting. Security is top-notch, offering an enhanced random security filter, and soon they will use an on-screen keyboard to further bolt it down. If you try to access the page from a script or even a new browser window, it will detect a possible security breach and immediately close down the session.
It's always available through a single browser window at
https://www.kiwibank.co.nz/banking/Login.asp
It uses Ultradata's MyViewPoint.
(I do not work for Kiwibank or any related company)


ANZ are in the process of upgrading their site, so they may be rectifying this.


Author's note by taniwha, on 17-Jun-2008 00:30

@paradoxsm: that on-screen keyboard, I wonder how accessible that is for the blind, visually impaired or motion-impaired folks out there.


Comment by lugh, on 17-Jun-2008 08:25

FYI - I've forwarded this issue to our Risk guys again to see if anything's been raised internally.


Author's note by taniwha, on 17-Jun-2008 10:17

I hope Joe Bloggs doesn't read this.


Comment by jumbo, on 29-Jun-2009 18:48

The whole site sucks. I'm not interested in what's available to Australians. I'm still waiting for a reply to last night's query. Nothing yet from anybody.



taniwha's profile

Wally (Brenda) 
Te Whanganui O Tara
New Zealand