ANZ's Internet banking goes to insane lengths to be more insecure.
The first is their hiding of the URL. ANZ users are trained to go to http://anz.co.nz and then click on that blue login button on the top right. However, that first page at http://anz.co.nz/ is just a plain old HTTP response, i.e. no SSL, so it can be spoofed: a transparent proxy or a DNS attack can return a different response here, and you have no way of knowing you're not really talking to ANZ's server.
So, as you're trained to do, you click on the login link, and it bounces up with a popup (that is, if you have JavaScript and popups enabled). The really bizarre thing here is that ANZ have deliberately *hidden* the address bar, so it's a popup from a page you're not sure is ANZ's, and you're not sure the popup is really from ANZ either. It might have a valid SSL cert, but you can't see the address anymore, so you're not sure.
You then proceed to blindly enter your internet banking credentials into Joe Bloggs's website and have no idea he's listening as a man in the middle. The SSL cert is valid, but you can't see that it's actually Joe Bloggs's SSL cert.
Ignoring the JavaScript monstrosity that is the menu system once you're inside this anonymous website, the logout functionality also requires that popups be turned on. In fact it opens 3 popups: one on click and 2 more on window close. It seems that unless the 2nd popup works, you're still logged in, so folks who whitelisted the first popup and then got annoyed enough not to whitelist the second are still logged in. Meanwhile you view Joe Bloggs's website and some CSRF starts transferring all your money elsewhere...
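As an added example (not code from the original post), here is a small defender-side check that flags the two conditions described above when run over a saved copy of a landing page: the page itself arriving over plain HTTP, and a login handoff done through a `window.open` popup that hides the address bar (it also flags forms that submit over HTTP). The `example.test` hostnames and the HTML are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# window.open() features that hide the chrome a user needs to verify the popup's origin.
HIDDEN_CHROME = ("location=no", "location=0", "toolbar=no", "toolbar=0")
WINDOW_OPEN = re.compile(r"window\.open\([^)]*\)")

class LoginHandoffAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # A form posting to a non-HTTPS action sends whatever it collects in the clear.
        if tag == "form" and a.get("action") is not None:
            target = urljoin(self.page_url, a["action"])
            if urlsplit(target).scheme != "https":
                self.findings.append(f"form submits over {urlsplit(target).scheme}: {target}")
        # A popup opened with the address bar hidden cannot be checked by the user.
        for attr in ("onclick", "href"):
            m = WINDOW_OPEN.search(a.get(attr) or "")
            if m and any(f in m.group(0).replace(" ", "").lower() for f in HIDDEN_CHROME):
                self.findings.append(f"<{tag} {attr}> opens popup with address bar hidden: {m.group(0)}")

def audit(page_url, html):
    """Return findings for a saved landing page and the URL it was fetched from."""
    findings = []
    scheme = urlsplit(page_url).scheme
    if scheme != "https":
        # Everything below is untrustworthy if the page itself arrived unauthenticated.
        findings.append(f"landing page served over {scheme}; its login link can be spoofed")
    parser = LoginHandoffAudit(page_url)
    parser.feed(html)
    return findings + parser.findings

# Constructed sample resembling the flow described in the post (not a real page).
SAMPLE_URL = "http://landing.example.test/"
SAMPLE_HTML = """<html><body>
<a href="#" onclick="window.open('https://secure.example.test/login', 'ib',
   'width=800,height=600,toolbar=no,location=no,status=no'); return false;">Login</a>
<form action="/login" method="post"><input name="user"></form>
</body></html>"""

if __name__ == "__main__":
    for line in audit(SAMPLE_URL, SAMPLE_HTML):
        print("-", line)
```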
The moral of the story - stop trusting Joe Bloggs. Especially if you're a bank.
Comment by rscole86, on 16-Jun-2008 19:21, user id: 25990
Another great feature is something the GF and her mum use for THEIR own business. The personal account and work account are combined so that when you log in online, you can access both accounts.
They both have joint access to the business account, but only her mum has 'authority' to access the personal account, but she does not mind what her daughter does.
The GF used the secure mail service, to query a business account transaction. ANZ replied, saying that she is not authorised to talk to them about the account, and that they cannot talk to her!
Good one ANZ! We realise the personal and business accounts use the same login; in fact you suggested we do that! And now that we have, only the person whose personal account it is linked to can talk to you. *sigh*
Last moan: their 90 day transaction history is actually UP TO 90 days. The 90 days will depend on your statement date, so at times all you will get is 60 days :(
Comment by rscole86, on 16-Jun-2008 19:24, user id: 25990
BTW, I can see the address bar in IE7
Comment by hellonearthisman, on 16-Jun-2008 19:37, user id: 25537
I used ANZ and I found the number of clicks needed to move money from one account to another is S.A.D (Stupid And Dumb)
Comment by paradoxsm, on 16-Jun-2008 20:23, user id: 8664
It's certainly not the best setup. A weird link on a main page, a pop-up window that could be from anywhere, another pop-up window spawns from that looking even more obscured.
The only thing it seems to detect is if you click through the links too fast; then it closes down the blimmin session! Other security attacks seem to be rather easy.
It used to be worse: typing in anz.co.nz used to redirect to anz.com/nz. If you typed in the latter URL directly though, you couldn't actually log in! Ugh!
Whoever implemented that interface needs to look at something other than IT or project management for their next role.
I think Kiwibank has the best interface, and so much information is available too about logins and user-fingerprinting. Security is top-notch, offering an enhanced random security filter, and soon they will use an on-screen keyboard to further bolt it down. If you try and access the page from a script or even a new browser window, it will detect a possible security breach and immediately close down the session.
It's always available through a single browser window at
https://www.kiwibank.co.nz/banking/Login.asp
It uses Ultradata's MyViewPoint.
(I do not work for Kiwibank or any related company)
ANZ are in the process of upgrading their site so they may be rectifying this.
Comment by lugh, on 17-Jun-2008 08:25, user id: 5002
FYI - I've forwarded this issue to our Risk guys again to see if anything's been raised internally.
Comment by jumbo, on 29-Jun-2009 18:48, user id: (none given)
The whole site sux. I'm not interested in what's available to Australians. I'm still waiting for a reply to last night's query. Nothing yet from anybody.
Comment by sleemanj, on 16-Jun-2008 19:16, user id: 27497
Not an excuse, but Firefox no longer permits the address bar to be removed from popups as far as I recall. Opera also (largely by virtue of its MDI design) always shows the address bar.