There will be more to this.

For example, with ANZ you need the following:

1) Customer Number

2) Password and

3) Onlinecode, if the customer has this enabled (SMS Verification)

There is also transfer limits on most accounts - by default, this is $1000.

The attacker will need to:

1) Get the customer number along with the password.

2) Get either the sim card number or mobile account number (here in NZ)

3) Port the number.

4) Login to IB.

5) Do their transfers without triggering fraud detection(!) and filling out the onlinecode each time, if required.

Multiple transfers of $1000 will trigger fraud detection (I can't go into too many details here) but really - to get this far I'd call it identity theft. There are too many steps involved. Not saying it isn't possible, but the customer of the bank would have had to give many details in the process breaking their internet banking terms and conditions also. This is more likely to happen via somebody trusted by the individual (eg, partner or close friend).

But really - I call BS here. Also, on that note this is why you don't use POLi!