ANZ to replace online banking system

The Australia and New Zealand Banking Group (ANZ) will replace its online banking system later this year in an attempt to improve security and add new functionality.
Written by Munir Kotadia, Contributor

An ANZ spokesperson said on Thursday that the bank plans to push the new service live by the middle of this year.

"The whole system is going to be replaced in a couple of months. The first implementation will be a mirror of our current functionality -- as we stabilise the new system. We will then look to add functionality. It is a bit early to say when it will hit but certainly in the next three or four months," the spokesperson told ZDNet Australia.

He refused to release any further details about the project.

ANZ's online banking site was criticised earlier this week by Internet security firm SurfControl. The company highlighted weaknesses in the way ANZ uses JavaScript, saying they could help criminals create authentic-looking copies of the Web site for use in phishing attacks.

Charles Heunemann, general manager of SurfControl APAC, on Wednesday highlighted the same vulnerability in both ANZ and rival Westpac's online banking sites.

"We had a close look at a number of major banks. The ANZ and Westpac both have some basic password validation, you can easily download most of the JavaScript code for the main banks without too much trouble.... From this it would be very easy... to create a phishing Web site that behaved in exactly the same way as the genuine one," Heunemann told ZDNet Australia.

According to Heunemann, the code could be used in conjunction with a phishing kit to create fraudulent sites.

"By not locking this down the banks just make it a little bit easier for criminals to ply their trade," added Heunemann.

Paul Jennings, Westpac's head of channel and systems management, told ZDNet Australia that the bank is investigating the JavaScript issue.

"Westpac takes customer security very seriously, and as a part of this, we are enhancing our fraud prevention through continuous process improvement. The issue that has been raised has been taken into account, and will be actively monitored," said Jennings.

Westpac is already under pressure to improve its online bank's log-in interface after customers slated the new on-screen keypad.

Responding to a ZDNet Australia news story in February describing the introduction of Westpac's on-screen keypad, users of the system have been critical of the keypad's functionality and have even suggested it could make logging onto the online services less secure.

Typical comments from ZDNet Australia readers are summed up by someone identifying themselves as Ross: "When I use the ATM I cover the buttons with my hand for security. If I can't cover the monitor for security from prying eyes, how can I use Westpac's services in public, at work or overseas in an Internet cafe?"

Westpac's Jennings said the tool was designed purely to reduce the risk from keyloggers stealing customers' passwords: "The new sign on page does not attempt to prevent a standard phishing attack, nor is it designed to comprehensively mitigate all potential avenues of attack, but rather to help mitigate the risk presented by generic keylogging trojans deployed on customer PCs."
