ANZ Bank's online banking statements are vulnerable to access by identity thieves, an SC Magazine investigation has found.
Statements viewed online by the bank's customers remain stored permanently in browser histories.
Because the statements are not tied to specific browser sessions and do not expire, identity thieves could potentially plunder troves of statements stored in the browser histories of public terminals.
Customers can reduce exposure to the flaw by wiping browser histories on computers after use, particularly when using shared or public computers.
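The two properties the statements are described as lacking, being tied to a session and expiring, can be enforced on the server side. The following is an added example, not code from ANZ, Salmat or the original article: a minimal sketch in which every function name, the URL layout, the key and the five-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Hypothetical names throughout; the key is a constructed sample value.
SERVER_KEY = b"constructed-demo-key"
LINK_TTL = 300  # seconds a statement link stays valid (assumed value)
NO_STORE = {"Cache-Control": "no-store"}  # keep the statement out of the browser cache


def _mac(session_id, statement_id, expires):
    # Bind the link to one session, one statement and one expiry time.
    msg = f"{session_id}\n{statement_id}\n{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(session_id, statement_id, now=None):
    expires = int(time.time() if now is None else now) + LINK_TTL
    sig = _mac(session_id, statement_id, expires)
    return f"/statements/{statement_id}?exp={expires}&sig={sig}"


def check_link(url, session_id, live_sessions, now=None):
    """Return (HTTP status, response headers) for a statement request."""
    now = int(time.time() if now is None else now)
    if session_id is None or session_id not in live_sessions:
        return 401, {}  # no logged-in session: a URL left in history is useless
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    statement_id = parts.path.rsplit("/", 1)[-1]
    try:
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return 400, {}  # missing or malformed parameters
    if now > expires:
        return 410, {}  # link has expired
    expected = _mac(session_id, statement_id, expires)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return 403, {}  # issued to a different session, or tampered with
    return 200, NO_STORE
```

With checks like these the link may still be recorded in a shared computer's history, but it stops working once the customer logs out or the lifetime passes.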
SC informed the bank of the vulnerability more than a week in advance of the publication of this story to allow it time to act on the flaw.
The bank's outsourcer Salmat designed the technology that supported the statements but referred the matter to ANZ.
It is understood Salmat has considered fixing the bug.
A spokesman for the bank acknowledged the issue and said it was "looking at ways to further improve security".
He claimed that the issue was "not specific to ANZ".
However, checks on the other big banks, Westpac subsidiary St George and a number of credit unions and smaller banks found they were not vulnerable to the same flaw.
This method of identity theft would be an order of magnitude more efficient than swiping statements from mail boxes.
Bank statements, when in the wrong hands, provide the account details, name and address, and offer an indication of a victim's financial status.
Thieves use this information to con and steal money from individuals and institutions. SC recently detailed how scammers stole $45,000 from one man by leveraging similar information to launch social engineering attacks.